“An Anatomy…” at the BCS

A short post to give the Wiltshire branch of the BCS a pointer to the slides from the presentation I gave last week on Tuesday 24th July in Swindon. It was an excellent evening, although I suspect the turnout was somewhat diminished by the weather!

The audience also included members of the IET which bought a very interesting slant to the questions at the end. I have also exchanged a few views with folks over Linkedin as well, and if you are still awaiting a response from me please bear with me!

The one thing that did however fail was the video recording of the talk; unfortunately it gave out halfway. I was going to edit the footage anyway and then perhaps link to an alternative recording of the same talk, but I have taken the decision not to as it is a messy compromise to try and stitch two different talks together to get the entire content in one place. As a result I have decided to simply link to a previous recording, specifically the BsidesLondon one I gave in April.

So, thank you Geoff Hunt for having me along to speak to the Wiltshire branch of the BCS (where I am also a largely absent member of the committee!) and especially thank you to the folks in the audience for your interest and your questions. If any of you do happen to have any more questions, please don’t hesitate to ask them in here, via email or Twitter. Any feedback is also of course very much welcomed.

The video can be found here, and the slides can be found here (note that the presentation is originally in keynote format, the PPT export may look slightly different).

Where is Your Data?

Have you paused to consider where your data is at any given time in your organisation?

All but the smallest of organisations is likely to have notes, CV’s, financial records, personnel records, legal documents and the like, and that is just the stuff in paper form. Throw in electronic records, and you include emails, working documents, client deliverables such as code or documentation, even firewall logs or IT documentation and records.

Now that you have a picture in your head of what exactly might be out there, do you know where it actually is? Any organisation that operates in more than one country, and with the advent of the cloud any small organisation that uses third parties for any of it’s traditionally in house capabilities is very likely to find data in different countries. While this may come as no surprise to some, for many once they have carried out even a rudimentary analysis this is likely to come as a shock.

The problem I feel is that the pervasiveness of technology, and the ability in the modern business to operate without boundaries as result. By this I mean  when, for instance, someone looks at, alters, reviews or saves data of any kind more often than not they have no idea where that data resides. Is it in the server room across the hall, a colocation facility across town or in another continent? Even when the various professions in an organisation are aware of the various compliance and regulatory requirements (Human Resources, Legal etc.), because the location of the storage devices themselves are invisible to them the issue is not even considered.

For instance, a Hiring department in one country may take the personal details of a new hire such as name address and bank account and upload them to a file server in Excel or onto a SharePoint for the Finance department to set up into payroll. The server this data resides on may be in a second country, while the person who updates the financial systems resides in a third country. In many cases this may not be acceptable according to local data protection laws for the storage and access to a given country’s resident data. This is more often the case when one country has significantly greater (or better) privacy laws than another.

The solution to this is two fold, one legal and one common sense:

Legally, agreements can be put in place; these can include well known standards that can be adopted between reciprocal countries. Perhaps the most well known is the Safe Harbor Privacy Principles. This is a set of seven principles that allow for the streamlined compliance of US companies to the EU Directive 95/46/EC and was developed by the US Department of Commerce in consultation with the EC. There have however been concerns raised about the efficacy of this approach, but it still remains a common and well known one nonetheless.

Another legal approach, and one that appears to be be more commonly adopted in recent years is that of Binding Corporate Rules. Developed by the European Union Article 29 Working Party it is wider in scope than Safe Harbor as it applies to any country that may want to exchange or store data from an EU country. Both of these examples (and other alternatives) do require a lot of work to effectively adopt, the latter especially, and should not be entered into lightly. More often than not third parties/consultants will need to be employed to bring the very specialist skills required.

The second solution, and one in reality that should be taken in conjunction with the legal approach, is that of awareness. This is awareness on behalf of the organisation as to where it’s information and data is stored, and also awareness of the individuals who are managing and posting this data to the various locations required. IT moves faster than ever, and the location of your data store may well move with it. These individual teams will need to engage with IT and the CIO and become firm stakeholders during any kind of IT infrastructure upgrade and bring their specialist knowledge to the table. And the company will of course need to commission an international data location map!

The alternative unfortunately is a knock on the door from the Data Commissioners Office (or equivalent from outside of the UK) and a potentially heavy fine and the related embarrassing media frenzy. That is going to cost significantly more money than that cheap hosting deal in India.

Style vs Content – Getting the Point Across Effectively

I have just had to present to a team on their information security responsibilities whilst they are on their current project. Their client has very specific requirements, and for a variety of reasons it was important to reinforce the key requirements again.

This was at short notice, and so I spent every spare moment I had throughout a long day last Thursday creating the presentation from scratch. After reviewing Master Services agreements, security schedules and other documents relating to the project I had to try and consolidate all of this into a meaningful presentation. I even Tweeted about my experience:

This is a battle hardened and very creatively talented team, working stupid hours and closing in on an important milestone of work. The last thing they wanted was to listen to the “corporate security guy” for twenty minutes, but for all the right reasons it was important that it was done today, and with the client present.

