I have just returned from two long days and two long nights of 44CON, the premier conference in London for technical InfoSec professionals (and even a few of us management types). It saw the debut of by “Flushing Away Preconceptions of Risk” presentation, an expansion of the my recent post for the Analogies Project.
The core messages of the presentation are not necessarily pleasant ones; the correct use of risk in any organisation is one of the most powerful tools in an information security programme, and yet it seems to me that very few of us understand it fully. Many of us struggle with not only identifying what the real risks are in the first place, but also how to measure them and even how to properly treat them.
Identifying risks at first seems like an easy think – identify assets, and then identify what could go wrong. I won’t elaborate the analogy much here (read it at the Analogies Project), but given how we regularly fail to identify risky behaviours correctly in our daily lives it should be no surprise we fail to do so professionally. The same bias applies to when we subsequently try and measure the risks; every mechanism we use introduces potential errors and even vagueness. I was quite proud to introduce the Langford/Malik Risk Model (ver 1.0), an approach that I evolved from one that Javvad Malik introduced in his book. Again, it uses an analogy although this time of a pub fight to not only describe levels of risk but also risk appetite. I do hope that not too many of you will find it useful next Friday and Saturday night.
Finally the effective treatment of risk was covered, and how we so often simply do what has been done before, not what is going to be effective now. Just because a risk hasn’t been realised doesn’t mean you have treated it effectively, it just means that an incident hasn’t happened (that you know of).
The slides are below, but since my presentation style has evolved more into storytelling rather than bullet point reading, by themselves they may say little to you, but the session was recorded and when it is released I will make it available here. Like any presentation it barely touches the surface of risk management and its issues, but it was intended to be thought provoking and prompt people to not assume that just because they have always done things in a certain way that it is the best or even correct way.
As for 44CON itself, well, any conference that has a “gin o’clock” on each day has to be pretty good in my books! It was a very well organised conference, with an excellent and highly motivated Crew to help support it. SpeakerOps were particularly good providing a personal touch I have not seen at any other conference. The quality of the talks and the speakers was also excellent, but as I alluded to in my introduction, many of them were technically beyond me!
The highlight for me however was a workshop I attended demonstrating the beta version of the Cyber CPR product. This is a virtual machine (that can also be deployed on ultra portable hardware if need be) that builds and entire incident management environment allowing for the discovery, gathering and analysis of evidence during an incident. It build a virtual “war room” environment, where multiple incidents can be tracked at once, in a secure and separate environment from the one that has actually just been breached. With tools built into the backend and access via a browser it even does away to have many of the tools on your own environment, making it great for remote and ad hoc use alike.
The product is in Beta at the moment, and does lack a few features, (they described it as not ready for active duty), but what i saw was very polished and useful even in it’s beta configuration. Commercially it will be available for free with up to three users, and only $5k GBP for up to twenty (please don’t quote me on these figures though). I would strongly recommend you take a look at this excellent environment that for very little outlay will significantly improve many current incident response teams, and their over use of Excel. The team expects it to be commercially ready by Spring next year.
The final highlight was to be able to meet Jonathon Schiefer the director of the film Algorithm which had its European debut at 44CON on Wednesday night. It was fascinating to hear about the backstory of the film, his challenges and even how he made the film financially and technically. He was an absolute pleasure to chat with, and I thoroughly regretted my decision to have a curry instead of watching the film. At a stretch you could say we are kindred spirits when it comes to our film making, but he is without a doubt in an entirely different league to me!
44CON will be back next year, but we were also enticed with the news of another 44CON spring conference being planned as well. I would strongly recommend anyone who can get to London to attend both of these conferences. Congratulations to Adrian and Steve and the many people in the crew for putting on a fabulous conference.
Do you really understand the value of the data in your organisation? Some of it is fairly straightforwards, such as personally identifiable information (PII) and/or credit card information ($188 USD per record in direct and indirect costs to the organisation for every record lost was the figure I last heard and used).
What about your intellectual property though? Or client RFP’s and and pre-sales work left on the train? Salary information? Internal network architecture diagrams? Sometimes, when this information is lost it is difficult to ascertain its value, impact to you and your organisation and therefore the scale of your response.
