The ISSA-UK and why I like them

Leave a comment

I have always had a soft spot for the ISSA-UK; ISACA and (ISC)2 are all very well (and have a slightly different  value offering what with their examinations and credentials), so the ISSA have sometimes in my opinion been compared alongside them somewhat unfairly. I like them for a number of reasons:

  1. Great value for money – at less than £100 per year and with a considerably higher number of events per year (at least in London) than (ISC)2 and ISACA, that’s a lot of potential CPE’s.
  2. Quality of speakers; I am biased (having now become an ISSA-UK speaker), but I have always been impressed with the quality of speakers. The highlight for me of the last 12 months for instance was Bill Hagestad  when he spoke about the Chinese cyber threat.
  3. Awesome people and networking; I am constantly meeting great people and having great conversations with them, infosec related and otherwise. Just tonight I made tentative arrangements to do a talk alongside someone else, discussed a high profile speakers apparent downfall (always useful for the future when the inevitable happens to oneself) and “connected” with a number of highly intelligent and rightly opinionated people.

Overall I think of them as having the least of an agenda with no exams to sell or certifications fees to maintain, and this is why it puts them at the top of my list.

Telling it like it is apparently

Telling it like it is apparently

Last nights talks were very similar to the Bristol one of a few weeks ago in that Richard Hollis presented on Deep Threat – Top 10 Lessons to Learn from the Online Adult Entertainment Industry, and I did my UFO’s, Dirty Dancing and Exploding Helicopters, a Hollywood guide to risk management presentation again. The final presentation was by Adrian Wright, ISSA-UK VP of Projects on Securing The ‘Internet of Things’ – Implications and Key Questions. 

I have to apologise to Adrian as I overran on my presentation putting the pressure on him to be as succinct as possible. Running over time is rightfully seen as something of a cardinal sin for a presenter, but in my mitigation it was because of the level of interaction from audience was just brilliant, and we got a good number of opinions across all of the topics put forward.

I have commented on Richard’s excellent presentation from when he gave it in Bristol, but Adrian’s I had not seen before. It was utterly fascinating and presented (as expected) very well by Adrian. What struck me the most was that the adoption of new technology is just increasing in speed over time almost exponentially. What this means for the internet of things is that before we know it, literally in the next few years, we will see a massive shift in how we consume food, control our homes and even park our cars. Only time will tell, but in this case, not a lot of time.

A great evening as usual and my tanks go to Gabe Chomic (@infoseccrow) for the invitation.

The presentation from the night is here in PDF and native Keynote, and as always if anyone would like to continue to conversation with me you know the usual channels!

Taking RANT to New Levels

4 Comments
Noise Next Door giving conferences a new twist

Noise Next Door giving conferences a new twist

For a variety of reasons I have been unable to post here as frequently as I have liked, but the great advantage of attending a conference is that it does spur one into action to get something written down. Tuesday Jun 11th saw a new kind of conference come to town, the RANT conference. Based upon the monthly RANT forum there were only three individual speakers with the rest of the sessions effectively panel debates but with significantly more audience interaction encouraged.

There were a number of highlights for me, not least all of the people I met there, new friends and old. One of the big surprises for me was the opening keynote from Mark Stevenson of the League of Pragmatic Optimists. I thought it an odd choice of speaker, a futurologist, but very much enjoyed his talk once I got over myself. he looked at (amongst many other things)  how the digital revolution is changing our lives daily. What it came down to though is that despite the massive amount of change that has gone before us, the digital revolution is merely the cocktail sausage of dinner; we cannot begin to imagine what is around the corner.

I also enjoyed watching Javvad play up to his InfoSec rockstar status alongside Neira Jones and the irrepressible Stephen Bonner. It was unfortunate that the final panellist, Ed Gibson, killed the dynamic of the panel dead, changing what should have been an upbeat and funny session into a monologue of personal dislikes that crossed the line into embarrassing.  I thought Javvad played to his RockStar persona very well, but also presented how he made his way to the level of industry notoriety he currently enjoys and the benefits it actually brings to the industry. The serious point of them actually being ambassadors for infosec was quite rightly made. Unfortunately Ed did the same for the next panel on state sponsored espionage, killing what should have been a powerful insight into the topic given his background. I understand Ed is a very highly rated speaker, but on the evidence of yesterday I won’t be rushing to see him speak, and how he handled himself was unfair on the other panellists and indeed on us as an audience.

The Boy Band Strikes back

The Boy Band Strikes back

The rest of the day went very well though, with plenty of laughs with the University Challenged pitting the grey hairs of the industry against the students of Royal Holloway, and a session on security awareness that I was invited to participate in alongside Geordie Stewart, Charles Clarke, Christian Toon and my old mate Bruce Hallas. The reaction from the audience was very positive, with some great questions and opinions. We didn’t all agree, which is exactly what needs to happen; if we all agree, nothing changes, but if there is dissent then that can finally lead to actually driving change in the industry. On the whole it was well received and moderated nicely by Jim Shields, although someone did tweet that he thought the conversation was “same old same old re training me thinks” which is actually fair enough; I do think however that we can only stop talking about it when it is “fixed” (whatever that means!).

