Woof Woof, Bark Bark (or how to not support security in your organization).

security_dog_hoodie_on_black_whiteI recieved the email below from a colleague at work. At first glance it is funny, the chief security officer being represented by a dog… Hilarious! Of course security is just about being able to bark at people and occasionally bite them. This role isn’t about corporate responsibility or even enterprise risk management, it is about wagging your tail and barking at people and getting them to do things because you have barked it so.

I’m having second thoughts about my growth plan if this is where it leads to.

CSO dog

If I am honest, I am guilty of this too. I have often described myself as an “overpaid security guard” to people who haven’t a clue about information security, and they nod knowingly at me, thinking they understand InfoSec policy, enterprise risk and even DLP.

The above example of belittling the security function of an organisation has steeled me into action; if I can’t explain the role of a CISO/CSO to my Mother, then I need to re-evaluate what it is I am doing and the impact it has on the business. It also annoys me that the role of CISO is so easily belittled. I don’t think I have ever seen a CFO role boiled down to an image of a coffee bean, or even the CIO image reduced to a mouse or keyboard. What makes this worse is that this product offers “the highest security for your files in the cloud” and yet this is how seriously they take security.

A fundamental part of this is down to us as CISO’s and security people to ensure we don’t belittle ourselves to ingratiate ourselves. It is extremely difficult for us to ensure we are valued and respected in our organisations as it is, and sometimes the somewhat subservient/comedic route feels easiest. This is not the best way; it is the longest and hardest route to acceptance and understanding because the role is by it’s nature seen as a frivolity and a hilarious side act.

(We should note however that there is a place for humour in security, and if used correctly it is extremely effective. The point I am making above is that security as a serious subject should not be presented as a humourous aside.)

I recall a situation where I noticed someone working at a hot desk who had no visible identification. I asked around if anyone knew who the individual was, and nobody did. As I approached the individual I was met with a chorus of “get him Thom” and “tackle him mate!” etc. with much hilarity ensuing. None of it was meant meanly of course, but it was synonymous with the  simplistic attitude of security. If any of the people who had spoken those words had any real idea of the security implications of having someone in their office without any idea of who they are, then their response may have been a bit more serious. The best part is of course that I had plainly failed in my security education and awareness with this group of people.

We are not guard dogs. We are not security guards (although they are an important part of the security function). We are not bouncers. We are not doing security for theatrical effect.

We are here to protect your revenue, your reputation and your bonus payouts. We are here to ensure we maintain good relationships with our clients, and allow our organisations to take on greater risk and therefore reap greater reward. We are here to help inform the business of security risk and advise as required.

What’s so funny in that?

Note: I have been extremely quiet on here these last few months; my role has changed dramatically at work requiring more travel and less time for the frivolous acts of blogging. Combine that with a busy schedule with Host Unknown and my other info sec commitments I have neglected this blog site somewhat. Hopefully this post sees me back in the saddle again, and you can always catch up with me on Twitter. Oh, and the holiday was good too!

ThomLangford_2014-Aug-10

ThomLangford_2014-Aug-10 1

 

 


That was the week that was; InfoSec Europe, BSides and the Security Bloggers Network

?????????????????????????????????????????A lot of good stuff has already been written about this last week with regards to BSides London, InfoSecurity Europe and the Security Blogger awards, so this post is a personal recollection after the haze of too many late nights, early mornings and good times.

Tuesday 29th bought BSides London, and once again the volunteers surpassed themselves; it retained two tracks but definitely felt expanded with the workshops and a new location for the rookie track. The organizers should feel rightly proud of what they have done, and those of you who didn’t turn up on the day (and therefore denied others of a ticket) should take good long look at themselves in the mirror.

photo 5

The Danger Zone Dream Team

I had to spend the afternoon over at Infosecurity Europe as I was on a panel titled “One big threat to cyber security: IT Geeks can’t talk to management” alongside Dwayne Melancon and Stephen Bonner. It was only 25 minutes long but I felt we managed to push a lot of good advice and takeaways into it, and the conversations continued afterwards in the hallway. I even managed to get a reference to Kenny Loggins into one answer, something I feel rightfully proud of.