I was reminded of this value quandary while I was having a second fitting on a suit I was having made at the shop of Charlie Allen in Islington. Before anyone makes a judgement on my salary, the suit was a very welcome prize from my time at the InfoSecurity show in April, from the good folks at Sestus. I have had suits made before, normally in India, but this was my first suit to be made wholly in England and knew there would be a difference in price if i were to pay for it myself. After the fitting I asked to be measured up for some new shirts; I thought I would treat myself and take advantage of the time in Charlie’s studio. I checked the price of £200 with a minimum order of three. Good value I thought, three shirts for £200. It was only after the fabric selection, design, measurements etc the invoice came… The shirts were £200 each, a total of £600. I very nearly handed over my credit card simply to avoid the humiliation of admitting my mistake and exposing myself as someone who quite obviously shops in Top Man.
Blustering my apologies, I mentioned something about obviously not understanding the true value of these shirts, asked for the quote to be put on file for “later” (i.e. when I win the lottery) and made a quick exit. However, as I walked back to the office I realised that it was obviously going to be £200 each; a good quality short from Thomas Pink off the peg costs between £80 and £100 each, therefore how can three made to measure shirts cost £200? I had woefully underestimated the value of something that was actually quite obvious in hindsight.
So what? Understanding your information assets, and their value is a table stakes exercise. Doing this will allow you to do two things;
- Understand the total value of your assets and use the figure to work out what kind of exposure your organisation is likely to experience in case of a breach.
- Subsequently use this information to build a realistic business case for protective and preventative measures to avoid that breach in the first place.
- Ensure the scale of your response when those assets are compromised is commensurate to their value.
There are plenty of good resources to help guide you on this, but one of the most important pieces of the puzzle is to understand the financial value of your assets in the first place, and certainly not after a breach.
I recieved the email below from a colleague at work. At first glance it is funny, the chief security officer being represented by a dog… Hilarious! Of course security is just about being able to bark at people and occasionally bite them. This role isn’t about corporate responsibility or even enterprise risk management, it is about wagging your tail and barking at people and getting them to do things because you have barked it so.
I’m having second thoughts about my growth plan if this is where it leads to.
If I am honest, I am guilty of this too. I have often described myself as an “overpaid security guard” to people who haven’t a clue about information security, and they nod knowingly at me, thinking they understand InfoSec policy, enterprise risk and even DLP.
The above example of belittling the security function of an organisation has steeled me into action; if I can’t explain the role of a CISO/CSO to my Mother, then I need to re-evaluate what it is I am doing and the impact it has on the business. It also annoys me that the role of CISO is so easily belittled. I don’t think I have ever seen a CFO role boiled down to an image of a coffee bean, or even the CIO image reduced to a mouse or keyboard. What makes this worse is that this product offers “the highest security for your files in the cloud” and yet this is how seriously they take security.
A fundamental part of this is down to us as CISO’s and security people to ensure we don’t belittle ourselves to ingratiate ourselves. It is extremely difficult for us to ensure we are valued and respected in our organisations as it is, and sometimes the somewhat subservient/comedic route feels easiest. This is not the best way; it is the longest and hardest route to acceptance and understanding because the role is by it’s nature seen as a frivolity and a hilarious side act.
(We should note however that there is a place for humour in security, and if used correctly it is extremely effective. The point I am making above is that security as a serious subject should not be presented as a humourous aside.)
I recall a situation where I noticed someone working at a hot desk who had no visible identification. I asked around if anyone knew who the individual was, and nobody did. As I approached the individual I was met with a chorus of “get him Thom” and “tackle him mate!” etc. with much hilarity ensuing. None of it was meant meanly of course, but it was synonymous with the simplistic attitude of security. If any of the people who had spoken those words had any real idea of the security implications of having someone in their office without any idea of who they are, then their response may have been a bit more serious. The best part is of course that I had plainly failed in my security education and awareness with this group of people.
We are not guard dogs. We are not security guards (although they are an important part of the security function). We are not bouncers. We are not doing security for theatrical effect.
We are here to protect your revenue, your reputation and your bonus payouts. We are here to ensure we maintain good relationships with our clients, and allow our organisations to take on greater risk and therefore reap greater reward. We are here to help inform the business of security risk and advise as required.
What’s so funny in that?
Note: I have been extremely quiet on here these last few months; my role has changed dramatically at work requiring more travel and less time for the frivolous acts of blogging. Combine that with a busy schedule with Host Unknown and my other info sec commitments I have neglected this blog site somewhat. Hopefully this post sees me back in the saddle again, and you can always catch up with me on Twitter. Oh, and the holiday was good too!