Stephen Bonner’s presentation was a distinct improvement upon what he presented at BSides, and was a thoroughly enjoyable rant, replete with chocolate missiles for the audience.

The excellent Twist and Shout were managing the video and photography, and shared many of their corporate training videos in the breaks between sessions that not only gave a very polished and slick feel to the whole day, but also some light relief.

Networking drinks were copious and enjoyable, and the dinner was excellent with after dinner entertainment from Jim Shields in his stand up comedian alter ego and an improv comedy troupe Noise next Door. A fuzzy head this morning tells me I had perhaps a little too much fun.

It was an awesome conference overall, and I hope to see it grow and become part of the established circuit. The format can only get better as while there is a place for the traditional presentation of one person delivering content and then taking some questions has its place, there is a huge advantage to the RANT approach. It allows the audience to engage far more effectively and I would hazard a guess that the audience actually retains more than the standard 20% of content afterwards. Huge congratulations to Acumin for not only making it happen, but also for ensuring it was as free from the commercialisation of so many other vendor driven events, a hugely refreshing approach. The biggest congratulation of the day though must go to Gemma for making it happen.

photo[5]

The IRMS – a new angle on information security and risk management

Leave a comment

photo[1]I have recently returned from a conference that I might not have ordinarily attended or even been able to justify, namely the Information & Records Management Society (IRMS) conference in Brighton.

I had been invited to participate in a panel session on Monday morning entitled “Adapt or Die: Is Records Management still relevant in a World of Big Data” alongside Christian Toon (@christiantoon) and Phil Greenwood of Iron Mountain, and Sarah Norman of HM Treasury. Not only was it an excellent discussion, but it struck me quite how similar the challenges are between the IRM world and the risk management/CISO world.

We answered a question around how can the IRM folks avoid only getting funded and have attention paid to them after an emergency, and it immediately struck me that this is exactly what happens with security. Another related question concerned connecting effectively to the business and I was able to relate the tasks of the IRM function to the Confidentiality, Integrity & Availability (CIA) goals of the information security professional, and how the two goals are very similar.

Even the opening speech spoke about IBM’s Four V’s of big data (quoted), namely:

  • Volume: Enterprises are awash with ever-growing data of all types, easily amassing terabytes—even petabytes—of information.
  • Velocity: Sometimes 2 minutes is too late. For time-sensitive processes such as catching fraud, big data must be used as it streams into your enterprise in order to maximize its value.
  • Variety: Big data is any type of data – structured and unstructured data such as text, sensor data, audio, video, click streams, log files and more. New insights are found when analyzing these data types together.
  • Veracity: 1 in 3 business leaders don’t trust the information they use to make decisions. How can you act upon information if you don’t trust it? Establishing trust in big data presents a huge challenge as the variety and number of sources grows.

Isn’t this exactly the sort of thing that CISO’s have to grapple with every day?

The world of the IRMS and the world of the Infosec Professional are very closely related it seems, and I think this relationship is one that needs to be explored by both communities further to ensure mutual goals are more easily met.

Christian Toon and me looking rather spiffy

Christian Toon and me looking rather spiffy

On a personal side I had a great time speaking with the vendors, watching a few presentations and taking part in the pub quiz (we didn’t win..). There was even a black tie gala dinner on Monday that was an absolute blast that culminated in my friend, Christian Toon, being awarded a fellowship of the IRMS which was just fantastic to to be able to see.

I am sincerely hoping to go to next years event, and perhaps hoping even more that by then the argument to attend will be much easier as our industries begin to forge closer ties.

The EU, Porn, and Hollywood

1 Comment

And if that title doesn’t attract attention I don’t know what will…

Unfortunately (for you) while this title is accurate the rest of this post may not quite deliver what you are expecting or hoping for. Just a few days ago (Thursday 16th May) I attended for the first time an ISSA-UK chapter meeting in Bristol where Marcus Alldrick, Richard Hollis and myself were presenting (in that order) to the great and the good of the south west infosec community.

Marcus Alldrick emphasises...

Marcus Alldrick emphasises…

Marcus’ presentation of The EU’s Proposed Data Protection Regulation, It’s Life Jim But Not As We Know It was very well received with a huge amount of interaction to the point of a  twenty minute overrun. I have tended to avoid expending too much energy on draft legislation like this as it often changes dramatically the closer it gets to publication (MA201 CMR 17 is a good example of this), and so the view that Marcus presented was a welcome one. Although his deck was content rich he put it across in his own inimitable style and I found it hugely educational. One point that came across loud and clear is that if it gets enacted in its current format one of the most sought after roles in any company will be that of Chief Privacy Officer for the job security alone (the role must be filled by the same person for a minimum of two years!).