BmZdYWHIIAAf1Lq.jpg-large

Joseph & Ian rocking the BSides Rookie Track

photo 1

Trying to look young again…

Then back to BSides to see Joseph Gwynne-Jones speak on the rookie track. I was mentoring Joseph this year, and to be honest I found it very challenging as Joseph is profoundly deaf; we couldn’t speak in the run up to BSides and could only communicate over email and Twitter. I advised as best I could, reviewed slides etc, but what was crucial was the ability of his interpreter being able to effectively communicate the jargon etc on the day. Given Joseph wouldn’t meet him until the morning of the conference this would be quite a challenge. As it turned out Ian Hodgetts  did a marvelous job, and was also on hand to interpret into British Sign Language (BSL) of all of the talks Joseph went to. We believe this is a first for an info security conference. Joseph obviously did an absolutely cracking job and I was able to spend some time with him and Ian afterwards talking about what else we could do in the future to improve further. It was an eye opener for me, and an absolute education in how important it is to communicate clearly and effectively in these kinds of conferences to absolutely everyone who attends. At the after party I was able to wear the hoody that was generously given to me by the Abertay Ethical Hacking Society, and feel like a student again (if not look like one).

photo 4

Best Personal Security Blog

Wednesday bought Infosec Europe again after a few early morning meetings, (including some scheming and rubbing of hands with invisible soap with the good folks of 44CON at the 44Cafe – I can’t wait for September!) but the highlight was of course the Security Bloggers Awards. Between me and Host Unknown I was up for eight awards in total, and came away with the award for Best Personal Security Blog, again! I was both surprised and touched that I was able to get this award again. Host Unknown didn’t fare as well unfortunately, but I can guarantee that the next twelve months will put us in a very strong position for next year, both at the European awards as well as the USA awards at RSA. Unfortunately Andrew was indisposed to help us collect a Host Unknown prize (that we didn’t win).

BmobKKsIgAAdZfj.jpg-large

Confirming what everyone already knew

(I have said this before but will say it again, everyone who is not only involved but also nominated for the blogger awards represents the very best of our industry in that they are all contributing their time and expertise to the community; I can’t recommend enough that if you are reading this that you also read their blogs too. Also, none of this would have happened without Brian Honan, Jack Daniel, Tenable, Tripwire and Firemon; thank you all.

Thursday bought another panel, this time in the Keynote Theatre with a panel on “Risk and control: Effective risk assessment methodologies to drive security strategy and investment” (alongside Vicki Gavin, Paul Haywood and moderated very well by Dave Clemente. It was a good, vibrant session and with plenty of questions both during and after the session.

photo 2

Inspired by the success of the CI Double SP film, we create a band called “CISS (P)”

A selfie, with a very famous CISO of Restricted Intelligence

A selfie, with a very famous CISO of Restricted Intelligence

Finally for the afternoon I got involved in only what can be termed a “flash mob” for Twist & Shout (as soon as that is released I will show it here!) and then got engrossed in the hallway track with the likes of Shan Lee, Quentyn Taylor, Peter Stephens, Jim Shields, Dave Lewis, Wim Remes, of course my conference partner in crime Javvad, and the lovely folks of Eskenzi and Acumin.

If there is one thing that is apparent form the above it is that any conference week is only valuable from the people you meet there. This list must be barely 10% of the people I shook hands with, shared a drink or said hello to, all of whom influence me to one degree or another. Whatever your thoughts on the infosec conference scene, this aspect alone is what makes it worthwhile. Apologies to anyone and everyone I have missed out.

InfoSecurity Europe is a show that has gone from strength to strength over the last few years, with the education programme improving; combine this with an excellent BSides London Conference, this week in Europe is one to look out for (although next year Infosec Europe and BSides will be from 2nd to 4th June at Olympia).


