Taking RANT to New Levels

4 Comments
Noise Next Door giving conferences a new twist

Noise Next Door giving conferences a new twist

For a variety of reasons I have been unable to post here as frequently as I have liked, but the great advantage of attending a conference is that it does spur one into action to get something written down. Tuesday Jun 11th saw a new kind of conference come to town, the RANT conference. Based upon the monthly RANT forum there were only three individual speakers with the rest of the sessions effectively panel debates but with significantly more audience interaction encouraged.

There were a number of highlights for me, not least all of the people I met there, new friends and old. One of the big surprises for me was the opening keynote from Mark Stevenson of the League of Pragmatic Optimists. I thought it an odd choice of speaker, a futurologist, but very much enjoyed his talk once I got over myself. he looked at (amongst many other things)  how the digital revolution is changing our lives daily. What it came down to though is that despite the massive amount of change that has gone before us, the digital revolution is merely the cocktail sausage of dinner; we cannot begin to imagine what is around the corner.

I also enjoyed watching Javvad play up to his InfoSec rockstar status alongside Neira Jones and the irrepressible Stephen Bonner. It was unfortunate that the final panellist, Ed Gibson, killed the dynamic of the panel dead, changing what should have been an upbeat and funny session into a monologue of personal dislikes that crossed the line into embarrassing.  I thought Javvad played to his RockStar persona very well, but also presented how he made his way to the level of industry notoriety he currently enjoys and the benefits it actually brings to the industry. The serious point of them actually being ambassadors for infosec was quite rightly made. Unfortunately Ed did the same for the next panel on state sponsored espionage, killing what should have been a powerful insight into the topic given his background. I understand Ed is a very highly rated speaker, but on the evidence of yesterday I won’t be rushing to see him speak, and how he handled himself was unfair on the other panellists and indeed on us as an audience.

The Boy Band Strikes back

The Boy Band Strikes back

The rest of the day went very well though, with plenty of laughs with the University Challenged pitting the grey hairs of the industry against the students of Royal Holloway, and a session on security awareness that I was invited to participate in alongside Geordie Stewart, Charles Clarke, Christian Toon and my old mate Bruce Hallas. The reaction from the audience was very positive, with some great questions and opinions. We didn’t all agree, which is exactly what needs to happen; if we all agree, nothing changes, but if there is dissent then that can finally lead to actually driving change in the industry. On the whole it was well received and moderated nicely by Jim Shields, although someone did tweet that he thought the conversation was “same old same old re training me thinks” which is actually fair enough; I do think however that we can only stop talking about it when it is “fixed” (whatever that means!).

Stephen Bonner’s presentation was a distinct improvement upon what he presented at BSides, and was a thoroughly enjoyable rant, replete with chocolate missiles for the audience.

The excellent Twist and Shout were managing the video and photography, and shared many of their corporate training videos in the breaks between sessions that not only gave a very polished and slick feel to the whole day, but also some light relief.

Networking drinks were copious and enjoyable, and the dinner was excellent with after dinner entertainment from Jim Shields in his stand up comedian alter ego and an improv comedy troupe Noise next Door. A fuzzy head this morning tells me I had perhaps a little too much fun.

It was an awesome conference overall, and I hope to see it grow and become part of the established circuit. The format can only get better as while there is a place for the traditional presentation of one person delivering content and then taking some questions has its place, there is a huge advantage to the RANT approach. It allows the audience to engage far more effectively and I would hazard a guess that the audience actually retains more than the standard 20% of content afterwards. Huge congratulations to Acumin for not only making it happen, but also for ensuring it was as free from the commercialisation of so many other vendor driven events, a hugely refreshing approach. The biggest congratulation of the day though must go to Gemma for making it happen.

photo[5]

The IRMS – a new angle on information security and risk management

Leave a comment

photo[1]I have recently returned from a conference that I might not have ordinarily attended or even been able to justify, namely the Information & Records Management Society (IRMS) conference in Brighton.

I had been invited to participate in a panel session on Monday morning entitled “Adapt or Die: Is Records Management still relevant in a World of Big Data” alongside Christian Toon (@christiantoon) and Phil Greenwood of Iron Mountain, and Sarah Norman of HM Treasury. Not only was it an excellent discussion, but it struck me quite how similar the challenges are between the IRM world and the risk management/CISO world.

We answered a question around how can the IRM folks avoid only getting funded and have attention paid to them after an emergency, and it immediately struck me that this is exactly what happens with security. Another related question concerned connecting effectively to the business and I was able to relate the tasks of the IRM function to the Confidentiality, Integrity & Availability (CIA) goals of the information security professional, and how the two goals are very similar.

