Humour And Information Security Don’t Mix – Or Do They?

Retcon

I think humour should almost always be employed when trying to put across information security awareness to people, especially as half the time they don’t even want to be there anyway.

I did a webinar with my colleagues of Host Unknown last week, hosted by Dan Raywood of IT Security Guru on just this subject. Take a look at it below (login required I am afraid):

https://www.brighttalk.com/webcast/11399/135005

Humour is a cross cultural phenomenon and not as exclusive as many people think. Use it to good effect to get your message across, and use the tips that we give, especially at the end of the webinar.

Embrace your inner stand up comedian!

Three Envelopes, One CISO

three-envelopes
The outgoing CISO of a company meets his replacements for lunch the day before he starts. He hands the newcomer three envelopes, labelled 1, 2, & 3.
I have one piece of advice for you. Whenever you have a breach, open each envelope in turn.
The job continues as expected over the months, when the fateful day come and the company suffers a security breach. Just before he is called into the boardroom to represent himself, he remember the envelopes and opens the first one. Inside, the card reads:
Blame your predecessor.
This he does and moves on.
A few months later another security breach occurs. Standing outside the boardroom, he opens the second envelope”
Blame your team.
A few months later, a third breach occurs. With a smile on his a face and spring in his step he approaches the boardroom confident he is going to get away with it again. As he is called in, he opens the envelope, mentally preparing to talk his way out of trouble. His eyes widen as he reads the card:
Prepare three envelopes.

 

512px-Sony_logo.svg
Last week saw the rather shocking news of the Sony security breach that suffered a very overt attack on Sony and multiple days of downtime. Rumours abound around if it was an insider job, the extent of the damage, the rebuilding of the entire Sony Active Directory structure and wiping of all workstations and reinstallation of operating systems. The exact details will no doubt take many months to surface, but one thing seems to be clear; the blame of the breach is being squarely laid at the CISO’s (and sometimes the CIO’s) feet.
One article from IT Security Guru supported this with a quote from Phil Lieberman, CEO of Lieberman Software:
This was a perfect example of sloppy IT security and a CISO that did not implement proper privileged identity management, or a disaster recovery backup plan for continuity of business. The consequences were a loss of control over his environment caused by a focus on convenience of IT rather than the security of the enterprise.

This may well be true of course, and the Sony CISO may well have been incompetent in this instance. There is however a very real alternative possibility. What if the CISO had been very clear in the dangers in this case of convenience over security? And what if the board, or other senior leadership simply felt it was too “expensive” culturally and from the perspective of impact to the current productivity of the company. Sony is a strongly creative focussed business; it is not a bank, an energy company or in a regulated environment, so they are not forced to carry out particular security activities. The ability of their employees to not work as flexibly and without restriction could well be seen as a higher risk than that of a breach (even after the 2011 breaches).

Perhaps the cost of this breach will simply be a blip in the years to come.

The key thing though is that the business may well have accepted this risk and simply moved on, much as they would have accepted a financial risk and moved on. Sometimes financial risks results in massive downturns in business, and I don’t always see the CFO being pilloried on the first day without evidence – that is normally reserved for the CEO or Chair of the Board.

We seem to want to chop down the CISO as soon as something goes wrong, rather than seeing it in the context of the business overall.

Let’s wait and see what actually happened before declaring his Career Is So Over, and also appreciate that security breaches are not always the result of poor information security, but often simply a risk taken by the business that didn’t pay off.

I’m off now to get my PS4 in a fire sale.

“Compromise” is not a dirty word

compromise

If it wasn’t for the users we could secure the company much more easily.

or

They just don’t get it, we are doing this for their benefit.

We often hear statements like this being made, and sometimes even uttered by ourselves. In fact I daresay they are often made by people in very different support industries, not just information security, but it seems that we harbour these feelings more than most.

Effective security is security that is understood, adhered to and respected. Ineffective security is either too lax, or so tight that individuals do their level best to work around it. They are not working around it because they are subversive elements in our organizations, but rather because it is restricting them from getting their day jobs done; it has become a barrier.

Each organization will have it’s own unique requirements, and even within that organization unique requirements will come about. The finance and legal teams are likely to require a different level or type of security around their work than a creative or IT team. If you have ever observed a creative team in full flow you will understand that the concept of a “clear desk” policy is not only laughable but also extremely restrictive to the very fundamentals of their craft. That same policy however will be more easily understood and accepted by the aforementioned finance and legal teams.

So in this example do you enforce an organisation wide clear desk policy? Probably not. It may make sense to have a departmental one, although in some circumstances this would be harder to police. Or you could implement clear desk “zones”, i.e. areas where it is not necessary to have a clear desk because of other measures. The measure may be soft, such as background checks on cleaning staff or hard, such as supervised cleaning staff.