Why is using VPN so difficult?

mather-_660I was in the Manchester Central library over the last weekend, a newly refurbished space that has very recently been reopened to the public. I was only visiting Manchester, so it seemed like a good thing to do and I have to say I was very impressed with the space. There were computers and interactive kiosks throughout, even the cafe tables had a “Surface” like feel to them with images and documents you can read and manipulate with your fingers. As expected there was free Wi-Fi.

I connected to it, and duly fired up my VPN. It didn’t connect. Confused, I tried again. Still failed. Free, public Wi-Fi which blocks VPN! All I wanted to do was check the viewing figures of the latest Host Unknown video, but even that could potentially expose my Google username and password to anyone snooping; with BSides Manchester just around the corner I wasn’t about to become the subject of someone’s Wi-Fi pineapple presentation, so I tweeted my concern (as you do) and disconnected.

4_1024x1024There isn’t a piece of general security guidance that gets published that doesn’t include the advice to only connect through a public Wi-Fi point unless you are using a VPN. The risk of having your personal details, usernames and passwords transmitted and subsequently intercepted is too high and YOU MUST NOT DO IT! USE A VPN AT ALL TIMES!

Great advice, except that VPN has still not been adopted properly by any major hardware or software manufacturers of computers, tablets and smartphones. There needs to be a built in, simple and ubiquitous approach to VPN now that mirrors the adoption of anti-virus of 15 years ago and encryption of 5 years ago. There are paid for solutions for enterprises and the more technically minded and free solutions of both for the small business and home user. But not when it comes to VPN. No Apple VPN, or Google VPN for the average home user to be able to use with little effort or even understanding.

Where is VPN? Why can it not be made more accessible?

Where is VPN? Why can it not be made more accessible?

The VPN solutions on offer are typically smaller packages that the average person would simply not come across, basically the technology has yet to be commoditised. If you have a problem convincing someone to use a decent complex password, think about trying to explain to them about using a VPN.

Even Apple, whose interface design in my opinion is some of the best in the industry has missed a trick with iOS7; VPN is buried in the settings apps, rather than being on the easy access swipe menu where you can quickly and easily enable it and disable it. And what about the option to have it permanently running, automatically reconnecting when the device goes into standby? I have lost count of the number of times I have been using free Wi-Fi at a conference or hotel only to realise that at some point my VPN has disconnected me without realising it, and I am supposed to be a security professional.

Convenience always wins over security (a wise person once said) and so until VPN is made as transparent as antivirus and encryption (when installed properly) we are simply wasting our time trying to educate the greater population about using it the next time they are in Starbucks.

(Note: the Manchester Central Library Twitter account did respond, and we are in the process of communicating about the evils of open, password free Wi-Fi. Perhaps some InfoSec locals may also wish to reach out to them to educate and discuss?)


A more secure cashpoint/ATM transaction?

skimgallery1There has been much written and talked about over the years about the use of skimming devices and cameras being installed on cashpoints (ATM’s for my international readers), their increasing complexity and ability to seamlessly blend into the cashpoint itself. With the card being entered and read, and the PIN code either intercepted with lay on keypads or filmed with cameras, the criminals ability to clone cards is quite significant, and the financial rewards high. Most of us, if we were honest, would struggle to see a sillfully crafted and installed skimmer on an average ATM.

Why are we still so reliant on this kind of security? Sure, it is technically two-factor, with the card that I have and the PIN that I know, but as my previous statements show very clearly, this security can be bypassed very easily.

The Royal Bank of Scotland (RBS) quietly announced a new feature last year to their mobile app that allows cash to be removed from an RBS or NatWest cashpoint without a card. Given there has been much research on the fact that people were no more likely to forget their wallets and purses than their phones, and actually become more distressed at not having their phone over their wallet, the bank could see a shift in how people were becoming increasingly reliant on their smartphones.