So I had: 1 – a disengaged audience, 2 – 24hrs notice, 3 – a client present, 4 – strong interest from HQ (“send us the presentation when you finish it so we can check it through” and finally, 5 – changes to be incorporated two hours beforehand (see 4).

Pop Quiz – do you use the corporate deck, smart and extensive bullet points, approved imagery and and a shirt and tie? Or do you focus on getting key message across, come what may?

And this is the crux of my point – the moment you try and deliver a corporate message in a corporate format your audience is going to switch off. One suggestion I received from a well meaning executive was to basically provide a list of the twenty requirements of the client in the presentation and then hand out copies to be signed by each team member. In this instance people would remember the first two, last two (at best!) and just blindly sign the rest. While this would technically meet the objectives (everyone must agree they understand the security requirements) they really wouldn’t absorb the message.

My approach? Simple, high impact and memorable. As the example below shows, not many words and a memorable picture (in the actual presentation Borat merged to Simon Cowell showing a thumbs down and back and forth). In this way, the image hits them first (thumbs up/thumbs down), the message (check X when doing Y), and that’s it! (The message has obviously been sanitised to protect the innocent).

 Of course, there were many other slides along this nature – I also used references to The Oatmeal, Dilbert and Defcon 18 amongst others. And each slide put across a very specific point.

At first glance, the deck looks awful, plain and badly designed. However, the simplicity of it ensures the message very clearly comes across with the imagery ensuring that message remains memorable.

Three things came across very strongly at the end. Firstly, the questions and comments at the end were engaging, sensible and eminently relevant. This made me very confident that the message was put across and understood, and that this approach was the correct one in this circumstance.

Secondly, the client saw this engagement, and has since requested a copy of the presentation to demonstrate how the team had been successfully “trained” and and updated on security practices.

Finally, in front of this creative audience it became crushingly obvious that I really have to up my game when it comes to clip art…

Open Letter to Apple – Why Have You Forsaken Me?

Dear Apple,

Your new MacBook Pro’s rock… the screen alone is just like moving from black and white to colour, and with the Air-like instant on, solid state disk and all round grooviness I nearly sold a kidney there and then (thank goodness the market in kidneys crashed; this could have been a very different letter).

And then, I saw it. Or more accurately I didn’t. The lozenge shaped hole of hope, that sliver of sanity, the goddam lock lead hole… It wasn’t there; in fact I looked again and it still isn’t there!

WTF Apple? What kind of insane douchebaggery is this?

You have strived and toiled and driven to be accepted into the enterprise. You have integrated with Microsoft Exchange, AD and even licensed ActiveSync for the iPhone. You have built in full disk encryption into your OS(X), allowed corporate Microsoft into your walled garden and introduced Employee Purchase Programs. In fact, you sounded like my hip godfather; all grown up and wise and everything, and yet still somewhat cool and groovy.

I even use a MacBook Pro at work for goodness sake! You make ME look cool and hipster like, and THAT is hard work I can tell you…

I tell people about how much more stable OSX is, how much more consistent the hardware is and how much more intuitive the interface is. Sure, your enterprise hardware support isn’t as good as say HP’s and Lenovo, but it is good enough, and at a pinch I just wander up to Oxford Street and chat to a Genius and they fix it anyway.
And then you announce the retina display, and all the other coolness that goes along with the new MacBooks; everyone in the office is talking about how they need one, my work and productivity depend on it, and you know what?… I ignored them because I needed one and my productivity suddenly depended on one as well…

And when I didn’t see that hole of hope, I think I died a little inside, and not just because I couldn’t lock my laptop up now, but because I will never be able to lock it in the future. This is obviously a design decision, one that was actually thought out, not just forgotten.

I have fought and fought to get my people to understand the importance of basic DLP, that is, lock your frickin laptop up, and your data will not literally walk out of the door. And in one fell swoop, you have told all of my MacBook users that it’s OK not to have a laptop lock. “If Apple don’t think it is important, why should I listen to you?”.


I now have to fight for extra budget for a case that screws into the chassis of the laptop that I can lock a lead to (ugly) or pieces of metal to slip between the hinge for the lock lead to attach to (screen crunchingly efficient) to get a basic security control in place. And I bet the answer will be “no” – these new Macs are expensive enough, we have encryption, why bother? Ummm, downtime, productivity, overhead of security incident reporting, cost of hardware replacement and just generally lax security practises (or “risk homeostasis” – a topic of a forthcoming presentation).

You have two choices; either reintroduce said hole, or introduce the most amazingly designed and fabulous looking security device for these laptops that I will spill £50 of my own money to buy one.

Do you dare to “think different” in this regard…

Yours sincerely,

Thom “lockless” Langford