Even the opening speech spoke about IBM’s Four V’s of big data (quoted), namely:

  • Volume: Enterprises are awash with ever-growing data of all types, easily amassing terabytes—even petabytes—of information.
  • Velocity: Sometimes 2 minutes is too late. For time-sensitive processes such as catching fraud, big data must be used as it streams into your enterprise in order to maximize its value.
  • Variety: Big data is any type of data – structured and unstructured data such as text, sensor data, audio, video, click streams, log files and more. New insights are found when analyzing these data types together.
  • Veracity: 1 in 3 business leaders don’t trust the information they use to make decisions. How can you act upon information if you don’t trust it? Establishing trust in big data presents a huge challenge as the variety and number of sources grows.

Isn’t this exactly the sort of thing that CISO’s have to grapple with every day?

The world of the IRMS and the world of the Infosec Professional are very closely related it seems, and I think this relationship is one that needs to be explored by both communities further to ensure mutual goals are more easily met.

Christian Toon and me looking rather spiffy

Christian Toon and me looking rather spiffy

On a personal side I had a great time speaking with the vendors, watching a few presentations and taking part in the pub quiz (we didn’t win..). There was even a black tie gala dinner on Monday that was an absolute blast that culminated in my friend, Christian Toon, being awarded a fellowship of the IRMS which was just fantastic to to be able to see.

I am sincerely hoping to go to next years event, and perhaps hoping even more that by then the argument to attend will be much easier as our industries begin to forge closer ties.

European Security Blogger Awards 2013 – a Thank You and an important tip

4 Comments
The Beautiful Trophy Itself

One of the Shiny, Beautiful Trophies

Just over a week ago the good, the awesome and the rockstars of the European blogging scene centred upon the the function room of the Prince of Teck pub in Earls Court for the inaugural European Security Blogger Awards of 2013. The atmosphere had a nervous tension and a strong feeling of anticipation (as well as a few bow ties for some other award going on immediately after that night!). These awards would not have happened if it wasn’t for two gentlemen in particular, namely Jack Daniel (@jack_daniel) and Brian Honan (@brianhonan) and without the sponsorship of Tenable (for the bar) and Qualys (for the trophies themselves). Both of them organised this off their own backs, were extremely gracious hosts and ultimately did this for the betterment of the European infosec community, and I wish to recognise that formally.

Thank you Jack and Brian, and to our sponsors.

But moving onto the awards themselves; after an initial round of blind nominations, the finalists were announced on Saturday 13th April and a no doubt frenzied bout of voting commenced, interspersed by all the finalists vying for your votes. My favourite had to be this one from Kai Roer (@kairoer), someone certainly not known for his modesty!

Kaibloggeraward

But aside from my evil twin shamelessly and quite rightly asking for votes (he has a great blog, check him out!) there were regular reminders and links from Brian and Jack to get voting and many retweets. I’m not sure how many votes were cast but I imagine they were well into the hundreds.

And so the night came, and after a day at Infosecurity Europe just over the road, and the practising of our “disappointed we didn’t win but SO happy for the winner” faces, it was down to Jack to announce the nominees and winner. They are listed below, but before that I want to move onto the tip I promised in the title…

Below are links to some of the smartest minds in our industry, and not only that, but they are willing to share their knowledge with you, for free. In any industry that is a rare gift to be given so I would like to encourage everyone who reads this to visit some of these blogs and follow them on Twitter, and also actively participate in the discussions, opinions and (dare I say it) thought leadership that is being presented. As a blogger myself I know the thrill of discussing a topic with someone, whether they agree with me or not. If you disagree with something that is being said, then politely and respectfully say so and put your point across. Even a simple message of support or a ‘Like’ means these people are going to be more likely to continue to blog and share their ideas with you in the future. And of course, if you think you can do better we would welcome you with open arms; this is not an exclusive club.

And so, without further ado, and a final thank you to Brian and Jack, here are the results of the European Security Blogger Awards 2013!

Best Corporate Security Blog
Malware Must Die
Sophos Naked Security Blog  < WINNER!
F-Secure Labs Blog
Countermeasures
SecurityWatch
SCRT Information Security
Cyberis Blog
Security for UK Legal Professionals
Holistic Security Blog
Securelist

Best Security Podcast
Finux Tech Weekly 
Eurotrash Security Podcast  < WINNER!

Best Security Video Blog
Christian008
Info Cynic < WINNER!
Security Tube

Best Personal Security Blog
Chat Back Security
Neira Jones
/Dev/Random
Pentest-n00b
The Roer Information Security Blog
SecurityWatch
Make IT compliant – Security and Compliance
Naked Security
Thom Langford  < WINNER!