The process is straightforward; after logging into the (already downloaded) app, and pressing  “Get Cash” one simply types in the amount of money they would like to withdraw, and is then presented with a six digit, one time use PIN. This PIN can also be texted or sent to someone else if need be. (VERY useful to help out friends and family in distress.) One then uses an RBS or NatWest cashpoint (unfortunately other banks do not participate in this scheme) , presses enter on the keypad, and then enters the six digit PIN number twice followed by the amount of money that was originally requested. The cash is then dispensed. If more money is required, the process is repeated and another, different, six digit PIN is issued.

To my mind this is an excellent innovation, and other thought so too, with the creators behind the enhancement, SapientNitro being awarded a Cannes Lion at last years show. A slightly cheesy advert follows…

(Note: at this point it is worth me declaring my interest, as I am an employee of Sapient, the parent company of SapientNitro. That said, I was using the service before I realised it was Sapient that came up with the idea in the first place!)

This works in many ways:

  1. 1: The pin is only used once, so it doesn’t matter if a skimmer is in place, it is recording only a one time password.
  2. 2: Your card cannot be cloned as it is never used.
  3. 3: It is convenient because nights out only involve looking after your phone, not you phone and cash card and cash!
  4. 4: Even if you phone is lost, it is password protected, tracked, and you r banking app is also PIN protected with more than a four digit pin code (it is, right?). You can also wipe your smartphone remotely in most cases.

pizzaexpressA UK food chain, Pizza Express, did a similar thing last year as well, whereby on the bottom of the receipt is a unique code that allows people to pay with PayPal; again this is smart (your misgivings about PayPal aside) as your card cannot be taken around the back and cloned without your knowledge, as the payment is sent directly from PayPal to the restaurant and notification received on the till. Of course every time I have tried to use it the code has always been misprinted stopping me from doing so! Lovely idea nonetheless…

So what is the upshot of this? Most importantly I think it shows how with the judicial use of technology we can keep one step ahead of the criminals. Of course they will catch up, and of course there are other security implications (a rise in smartphone theft perhaps?) but RBS has shown that a relatively small change in their systems can result in a huge change in the security of their transactions. As of writing I am not aware of any other UK bank having this capability (they seem to be focussing on the ability to send payments to friends rather like PayPal than anything else), but this kind of approach should become the new norm.

It is this application of security alongside the ability to truly understand their clients and their needs that in this case has allowed RBS to steal a march on their competitors. I know this simply because of the looks on the faces of my friends when I take cash out of the cashpoint without using my card; it is magic, and they like it…

This is truly a case over security versus convenience… but with added convenience.


Why >WE< must meet the demands of the business

At the recent RSA conference in San Francisco, David Spark asked the question “Why doesn’t the business align better with security?” and there were some interesting responses:

I actually only agreed with the last comment from Michael Farnum (whom I have followed on Twitter and finally got to meet for the first time at RSA… see “bald men of security” in my RSA roundup). He rightly says that that the business should not align with security, as it is the role of security to align with the business. Compare this to the question “Why doesn’t the business align better with IT?” or “Why doesn’t the business align better with HR?” and the question immediately becomes moot.

levelI think David was right to ask the question because it has uncovered with greater clarity something that I and many other have been talking about for some time now, namely that security for too long has been carying out secrurity for its own sake rather than supporting the business achieve its goals. In my own paraphrased words “this is what I need security to do to help me sell more beer“.

This was reiterated by Andy Ellis at a session at RSA where he said precisely this;

are you the conscience of the business or an enabler to the business?

Finance is there to provide money, make that money work more effectively and ensure the money is providing the best value for the good of the business. IT is there to provide technology services at the best possible value for the good of the business. HR is there to provide people, support them, nurture them and align them (or move them  out), for the good of the business.

What is your security programme doing for the good of the business, rather than the good of security? Asking this question alone will help you along to your business goals and actually help them achieve their goals, not yours.