Mobile devices are great. I’m sat here in the back of a car in India travelling to a meeting. I’m connected to the internet via my iPhone and using the time to write a blog post on my laptop about the inherent dangers of using mobile devices while travelling. The irony isn’t lost on me.
Much has already been said on the various things that can be done to protect yourself while working on the move. Indeed, just the other day I wrote a piece on exactly how not to do it, and I am sure it is a regular topic of internal security articles at many companies.
The key issue I see is that the security measures are not always seen as ways to protect information. Rather, they are often seen as hoops that people need to jump through to get to the information they need to do their work. When, as is sometimes the case, security measures are poorly designed and/or poorly implemented, then the view of information security as an obstacle should come as no surprise.
Therefore, rather than trying to foist technology or procedures onto people, would we not be better focussing on behaviours that can be reinforced with easy to remember concepts? Here are a few to consider:
Think about where you are sitting with your laptop/mobile phone. Can it be stolen easily (as in this example) or can your screen be viewed easily by people sat nearby? Your data can be both physically stolen as well as “visually” appropriated.
All internet-based connections should go through a VPN. This might be overkill for some, but it ensures that there is no internal dialogue about the security of a Starbuck’s Wi-Fi versus a BT hotspot or even a hotel Wi-Fi. Always use a corporate VPN to encrypt and tunnel your traffic through any potentially unsafe network. Even when using a personal laptop to do your own work in a cafe, like a bit of banking or shopping, your credentials and details can be stolen, so use one of the many commercial (and sometimes free) VPN products that are available
Be aware of your surroundings. Is this a high-traffic area such as a cafe or airport lounge, with people moving in and out frequently? Be aware of what is on your screen – is it confidential? Should you really be working on it in a public space? This doesn’t mean you need to be paranoid, but travellers, especially when abroad, can often be spotted easily and are often viewed as vulnerable. Knowing your surroundings and behaving accordingly is an important part of not only keeping your data secure, but of keeping yourself safe also.
Let’s face it, technology is never going to solve everything. I wrote recently about an example which had all the right technology in place, only to be let down completely by a visit to the bathroom. If in doubt, your mobile devices should be your “bathroom buddies” and not left exposed in public!
This may be quite a challenging post as I potentially expose myself as a willing victim of an Orwellian world, if not a supporter of it. Nothing could be further from the truth, but I do think certain aspects of the forthcoming argument need to be aired.
I am amazed that people are surprised and angered to hear that the US and UK governments are “spying” on their citizens. I recall as a schoolboy in Dover in the eighties seeing a large installation on the cliffs of Dover, and it was common knowledge that it was used to intercept telephone and radio signals for the government. The thought was, and still is, a comforting one that various powers-that-be are intercepting communications in a morally correct albeit secretive manner.
While the scale of the interceptions highlighted through the Snowden leaks did somewhat surprise me, the fact that it was happening did not, in fact I expected it. My surprise was perhaps a factor of the rapid growth of the internet and the related technologies, but I was able to rationalise that with the many different methods of communications available to so many people on the planet.
I don’t agree with government back doors inside industry systems, and I don’t agree with the wholesale handing over of encryption keys to them either, but I do agree with the discrete and specific targeting of certain communications of “interest” and the decryption and handing over of those communications by the relevant company to the government in response to a valid and legal request. But it has to start with the interception, analysis, trending and prediction of traffic in the first place.
There, I said it.
We then move to the current advice being given to parents about monitoring and controlling their internet access and social media use. This type of advice is warmly embraced by most people, as one would expect, because children cannot possible be expected to know and understand the types of threats they might be exposed to on the internet, and too naïve to be able to deal with them. They do not have the experience or understanding of what could happen if they use the internet without some kind of supervision and monitoring, and as responsible parents we are there to protect, educate and support.
I think there is a parallel here, namely that the general population simply does not understand the kind of threats that are out there, and how monitoring communications and the internet is a fundamental way of ensuring that we don’t find out the hard way. There has to be a certain level of trust in the various government bodies that the monitoring is done for specific purposes, in the same way a child will have a level of trust that a parent monitoring contacts and online activity is doing so not to harm the child but to protect them from needless abuse and worse.
This parallel is not a clear one I understand; there have been abuses of power, and the politics of government is a dirty business at the best of times, but I pay taxes and participate in my community for the benefit of the greater good and therefore expect a certain level of protection from the powers that be. I chose to live in a somewhat paternalistic society because it benefits me and I get to enjoy a largely violence free lifestyle as a result.
Were you surprised by these revelations? Angered or resigned to them? I will continue to encrypt my most personal of data and practise good information security next time i do my banking in a Starbucks; not to protect myself from the government but from the criminals. I will leave the criminals to the government.
I’m no HBO, but I am pleased to say I have just posted a video of my talk at RSA onto YouTube, entitled “Playing the Game of Thrones; Ensuring the CISO’s Role at the King’s Table. Recorded by my good friend and evil twin brother Kai Roer (@kairoer) it is the session in its entirety along with pertinent slides throughout.
