And they say security awareness training is working?

3 Comments June 20, 2013 Thom Langford

Having been involved in the security awareness debate quite a lot recently I have no desire to bang this drum even further, especially as on the whole I support the concept of security awareness training. However I am constantly having my faith in the training rocked just from observing people’s day to day activities.

I found myself in one of the lounges in Delhi airport at around midnight last night. in a period of less than thirty minutes I found two laptops and an iPad logged in and unattended in plain view. Now, I really do understand that people may consider these kind of environments as ‘safe’ and will therefore let their guard down. What I fear however is that they have blatantly disregarded their security awareness training and policies that will no doubt explicitly state that it is unacceptable to leave mobile devices unattended and unsecured in any environment, possibly including the workplace. Without wishing to become an amateur sociologist I would imagine these are educated, intelligent people because

They are able to afford expensive looking laptops or have been issued an expensive looking laptop
Are flying business class (or similar) and are therefore likely to be working for a company that can afford to pay for this level of comfort (a decreasing number on my experience)

If they are so intelligent and educated, why are they ignoring their training? Why are they putting their company and client data at risk in such a blatant way? It is my belief that the training provided has not effectively put across the reasons and incentives for securing mobile devices in the outside world.

Now you see it…

Can you see it?

The third offending item was another laptop, but as I was furtively aligning myself to take a picture the owner returned from the toilet It was left in very similar circumstances in a high traffic area.

Given the number of laptops I have seen left in Starbucks and other cafes (and indeed have blogged about elsewhere here) I am seriously considering starting a gallery to showcase these examples and perhaps start using them as a litmus test of the effectiveness of any company’s security awareness programme. Until these cases become exceedingly rare, to my mind the existing programmes are simply not working as they were intended, and until they do, behaviour such as this which smacks of convenience and possibly a little laziness will continue to put data at risk.

The ISSA-UK and why I like them

Leave a comment June 14, 2013 Thom Langford

I have always had a soft spot for the ISSA-UK; ISACA and (ISC)2 are all very well (and have a slightly different value offering what with their examinations and credentials), so the ISSA have sometimes in my opinion been compared alongside them somewhat unfairly. I like them for a number of reasons:

Great value for money – at less than £100 per year and with a considerably higher number of events per year (at least in London) than (ISC)2 and ISACA, that’s a lot of potential CPE’s.
Quality of speakers; I am biased (having now become an ISSA-UK speaker), but I have always been impressed with the quality of speakers. The highlight for me of the last 12 months for instance was Bill Hagestad when he spoke about the Chinese cyber threat.
Awesome people and networking; I am constantly meeting great people and having great conversations with them, infosec related and otherwise. Just tonight I made tentative arrangements to do a talk alongside someone else, discussed a high profile speakers apparent downfall (always useful for the future when the inevitable happens to oneself) and “connected” with a number of highly intelligent and rightly opinionated people.

Overall I think of them as having the least of an agenda with no exams to sell or certifications fees to maintain, and this is why it puts them at the top of my list.

Telling it like it is apparently

Last nights talks were very similar to the Bristol one of a few weeks ago in that Richard Hollis presented on Deep Threat – Top 10 Lessons to Learn from the Online Adult Entertainment Industry, and I did my UFO’s, Dirty Dancing and Exploding Helicopters, a Hollywood guide to risk management presentation again. The final presentation was by Adrian Wright, ISSA-UK VP of Projects on Securing The ‘Internet of Things’ – Implications and Key Questions.

I have to apologise to Adrian as I overran on my presentation putting the pressure on him to be as succinct as possible. Running over time is rightfully seen as something of a cardinal sin for a presenter, but in my mitigation it was because of the level of interaction from audience was just brilliant, and we got a good number of opinions across all of the topics put forward.

I have commented on Richard’s excellent presentation from when he gave it in Bristol, but Adrian’s I had not seen before. It was utterly fascinating and presented (as expected) very well by Adrian. What struck me the most was that the adoption of new technology is just increasing in speed over time almost exponentially. What this means for the internet of things is that before we know it, literally in the next few years, we will see a massive shift in how we consume food, control our homes and even park our cars. Only time will tell, but in this case, not a lot of time.

A great evening as usual and my tanks go to Gabe Chomic (@infoseccrow) for the invitation.

The presentation from the night is here in PDF and native Keynote, and as always if anyone would like to continue to conversation with me you know the usual channels!

