I was in the Manchester Central library over the last weekend, a newly refurbished space that has very recently been reopened to the public. I was only visiting Manchester, so it seemed like a good thing to do and I have to say I was very impressed with the space. There were computers and interactive kiosks throughout, even the cafe tables had a “Surface” like feel to them with images and documents you can read and manipulate with your fingers. As expected there was free Wi-Fi.
I connected to it, and duly fired up my VPN. It didn’t connect. Confused, I tried again. Still failed. Free, public Wi-Fi which blocks VPN! All I wanted to do was check the viewing figures of the latest Host Unknown video, but even that could potentially expose my Google username and password to anyone snooping; with BSides Manchester just around the corner I wasn’t about to become the subject of someone’s Wi-Fi pineapple presentation, so I tweeted my concern (as you do) and disconnected.
There isn’t a piece of general security guidance that gets published that doesn’t include the advice to only connect through a public Wi-Fi point unless you are using a VPN. The risk of having your personal details, usernames and passwords transmitted and subsequently intercepted is too high and YOU MUST NOT DO IT! USE A VPN AT ALL TIMES!
Great advice, except that VPN has still not been adopted properly by any major hardware or software manufacturers of computers, tablets and smartphones. There needs to be a built in, simple and ubiquitous approach to VPN now that mirrors the adoption of anti-virus of 15 years ago and encryption of 5 years ago. There are paid for solutions for enterprises and the more technically minded and free solutions of both for the small business and home user. But not when it comes to VPN. No Apple VPN, or Google VPN for the average home user to be able to use with little effort or even understanding.
The VPN solutions on offer are typically smaller packages that the average person would simply not come across, basically the technology has yet to be commoditised. If you have a problem convincing someone to use a decent complex password, think about trying to explain to them about using a VPN.
Even Apple, whose interface design in my opinion is some of the best in the industry has missed a trick with iOS7; VPN is buried in the settings apps, rather than being on the easy access swipe menu where you can quickly and easily enable it and disable it. And what about the option to have it permanently running, automatically reconnecting when the device goes into standby? I have lost count of the number of times I have been using free Wi-Fi at a conference or hotel only to realise that at some point my VPN has disconnected me without realising it, and I am supposed to be a security professional.
Convenience always wins over security (a wise person once said) and so until VPN is made as transparent as antivirus and encryption (when installed properly) we are simply wasting our time trying to educate the greater population about using it the next time they are in Starbucks.
(Note: the Manchester Central Library Twitter account did respond, and we are in the process of communicating about the evils of open, password free Wi-Fi. Perhaps some InfoSec locals may also wish to reach out to them to educate and discuss?)
But rather a heartfelt thank you and cry for your support! In exchange for not writing yet another piece on Heartbleed (enough coverage by me here from last week) I thought I would take this opportunity to talk about the European Security Blogger Awards.
In it’s second year only, the competition has certainly heated up with a large number of high quality blogs, blogs and podcasts on offer to vote for. There is a good commentary from IT Security Guru and Brian Honan on what it is all about here. I am thrilled, excited and pleasantly surprised to have been nominated in five categories this year:
- Best Corporate Security Blog
- Best Personal Security Blog
- Most Entertaining Blog
- Most Educational Blog
- Grand Prix best Overall Security Blog
(I’m not sure how I got into the corporate blog category, but it’s all good!)
Thank you to all of those who nominated this blog in all of those categories, but with the quality amount of the competition I shall have to start practicing my Hollywood Oscars “really upset but can’t show it that I lost to that charlatan” face when the winners are announced.
One of my other internet tenancies has also been nominated three time, Host Unknown:
- Best Security Video Blog
- Most Educational Blog
- Best New Security Blog
With less than a year in “business” it is great to be nominated here as well, and we have a number of very exciting activities coming up over the next few months.
I said this last year, and it is worth repeating again; this list of nominations represents the very best of what the information security blogging community has to offer. Some of it serious, some of it humorous and some of it acerbic, but all of it providing a viewpoint of one kind of another that is worth listening to, reading or watching. Use this as a shopping list for your RSS reader.
Voting closes on Wednesday 23rd April, and the awards will be announced on Wednesday April 30th at the Prince of Teck Pub, Earls Court.
Thank you again to those of you who nominated me, time for the voting campaign to begin!
The very term ‘risk” often makes people feel uncomfortable, with connotations of bad things happening and that if risk is not minimized or removed then life (or business) becomes too dangerous to continue.
Crossing the road is risky, especially if you live in a busy city, and yet people, young and old alike, do it every day. In fact it is riskier than flying and yet I would argue that there are more people afraid of flying that of crossing the road. Hugh Thompson of RSA put it very well in his 2011 RSA Conference Europe presentation when he raised the issue of “Sharkmageddon”; more people are killed every year sitting on the beach by falling coconuts than those by sharks, but there is an almost universal fear of sharks. We irrationally consider swimming in the sea safer (less risky?) than sitting under a coconut tree.
Risk is an inherent part of our lives, and if we let the realities of risk take control of our business decisions we become the corporate version of an agoraphobic; staying in the safe confines of the environment we know and not ever venturing out to be active in the outside world; ultimately we wither and fail be it as individuals or as a business.
In my experience, one of the most misunderstood approaches to treating a risk is to accept or manage it. Most people are comfortable with mitigating, transferring or avoiding a risk as they involve some kind of act to deal with them, something we are all familiar with. We fix a problem, give the problem to someone else or stop doing the thing that causes us the problem in the first place. However, it often feels wrong to simply accept a risk, in essence to do nothing. Although this is not strictly the case, it is essentially how we feel we are dealing with it. You are accepting that there is either nothing you can do, or nothing you are willing to do to reduce the risk. However, you are not blindly accepting it at face value; rather you are being cognisant of the risk as you continue your operational activities. You know it is there as you carry on your day job. These activities and the very environment you are operating in can change without notice, and make the decision to accept a risk now the wrong course of action.
For instance, it may now be cheaper to fix the risk than it was going to cost you, or the highly lucrative contract that made the risk acceptable is now over and there is a greater risk of financial lost that costs more than the revenue you are bringing in. The reasons for change are often financial, although not always. Your risk appetite may also have reduced or the industry you are operating in becomes more regulated; all of these example mean your decision to accept needs to be reviewed.
All risk decisions need to be reviewed regularly, for exactly the reasons given above, but in my opinion it is risk acceptance decisions that should be reviewed more often, as they are the ones that are made as a result of more transient and changing factors, and are the ones that will potentially harm the organisation the greatest.
It’s a bit like keeping a tiger as a pet – it looks awesome and maybe even draws admiring glances from many, but if you forget you locked it into your bathroom overnight you are going to have a very big surprise when you get up to go to the toilet in the middle of the night. You can’t accept risks without truly understanding them in the first place.