Variations to blanket policies always cost money, but if you ascertain the potential financial value of that loss and compare it to the cost of the measures you can help your business to understand, adhere and respect the measure you are proposing.

This doesn’t just apply to physical security (although it very frequently does!) but also to technical and administrative controls too. Policies have to be very carefully written and reviewed by the various stakeholder of your organisation to ensure the right balance is struck. Technical controls also have to have this balance. Data Loss protection (DLP) is a marvelous technology that when implemented correctly can reap huge rewards and avoided risks, but it is expensive and time consuming to install and run. Who should ultimately make that decision, you, or the business. (clue, it’s not you).

Don’t be afraid to compromise in your dealings with your organisation. If they disagree with your approach, they either get it and feel it is simply the cost of doing business, in which case go off and look at other ways to support them. Or they don’t get it, which means you need to do a better job of convincing them of the risk in which case, go off and look at other ways of making your point. A good compromise is made when each party respects and aligns to the other parties point of view, not when each party is on fundamentally different sides.

Help your business respect and align to the information security ideals you hold dear, and do the same for theirs and you will always get more effective security.

Getting Ahead in Information Security

getting ahead

(Originally Posted on the VIA Resources Blog here.)

Advancing your career in information security, let alone getting a job in it in the first place is challenging and sometimes overwhelming at best. It can often feel like an exclusive club that is hard to break into, and the “elder statesmen” of the community distant and aloof. With these kind of barriers where do you even start to try and network and make contact with people who could not only progress your career but also start it?
The real answer at first appears flippant; if you want to be a part of a community you need to engage with it and join in. Obviously, that is harder than it seems, so here are three ways you can help yourself to getting ahead in Information Security:

1. Start attending the many free events that are held every week.
There are plenty of these around, you just have to look for them, such as (ISC)2 and ISACA events, plenty of sponsor driven events and community driven events. Europe’s largest information security event, Infosecurity Europe is a free three day event which not only gives you access to all of the vendors out there, but also an excellent education programme. Traditionally on the same week there is also BSides London, a free one days event, although this one is ticketed. Not in London? Then consider BSides ManchesterSteelCon and SecuriTay. Seek them out and you will find them. Not in the UK, then Google is your friend.

2. Attend some of the bigger, paid for conferences.
Obviously this is not always easy, especially given the price of the tickets and the whole reason you are reading this is that you need a job! All of these conferences require a huge amount of effort and willpower to get them to run smoothly on the day, and many of them require… volunteers. 44CON has one of the best volunteer crew programmes I have come across, with plenty of perks available. By volunteering for these events you are not only showing yourself to be a stand-up member of the community, willing to help out and contribute, but you will also get unprecedented access to the attendees, speakers and organisers. They are yours for the networking!

3. Contribute to the community.
This could be anything from volunteering (above), blogging, tweeting, offering to speak, writing articles for the various community news outlets, in fact anything that gets your name out there. Submit in the variety of Call for Papers (CfP) and you normally get a free ticket, and sometimes travel expenses paid too. Depending upon your grammatical and public speaking skills, this could be very tough but who said progressing your career was easy? Being able to articulate your personal opinions on the often very contentious issues in the industry is an excellent way of improving your ability to assimilate, process and form your own opinions and views for the benefit of the community. What better way of getting known in the industry?

All of the above require time dedication and effort, but since this is your career we are talking about, are these too much to ask?

An open letter to Apple – a change of heart

overcome-regretDear Apple,

I wrote to you back in 2012, deriding your decision to remove the lock lead security hole on your laptops. I may even have been a little rude.

An epiphany of sorts has happened to me at some point over the last few years though, and I think it stemmed from your decision to remove the security hole. Back then, I argued that physical loss of an asset was still bad, even with encryption enabled, because of downtime, replacement costs etc.. It also, I argued, helped to instill a culture of security in people as the physical act of locking their laptop would also remind them of their other security obligations, a constant reminder pif you will.

I was wrong.

The lock lead has been seen as barrier to productivity as our workplaces have changed and our people have become more mobile. People have avoided using them, or evened cursed them because their offices didn’t take the relevant logical step of ensuring there were adequate anchor points to be used. People were moving from one room to another on a regular basis for their meetings, and locking and unlocking their laptop reminded them of how out of touch security was with the realities of daily life.

I even did a back of a napkin calculation; a company with 10,000 laptops would spend (roughly) about $500k USD every three years on lock leads. That same company may experience thefts that could have been prevented by a lock lead that would total less that $10k a year. Financially this no longer makes sense. My inner chimp was scared that laptops would simply be stolen regularly from our offices and if I didn’t do anything about it I would get fired. In fact, decisions like this are costing our companies hundreds of thousands of dollars off the bottom line. So much being a “business enabler”.

So I take it back, all of it, and I want to thank you for setting me on the right path (and saving us all lots of money).

Your sincerely,

Thom “with regret” Langford

%d bloggers like this: