Getting Ahead in Information Security

getting ahead

(Originally Posted on the VIA Resources Blog here.)

Advancing your career in information security, let alone getting a job in it in the first place is challenging and sometimes overwhelming at best. It can often feel like an exclusive club that is hard to break into, and the “elder statesmen” of the community distant and aloof. With these kind of barriers where do you even start to try and network and make contact with people who could not only progress your career but also start it?
The real answer at first appears flippant; if you want to be a part of a community you need to engage with it and join in. Obviously, that is harder than it seems, so here are three ways you can help yourself to getting ahead in Information Security:

1. Start attending the many free events that are held every week.
There are plenty of these around, you just have to look for them, such as (ISC)2 and ISACA events, plenty of sponsor driven events and community driven events. Europe’s largest information security event, Infosecurity Europe is a free three day event which not only gives you access to all of the vendors out there, but also an excellent education programme. Traditionally on the same week there is also BSides London, a free one days event, although this one is ticketed. Not in London? Then consider BSides ManchesterSteelCon and SecuriTay. Seek them out and you will find them. Not in the UK, then Google is your friend.

2. Attend some of the bigger, paid for conferences.
Obviously this is not always easy, especially given the price of the tickets and the whole reason you are reading this is that you need a job! All of these conferences require a huge amount of effort and willpower to get them to run smoothly on the day, and many of them require… volunteers. 44CON has one of the best volunteer crew programmes I have come across, with plenty of perks available. By volunteering for these events you are not only showing yourself to be a stand-up member of the community, willing to help out and contribute, but you will also get unprecedented access to the attendees, speakers and organisers. They are yours for the networking!

3. Contribute to the community.
This could be anything from volunteering (above), blogging, tweeting, offering to speak, writing articles for the various community news outlets, in fact anything that gets your name out there. Submit in the variety of Call for Papers (CfP) and you normally get a free ticket, and sometimes travel expenses paid too. Depending upon your grammatical and public speaking skills, this could be very tough but who said progressing your career was easy? Being able to articulate your personal opinions on the often very contentious issues in the industry is an excellent way of improving your ability to assimilate, process and form your own opinions and views for the benefit of the community. What better way of getting known in the industry?

All of the above require time dedication and effort, but since this is your career we are talking about, are these too much to ask?


Flushing Risk at 44CON

logo-1I have just returned from two long days and two long nights of 44CON, the premier conference in London for technical InfoSec professionals (and even a few of us management types). It saw the debut of by “Flushing Away Preconceptions of Risk” presentation, an expansion of the my recent post for the Analogies Project.

The core messages of the presentation are not necessarily pleasant ones; the correct use of risk in any organisation is one of the most powerful tools in an information security programme, and yet it seems to me that very few of us understand it fully. Many of us struggle with not only identifying what the real risks are in the first place, but also how to measure them and even how to properly treat them.

Doing my bit to advertise 44CON

Doing my bit to advertise 44CON

Identifying risks at first seems like an easy think – identify assets, and then identify what could go wrong. I won’t elaborate the analogy much here (read it at the Analogies Project), but given how we regularly fail to identify risky behaviours correctly in our daily lives it should be no surprise we fail to do so professionally. The same bias applies to when we subsequently try and measure the risks; every mechanism we use introduces potential errors and even vagueness. I was quite proud to introduce the Langford/Malik Risk Model (ver 1.0), an approach that I evolved from one that Javvad Malik introduced in his book. Again, it uses an analogy although this time of a pub fight to not only describe levels of risk but also risk appetite. I do hope that not too many of you will find it useful next Friday and Saturday night.

ThomLangford_2014-Sep-08

The Langford/Malik Risk Model ver 1.0

Finally the effective treatment of risk was covered, and how we so often simply do what has been done before, not what is going to be effective now. Just because a risk hasn’t been realised doesn’t mean you have treated it effectively, it just means that an incident hasn’t happened (that you know of).

The slides are below, but since my presentation style has evolved more into storytelling rather than bullet point reading, by themselves they may say little to you, but the session was recorded and when it is released I will make it available here. Like any presentation it barely touches the surface of risk management and its issues, but it was intended to be thought provoking and prompt people to not assume that just because they have always done things in a certain way that it is the best or even correct way.

This slideshow requires JavaScript.

As for 44CON itself, well, any conference that has a “gin o’clock” on each day has to be pretty good in my books! It was a very well organised conference, with an excellent and highly motivated Crew to help support it. SpeakerOps were particularly good providing a personal touch I have not seen at any other conference. The quality of the talks and the speakers was also excellent, but as I alluded to in my introduction, many of them were technically beyond me!