Most Entertaining Blog
The Gentleman Hackers Club
Info Cynic  < WINNER!
Sophos Naked Security Blog
Holistic Security Blog

Most Educational Blog
Sophos Naked Security Blog
Infosec Cynic
HTML5 Security
Security Watch  < WINNER!
Securelist
Holistic Security Blog
Professor Alan Woodward Blog
Offensive Coder
Bruce Hallas 

Best New Security Blog
Jitender’s blog
Advent IM Security For Schools
Chatback Security
Marlin Brighton Blog
Dave Waterson on Security  < WINNER!

Best EU Security Tweeter
@rik_ferguson < WINNER!
@jameslyne
@_securitycat
@ChrisJohnRiley
@quentynblog
@j4vv4d
@brianhonan
@xme
@securityspeak
@gcluley
@n0x00
@0x6D6172696F
@mikko

Grand Prix Prize for the Best Overall Security Blog
Sophos Naked Security Blog < WINNER!
Infosec Cynic
F-Secure
Security Watch
Light Blue Touchpaper
Holistic Security Blog
Didier Steven’s Blog
Bruce Hallas 

If you made it this far you may have noticed I was very honoured and pleasantly surprised to have won Best Personal Security Blog, and against some real industry heavyweights too. My thanks to all of those that voted for me, it means the world to me.

One Award, Two Conferences and a Surprise in the Works

5 Comments

IMG_2138IMG_2153I am just returning from a very full three days in west London for the annual infosec conference season. I will do my best to name as many of the wonderful people I met throughout all three days, both new and old, but if I miss a namecheck or two, forgive me, let me know, and I will rectify immediately!

Tuesday bought the kick off of InfoSec Europe. After a quick run round to get some schwag  and chat with a few key vendors I had lunch with Cindy (@cindyv), Dwayne (@thatdwayne), Jitender (@jitenderarora), Javvad (@j4vv4d) and Brian (@brianhonan) to chat about RSA Europe and our proposed submissions. This was quickly followed by a couple of panels in the Keynote theatre (one moderated by Javvad) and then some good gossiping with Brian and Neira (@neirajones) before heading off to one the two award ceremonies of the night.

Well goodness, gosh and golly!

Well goodness, gosh and golly!

It was at this point the evening took a somewhat surreal turn. Having been nominated for Best Personal Security Blog at the inaugural European Security Bloggers Awards, I was both deeply honoured and supremely surprised to win!  I was also very proud to see Javvad pick up two awards as well. To say that the evening started to blur somewhat from that point on would be an understatement, but I am glad to say that the award itself did make it home safely. I did spend quite some time talking with Dwayne and Jack (@jackdaniel), predominantly about the mysogeny that still manages to find its way into infosec trade shows through booth babes that were supposedly banned form this years infosec show (looking at you ForeScout…) and then about possibly spinning up a BSides in India. Jack proved what a class act he was by offering to advise anyone who would be willing to take on this mantle in India, something I am hoping to encourage. I will be posting more on the awards in the next few days but suffice to say a huge thank you to Brian and Jack for making these awards happen.

Wednesday bought BSidesLondon. Whilst I was very disappointed not to have been able to speak it did take the pressure off considerably and I was able to enjoy a few good talks

Javvad and his heroes

Javvad and his heroes

(javvad and Stephen Bonner, @stephenbonner) and some great conversations with friends and colleagues. Max (@hoolers) if you are reading this, I apologise unreservedly for not getting around to having the chat I promised! I also managed to meet my “rookie” for the Rookie Track, Gavin (@gavinholt), as well as a great chat with Leron (@le_rond). Halfway through the afternoon I had to head back to InfoSec for my a panel I was a part of on BYOD and Consumerisation. This went very well, was entertaining and informative in my opinion, and despite two attempts at distracting me by Geordie Stewart and Andrew (@sirjester) completed without incident!

View from the panel

View from the panel

A quick visit to the RANT forum (@rantforum) was followed by a couple of drinks at the BSidesLondon after party and then an early night.

Thursday bought a couple of early meetings including Bruce to discuss the Analogies Project (@analogies) which is always a pleasure. I then formally went on vacation…

The rest of the day was taken up with filming for a project I am involved in with Javvad, Andrew and the very talented Jim (@jimshields) of Twist & Shout. More of that to follow in the coming few weeks but I am incredibly excited at what this project may bring not just to me personally but also to the infosec community as a whole (for instance, a sense of humour…).

After dinner with @secwonk, @gattaca, @turbodog, @anthonymfreed, Cindy, Javvad and Andrew, a weary but very satisfied Mr Langford returned home.