I was pleased with my personal performance at the time, but of course watching it I see many areas I could improve upon. (I am planting my feet better, but still by no means do I stand still for instance.) The staging of the room was very poor, but unfortunately there was not a lot that could be done about that, and many other speakers had to put up with the same issues.
The full abstract for the talk (from the initial submission) is:
Why is is the CISO constantly frsutrated with being required to report to areas of the business that either don’t understand it or conflict with so many of the core deliverables of the role? Too often it is beholden to the agenda of the technology focussed CIO or blinkered by the financial constraints of the CFO. How has the role even got to this place?
Starting with a brief historical look at where the CISO role was borne from in the first place, progression to this current state of affairs is shown to be inevitable. What is needed is a plan to disrupt this status quo and ensure a CISO is in a position to not only understand the power of the business intelligence that is produced in a well managed environment, but how to ensure it reaches the board in a way that is understood.
Through the use of a universally understood information security model, the CIA triangle, the presentation explores three key areas to assure the success of the CISO in being asked to report to the board rather than being summoned to it.
Initially the actual source of the information, its gathering, the methods employed and the common pitfalls often seen are explored and clarified. What are the common mistakes, how are they rectified and how can you recognise when the data gathering programme is going awry?
Secondly, how is it being pulled together, and what is it saying? How to understand the audience it is being presented to and what can be done to improve its chances of being understood.
Finally, how does the CISO make the final push for the board? What are the key principles that need to be understood about supporting a successful business, what home truths about the information security industry are rarely mentioned and how can the CISO differentiate themselves from those that came before?
This presentation seeks to broaden a CISO’s skills beyond the technical and the post nominal focussed industry accepted norms and into those that actually help a business do what it does best.
The content from this and my other recent talks will start to appear on this blog as I put my ideas down more into the written word rather than a presentation format. I have just one more speaking engagement before the end of the year now, and one in the first two weeks of the new year, so I hope to find more time to write rather than created decks.
I hope you enjoy the video, and as always I would greatly appreciate your feedback both positive and negative/constructive.
As usual it was a great week at RSA Europe, as much for the hallways track as all the other tracks on offer. Whilst it may not be as large as it’s bigger brother in San Francisco the move to Amsterdam from London seems to have given the conference a new sense of purpose and scale. The potential to grow in this location is obvious. But I hope it doesn’t grow too much more; there was always a sense of knowing what was going on and when, and where you were in relation to the auditoriums and speakers. I am sure that sense of perspective is more than lost in the scale of RSA San Francisco.
It still had it’s challenges, all minor. For instance, tea and coffee points that seemed perpetually shut throughout the day, a distinct lack of activities on Wednesday even after a 17:00hrs close, and perhaps the location did not lend itself to the kind of out of hours socialising that London had to offer. For me the Novotel bar became the centre of my networking experience, no bad thing, but I would wager there were a few more hotel bars doing the same thing meaning the networking was seriously fragmented.
The usual suspects were there for me to socialise with as well as some new faces, such as Tor and Kjetil from Norway who were both intelligent and hilarious, a combination I always enjoy. I managed to meet a few more of our industry “luminaries” as well which is always interesting (never meet your heroes!), as well as catch up with others I had met previously and enjoyed their company and insights.
For me the whole conference was focused upon 14:40hrs on the Thursday when I presented “Playing the Game of Thrones: Ensuring the CISO’s Role at the King’s Table”. Not only was I presenting in my own right but I was also presenting content and an approach that I had synthesised from a variety of sources and my previous thoughts and theories. The session went extremely well, was watched by a number of people I know and respect, and was fully attended (with even a couple of people having to stand). Questions at the end were thin on the ground although I had noticed that throughout the conference, but the feedback has been phenomenal. I haven’t had the formal feedback from RSA yet, but their newly introduced conference app allows me to see a certain degree of feedback on both me as a speaker as well as the talk itself.
The slides are above in PDF format, and are also available in Keynote format here. My good friend and evil twin brother Kai Roer kindly filmed the talk as well, and as soon as that is available I will be publishing that on YouTube. One of the key reasons for doing so is to invite more comments on the material itself, as I made a few bold statements that I am sure not everyone would agree with. For instance, the less influence a CISO has, the more prescriptive (and lengthy) the policies are, in turn making them less effectives. This is based on my observations only rather than research, so getting feedback on points such as this helps inform everybody more.
All in all it was a great week, making new friends and meeting old ones and always learning new things almost every hour. Here is my honour roll of folks from the week that made it as memorable as always:
Javvad, Brian, Kai, Kjetil, Tor, David, Dave, Bruce, Tor, John, Dwayne, Quentyn, Neira, Josh, Martin, David & Olivier (my apologies to anyone I left out, it is the fault of my memory and not how memorable your were!).