The Simple Things – The Screensaver Lock

The principle behind the screensaver lock is that you build a fail-safe into your computer should you walk off leaving it unlocked (that is what we all do anyway, right?). The normal timing is somewhere between ten and fifteen minutes, and is more often than not enforced in organisations with an Active Directory policy or similar. In principle, therefore, whenever your screensaver activates it requires a password to unlock the screen when you return.

It is worth noting that any mobile device such as a tablet or smartphone should also have this feature enabled, although it can also be activated by switching the device off if required.

In the BYOD world of course this simply needs to be something you ensure is in place on your own computer, with the timing set to something that works for you – mine is fifteen minutes, and is harmonised with the energy saving and general computer power saving timings.

There are and will remain many objections to this kind of security control, but they can be boiled down into one of three:

1 – Presentations. I have heard on many occasions that the screensaver will kick in during a presentation, and I have some sympathy with this. I haven’t had it happen to me with a Mac (although I tend not to stay on one slide without any kind of mouse click or animation!). This can have two effects of course: either it tells the audience that there are additional security controls employed by this company, or that the presenter is an amateur who can’t manage their computer during something as important as this presentation.

This is challenging to fix – you can’t disable the lock for all who do presentations as that would expose a huge number of computers. And you can’t allow people to disable the lock themselves as it is very likely a large proportion will not re-enable the lock.

The solution in my opinion is to allow by policy the disabling of the screensaver for a fixed period of time, say two hours, before it gets automatically re-enabled. I am not sure if this can be managed through standard AD policies or not, but it would certainly address this particular opposition.

2 – Servers and accounts. In many cases where people have sandbox environments or the like under their desks there are many requests to disable the screensaver because of batch files that run in the foreground. In every case I have observed to date this is simply because of sloppy or inexperienced implementation of the batch file. When the batch files or executables are converted to run as a service they can run very happily with the screensaver enabled.

Except in very rare circumstances this is not a reason to disable the screensaver lock.

3 – Finally there is the group of people who simply don’t like being told! This is where education, awareness and some good old fashioned face to face communication comes into its own!

Nonetheless, whatever the objection, anyone with an ounce of concern for security should consider this control on any device in a BYOD environment, and perhaps more importantly on any mobile device.
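The post describes the control as an idle timeout, a required password on resume and a ten-to-fifteen-minute limit, normally pushed out by AD policy. The following audit script is an added example, not code from the original post: it reads the standard per-user screensaver settings and their Group Policy counterparts (the policy key wins when present, as Windows applies it) and reports whether the machine meets the post's guidance. The 15-minute limit is taken from the post; the registry locations are the standard Windows ones.

```powershell
# Added example: audit the current user's screensaver lock against the post's guidance
# (screensaver enabled, password required on resume, idle timeout of at most 15 minutes).
$MaxIdleSeconds = 15 * 60

# Values set by Group Policy (AD) take precedence over the user's own Control Panel settings.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

function Get-ScreenSaverSetting {
    param([string]$Name)
    # Return the first value found, policy key first, with the key it came from.
    foreach ($key in @($PolicyKey, $UserKey)) {
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.$Name) {
                return [pscustomobject]@{ Value = [string]$item.$Name; Source = $key }
            }
        }
    }
    return $null
}

$active  = Get-ScreenSaverSetting -Name 'ScreenSaveActive'     # "1" = screensaver on
$secure  = Get-ScreenSaverSetting -Name 'ScreenSaverIsSecure'  # "1" = password on resume
$timeout = Get-ScreenSaverSetting -Name 'ScreenSaveTimeOut'    # idle seconds before it starts

$findings = @()
if (-not $active -or $active.Value -ne '1') {
    $findings += 'Screensaver is not enabled'
}
if (-not $secure -or $secure.Value -ne '1') {
    $findings += 'Screensaver does not require a password on resume'
}
if (-not $timeout -or [int]$timeout.Value -le 0) {
    $findings += 'No idle timeout configured'
} elseif ([int]$timeout.Value -gt $MaxIdleSeconds) {
    $findings += "Idle timeout is $([int]$timeout.Value / 60) minutes (limit is $($MaxIdleSeconds / 60))"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: lock enabled, password required, timeout $([int]$timeout.Value / 60) min (from $($timeout.Source))"
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

The Source field shows whether each value came from policy or from the user's own settings, which is the quickest way to spot a machine where someone has quietly disabled the lock outside of AD.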


Book Review – The Cloud Security Rules

I wrote a pre-emptive review on Amazon some time ago for this book based upon an advance copy I was fortunate enough to receive. Since then there has been a revision of a number of chapters, and I have therefore had a chance to read the book again, including the revisions, and decided to post another more accurate review.

(Once I work out how to update my original post on Amazon I will do so).

As one reviewer on Amazon wrote, the book is like a series of disjointed blog articles. To my mind this is both a strength and possible weakness. The weakness being just what it says; sometimes the different writing styles and approaches, as well as the chapter changes can be a little jarring as you mentally shift gears from one chapter to another.

That said, I have long realised that books like this, written for large complex subjects, are not exactly meant to be read as novels! And this is where this book’s strength comes out. The contributing authors (at least the ones I recognise) are well respected experts in their fields and can therefore provide best of breed advice and guidance on their relevant areas.

The ability to either dip in and out at random and learn something, or even to search for a particular topic that you need advice on, is the book’s greatest strength. Want to know how ISO27001 can help you? Chapter/Rule 9. Is free really free in the cloud? Chapter/Rule 25. How about the effective approaches to risk management? Chapter/Rule 6.

This book is not the definitive piece on technology and security in the cloud (does that book even exist?), but it is an effective and simple approach to a large and complex subject that in many cases will stop many traditional IT and security managers in their tracks. It may not even answer all of your questions, but it will definitely ensure you know what questions to ask, and that in itself is the most important lesson.

Score: 4 out of 5


More Thoughts on BSides London 2012

A very quick post to spotlight the excellent talking heads reel posted recently by Javvad. Given I will very shortly be posting the video of my presentation from there I won’t waste space going over the excellent event again, suffice to say the devilishly handsome chap at 0:35 and 2:37 sums it up nicely!


BSidesLondon – Woot Woot!

What a marvellous couple of days I have just had; Tuesday at InfoSec Europe in Earls Court followed by BSidesLondon in The Barbican on Wednesday. While InfoSec was good, and I enjoyed not only the wide variety of stands, prizes, swag and educational events, it is and will always be a trade show. I always feel I am one tiny eye contact away from signing up to 1000 licenses of a product I never knew I needed.

BSidesLondon however was an entirely different event. This was the first BSides event I have attended anywhere, and its reputation as an edgier, grittier and slightly geekier type of conference (or at least that is what I picked up on) was entirely unjustified. What I experienced was an extremely high quality of talks, great organisation, interesting activities, engaging workshops and above all a broad, eclectic mix of information security professionals. To be honest, I was somewhat concerned that my professional background in governance, risk and compliance was going to be entirely misaligned, but I was encouraged to attend by a colleague in our Boston office. How mistaken I was!

I should have guessed really when a talk I submitted was voted for by the attendees (An Anatomy of a Risk Assessment) – I explicitly stated it wasn’t technical, or even focussed on a given standard, but rather a more social/human experience of risk assessments. Whilst I didn’t exactly fill the auditorium to the gunwales, I estimate there were about seventy people attending. I also had some great questions at the end and a stream of conversations and compliments throughout the rest of the day. I even managed a few more Twitter followers!

(On that last point, I think I really am going to have to pull my finger out now and start providing some real value on Twitter, and especially this blog!)

The “Crew”, a team of people entirely made up of volunteers who gave up their full day to support the event (and miss out on all of the great activities as well), did a phenomenal job in both setting it up and managing it. I was able to thank a few of them in the bar at the after party, but I know I missed a few; to all of you, Thank You!

If pushed to, there would be a few things I would change; please understand this is by no means a criticism of any aspect of this year’s event, but rather a desire to see a cycle of continual improvement!

1. Make it a two day event. I would hope this would encourage more volunteers who could do a half day stint at a time. This would mean that volunteers would not miss out on the excellent content. (I heard many times “I haven’t been able to see a single talk all day”)

2. Charge a nominal fee. By nominal I mean £50 for two days (£25 for students/concessions etc of course. That is only a night or two of beer for an average student and they will more than make up for it at the after parties!). This would ensure people actually turn up – I saw a lot of unclaimed name badges at the reception which is a massive shame given the clamour for tickets. One day tickets could be suitably priced at £30 and £15. This would also take the pressure off the organisers for the basics like T Shirts, lunch, booking fees etc and the (excellent) sponsors can focus on the value-add stuff.

3. Increase the numbers. I know smaller events have a niche value and connect with the community more effectively, but I think a third track format could easily be accommodated next year as the reputation of this event will only improve and numbers wanting to attend will increase. There is a balance to be had, but pushing to 500 or 600 is still viable in my humble opinion.

All that said, even if everything stayed the same I will still be attending next year, and hopefully speaking again. Congratulations to all involved, what an amazing event. It’s barely been two days and I am already looking forward to next year’s!


An Anatomy of a Risk Assessment at BSidesLondon (Updated)

(Updated) The lovely people at @twistandshoutUK and @j4vv4d have very kindly sent me the recording of my presentation. I have inserted it below, just above the slideshow so you can follow along and pause the slideshow in time with the presentation!

Here are the slides from my presentation at today’s BSidesLondon. I will add the video of the presentation in a few days once I get a copy from the organisers and process it.

As always, comments are welcome; let me know if you loved it, hated it or were even perplexed by it. Every comment is a valuable piece of learning for me!

You can also find a downloadable version of the presentation directly here.