The highlight for me however was a workshop I attended demonstrating the beta version of the Cyber CPR product. This is a virtual machine (that can also be deployed on ultra portable hardware if need be) that builds and entire incident management environment allowing for the discovery, gathering and analysis of evidence during an incident. It build a virtual “war room” environment, where multiple incidents can be tracked at once, in a secure and separate environment from the one that has actually just been breached. With tools built into the backend and access via a browser it even does away to have many of the tools on your own environment, making it great for remote and ad hoc use alike.

The product is in Beta at the moment, and does lack a few features, (they described it as not ready for active duty), but what i saw  was very polished and useful even in it’s beta configuration. Commercially it will be available for free with up to three users, and only $5k GBP for up to twenty (please don’t quote me on these figures though). I would strongly recommend you take a look at this excellent environment that for very little outlay will significantly improve many current incident response teams, and their over use of Excel. The team expects it to be commercially ready by Spring next year.

ThomLangford_2014-Sep-13

Obligatory selfie with Jonathon Schiefer

The final highlight was to be able to meet Jonathon Schiefer  the director of the film Algorithm  which had its European debut at 44CON on Wednesday night. It was fascinating to hear about the backstory of the film, his challenges and even how he made the film financially and technically. He was an absolute pleasure to chat with, and I thoroughly regretted my decision to have a curry instead of watching the film. At a stretch you could say we are kindred spirits when it comes to our film making, but he is without a doubt in an entirely different league to me!

44CON will be back next year, but we were also enticed with the news of another 44CON spring conference being planned as well. I would strongly recommend anyone who can get to London to attend both of these conferences. Congratulations to Adrian and Steve and the many people in the crew for putting on a fabulous conference.


That was the week that was; InfoSec Europe, BSides and the Security Bloggers Network

?????????????????????????????????????????A lot of good stuff has already been written about this last week with regards to BSides London, InfoSecurity Europe and the Security Blogger awards, so this post is a personal recollection after the haze of too many late nights, early mornings and good times.

Tuesday 29th bought BSides London, and once again the volunteers surpassed themselves; it retained two tracks but definitely felt expanded with the workshops and a new location for the rookie track. The organizers should feel rightly proud of what they have done, and those of you who didn’t turn up on the day (and therefore denied others of a ticket) should take good long look at themselves in the mirror.

photo 5

The Danger Zone Dream Team

I had to spend the afternoon over at Infosecurity Europe as I was on a panel titled “One big threat to cyber security: IT Geeks can’t talk to management” alongside Dwayne Melancon and Stephen Bonner. It was only 25 minutes long but I felt we managed to push a lot of good advice and takeaways into it, and the conversations continued afterwards in the hallway. I even managed to get a reference to Kenny Loggins into one answer, something I feel rightfully proud of.

BmZdYWHIIAAf1Lq.jpg-large

Joseph & Ian rocking the BSides Rookie Track

photo 1

Trying to look young again…

Then back to BSides to see Joseph Gwynne-Jones speak on the rookie track. I was mentoring Joseph this year, and to be honest I found it very challenging as Joseph is profoundly deaf; we couldn’t speak in the run up to BSides and could only communicate over email and Twitter. I advised as best I could, reviewed slides etc, but what was crucial was the ability of his interpreter being able to effectively communicate the jargon etc on the day. Given Joseph wouldn’t meet him until the morning of the conference this would be quite a challenge. As it turned out Ian Hodgetts  did a marvelous job, and was also on hand to interpret into British Sign Language (BSL) of all of the talks Joseph went to. We believe this is a first for an info security conference. Joseph obviously did an absolutely cracking job and I was able to spend some time with him and Ian afterwards talking about what else we could do in the future to improve further. It was an eye opener for me, and an absolute education in how important it is to communicate clearly and effectively in these kinds of conferences to absolutely everyone who attends. At the after party I was able to wear the hoody that was generously given to me by the Abertay Ethical Hacking Society, and feel like a student again (if not look like one).

photo 4

Best Personal Security Blog

Wednesday bought Infosec Europe again after a few early morning meetings, (including some scheming and rubbing of hands with invisible soap with the good folks of 44CON at the 44Cafe – I can’t wait for September!) but the highlight was of course the Security Bloggers Awards. Between me and Host Unknown I was up for eight awards in total, and came away with the award for Best Personal Security Blog, again! I was both surprised and touched that I was able to get this award again. Host Unknown didn’t fare as well unfortunately, but I can guarantee that the next twelve months will put us in a very strong position for next year, both at the European awards as well as the USA awards at RSA. Unfortunately Andrew was indisposed to help us collect a Host Unknown prize (that we didn’t win).