Taking RANT to New Levels

4 Comments June 12, 2013 Thom Langford

Noise Next Door giving conferences a new twist

For a variety of reasons I have been unable to post here as frequently as I have liked, but the great advantage of attending a conference is that it does spur one into action to get something written down. Tuesday Jun 11th saw a new kind of conference come to town, the RANT conference. Based upon the monthly RANT forum there were only three individual speakers with the rest of the sessions effectively panel debates but with significantly more audience interaction encouraged.

There were a number of highlights for me, not least all of the people I met there, new friends and old. One of the big surprises for me was the opening keynote from Mark Stevenson of the League of Pragmatic Optimists. I thought it an odd choice of speaker, a futurologist, but very much enjoyed his talk once I got over myself. he looked at (amongst many other things) how the digital revolution is changing our lives daily. What it came down to though is that despite the massive amount of change that has gone before us, the digital revolution is merely the cocktail sausage of dinner; we cannot begin to imagine what is around the corner.

I also enjoyed watching Javvad play up to his InfoSec rockstar status alongside Neira Jones and the irrepressible Stephen Bonner. It was unfortunate that the final panellist, Ed Gibson, killed the dynamic of the panel dead, changing what should have been an upbeat and funny session into a monologue of personal dislikes that crossed the line into embarrassing. I thought Javvad played to his RockStar persona very well, but also presented how he made his way to the level of industry notoriety he currently enjoys and the benefits it actually brings to the industry. The serious point of them actually being ambassadors for infosec was quite rightly made. Unfortunately Ed did the same for the next panel on state sponsored espionage, killing what should have been a powerful insight into the topic given his background. I understand Ed is a very highly rated speaker, but on the evidence of yesterday I won’t be rushing to see him speak, and how he handled himself was unfair on the other panellists and indeed on us as an audience.

The Boy Band Strikes back

The rest of the day went very well though, with plenty of laughs with the University Challenged pitting the grey hairs of the industry against the students of Royal Holloway, and a session on security awareness that I was invited to participate in alongside Geordie Stewart, Charles Clarke, Christian Toon and my old mate Bruce Hallas. The reaction from the audience was very positive, with some great questions and opinions. We didn’t all agree, which is exactly what needs to happen; if we all agree, nothing changes, but if there is dissent then that can finally lead to actually driving change in the industry. On the whole it was well received and moderated nicely by Jim Shields, although someone did tweet that he thought the conversation was “same old same old re training me thinks” which is actually fair enough; I do think however that we can only stop talking about it when it is “fixed” (whatever that means!).

Stephen Bonner’s presentation was a distinct improvement upon what he presented at BSides, and was a thoroughly enjoyable rant, replete with chocolate missiles for the audience.

The excellent Twist and Shout were managing the video and photography, and shared many of their corporate training videos in the breaks between sessions that not only gave a very polished and slick feel to the whole day, but also some light relief.

Networking drinks were copious and enjoyable, and the dinner was excellent with after dinner entertainment from Jim Shields in his stand up comedian alter ego and an improv comedy troupe Noise next Door. A fuzzy head this morning tells me I had perhaps a little too much fun.

It was an awesome conference overall, and I hope to see it grow and become part of the established circuit. The format can only get better as while there is a place for the traditional presentation of one person delivering content and then taking some questions has its place, there is a huge advantage to the RANT approach. It allows the audience to engage far more effectively and I would hazard a guess that the audience actually retains more than the standard 20% of content afterwards. Huge congratulations to Acumin for not only making it happen, but also for ensuring it was as free from the commercialisation of so many other vendor driven events, a hugely refreshing approach. The biggest congratulation of the day though must go to Gemma for making it happen.

The IRMS – a new angle on information security and risk management

Leave a comment May 23, 2013 Thom Langford

I have recently returned from a conference that I might not have ordinarily attended or even been able to justify, namely the Information & Records Management Society (IRMS) conference in Brighton.

I had been invited to participate in a panel session on Monday morning entitled “Adapt or Die: Is Records Management still relevant in a World of Big Data” alongside Christian Toon (@christiantoon) and Phil Greenwood of Iron Mountain, and Sarah Norman of HM Treasury. Not only was it an excellent discussion, but it struck me quite how similar the challenges are between the IRM world and the risk management/CISO world.

