But rather a heartfelt thank you and cry for your support! In exchange for not writing yet another piece on Heartbleed (enough coverage by me here from last week) I thought I would take this opportunity to talk about the European Security Blogger Awards.
In it’s second year only, the competition has certainly heated up with a large number of high quality blogs, blogs and podcasts on offer to vote for. There is a good commentary from IT Security Guru and Brian Honan on what it is all about here. I am thrilled, excited and pleasantly surprised to have been nominated in five categories this year:
- Best Corporate Security Blog
- Best Personal Security Blog
- Most Entertaining Blog
- Most Educational Blog
- Grand Prix best Overall Security Blog
(I’m not sure how I got into the corporate blog category, but it’s all good!)
Thank you to all of those who nominated this blog in all of those categories, but with the quality amount of the competition I shall have to start practicing my Hollywood Oscars “really upset but can’t show it that I lost to that charlatan” face when the winners are announced.
One of my other internet tenancies has also been nominated three time, Host Unknown:
- Best Security Video Blog
- Most Educational Blog
- Best New Security Blog
With less than a year in “business” it is great to be nominated here as well, and we have a number of very exciting activities coming up over the next few months.
I said this last year, and it is worth repeating again; this list of nominations represents the very best of what the information security blogging community has to offer. Some of it serious, some of it humorous and some of it acerbic, but all of it providing a viewpoint of one kind of another that is worth listening to, reading or watching. Use this as a shopping list for your RSS reader.
Voting closes on Wednesday 23rd April, and the awards will be announced on Wednesday April 30th at the Prince of Teck Pub, Earls Court.
Thank you again to those of you who nominated me, time for the voting campaign to begin!
The very term ‘risk” often makes people feel uncomfortable, with connotations of bad things happening and that if risk is not minimized or removed then life (or business) becomes too dangerous to continue.
Crossing the road is risky, especially if you live in a busy city, and yet people, young and old alike, do it every day. In fact it is riskier than flying and yet I would argue that there are more people afraid of flying that of crossing the road. Hugh Thompson of RSA put it very well in his 2011 RSA Conference Europe presentation when he raised the issue of “Sharkmageddon”; more people are killed every year sitting on the beach by falling coconuts than those by sharks, but there is an almost universal fear of sharks. We irrationally consider swimming in the sea safer (less risky?) than sitting under a coconut tree.
Risk is an inherent part of our lives, and if we let the realities of risk take control of our business decisions we become the corporate version of an agoraphobic; staying in the safe confines of the environment we know and not ever venturing out to be active in the outside world; ultimately we wither and fail be it as individuals or as a business.
In my experience, one of the most misunderstood approaches to treating a risk is to accept or manage it. Most people are comfortable with mitigating, transferring or avoiding a risk as they involve some kind of act to deal with them, something we are all familiar with. We fix a problem, give the problem to someone else or stop doing the thing that causes us the problem in the first place. However, it often feels wrong to simply accept a risk, in essence to do nothing. Although this is not strictly the case, it is essentially how we feel we are dealing with it. You are accepting that there is either nothing you can do, or nothing you are willing to do to reduce the risk. However, you are not blindly accepting it at face value; rather you are being cognisant of the risk as you continue your operational activities. You know it is there as you carry on your day job. These activities and the very environment you are operating in can change without notice, and make the decision to accept a risk now the wrong course of action.
For instance, it may now be cheaper to fix the risk than it was going to cost you, or the highly lucrative contract that made the risk acceptable is now over and there is a greater risk of financial lost that costs more than the revenue you are bringing in. The reasons for change are often financial, although not always. Your risk appetite may also have reduced or the industry you are operating in becomes more regulated; all of these example mean your decision to accept needs to be reviewed.
All risk decisions need to be reviewed regularly, for exactly the reasons given above, but in my opinion it is risk acceptance decisions that should be reviewed more often, as they are the ones that are made as a result of more transient and changing factors, and are the ones that will potentially harm the organisation the greatest.