A lot of good stuff has already been written about this last week with regards to BSides London, InfoSecurity Europe and the Security Blogger awards, so this post is a personal recollection after the haze of too many late nights, early mornings and good times.
Tuesday 29th bought BSides London, and once again the volunteers surpassed themselves; it retained two tracks but definitely felt expanded with the workshops and a new location for the rookie track. The organizers should feel rightly proud of what they have done, and those of you who didn’t turn up on the day (and therefore denied others of a ticket) should take good long look at themselves in the mirror.
I had to spend the afternoon over at Infosecurity Europe as I was on a panel titled “One big threat to cyber security: IT Geeks can’t talk to management” alongside Dwayne Melancon and Stephen Bonner. It was only 25 minutes long but I felt we managed to push a lot of good advice and takeaways into it, and the conversations continued afterwards in the hallway. I even managed to get a reference to Kenny Loggins into one answer, something I feel rightfully proud of.
Then back to BSides to see Joseph Gwynne-Jones speak on the rookie track. I was mentoring Joseph this year, and to be honest I found it very challenging as Joseph is profoundly deaf; we couldn’t speak in the run up to BSides and could only communicate over email and Twitter. I advised as best I could, reviewed slides etc, but what was crucial was the ability of his interpreter being able to effectively communicate the jargon etc on the day. Given Joseph wouldn’t meet him until the morning of the conference this would be quite a challenge. As it turned out Ian Hodgetts did a marvelous job, and was also on hand to interpret into British Sign Language (BSL) of all of the talks Joseph went to. We believe this is a first for an info security conference. Joseph obviously did an absolutely cracking job and I was able to spend some time with him and Ian afterwards talking about what else we could do in the future to improve further. It was an eye opener for me, and an absolute education in how important it is to communicate clearly and effectively in these kinds of conferences to absolutely everyone who attends. At the after party I was able to wear the hoody that was generously given to me by the Abertay Ethical Hacking Society, and feel like a student again (if not look like one).
Wednesday bought Infosec Europe again after a few early morning meetings, (including some scheming and rubbing of hands with invisible soap with the good folks of 44CON at the 44Cafe – I can’t wait for September!) but the highlight was of course the Security Bloggers Awards. Between me and Host Unknown I was up for eight awards in total, and came away with the award for Best Personal Security Blog, again! I was both surprised and touched that I was able to get this award again. Host Unknown didn’t fare as well unfortunately, but I can guarantee that the next twelve months will put us in a very strong position for next year, both at the European awards as well as the USA awards at RSA. Unfortunately Andrew was indisposed to help us collect a Host Unknown prize (that we didn’t win).
(I have said this before but will say it again, everyone who is not only involved but also nominated for the blogger awards represents the very best of our industry in that they are all contributing their time and expertise to the community; I can’t recommend enough that if you are reading this that you also read their blogs too. Also, none of this would have happened without Brian Honan, Jack Daniel, Tenable, Tripwire and Firemon; thank you all.
Thursday bought another panel, this time in the Keynote Theatre with a panel on “Risk and control: Effective risk assessment methodologies to drive security strategy and investment” (alongside Vicki Gavin, Paul Haywood and moderated very well by Dave Clemente. It was a good, vibrant session and with plenty of questions both during and after the session.
Finally for the afternoon I got involved in only what can be termed a “flash mob” for Twist & Shout (as soon as that is released I will show it here!) and then got engrossed in the hallway track with the likes of Shan Lee, Quentyn Taylor, Peter Stephens, Jim Shields, Dave Lewis, Wim Remes, of course my conference partner in crime Javvad, and the lovely folks of Eskenzi and Acumin.
If there is one thing that is apparent form the above it is that any conference week is only valuable from the people you meet there. This list must be barely 10% of the people I shook hands with, shared a drink or said hello to, all of whom influence me to one degree or another. Whatever your thoughts on the infosec conference scene, this aspect alone is what makes it worthwhile. Apologies to anyone and everyone I have missed out.
InfoSecurity Europe is a show that has gone from strength to strength over the last few years, with the education programme improving; combine this with an excellent BSides London Conference, this week in Europe is one to look out for (although next year Infosec Europe and BSides will be from 2nd to 4th June at Olympia).