...and Richard hills boasts

…and Richard Hollis boasts

Second up was Richard Hollis with his hotly anticipated Deep Threat – Top 10 Lessons to Learn from the Online Adult Entertainment Industry. While the expected jokes and euphemisms came thick and fast underneath it were some startling and very interesting lessons, but namely that the adult entertainment industry simply does information security far better than the rest of us; they are single minded, have a lot to lose, and ultimately see the “battle” with maintaining security as just that… it’s a war which they are determined to win. A fascinating insight into an often overlooked industry with some great lessons summarising the underlying security ethos of this industry.

I'm a little teapot

I’m a little teapot

Finally it was my turn. To be honest I was somewhat apprehensive following these two presentations; there was a huge amount of interaction to this point and while my presentations somewhat relied on audience participation the main points I was raising were quite high level and in some cases not often talked about. I shouldn’t have worried. I had an absolute blast talking about different elements of risk management and getting some excellent feedback, comments, questions and of course different opinions. My case was obviously helped by the fact that I was handing out prizes for each correct answer identifying a quote to a film! The presentation itself is below along with a few snippets of the presentation itself taken from the back of the room.

I have always been impressed with the ISSA-UK meetings, the quality of the discussion between people and to be honest the great value that membership of this association brings. I am very much looking forward to more of these, and if asked to present again at one of their sessions. My thanks to Alan and Gabe (@infoseccrow) for giving me the opportunity to present here.

UFOs Dirty Dancing and Exploding Helicopters (PDF)

Use Your Nose and Gut to See The Real Picture

1 Comment

avatars-000032667477-7n71zy-cropAfter the high energy of the conferences last week it was always going to be a challenge coming back to the humdrum of day to day work. Reviewing someone else’s audit findings was never going to be the quickest way to get those energy levels up!

This was compounded somewhat by what I found myself reading of course; this was a audit report on an environment that had a very limited scope, i.e. type of work being carried out, type of data being handled, type of resources required to complete the task. The auditors however were coming in from a very strictly controlled, somewhat binary view of the world. The upshot of this was that there were a lot of findings along the lines of:

  • Workstations have access to the internet.
  • Physically secured environment within the office (of the same company) required.
  • Firewall must separate development environment from the rest of the office.

On the face of it these findings are perfectly acceptable, but what they don’t do is take into account the bigger picture.

The group that was being audited did not have access to any sensitive information, PI or even intellectual property. They required access to the internet as they were a creative group that uses multiple types of resources from the web, and they were already on a secured VLAN.

Unfortunately they failed to understand what was in front of their faces throughout the entire audit and assessment process (in fact, they remind me of the type of auditor that Javvad recently showed us in his latest video)  They didn’t observe their surroundings fully, understand the working environment, nor comprehend the true purpose of the audit, namely to reduce risk not squash the life out of some very expensive resources and make it difficult to do their job.

They did everything by the book.

There is always a time and a place for a slightly more maverick approach in my opinion. There are times when as an auditor you need to go with what your nose tells you is bad, or your gut tells you isn’t right. No kind of by-the-book approach will let this happen. Let’s elaborate on these two approaches a little more:

Using your nose

This is quite literally “smelling” out the findings. Just because a document has been presented and all seems in order, or just because an activity is shown to be in normal use doesn’t always mean everything is in order. I have spent many enjoyable hours discussing with colleagues the tricks and traps that people use to fool auditors and assessors (some of the simpler ones are in Javvad’s video!). I even heard one where freshly printed documents were deliberately given coffee stains to give the impression that they had been around for some time, or people being sent home for the day when the auditor was around. Smelling this out requires a slightly cynical nature and a “poacher-turned-gamekeeper” approach. You might see a name occur too often, or the same approval date on documents that were obviously written at different times and approved by different approvers, but they are all indicators that something may be amiss.

Using your gut

A “gut feeling” is a very difficult thing to define, and to be honest not always as reliable. i often think it is because you have observed something subconsciously that make it a gut feeling. Using your nose is based upon an observable phenomenon whereas using your gut is not. They can be very good indicators that something is not quite right and deserve to be investigated further; the real skill however is knowing when to stop. Burning up half of your audit time because of a gut feeling is unprofessional, a waste of time and is doing both you and the auditees a huge disservice. However it can pay off huge dividends when you get it right in what is uncovered.

I want to caveat the above however; I don’t want to come across as though auditing is some kind of cat and mouse arms race (or any other kind of mixed metaphor). Any good audit or assessment is always going to be open, collaborative and educational and this needs to be the goal from the outset. However, many auditees are placed under huge pressure to pass an audit and sometimes will feel a high risk, deceptive, strategy is the only way to retain their jobs. I myself was once told in no uncertain terms “do whatever it takes to pass the audit” (and of course did).

What I really want to see in the industry is a move away from the checkbox and clipboard approach to auditing and assessing as the natural conclusion of that is a deeply unpleasant homogenisation of controls and environments that stifles creativity, and ultimately reduces the ability of a business to deliver to its clients and to its shareholders.