We answered a question around how can the IRM folks avoid only getting funded and have attention paid to them after an emergency, and it immediately struck me that this is exactly what happens with security. Another related question concerned connecting effectively to the business and I was able to relate the tasks of the IRM function to the Confidentiality, Integrity & Availability (CIA) goals of the information security professional, and how the two goals are very similar.

Even the opening speech spoke about IBM’s Four V’s of big data (quoted), namely:

Volume: Enterprises are awash with ever-growing data of all types, easily amassing terabytes—even petabytes—of information.
Velocity: Sometimes 2 minutes is too late. For time-sensitive processes such as catching fraud, big data must be used as it streams into your enterprise in order to maximize its value.
Variety: Big data is any type of data – structured and unstructured data such as text, sensor data, audio, video, click streams, log files and more. New insights are found when analyzing these data types together.
Veracity: 1 in 3 business leaders don’t trust the information they use to make decisions. How can you act upon information if you don’t trust it? Establishing trust in big data presents a huge challenge as the variety and number of sources grows.

Isn’t this exactly the sort of thing that CISO’s have to grapple with every day?

The world of the IRMS and the world of the Infosec Professional are very closely related it seems, and I think this relationship is one that needs to be explored by both communities further to ensure mutual goals are more easily met.

Christian Toon and me looking rather spiffy

On a personal side I had a great time speaking with the vendors, watching a few presentations and taking part in the pub quiz (we didn’t win..). There was even a black tie gala dinner on Monday that was an absolute blast that culminated in my friend, Christian Toon, being awarded a fellowship of the IRMS which was just fantastic to to be able to see.

I am sincerely hoping to go to next years event, and perhaps hoping even more that by then the argument to attend will be much easier as our industries begin to forge closer ties.

The EU, Porn, and Hollywood

1 Comment May 18, 2013 Thom Langford

And if that title doesn’t attract attention I don’t know what will…

Unfortunately (for you) while this title is accurate the rest of this post may not quite deliver what you are expecting or hoping for. Just a few days ago (Thursday 16th May) I attended for the first time an ISSA-UK chapter meeting in Bristol where Marcus Alldrick, Richard Hollis and myself were presenting (in that order) to the great and the good of the south west infosec community.

Marcus Alldrick emphasises…

Marcus’ presentation of The EU’s Proposed Data Protection Regulation, It’s Life Jim But Not As We Know It was very well received with a huge amount of interaction to the point of a twenty minute overrun. I have tended to avoid expending too much energy on draft legislation like this as it often changes dramatically the closer it gets to publication (MA201 CMR 17 is a good example of this), and so the view that Marcus presented was a welcome one. Although his deck was content rich he put it across in his own inimitable style and I found it hugely educational. One point that came across loud and clear is that if it gets enacted in its current format one of the most sought after roles in any company will be that of Chief Privacy Officer for the job security alone (the role must be filled by the same person for a minimum of two years!).

…and Richard Hollis boasts

Second up was Richard Hollis with his hotly anticipated Deep Threat – Top 10 Lessons to Learn from the Online Adult Entertainment Industry. While the expected jokes and euphemisms came thick and fast underneath it were some startling and very interesting lessons, but namely that the adult entertainment industry simply does information security far better than the rest of us; they are single minded, have a lot to lose, and ultimately see the “battle” with maintaining security as just that… it’s a war which they are determined to win. A fascinating insight into an often overlooked industry with some great lessons summarising the underlying security ethos of this industry.

I’m a little teapot

Finally it was my turn. To be honest I was somewhat apprehensive following these two presentations; there was a huge amount of interaction to this point and while my presentations somewhat relied on audience participation the main points I was raising were quite high level and in some cases not often talked about. I shouldn’t have worried. I had an absolute blast talking about different elements of risk management and getting some excellent feedback, comments, questions and of course different opinions. My case was obviously helped by the fact that I was handing out prizes for each correct answer identifying a quote to a film! The presentation itself is below along with a few snippets of the presentation itself taken from the back of the room.

I have always been impressed with the ISSA-UK meetings, the quality of the discussion between people and to be honest the great value that membership of this association brings. I am very much looking forward to more of these, and if asked to present again at one of their sessions. My thanks to Alan and Gabe (@infoseccrow) for giving me the opportunity to present here.

UFOs Dirty Dancing and Exploding Helicopters (PDF)