Highlights

  • Winning the Best Personal Security Blog Award
  • Thursday afternoon (see above)
  • ForeScout’s apparent admittance that they needed booth babes to help sell their product

Lowlights

  • Missing Gavin’s presentation because of a scheduling conflict
  • Not finding myself spoilt for choice for presentations to attend at BSides – I thought the choice was predominantly technical and not as broad as last year. Still a great conference, well run and with a huge amount of talent; just less applicable to me this year.

RSA 2012 Debate – Should You Train Your Employees On Information Security?

Leave a comment

Below are the slides, my argument and some photographs from the debate session at RSA that I was involved in alongside Acumin, Christian Toon, Geordie Stewart, Kai Roer, Rowenna Fielding and Javvad Malik. Obviously by posting it here I am only presenting one side of the argument, but if nothing else I hope to at least stir up the conversation as in reality there is no clear cut answer on this topic. The text itself was my first draft notes and attempt to build an argument; I presented it from memory on the day, so it is obviously not an exact duplicate. I felt I was in a challenging position of not only opening up the argument, but also had no one to put a rebuttal against… at least that is my excuse!

I would very much welcome your thoughts on this somewhat hot topic as well as hear about how you do things differently to ensure the effectiveness of your training programmes.


Being asked to open a debate of this nature is probably challenging enough, but having to tell people that their information security awareness programs don’t work is a bit like telling them that they have an ugly baby; however much it may be true it is not something you can get away with saying very often before someone takes offence… or you get asked to justify yourself in a large public forum.

My colleagues will be presenting their cases far more eruditely than I am about to do so, and given what I suspect the prevailing attitudes in this room are I would therefore ask that you keep an open mind, and ask yourself the awkward questions that our arguments will pose. My arguments stem from the perspective of a poacher turned gamekeeper, so I can confidently vouch for their truthfulness from observations on both sides of the table.

So why am I against information security awareness training? Well, I think the actual term itself is outmoded, and the mechanism by which it is delivered more so. I strongly believe there are three key behaviours that stop the effectiveness of security awareness in its tracks.

Fatigue


Ethics training, anti bribery training, how to submit expenses training, how to work the training system training and goodness knows how many other trainings, and all of these have to be done every year, and more often than not within the same few months during “compliance season”. Is it any surprise that the CBT’s are completed whilst listening to iPod’s, that the “time per slide” statistic is never more than a few seconds and that when it comes to the obligatory questions at the end the cheat sheets get handed out amongst people. People simply can’t take any more!

Do your reported security incidents really go up after your training? Because they should as people become more aware of theirs and others security practices. Or do you still continue to see the same number of malware breakouts, lost USB sticks and laptops “left on the train”, all of the stuff that was happening before. Take a closer look, and see what you can find.

Memory


And with all of this training going on, it would take a full time job to remember it all, let alone trying to retain it in conjunction with their day job. Any kind of training that is carried out needs to be reinforced through regular practice of what has been learnt. But how often do people consciously “practice” their security skills? How often do you hear at the water cooler “I stopped a virus today!”?

Even when this training is put into supposedly professional training packages aimed at companies, they bizarrely even admit that they are not going to be fully successful; in a previous talk I referenced a company that proudly declared that their course would reduce phishing click throughs by 75%. Their course, by their own admittance is ineffective in 25% of cases.

The information security industry has a habit of streaming facts, rules, laws and requirements at people, throwing questions at them and then expecting them to put into their daily work lives. If they are lucky they might get the odd article or even get talked at by someone from IT Security rather wishing they were somewhere else. The marketing and advertising industries clocked onto this years ago, and produce smart, impactful and “sticky” bite sized pieces of information., why haven’t we?

Around, Through and Under


So we now have a picture of people tired of taking yet another training, can barely remember what the training was about anyway, but are also continually under pressure to get their day job done on time and on budget. With these pressures, people are going to be doing whatever it takes to get the job done.

Transferring a large data file to a client at 10 o’clock at night and the IT department have gone home? USB stick or drop box. Having to deal with hundreds of emails day in and day out? Snow blindness to clever phishing emails. Constantly changing workforce due to rapid growth  (or contraction)? Let them in, they need to get their job done just like me. Printers constantly going offline because of under investment? Just keep sending that confidential print job to a different printer until it works, someone else can clear up the spare prints.

Unless their environment is stable, and helps control their actions, or asks them the questions they need to be asked to make an informed decision, people will do whatever it takes to get their job done; the consequences can, and will, be dealt with tomorrow.

In Summary

Until such a time as companies and the security training industry cotton onto this, all your thousands of pounds, dollars or rubles spent on training courses will buy you one thing and one thing only, a tick in the box of your compliance checklist. Is that enough for you, or do you want more

This slideshow requires JavaScript.

(Photos courtesy of David Turner)