It’s a bit like keeping a tiger as a pet – it looks awesome and maybe even draws admiring glances from many, but if you forget you locked it into your bathroom overnight you are going to have a very big surprise when you get up to go to the toilet in the middle of the night. You can’t accept risks without truly understanding them in the first place.
There has been much written and talked about over the years about the use of skimming devices and cameras being installed on cashpoints (ATM’s for my international readers), their increasing complexity and ability to seamlessly blend into the cashpoint itself. With the card being entered and read, and the PIN code either intercepted with lay on keypads or filmed with cameras, the criminals ability to clone cards is quite significant, and the financial rewards high. Most of us, if we were honest, would struggle to see a sillfully crafted and installed skimmer on an average ATM.
Why are we still so reliant on this kind of security? Sure, it is technically two-factor, with the card that I have and the PIN that I know, but as my previous statements show very clearly, this security can be bypassed very easily.
The Royal Bank of Scotland (RBS) quietly announced a new feature last year to their mobile app that allows cash to be removed from an RBS or NatWest cashpoint without a card. Given there has been much research on the fact that people were no more likely to forget their wallets and purses than their phones, and actually become more distressed at not having their phone over their wallet, the bank could see a shift in how people were becoming increasingly reliant on their smartphones.
The process is straightforward; after logging into the (already downloaded) app, and pressing “Get Cash” one simply types in the amount of money they would like to withdraw, and is then presented with a six digit, one time use PIN. This PIN can also be texted or sent to someone else if need be. (VERY useful to help out friends and family in distress.) One then uses an RBS or NatWest cashpoint (unfortunately other banks do not participate in this scheme) , presses enter on the keypad, and then enters the six digit PIN number twice followed by the amount of money that was originally requested. The cash is then dispensed. If more money is required, the process is repeated and another, different, six digit PIN is issued.
To my mind this is an excellent innovation, and other thought so too, with the creators behind the enhancement, SapientNitro being awarded a Cannes Lion at last years show. A slightly cheesy advert follows…
(Note: at this point it is worth me declaring my interest, as I am an employee of Sapient, the parent company of SapientNitro. That said, I was using the service before I realised it was Sapient that came up with the idea in the first place!)
This works in many ways:
- 1: The pin is only used once, so it doesn’t matter if a skimmer is in place, it is recording only a one time password.
- 2: Your card cannot be cloned as it is never used.
- 3: It is convenient because nights out only involve looking after your phone, not you phone and cash card and cash!
- 4: Even if you phone is lost, it is password protected, tracked, and you r banking app is also PIN protected with more than a four digit pin code (it is, right?). You can also wipe your smartphone remotely in most cases.
A UK food chain, Pizza Express, did a similar thing last year as well, whereby on the bottom of the receipt is a unique code that allows people to pay with PayPal; again this is smart (your misgivings about PayPal aside) as your card cannot be taken around the back and cloned without your knowledge, as the payment is sent directly from PayPal to the restaurant and notification received on the till. Of course every time I have tried to use it the code has always been misprinted stopping me from doing so! Lovely idea nonetheless…
So what is the upshot of this? Most importantly I think it shows how with the judicial use of technology we can keep one step ahead of the criminals. Of course they will catch up, and of course there are other security implications (a rise in smartphone theft perhaps?) but RBS has shown that a relatively small change in their systems can result in a huge change in the security of their transactions. As of writing I am not aware of any other UK bank having this capability (they seem to be focussing on the ability to send payments to friends rather like PayPal than anything else), but this kind of approach should become the new norm.
It is this application of security alongside the ability to truly understand their clients and their needs that in this case has allowed RBS to steal a march on their competitors. I know this simply because of the looks on the faces of my friends when I take cash out of the cashpoint without using my card; it is magic, and they like it…
This is truly a case over security versus convenience… but with added convenience.