BmobKKsIgAAdZfj.jpg-large

Confirming what everyone already knew

(I have said this before but will say it again, everyone who is not only involved but also nominated for the blogger awards represents the very best of our industry in that they are all contributing their time and expertise to the community; I can’t recommend enough that if you are reading this that you also read their blogs too. Also, none of this would have happened without Brian Honan, Jack Daniel, Tenable, Tripwire and Firemon; thank you all.

Thursday bought another panel, this time in the Keynote Theatre with a panel on “Risk and control: Effective risk assessment methodologies to drive security strategy and investment” (alongside Vicki Gavin, Paul Haywood and moderated very well by Dave Clemente. It was a good, vibrant session and with plenty of questions both during and after the session.

photo 2

Inspired by the success of the CI Double SP film, we create a band called “CISS (P)”

A selfie, with a very famous CISO of Restricted Intelligence

A selfie, with a very famous CISO of Restricted Intelligence

Finally for the afternoon I got involved in only what can be termed a “flash mob” for Twist & Shout (as soon as that is released I will show it here!) and then got engrossed in the hallway track with the likes of Shan Lee, Quentyn Taylor, Peter Stephens, Jim Shields, Dave Lewis, Wim Remes, of course my conference partner in crime Javvad, and the lovely folks of Eskenzi and Acumin.

If there is one thing that is apparent form the above it is that any conference week is only valuable from the people you meet there. This list must be barely 10% of the people I shook hands with, shared a drink or said hello to, all of whom influence me to one degree or another. Whatever your thoughts on the infosec conference scene, this aspect alone is what makes it worthwhile. Apologies to anyone and everyone I have missed out.

InfoSecurity Europe is a show that has gone from strength to strength over the last few years, with the education programme improving; combine this with an excellent BSides London Conference, this week in Europe is one to look out for (although next year Infosec Europe and BSides will be from 2nd to 4th June at Olympia).


Why >WE< must meet the demands of the business

At the recent RSA conference in San Francisco, David Spark asked the question “Why doesn’t the business align better with security?” and there were some interesting responses:

I actually only agreed with the last comment from Michael Farnum (whom I have followed on Twitter and finally got to meet for the first time at RSA… see “bald men of security” in my RSA roundup). He rightly says that that the business should not align with security, as it is the role of security to align with the business. Compare this to the question “Why doesn’t the business align better with IT?” or “Why doesn’t the business align better with HR?” and the question immediately becomes moot.

levelI think David was right to ask the question because it has uncovered with greater clarity something that I and many other have been talking about for some time now, namely that security for too long has been carying out secrurity for its own sake rather than supporting the business achieve its goals. In my own paraphrased words “this is what I need security to do to help me sell more beer“.

This was reiterated by Andy Ellis at a session at RSA where he said precisely this;

are you the conscience of the business or an enabler to the business?

Finance is there to provide money, make that money work more effectively and ensure the money is providing the best value for the good of the business. IT is there to provide technology services at the best possible value for the good of the business. HR is there to provide people, support them, nurture them and align them (or move them  out), for the good of the business.

What is your security programme doing for the good of the business, rather than the good of security? Asking this question alone will help you along to your business goals and actually help them achieve their goals, not yours.


Top Five From RSA USA 2014

rsac2014-program-guide-cover-320x407pxI attended the RSA Conference USA last week and was able to witness the chaos, FUD, genuine insight, original thoughts and 25,000 people queueing for a coffee and bagel at 10 o’clock in the morning.

Rather than even attempt to do an end of show round up that other have been able to do far more successfully than me, here are the five things that I remembered the most from the week:

3M Visual Privacy

I still think 3M produce the best privacy filters for monitors, but I have been waiting a long time for technology to catch up and remove the unsightly and easily-left-behind at home piece of plastic in favour of a solution built into the screen itself. Whilst I didn’t unfortunately see that, one of the product managers assured me that this is exactly what the boffins at 3M are currently working on. This is going to be a huge step towards universal and transparent (forgive me) visual security for people using laptops in public places.

