Sailing the High Seas at 44CON

logo-1I have just returned from 44CON, a technical infosec conference that is held in London and in its third year. As with any multi day conference you come back tired but educated, and happy but deflated that it is over. A speaker party, a conference after party, two gin’o clocks, a conference bar and some fabulous presentations makes for an exhausting two days.

Organisationally it is extremely well run; the crew are are friendly, knowledgable AND efficient (it’s rare to have all three), the venue is of a high quality, the sponsors are low key but available, SpeakerOps is excellent, and with the exception of myself and two others the attendees are amazingly smart and technical. I was able to chat to a number of the speakers at a reception on Wednesday night, and the level of detail they went into for their research was simply mind-blowing; one person even decided to write his own 3D presentation language instead of using PowerPoint or Keynote, just for this one presentation!

I spent the first day mostly at the InfoSec track rather than the technical track, learning about “Security lessons from dictators in history” and “Surviving the 0-day – reducing the window of exposure”, both very good. I did attend a technical talk in the afternoon along with two friends (the two mentioned above!), and to be honest he could have been speaking a different language with what he was talking about; to make it worse he apologised at the end for not making it technical enough! It was a fabulous talk though, wonderfully presented, and let down only by my lack of technical knowledge of the subject.

As a backup speaker for the infosec track I thought I was off the hook at this point as nobody had dropped out, but it was announced at this point that there would be a “hidden track” of talks, of which I was one of them. This hidden track would take place at an undisclosed location and you had to talk to vendors and other con goers to find out where it was. It was at this point I excused from the after party to add a little more content to my slides.

Sailing the Cs of Disaster Planning 44Con.001

Sailing the High C’s of Disaster Planning – Click for PDF

The following morning, after the opening presentation I was second in the hidden track. My talk was entitled “Sailing the C’s of Disaster Planning”, and the main drive of it was of a simple “framework” that allows you to be be able to not only test the effectiveness of your disaster/business continuity planning, but also help to communicate the key elements of the plan upwards to the board and down through the key players in the organisation. This was the first time I had given this talk, and to be honest some of the ideas have not quite been fleshed out, although the concept is sound. It was well received by about 20 people (not bad given it was a hidden track) and there were some good questions and conversations afterwards. Feedback received later in the day was both encouraging but also useful in highlighting areas that need to be improved.

A copy of the slides are above; if you take a look at them please provide feedback as always (caution, 12.5Mb PDF).

I will be using this blog to flesh out those ideas and gather feedback over the next couple of months, firstly by looking at the high level concepts of this approach, and then subsequently break down the five elements of the approach into further blog posts.

The remainder of the second day at 44CON was taken up with more talks, as well as a bit of filming with my two colleagues, the two unknown hosts you could say, for something we hope to release in the next few weeks.

I would like to thank Steve and Adrian and the entire crew of 44CON for an excellent event, and I am certainly coming back for next year, at a new, larger yet undisclosed location.

Communication, Collaboration, Command & Control

I mentioned in an earlier post that I don’t necessarily subscribe to the view that crisis plans need to be heavily documented in the form of runbooks or procedural artefacts. In this posting I would like to explore that in a little more detail.

It is certainly not the case that I think there should be no procedural documentation, or even detailed documentation, as long as it is in the right place and appropriate to the people requiring it. That said, i think the default approach to any implementation of crisis, incident or disaster recovery plans leads to a vast amount of needless writing. Having been involved in a programme to simply document what a particular team does with over thirty documents being created from scratch I can testify to the futility of that approach.  Hence I propose the two tier approach to writing these plans up.

Tier two documentation is that which is required by the functional team; in the case of disaster recovery it is the detailed documentation of how to fail over applications and services. With crisis management it may be evacuations plans, roles and responsibilities of fire wardens, and with incident management it might be an escalation and first fix path of procedures.  This is important, because in many of these cases the people involved in the ground are often in twenty four hour shift patterns and early in their career, or even volunteers (fire wardens etc.), and through no implicit fault of their own have less incentive to fully memorise or become proficient in activities that might never happen on their shift. They need to have a reference document, a thing they can refer to when their pulse is pounding and their heart pumping in the middle of a crisis. I should know, I was that soldier in my first job out of university!

However, there is a group of people that simply can’t be told to have documentation available to hand when the time comes, or even to memorise the roles and responsibilities; the senior leadership who actually make many of the critical decisions during a crisis. What is required here is ability to Communicate and Collaborate very quickly (optimally within just a few minutes of the crisis being recognised), and then have the capabilities at hand to establish rigourous Command & Control. This approach applied to most organisations (except perhaps the behemoths like IBM or TCS where different segments of the organisation could operate like this where the input of most if not all of the C level execs is required

These execs need to be involved in crisis no matter what the subject because what they are good at is synthesizing information from a variety of sources and being able to make decisions quickly, effectively and in the best interests of the company and its people.

Some pre-requisites to this approach though:

  1. A recognised approach to define the severity of a crisis prior to declaration.
  2. A mechanism of simultaneously contacting multiple people through redundant channels in a matter of seconds of a crisis being declared.
  3. A series of very simple yet effective steps for the crisis team to follow.
  4. The ability to manage a “crisis room” either real or virtual at no notice.
  5. The recognition that a crisis is by its very nature flexible, and therefore understanding you will not know all the facts from the outset (the “fog of war” effect).

I will investigate this in more detail in a later article, but for the time being, the main question anyone should ask themselves when prparing crisi plans is “how can i simplify this further?”.

Lessons Learnt From Libya and Japan

The incidents that have unfolded over the last number of weeks in Japan and Libya have resulted in mass evacuations of foreigners from the countries. This is a stark reminder of the need to ensure plans are in place to treat the risks associated with operating in international and often risky locations around the world.

Traditionally, incident management might incorporate disaster recovery and business continuity planning each with a set of detailed plans that should (but don’t always) have clear hand-offs between them. Over a series of articles I will be discussing my take on this traditional approach in addition to putting forward a more flexible, albeit perhaps more risky, approach.

For now though, it struck me how many ex-pats and business people became reliant upon their own governments to help evacuate them from the danger areas, especially Libya.  The newspapers were filled with “the British Government left us to die” stories. These workers, more often than not on lucrative contracts because of the risky locations they were in appeared to be, in my opinion, abandoned by the companies they worked for. These individuals were not expressing their anger towards their employer though; why not? In fact, what exactly can a foreign worker expect from their government compared to their employer.

To make this worse it is not as if there are not a number of organisations (International SOS is just one example) out there specialising in providing evacuation services, including in “hot spots”, and providing medical and professional advice.

In my experience, these organisations provide very clear guidance under these circumstances; “stand by”, “evacuate immediately” etc..  Why are companies not using them when trouble strikes rather than just leaving their employees to fend for themselves? My employer has been at the sharp end of this on a couple of occasions and very successfully swung into action and deployed services to ensure the safe transport of our people from war zones.

If companies operating in these hot spots ignore this advice and continue operations then governments should be able to subsequently recoup the vast costs from them for evacuating their personnel. If these companies do not even have these services in place, or even a crisis plan of sorts, they are committing a very serious dereliction of duty to their employees, no matter how much they are paying them.

And where in all this, is someone’s personal accountability for their own safety?