About the (ISC)² Blog

  • (ISC)² believes in the importance of open dialogue and collaboration, between both (ISC)², its certified members and members of business and society.

    (ISC)² established this blog to provide a voice to its certified members, who have significant knowledge and valuable insights to share that can benefit the information security industry, the people in it and the public at large.

    The postings on this site are the author's own and don't necessarily represent
    (ISC)²'s positions, strategies or opinions. (ISC)² does not control, monitor, or endorse any links provided in this blog and makes no warranty or statement regarding the content on any linked website.

    Those who post comments to blogs should ensure their comments are focused on the topic at hand. (ISC)² reserves the right to remove any post or comment from this site.

    Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org.


03 July 2008

Introduction to Lawful Interception Systems

A lot of people are asking me about Lawful Interception Systems, so I had the idea to present some basic concepts about this technology here.

Introduction

Lawful interception is the legally sanctioned official access to private communications, such as telephone calls, e-mail messages, instant messages or VOIP communications. In general, LI is a security process in which a network operator or service provider gives law enforcement officials access to the communications of private individuals or organizations.

Architecture

Although the details may vary from country to country or vendor to vendor, there is a general set of logical and physical requirements which explains much of the common terminology used. The architecture requires a distinct separation of the IP network and the networks used for distribution and processing of LI information. The interfaces between the production network and the Law Enforcement System must be protected.

Basically, an LI system must have a set of components (the exact set may vary):

  • Capture System - Normally an appliance with high-speed network capture cards designed to receive 100% of a link's traffic (using taps), analyze it and send the desired information (the monitored people's conversations) to the Mediation System;
  • Mediation System - A system designed to act as a standard set of input/output interfaces, standardizing the data collection when several communication systems from different vendors are in place;
  • Data Retention System - A secured storage system which stores all the captured data and allows only LEAs (Law Enforcement Agencies) to access it (a carrier or an enterprise deploying the system cannot have access to the captured data);
  • Administration System - Usually a GUI that allows only the LEA to access it and input all the necessary information for data capture.

Types of Captured data

With LI systems it is possible to capture flows from applications like:

  • emails;
  • instant messenger chats;
  • VoIP calls;
  • web pages' "hidden content";
  • web chats;
  • IRC

etc...

Regulations

To avoid fraud or abuse some regulations are in place to protect the right of individuals and organizations.

Summary

Several government agencies around the globe are deploying LI systems. Carriers are doing this also to be compliant with local regulations. There are several studies about privacy and cryptography, but these are beyond the scope of this post.

Regards

30 June 2008

Security Certification – Standards for the Government IT Workforce

According to a recent GCN article, the federal government (civilian agencies) may be releasing a standardized list of security professional certifications required of the IT workforce. This could see lasting benefits, though it would initially incur some immediate challenges.

Benefits:

The most obvious benefit would be the development of an assurance baseline for government security programs.  Through the issuance of minimum qualification requirements for each staff position, the government could reduce staff qualification deficiencies, and optimize the costs needed for a highly trained IT security workforce.  The government must be agile, and must understand the competency of its security staff and IT professionals to maximize results.  This could also establish a limited playing field for IT security firms, and idealize the importance certifications offer, as has been achieved in the private sector.

Challenges:

Where does this certified workforce come from?  As minimum requirements are published, they will need to be phased in to allow a transition for existing staff through fast-track certification programs, and to enable organizations to find staff to meet their immediate needs for IT security practitioners that have the appropriate credentials and background investigations.  This also will require certification agents (including (ISC)²) to actively qualify their organization's credentials to ensure current staff can qualify themselves under the new certification requirements.  Other challenges would include increased recruiting costs, additional training costs for existing staff (including attending certification programs), and a wider adoption of specialized security certifications.

Conclusion

I see this as an essential step forward for ensuring the federal government workforce has the competency to meet the changes faced in the IT security landscape, and can appropriately meet the future challenges in this diverse and evolving field.  I also think more specialized sector tracks will begin to emerge out of the transition, giving security practitioners more focused and specialized security roles.

24 June 2008

Are we crying wolf?

A short article by David Hobson on the Catalogue eBusiness site caught my imagination this morning.  David deconstructs the costs that an organization incurs when it suffers a major information security breach.  Summarizing and paraphrasing the article, the identified costs break down as follows:

  • Obvious, direct or tangible costs such as:
    • Replacing stolen equipment;
    • Improving security controls to stop the losses and prevent recurrence;
    • Notifying affected parties;
    • Defense against litigation such as customer lawsuits, plus fines and damages;
    • Further costs such as credit monitoring for affected customers and fraud settlements with banks/credit card companies;
  • Concealed, Indirect or intangible costs such as:
    • A share price dip (albeit typically rather short term);
    • Reputation and brand damage negating prior marketing investments and necessitating increased marketing expenditure in an attempt to restore brand value;
    • Customer erosion i.e. lost sales.

The examples David uses to illustrate his points are mostly business-to-consumer retailers who have suffered major credit card database breaches, the kinds of thing that hit the headlines and end up being listed at the Privacy Rights Clearinghouse.  The actual costs would be different in each case of course, and perhaps significantly different in breaches affecting other types of organization.  A financial services company - a bank for example - would probably swallow the obvious/direct/tangible costs with hardly a thought but the concealed/indirect/intangible costs could cripple its future business prospects, since "protecting your money" is so obviously a central plank of its value proposition to customers.  Similarly, business-to-business companies that typically depend on relatively fewer but larger/more valuable relationships with customers, partners and suppliers, may suffer disproportionately through brand and relationship damage.  I'll leave you to think about the nature of costs at yet other types of organization: SMEs, manufacturers, military units, charities, technology companies, information security specialists ... there's an endless variety to ponder.

Looking back at David's list of costs, it occurs to me that there are numerous entries missing, some of which could be significant:

  • Press releases, publicity, promotional and legal activities to explain and ideally mitigate the immediate damage, even before commencing the brand rebuilding phase;
  • Investigation, forensic analysis and legal costs associated leading perhaps to prosecution for the perpetrators (many of these costs will be incurred even if there is little prospect of prosecution, just in case it ever comes to court);
  • A dip in management and staff confidence, leading to low morale, reduced productivity, diversion of efforts towards the breach containment and fix, and perhaps resignations of key people (whether forced or voluntary, directly implicated in the breach or 'collateral damage');
  • Reduced applications for job vacancies from quality candidates scared off by the incident and surrounding publicity;
  • Reduced investment in planned or potential new business initiatives, whether because of a lack of funding or through 'reprioritization of budgets' to focus on restoring security, confidence and brand value, leading perhaps to a reduction in market advantage;
  • Increased charges from auditors and other expert advisors, some directly addressing the breaches and controls, others involved in conducting broader governance and security reviews, offering security and marketing advice etc.;
  • Increased cost of capital, due to patently increased risks evidenced by reductions in the share price, brand value, stakeholder confidence etc., increasing downstream borrowing costs;
  • Opportunistic exploitation by companies offering 'quick-fix solutions' to stem the bleeding without actually addressing the underlying illness;
  • Costs to other victims besides the organization - identity theft, fraud and general grief should not be underestimated for these collateral victims;
  • Negative impacts on society at large, such as a generalised reluctance to use credit cards, online banking etc., increasing costs for face-to-face financial transaction processing and technophobia.

And to be fair, there are potential upsides to incidents too:

  • Increased transparency to customers and other stakeholders through 'coming clean' about the incident, with the implication that perhaps the organization is going to be more honest and open in future;
  • Better management appreciation of information security risks, hopefully with increased investment in information security risk management and controls in general, leading to a broader reduction in costs and losses through all security breaches (including relatively minor ones that never make the headlines, such as 'insider threats');
  • Replacement of outdated equipment, software and controls with more modern, efficient and effective ones (well possibly!).

Finally, looking at the big picture, I'm left reflecting on how closely breach costs typically projected by information security and risk management professionals (like us) reflect what actually occurs in practice.  As with the oft-repeated claims about a significant proportion of organizations without contingency plans going bust after a major incident or disaster, I'm wondering how accurate our predictions are, in fact.  Most organizations seem to suffer relatively short term impacts even from major breaches, and pretty soon the world moves along.  The news media and stock markets, if not the individual victims, seem to forget quite quickly.  The credit card machines at TK Maxx are buzzing again.  I wonder what proportion of the general public even understands, let alone cares, about such incidents given that the banks and credit card companies seem so happy to indemnify them.

Infosec/risk professionals are naturally cautious by nature, cynical and perhaps slightly paranoid in outlook.  We're trained and paid to look on the dark side.   The open question in my mind is: do we go too far?  Is the dark side quite such a deep shade of black in reality?  Or are we crying wolf? 

Kind regards,
Gary

Gary Hinson
Passionate about security awareness
www.NoticeBored.com  Creative awareness materials
www.ISO27001security.com  ISO/IEC 27000 standards

21 June 2008

Education, Education, and Education

I've just been catching up with Gary Hinson's excellent piece on security awareness. We've been having a somewhat related debate in the anti-malware industry on the usefulness of user education and training for many years, on and off. In fact, I was engaged in a lively resurgence of the topic on a specialist mailing list just a few weeks ago.

In general, the community tends to polarize into the "If education was ever going to work, it would have done so by now" faction and the "Education is the most important weapon in the security professional's armoury" faction. In fact, while neither position is totally incorrect, neither constitutes a universal, incontrovertible truth, either. The first position seems to assume that:

  • We should only pursue strategies that are 100% successful. In that case, I guess we should simply forget about information security, which clearly doesn't meet that criterion. And while we're at it, let's dispense with criminal justice systems and medicine, since we've failed to eliminate crime and disease.
  • Current educational practice is already as good as it can be: there is no room for improvement. I've always been inclined to the view that "We don't know if education and training work, because no-one's ever done them properly." 

The second position is probably unprovable until someone does do them properly. But it flies in the face of most common practice, certainly in the anti-malware field, where most technology is implemented on the basis of transparent, automatic detection. (Unfortunately, this mode of implementation has contributed to the common assumption that it's somehow possible to get 100% detection, even where a purely reactive detection model is used, and the secondary disappointment - and even rage - when that assumption proves unwarranted. But I'll spare you that rant, this time.)

Actually, position 1 is almost invariably held by researchers: those of us with a grounding in direct customer support tend to gravitate towards a mid-position, having seen from personal experience that some groups and individuals do respond well to suitably targeted training and awareness materials. In "Viruses Revealed", Urs Gattiker quoted some research suggesting that people started to forget what they learned in training in 60-90 days, but that may have been affected by an attempt to over-teach. In fact, my experience suggests that it's not usual for a single individual to make the same mistake time and time again, though there may be some clustering in particular groups. Support specialists also tend to have more realistic expectations.

I was recently accused of wanting to turn end-users into computer/security experts, which would indeed be an absurd position. In fact, people with limited expertise often behave more "safely" than people who see themselves as proficient, because they're more likely to ask for help or advice, being less concerned with maintaining a knowledgeable image. If the training is apposite but not detailed and there is a sound tech support infrastructure in place, that's liable to raise the overall standard of awareness and responsible behaviour. It's unlikely to stop everyone from behaving like an idiot, though!

20 June 2008

Ethical Hacking Careers

There was a presentation by Donald Donzal, CISSP, at the SANS "WhatWorks in Pen Testing Summit" on the subject of "Remodeling your career for little to no money down". (If you are getting confused with all the links, this is the one to click.)

Donald gives a number of very useful hints that would be valid for all careers, such as "do what you love" and "quitting a job is easy, making the decision is difficult". So the underlying theme is what you would expect from most articles about self-improvement.

That being said, it's still encouraging to hear someone broadcast the message that there is a gradual, natural and learnable way for becoming a professional. As Donald says, it's not just the skills that count, it's the enthusiasm. Everything else will follow in due time.

PS. Sound quality of the first five minutes is not fun, and average at best after that (my ears are still bleeding). Also you have to look at the slides separately. Despite its technical challenges it's still a worthwhile presentation.

Choosing the right security personnel

Simon Heron just published an interesting podcast on Help Net Security, covering the art of finding the right security personnel. I invite you to listen to it yourself; some key points include the requirement for experience ("there is no substitute"), training, and the natural curiosity that security professionals bring to work and the intellectual stimulation they crave.

I have often found this confirmed; it's something that companies need to be aware of when the training budget seems like an easy target for cost saving, once again (it worked last year... and the year before...). In the long run, such companies will have either a skills or a retention problem (hard to say which is worse, paying for untapped talent or losing it altogether).

Heron also emphasizes the importance of certification, and that, in his opinion, the CISSP and the SSCP are some of the few-and-far-between certifications with credibility.

Moving on, I found another blog post this morning that seemed to make quite the opposite point, "R.I.P. CISSP" by Andre Gironda on TSSCI. The point he's making is that because of a trend for "serial specialization" the established "generalist" certifications are no longer useful.

Quite the contrary, I would say. In order to be a "serial specialist" one needs a solid foundation, an understanding of the entire field. If one is unable to see the connections, one will not be able to move from one specialization to another. The rules of the game haven't changed. The game has been raised.

Incidentally, (ISC)² Concentrations are taking a step in this direction. As for the OWASP certification project Andre mentions, I am holding my breath to see what it will become, but chances are it will be very technically focused, as opposed to the combination of technical and managerial elements in the CISSP. And it certainly doesn't look like a replacement.

19 June 2008

RBAC - How to Eat the Elephant

One of the current niches within the Identity Management space is that of RBAC - role-based access control. RBAC is not a new 'niche' or indeed a new framework, but has seen a wave of interest in recent years with numerous small independent vendors (as well as the usual players) entering the market and creating a buzz.


The increased interest has been driven by several factors including general audit compliance and the drive for simplified account administration.  But the main one, I believe, is the general maturity of Identity Management and the missing link of roles enforcement.


With roles, organizations have the ability to manage detailed account entitlements in an automated and security-controlled manner, implementing least-privilege access as well as providing entitlement ownership, reporting and accountability. Many organizations see this as a key requisite of any automated account provisioning mechanism, but fail to understand the key components of how to successfully approach or deliver such a project.


To many the migration from a user centric access platform to an RBAC framework is often a daunting enterprise wide project similar to attempting to 'Eat an Elephant'.


Role Mining Theory has generally been viewed academically for several years since papers from the likes of Ferraiolo and Kuhn became popular reading as well as standards from ANSI becoming the main starting point for any RBAC project. Role Mining (or Role Engineering) can generally be viewed from a top down (looking for patterns based on HR or job description data) or bottom up (application specific, entitlement carrying) view point. Many projects should really focus on utilizing both mining methods in order to create a hybrid model allowing roles covering a multitude of job functions and entitlements.
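As an added illustration of the bottom-up and top-down role mining the paragraph above describes (this is example code written for this page, not a tool or method from the post or any vendor it mentions), the block below takes a constructed set of per-application entitlements and HR job titles for five hypothetical users. Bottom-up mining clusters users with identical entitlement sets into candidate roles and factors out a base role everyone holds; top-down mining takes the entitlements common to all holders of a job title as that title's role; the hybrid check then reports entitlements a user holds beyond their title's role, which is where least-privilege and separation-of-duty reviews usually start. All user names, titles and entitlement strings are constructed.

```python
"""Bottom-up, top-down and hybrid role mining over a small constructed
entitlement matrix. Example code added for this page; all data is hypothetical."""
from __future__ import annotations

from collections import defaultdict

# Constructed sample data: entitlements per user, as a bottom-up mining tool
# would extract them from the applications themselves.
ENTITLEMENTS: dict[str, set[str]] = {
    "alice": {"email", "intranet", "erp:ap-view", "erp:ap-post"},
    "bob":   {"email", "intranet", "erp:ap-view", "erp:ap-post"},
    "carol": {"email", "intranet", "erp:ap-view"},
    "dave":  {"email", "intranet", "crm:read", "crm:write"},
    "erin":  {"email", "intranet", "crm:read", "crm:write", "erp:ap-post"},
}

# Constructed HR data for the top-down view: job title per user.
JOB_TITLES: dict[str, str] = {
    "alice": "AP Clerk", "bob": "AP Clerk", "carol": "AP Auditor",
    "dave": "Sales Rep", "erin": "Sales Rep",
}


def mine_bottom_up(entitlements: dict[str, set[str]]) -> dict[frozenset, list[str]]:
    """Group users with identical entitlement sets into candidate roles."""
    clusters: dict[frozenset, list[str]] = defaultdict(list)
    for user, perms in sorted(entitlements.items()):
        clusters[frozenset(perms)].append(user)
    return dict(clusters)


def base_role(entitlements: dict[str, set[str]]) -> frozenset:
    """Entitlements every user holds; these are the natural 'base' role."""
    sets = list(entitlements.values())
    return frozenset(set.intersection(*sets)) if sets else frozenset()


def mine_top_down(entitlements: dict[str, set[str]],
                  job_titles: dict[str, str]) -> dict[str, frozenset]:
    """For each job title, the entitlements shared by ALL of its holders.
    That intersection is the candidate role for the title."""
    by_title: dict[str, list[str]] = defaultdict(list)
    for user, title in job_titles.items():
        by_title[title].append(user)
    return {
        title: frozenset(set.intersection(*(set(entitlements[u]) for u in users)))
        for title, users in by_title.items()
    }


def exceptions(entitlements: dict[str, set[str]], job_titles: dict[str, str],
               roles: dict[str, frozenset]) -> dict[str, list[str]]:
    """Hybrid check: entitlements a user holds that their title's role does not
    grant. Each one is a candidate for removal or for an explicit, owned exception."""
    out: dict[str, list[str]] = {}
    for user, perms in entitlements.items():
        extra = perms - roles[job_titles[user]]
        if extra:
            out[user] = sorted(extra)
    return out


if __name__ == "__main__":
    for perms, users in mine_bottom_up(ENTITLEMENTS).items():
        print("candidate role", sorted(perms), "->", users)
    print("base role:", sorted(base_role(ENTITLEMENTS)))
    roles = mine_top_down(ENTITLEMENTS, JOB_TITLES)
    for title, perms in roles.items():
        print("title role", title, "->", sorted(perms))
    print("exceptions:", exceptions(ENTITLEMENTS, JOB_TITLES, roles))
```

On the constructed data the bottom-up pass finds four candidate roles (alice and bob collapse into one), the base role is the email and intranet pair, and the hybrid check flags erin, a Sales Rep who also holds an accounts-payable posting entitlement. That last finding is exactly the kind of item the post says needs a business owner rather than an IT decision: someone must either remove the entitlement or sign off on the exception.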


Like any large-scale, enterprise-wide project, strong project management is a must, allowing the implementation to be broken down, prioritized and de-risked. Business areas should be selected with strong business stakeholder buy-in, in order to provide guidance on non-IT requirements and role ownership.


The use of RBAC brings several business process changes which require non-IT operations to understand and manage various processes in the RBAC lifecycle.  Without business buy-in, RBAC becomes an IT-centric tool which will fail to deliver enterprise-wide benefit.


Any selection of an RBAC tool is really based on enabling the business to perform greater and more efficient access governance and identity management. In order for this to be successfully accepted, the business needs first to understand the expected benefits of undertaking such a large project. This can generally be best seen if an RBAC framework is attempted manually without any automated tools. This shows the difficult and time-consuming process of attempting to cluster users and entitlements together. It also gives a point of comparison between manual delivery and an automated methodology for RBAC access governance.


The implementation of an RBAC framework should generally be seen as a long-term strategic direction as opposed to a short-term tactical fix for a single application. A long-term view must include business ownership of the framework as well as the automated IT mechanisms underpinning such a solution, such as provisioning, access enforcement, role development and separation-of-duty monitoring.


The key to most of the points mentioned so far is business buy-in. This is true of so many enterprise security projects, with so many however overlooking this critical point. Many large-scale organizations now have an information security function with a representative at board level, generally seen to be the CISO or Chief Information Security Officer. Whilst they may be the main advocate of an RBAC framework on behalf of the IT function, other board members should be keenly focused too.


The CFO should be interested due to the long-term ROI and lower TCO. Representatives from Audit (for the increased reporting and access governance ownership gained by RBAC) as well as CEO reports should also be part of the decision-making process due to the enterprise-wide impact of RBAC. This would not be limited to non-IT managers becoming part of the access control ownership function, but cultural changes to existing business processes, mainly surrounding access request and access remediation and reporting.


Industry analysts such as Gartner and Forrester now regularly comment on the expectation that RBAC frameworks will become the standard offering to large scale organizations intent on increasing access governance whilst lowering TCO for user administration.


It remains to be seen whether successful RBAC implementations can be made without cross business understanding and buy-in, as with only IT sponsorship any enterprise wide project is destined to fail.

18 June 2008

Where Is Your Sensitive Data?

   Data, data everywhere, but nobody knows where it is.  How much time have you spent looking for a particular document in an unstructured shared repository?  When people collaborate they often haphazardly name documents and directories which does not necessarily make it easier for others to find it.  Not knowing where the data is when you need it is a classic availability problem.

   When data is temporarily lost, productivity drops, tempers flare, and frustration abounds.  A lack of document management is not only a productivity problem, but a security one as well.  Sensitive information misplaced may be located in a directory with inappropriate access controls for the type of data it contains.

   Information that is moved to an improper directory is minimally copied from one location to another.  Were other copies of the data also made?  Did the information flow through other channels such as email or peer-to-peer software?  The unknown in this regard is very disconcerting.

   A recent report produced by Verizon indicates that 66% of data breaches they investigated involved information placed in areas easily accessible by the attacker, but the existence of which was unknown to the victim.  They refer to this as the “Unknown Unknowns” of their data breach investigations.  Some reasons these “Unknowns” might occur are:

  • Users mistakenly making copies of the information from one location to another with weaker access controls.
  • A lack of explicit directives regarding the controls necessary for the information.
  • Poor security architecture design when systems are integrated and/or upgraded.

   Recommended countermeasures include:

  • Establishing policies, procedures, processes, and training regarding sensitive information.  Inform users regarding the necessary access controls for each data type as well as the approved locations and access controls for storing the information.  Appropriate storage media and file types should also be explicitly identified.
  • The use of file and folder naming conventions.  Establish a structure which makes sense and is easy for users to follow.  Use access controls to protect the integrity of shared documents.
  • Conducting periodic file searches using system tools (such as grep or Windows Search) to identify documents in places where they should not be.  Perform the search using sensitive keywords or words that should not be found in files in a particular directory.
  • Using tools to perform dirty word searches to detect inappropriate information flows.  Some intrusion detection systems and packet sniffing software might be useful in this regard.  At a minimum, monitor information flows at the network edge to determine if sensitive information is inappropriately leaving the system.

   All sensitive information within an organization needs to be explicitly identified.  Users of the information should be made aware of the different sensitive data types and be provided guidance on approved handling methods.  Technical controls which monitor information flows or inappropriate locations of sensitive information should help counteract mistakes, oversights, and perhaps even malicious activity.  Knowing the location of your sensitive data is the first step to protect its confidentiality, integrity, and availability.
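The periodic file search and dirty-word countermeasures above can be scripted rather than run by hand. The block below is an added example written for this page, not a tool from the post or from Verizon: it walks a share, classifies each file by a small set of sensitive markers (a keyword list plus a payment-card-like number filtered through a Luhn check to cut false positives on random digit runs), and reports files that match but sit outside an approved location. The keywords, the 'restricted' directory name and the sample files are all constructed assumptions; a real deployment would take them from the data classification policy the post says should exist.

```python
"""Locate sensitive files stored outside approved directories.
Example code added for this page; markers, approved paths and sample data are constructed."""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Constructed policy: markers that make a file 'sensitive', and the only
# directory name (anywhere in the path) where such files are allowed to live.
KEYWORDS = ("CONFIDENTIAL", "INTERNAL ONLY")
APPROVED_DIRS = ("restricted",)
# 13-19 digit runs, optionally separated by spaces or dashes (candidate card numbers)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed payment-card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> list[str]:
    """Return the reasons a piece of text looks sensitive (empty list if none)."""
    reasons: list[str] = []
    upper = text.upper()
    for kw in KEYWORDS:
        if kw in upper:
            reasons.append(f"keyword:{kw}")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            reasons.append("card-like number")
            break
    return reasons


def is_approved_location(path: Path, root: Path) -> bool:
    """True if any directory between root and the file is an approved one."""
    return any(part in APPROVED_DIRS for part in path.relative_to(root).parts[:-1])


def scan_tree(root: Path) -> list[dict]:
    """Walk root; report sensitive files that are not in an approved location."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                text = p.read_text(errors="ignore")
            except OSError:
                continue                      # unreadable file: skip, don't crash the sweep
            reasons = classify(text)
            if reasons and not is_approved_location(p, root):
                findings.append({"path": p.relative_to(root).as_posix(), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list[dict]:
    """Build a constructed share in a temp directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "restricted").mkdir()
        (root / "public" / "2008").mkdir(parents=True)
        # constructed sample files
        (root / "restricted" / "board-pack.txt").write_text("CONFIDENTIAL board minutes")
        (root / "public" / "2008" / "newsletter.txt").write_text("Summer picnic on Friday")
        (root / "public" / "2008" / "refunds.txt").write_text("card 4111 1111 1111 1111 refunded")
        (root / "public" / "draft.txt").write_text("Internal only: merger plan")
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", ", ".join(finding["reasons"]))
```

The board pack is sensitive but sits under 'restricted', so it is not reported; the two files under 'public' are. Running something like this on a schedule, and treating each finding as a ticket for the data owner rather than silently moving the file, turns the post's "search for documents in places they should not be" into a repeatable control.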

17 June 2008

Security awareness: a 'How not to do it' guide

I spent a few hours at the weekend viewing/listening to a series of presentations to accompany the launch of the Information Security Awareness Forum (ISAF) in London.  I won't bore you with all the details right now but one item in particular caught my eye/ear.  One of the presenters essentially said that security awareness doesn't work, a somewhat curious point to make in support of a security awareness initiative.  Anyway, it's not the first time I've heard the argument and I've been mulling it over ever since.  My blood having dropped just below boiling point, it's time to respond.

Today I took one of those "online security awareness" things, and came away with a whole case study on How NOT To Do security awareness.  I shan't name the organization concerned because my aim is not to embarrass them in any way, and it really doesn't matter - I'm sure these lessons are equally valid for many other security awareness programs.

1.  The 'awareness program' takes the form of a website and simple (first generation?) Learning Management System, basically a series of web pages plus questions covering a range of information security topics.  There was almost no introduction, explaining why I might want to pay attention (presumably because the only way anyone can be persuaded to do this stuff is if management cracks the big whip).  There was very little latitude for the user in sequencing the topics - just start at the first and proceed one by one until you reach the end.  If I had questions about password construction, for example, I had to have answered the first nine of 15 modules to get to number 10 on passwords.  The only concession to usability was that I could have interrupted the flow (between, not during any module) and could return later to the saved checkpoint.

2.  The information pages appeared to have been lifted from existing materials - policies and guidelines, complete with legalese and cross references (which didn't work since there was no way to alter the delivery sequence of the awareness package, and there were no active hyperlinks).  There was a lot of tedious content to read.  I suspect that much of it would have gone right over the heads of many of the employees taking the course, even those diligent enough to read every tedious word.  Worse still, there were inconsistencies within the text, sometimes direct and explicit contradictions - for example in one paragraph stating that limited personal use of corporate IT facilities was permitted with various caveats, and two paragraphs further on stating that corporate IT facilities were only to be used for legitimate organizational purposes.

3.  The quiz questions were mostly idiotic.  It is common practice to include one obvious distractor in a multiple choice question, something that is clearly wrong.  However, some of the questions had 2 obvious distractors with only one remaining option.  About a third of the questions showed no creativity whatever, being merely "true/false" or "yes/no" choices.  In most cases, the correct answer was easily identified from the quiz alone i.e. without needing to reference the information previously presented, typically because it was the longest and most legalese answer and/or it repeated key words from the question.  I had to try especially hard to answer anything wrong ...

4.  When I entered an incorrect answer, the system told me it was correct and highlighted the correct answer in bold.  It gave me absolutely no further information about why my chosen answer was wrong or why the correct answer was right.  There was no opportunity for me to go back to the information page to re-read and check my understanding - in fact the introduction to every module said I could not return to the information page after starting the questions.    In other words, this was really a quiz not an awareness activity.

5.  At the end, the system told me "congratulations", emailed me a certificate of completion (whoop whoop!  Lashings of ginger beer all round, I've got a CERTIFICATE!), and finished with "See you next year!"    SEE YOU NEXT YEAR!!  Oh boy, it seems this is a once-a-year process.  I will have trouble remembering all that content tomorrow.  I will probably forget chunks of it and important details by the end of this week.  Next month, I will have forgotten I even took the test and wrote this rant.  What's the point of once-a-year anything?  Imagine if, say, learning to drive a car was done this way! Or sex!  <Slaps forehead>

6.   Some of the information and questions were inaccurate, ambiguous or misleading, occasionally technically incorrect.  For example, a "complex password" that fulfils the corporate minimum specifications (8 characters, mixed case with numbers) is actually WEAKER than a substantially longer password example.  There are indeed "more than 97,000 viruses" but that data item is, oh, about a decade out of date.  There were grammatical errors and logical errors too.  I admit to still being in a particularly picky and cynical mood today but these problems should have been addressed by more careful proofreading before this was released for use.  It is being used to assess tens of thousands of employees in an organization for which information security is extremely important.  Couldn't they afford to pass it by a competent reviewer first?

7.  There were 15 modules.  I'm a lightning quick reader and an infosec professional.  It took me about 5 to 10 mins to read each module and do the quiz.  That's an hour or two facing the little screen - many employees would need much longer.  It was a totally humorless, soul destroying and, yes, boring exercise.  Almost entirely text, with no diagrams and only a few nasty cartoon icons for company.  I came away thinking "Thank <deity>, that's over for a year!".  It was a distinctly negative experience, equating information security with tedium and slog.  Q: What's in it for me?  A:  Nothing.  In fact, the entire perspective was around protecting the organization's interests, not the individual user.  Maybe if it had explained why installing and updating antivirus software on my home system would help protect me and my family from identity theft, then I might just have paid more attention.

8.  Some modules appear to have been updated, including a couple of mentions of a major information security breach that hit the news headlines, oh, about 2 years ago.  All the impact has gone.  Old news is an oxymoron.  It's such a shame because the news media, IT press and infosec specialist press are full of highly relevant, topical and, dare I say it, INTERESTING news and incidents.  Even better, the organization has undoubtedly suffered infosec incidents that could have made even more relevant and interesting case studies.  But no.

9.  Some of the modules mention (relatively) new infosec risks, including social engineering.  Great!  Unfortunately, they provided no (zero, nothing at all) advice on what I ought to be doing about the social engineering and similar 'new' threats such as wireless network hacks.  "X could be really nasty!  It's a big issue!  You're on your own kid!" is hardly the most productive awareness content.  I wonder if this is partly because someone would have to create (and ideally proofread!) new content ... and if there is nobody on the payroll with the competencies and time to do it, that means going back cap-in-hand to the supplier of the "leading edge online information security awareness and training" pup they've been sold.
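Point 6 above claims that a password meeting the corporate minimum (8 characters, mixed case, with numbers) can be weaker than a much longer one. The following is an added example, not part of the original post, that makes the comparison concrete by estimating the exhaustive-search space each password forces on an attacker; the policy check and the sample passwords are constructed for illustration.

```python
import math
import string

# Constructed example: compare what a "complex password" policy guarantees
# against what a longer, policy-failing password actually provides.


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool covering the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the candidates an exhaustive search must try (upper bound on
    strength: dictionary and pattern attacks usually need far fewer)."""
    return len(password) * math.log2(charset_size(password))


def meets_corporate_minimum(password: str) -> bool:
    """The policy quoted in the post: 8+ chars, mixed case, with numbers."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def compare(policy_password: str, long_password: str) -> dict:
    """Report policy compliance and keyspace for two constructed passwords."""
    return {
        "policy_passes": meets_corporate_minimum(policy_password),
        "policy_bits": round(keyspace_bits(policy_password), 1),
        "long_passes": meets_corporate_minimum(long_password),
        "long_bits": round(keyspace_bits(long_password), 1),
        "longer_is_stronger": keyspace_bits(long_password) > keyspace_bits(policy_password),
    }


if __name__ == "__main__":
    # "Passw0rd" satisfies the 8-char/mixed-case/digit rule; the 19-letter
    # lowercase string fails it yet forces a far larger search.
    print(compare("Passw0rd", "orangeteapotbicycle"))
```

The first password clears the policy at roughly 47.6 bits of search space (62^8), while the lowercase 19-character string fails the policy at roughly 89.3 bits (26^19), which is the point the post makes about minimum-complexity rules.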

OK OK I'm ranting I know, but the reason is to point out that:
(a) with little investment and even less thought, security awareness can be done really badly;
(b) bad security awareness is unlikely to be effective, and in fact could be counterproductive;
(c) the ineffectiveness of badly designed, constructed and delivered awareness programs says nothing about the potential for well designed, well constructed and effectively delivered programs; and
(d) it really doesn't take a genius to figure out how to improve security awareness, especially when starting from such a low base.  A 20 minute team seminar about information security would have achieved so much more than this hour or two of extreme tedium.  Almost ANYTHING else would have been better!

I cannot understand why security awareness seems to be stuck in the mold of once-a-year inform-and-test (I used to call it the "sheep dip" approach to awareness, but subsequently found out that sheep are dipped more often than most employees are made to jump through the awareness hoops!).  It's high time for a new approach and some fresh ideas.  ISC2's own Cyber Security Awareness Resource Center offers a range of freely available creative materials and ideas.  Rebecca Herold's wonderful book "Managing an information security and privacy awareness and training program" is full to the brim with sound advice. 

Security awareness is dead.  Long live security awareness!

Kind regards,
Gary Hinson CISSP


UPDATE 17th June 2008: after three laptops were stolen in as many months from a British hospital, a spokesman is quoted as saying "'We give advice to our staff on security in their area and advise them to lock unattended rooms and offices and to lock away any valuable portable equipment whenever possible.  Security patrols take place and CCTV monitors many areas.'  He said there were regular security site surveys and an annual security awareness week."  I wonder if it has even occurred to them to get the annual security awareness week materials out of the cupboard, dust them off, bring them up to date and reissue them, along with more targeted and useful information on physical security, privacy etc.?  Probably not.  If management truly believe an 'annual security awareness week' is sufficient, perhaps they should see their own mental health specialists.

Incompetence or a deliferate mistale?

Hot on the heels of news in the British press last week about secret intelligence papers relating to Al Quaeda being found on a train comes news of a second incident, this time concerning Iran.

Being a slightly paranoid CISSP, of course, my thoughts turned immediately to 'leaks' deliberately sanctioned by Whitehall or the government - misinformation, propaganda and counterintelligence, designed to throw Britain's enemies, Johnny Foreigner, off the scent. 

But then I started to wonder about the possibility that Al Quaeda themselves might be implicated in the 'accidents', perhaps some sort of dispute with one of their agents/moles?  Why should we trust the official government announcements/press releases regarding the suspension of those held accountable any more than we trust the original story?  Perhaps the gummt is communicating with Al Quaeda via the newspapers, maybe sending an entirely different message to that which the literal words imply?

And finally, coming back to Earth, it occurred to me that the most likely explanation is plain old human error.  I recall my sage biology teacher patiently describing Occam's Razor to the class.  In essence, unless there is some justifiable reason for believing otherwise, the simplest explanation is most likely correct.  I have no inside knowledge of the British gummt or Al Quaeda, and no special reason to assume deep dark 007-style maneuverings beyond my fertile imagination, and fond memories of "Yes Minister!".

Human beings place extraordinary, perhaps mystic significance in plain old coincidence.  Before the rise of the scientific discipline, society thrived on religious doctrine, magicians, snake oil salesmen, alchemists and assorted crystal-ball-gazers.  I remain truly amazed at the extent to which such charlatans still influence modern culture, and the lottery (described by some wags as 'a tax on the mathematically challenged') continues to rake in great fortunes from willing victims.  [Aside: I sometimes suspend my personal disbelief long enough to buy a lottery ticket too - but while I enjoy making charitable donations and dreaming about the possibilities, I don't actually expect to win.  Choosing number combinations such as 1-2-3-4-5-6-7-8 amuses me but shocks the lottery agents.]

So, scratching the surface a little deeper, I wonder just how much other valuable information gets accidentally 'left on the train' or 'forgotten on the back seat of the taxi' ... and how interesting it might be for someone so inclined to visit a 'lost luggage' facility with some social engineering skills and malicious intent.

There's a lot to be said for routinely strongly encrypting such sensitive data on ALL removable media, including laptop hard drives, and ideally banning the use of printers for secret or higher-grade information.  We have the technology.  Does management have the will?

Kind regards,
Gary

Gary Hinson
Passionate about security awareness
www.NoticeBored.com  Creative awareness materials
www.ISO27001security.com  ISO/IEC 27000 standards