MISD_PrivacyFilters_Apple_IMG_ENWW3M also surprised me by demonstrating a pice of software they have designed as well; the known problem with privacy filters is that they only protect you from people looking at your screen from your left or right. From directly behind you they can easily see your screen. The software uses the built in webcam to recognise the users face, and if another face appears in the background looking at the screen, pops up a warning to the user and blurs the screen. To be honest it was a little clunky when I saw it, and it is currently only being developed for Windows, but this is exactly the sort of environment that people working with sensitive information need to “watch their backs” almost literally. I hope they continue to refine the software and expound it to all other major platforms.

Security Bloggers Meetup

sbnRSAC USA sees the annual meet up of the Security Bloggers Network, so i was very excited to be able to attend this year and witness the awards show and a great deal of silliness and nonsense (to whit, the “bald men of InfoSec” picture for one). I managed to meet for the first time a whole bunch of people that I have either conversed with or followed myself, and some of whom I have very much admired. No name dropping I am afraid as there is too much of that later on in this post, but one thing I did take away was that there is a very valid desire to harmonise the North American and European Security Blogger Awards moving forwards which can only be a good thing and build the international blogger network further. In fact, you can now nominate for the EU Security Bloggers awards here.

The "infamous" bald men of security.

The “infamous” bald men of security.

SnoopWall and Miss Teen USA

snoopwall-website-logoIt wouldn’t be a security conference without some kind of booth babe furore and this one was no different. Although the presence of booth babes has dramatically reduced over the last few years there were still a few vendors insisting on using them. And then we thought we had hit a new time low with the presence of Miss teen USA, Cassidy Wolf, at the SnoopWall booth in the South Hall. Condemnation was rapid and harsh. BUT WAIT… THERE’S MORE TO THIS STORY THAN MEETS THE EYE! After I retweeted my feelings about a teens presence at a conference that could best be described as a recovering alcoholic when it come misogyny, I was contacted by Patrick Rafter, the owner VP of Marketing of SnoopWall.

They have partnered with Cassidy to promote privacy amongst teens in complement to their product that detects the misuse of, for instance, the webcam on your computer or your phone. For those that may not know, Cassidy was the victim of blackmail from an ex classmate who hacked into her webcam in her bedroom, took photos and then demanded more pictures. It goes without saying she stood up to the blackmailer, and has since made privacy one of her “causes” during her tenure as Miss Teen USA. Was having her at their booth at RSA a little misjudged? Yes. Is their cause and campaign (and software for that matter) actually have very good intentions? Absolutely. I chatted with Patrick a day later and while he acknowledged how Cassidy’s presence could have been misinterpreted, he strongly defended her presence and her intentions. I honestly found it laudable. Hopefully over the next few years as the industry finally sorts out its booth babe problem, people like me won’t be jumping to the wrong conclusions as we assume the worst.

The Thomas Scoring System

Thomas Scoring System LogoA few months ago I posted about Russell Thomas’ approach to risk management. I had the good fortune to meet with Russell at the Security Bloggers Meet Up and chatted in depth about his approach to measuring risk consistently. He has turned this idea into a very practical approach via an Excel spreadsheet, a point I made in my earlier review. This is important because without a way to implement at a very practical level it remains a theory. The following day Russell was kind enough to walk me through how to use the system in practical terms, and I am going to be trying it out in my day job as soon as possible. I would urge you to take a look at the Thomas Scoring System as I strongly believe it is a great way of bringing metrics together in a meaningful way.

Gene Kim & The Phoenix Project

I was fortunate enough to have been introduced to Gene Kim, the founder of Tripwire, author, DevOps enthusiast and all round genius/nice guy a few months ago, and we had chatted a couple of times over Skype. (Gene is very generously offering me his guidance around writing a book and his experiences publishing it; yes you heard it here first folks, I intend to write a book!) Knowing he was at RSA I was able to seek him out, and I can now say I have met one of my InfoSec heroes. He is a genuinely charming, funny and generous guy, and he was good enough to sign a copy of his book, The Phoenix project, as well as allow me to get a selfie with him. I would strongly encourage everyone in this field, as well as many of those not in it to read The Phoenix Project, as it quite literally changed the way I looked at the role of InfoSec in a business, and that wasn’t even the main thrust of the book.

Gene very graciously allowing me to take a selfie with him

Gene very graciously allowing me to take a selfie with him

It has taken me nearly a week to recover from RSA, but despite the scandal and boycotts and minor demonstrations it was an excellent conference, as much for the presentations as the “hallway track”. As always, my thanks to Javvad for being my conference wing man again.

Is that Javvad, or a waxwork I am posing with?

Is that Javvad, or a waxwork I am posing with?

Now it is back to real life.