At the recent RSA conference in San Francisco, David Spark asked the question “Why doesn’t the business align better with security?” and there were some interesting responses:
I actually only agreed with the last comment from Michael Farnum (whom I have followed on Twitter and finally got to meet for the first time at RSA… see “bald men of security” in my RSA roundup). He rightly says that that the business should not align with security, as it is the role of security to align with the business. Compare this to the question “Why doesn’t the business align better with IT?” or “Why doesn’t the business align better with HR?” and the question immediately becomes moot.
I think David was right to ask the question because it has uncovered with greater clarity something that I and many other have been talking about for some time now, namely that security for too long has been carying out secrurity for its own sake rather than supporting the business achieve its goals. In my own paraphrased words “this is what I need security to do to help me sell more beer“.
This was reiterated by Andy Ellis at a session at RSA where he said precisely this;
are you the conscience of the business or an enabler to the business?
Finance is there to provide money, make that money work more effectively and ensure the money is providing the best value for the good of the business. IT is there to provide technology services at the best possible value for the good of the business. HR is there to provide people, support them, nurture them and align them (or move them out), for the good of the business.
What is your security programme doing for the good of the business, rather than the good of security? Asking this question alone will help you along to your business goals and actually help them achieve their goals, not yours.
Being a frequent traveller, be it train, bus, car or plane, I often get to see people working in all of these environments to one extent or another. From seeing people’s laptops on the front seat of their cars to leaving them unattended in travel lounges, I have seen all sorts of behaviour that we, as information security professionals, would see as unforgivable. We regularly question ourselves as to why this happens, especially when the effects can be so dramatic and have direct impacts on our professional and personal lives.
My most recent example was just last week, sitting opposite a woman who was working on her laptop and referring to a sheaf of A3 colourful papers. They had the unmistakable artwork of Lauren Child, a children’s author and illustrator. As a father of a ten year old and an eight year I recognised the artwork and style immediately as the author of Charlie and Lola, some of my children’s favourite story characters. The papers in questions had plenty of hand drawn mark up on them suggesting this was in the final stages of editing and layout prior to printing, the story itself centering around one Elmore Green who was jealous at the arrival of a younger sibling into his family. It all ends well of course, with Elmore having someone to snuggle with at the end of the book.
Three things surprised me. Firstly, the way in which the papers in question were left out of the direct sight of the woman concerned, either on a seat on the opposite side of the walkway, or even underneath her own seat (and very accessible from behind). Secondly I was able to discern a large amount of detail from the book in a very short period of time; this is of course partly down to the nature of the book itself, but also, because each page was carefully moved to in turn and then placed somewhere I could review it and even photograph it. Finally, I was alarmed that someone like Lauren Child, who has a very unique and successful place in children’s literature would allow an as yet unpublished book be revealed in public in such a way as this.
This is of course very serious for Lauren Child and her publishers; why was this person allowed to take large copies of this book into a public space? If they knew it needed to be worked on in a train or other public space why weren’t electronic versions made available? Or had they even considered the fact that someone could have easily stolen the manuscript and copied it for an earlier release to capture their particular market?
The implications for UK PLC are probably not that great, and yet examples like this are played out across the country whenever people travel and feel they are in ‘safe‘ environments, with a dangerous cumulative effect for the country. The combined effect of actions like this could potentially add up to the millions in lost opportunities and lost work. It reminded me of Wendy Nather’s response to a question about public apathy to security, and her surprising yet eerily accurate response was;
I don’t think that society in general will stand up and do something about security until people start dying in enough numbers that it could happen to them individually and not just organizations because we don’t care about organizations.
I sincerely hope Lauren Child has not been hurt by this incident financially or otherwise, she has given too much joy to my children to wish that; but if she reads this I do hope she feels sufficiently motivated to insist on stronger controls around the management of her manuscripts from her publishers. If you would like some help doing that Lauren, feel free to contact me!