Sailing the High Seas at 44CON

Leave a comment

logo-1I have just returned from 44CON, a technical infosec conference that is held in London and in its third year. As with any multi day conference you come back tired but educated, and happy but deflated that it is over. A speaker party, a conference after party, two gin’o clocks, a conference bar and some fabulous presentations makes for an exhausting two days.

Organisationally it is extremely well run; the crew are are friendly, knowledgable AND efficient (it’s rare to have all three), the venue is of a high quality, the sponsors are low key but available, SpeakerOps is excellent, and with the exception of myself and two others the attendees are amazingly smart and technical. I was able to chat to a number of the speakers at a reception on Wednesday night, and the level of detail they went into for their research was simply mind-blowing; one person even decided to write his own 3D presentation language instead of using PowerPoint or Keynote, just for this one presentation!

I spent the first day mostly at the InfoSec track rather than the technical track, learning about “Security lessons from dictators in history” and “Surviving the 0-day – reducing the window of exposure”, both very good. I did attend a technical talk in the afternoon along with two friends (the two mentioned above!), and to be honest he could have been speaking a different language with what he was talking about; to make it worse he apologised at the end for not making it technical enough! It was a fabulous talk though, wonderfully presented, and let down only by my lack of technical knowledge of the subject.

As a backup speaker for the infosec track I thought I was off the hook at this point as nobody had dropped out, but it was announced at this point that there would be a “hidden track” of talks, of which I was one of them. This hidden track would take place at an undisclosed location and you had to talk to vendors and other con goers to find out where it was. It was at this point I excused from the after party to add a little more content to my slides.

Sailing the Cs of Disaster Planning 44Con.001

Sailing the High C’s of Disaster Planning – Click for PDF

The following morning, after the opening presentation I was second in the hidden track. My talk was entitled “Sailing the C’s of Disaster Planning”, and the main drive of it was of a simple “framework” that allows you to be be able to not only test the effectiveness of your disaster/business continuity planning, but also help to communicate the key elements of the plan upwards to the board and down through the key players in the organisation. This was the first time I had given this talk, and to be honest some of the ideas have not quite been fleshed out, although the concept is sound. It was well received by about 20 people (not bad given it was a hidden track) and there were some good questions and conversations afterwards. Feedback received later in the day was both encouraging but also useful in highlighting areas that need to be improved.

A copy of the slides are above; if you take a look at them please provide feedback as always (caution, 12.5Mb PDF).

I will be using this blog to flesh out those ideas and gather feedback over the next couple of months, firstly by looking at the high level concepts of this approach, and then subsequently break down the five elements of the approach into further blog posts.

The remainder of the second day at 44CON was taken up with more talks, as well as a bit of filming with my two colleagues, the two unknown hosts you could say, for something we hope to release in the next few weeks.

I would like to thank Steve and Adrian and the entire crew of 44CON for an excellent event, and I am certainly coming back for next year, at a new, larger yet undisclosed location.

The different view of risk modelling

3 Comments

Traffic lightAs someone whose primary function at work is the ‘management’ of risk in all of its glorious forms, I have over the years become very comfortable with its accepted definition and how to measure it. ISO 27005:2008 was my bible, giving me the flexibility to choose a schema that worked for my particular environment as well as the credence that I was doing it right. I always knew that assigning arbitrary numbers to things wasn’t exactly the most scientific way of actually measuring something, but I could deal with that by simply talking about “indicative values” and “helps with prioritisation”.

It was a little under two years ago at the RSA conference that I attended a talk entitled “Pimp My Risk Model: Getting Resilient in a Complex World” by David Porter, and he spoke about a new approach to risk modelling. Rather than focussing on what could happen, and then play that through to the conclusion of an impact that is then measured, it instead focussed on what the desirable outcomes were in the first place and then worked backwards establishing what was required to achieve them, basically dependency modelling. Not only was this more efficient and scalable as not all permutations of threat/vulnerability/asset (for instance) are required to be worked out, it provides better information for early decision making.

The concept is not new, and has its roots in the late last century in the financial markets/actuaries who were looking at better ways to model and manage risk.

There are a number of proponents to this approach, all of whom have a far better understanding than me of this approach, but despite this in the last two years I have simply not seen it in a practical form that can be used every day. Unfortunately, and I am sure I am not alone here, if I can’t implement it quickly it gets passed over for the next best thing that can be. In fact, and perhaps in my own blinkered universe, the approach itself barely raised a murmour since. And yet the concept had stuck with me especially on the few occasions when I had heard it talked about.

It was on Russell Thomas’s blog, exploringpossibilityspace, that I saw just the other day this very approach being touted again. What I enjoyed about this post was the balanced and educational view of the traditional approach (little “r” approach in Russells’s parlance) versus the new dependency modeling approach (big “R”). I think the criticism of ‘r” methods is well founded, although it is widely understood in business and when used properly can help produce at the very least tactical indicators of risk to the business.

My challenge with the ‘R’ approach is that I have yet to see it applied in practical terms and in a way that is easy to digest and understand (I think I hurt myself about two thirds of the way down the article trying to get to grips with the concepts!). As a result therefore, getting business buy in is going to be extremely challenging. Partial information from an ‘r’ approach reaching the business successfully is going to be better than no information from an ‘R’ approach (however better the data is) reaching the business.

I would strongly recommend everyone to read Russell’s writings on this risak model, which also contains links to other resources as well.

There is more work to be done, but I hope it focuses on making it possible to use the approaching a day to day environment; they say there is nothing new in the world of information security, but I have high hopes for an approach to risk modeling that will allow me to do so much more for the business in terms of long term, strategic guidance and support.

And when I can use this model in Excel, count me in!

<Some of you have commented on my extended absence, but a busy few weeks followed by a lovely holiday camping in France took priority. Back in the saddle now and very much looking forward to your comments and feedback!>

Charlie?1 (2)

Charlie?1

 

Risk Appetite – managing feast and famine

Leave a comment

images-1I was able to attend the RANT forum a few nights ago, and watch an excellent presentation by Sarb Sembhi. However, and this is no insult to the speakers at the RANT forums (being one myself) the most valuable part of the evening is the socialising with colleagues and peers before and after.

I was talking to a couple of people who were recounting the challenges they face with their leadership regarding their risk management activities. I paraphrase greatly, but the gist of the issue was

Highlighting risks to them is all well and good, but then suddenly they tell us that another activity needs to be escalated up the risk matrix, or that there is a hot topic that they want pushed to the top of the risks list so it gets more attention. How are we supposed to manage a risk programme with any credibility when risks get artificially prioritised or de prioritised according to the mood of management?

We came to the conclusion that the risk appetite of the management team in question was a very flexible and fluid thing that changed quite frequently, and seemed entirely disconnected from the risk management activities being carried out.

This is a complex issue, and not one that can be solved in a single blog post, but there are a few guidelines and concepts that may be pertinent to heading off this kind of behaviour.

  1. Listen to them. On the whole an organisations management know what activities and changes will affect the business more than you. If they are highlighting something it is not to mess you around but because they are genuinely concerned about it. Look at your risk programme; does it squarely address the risks they are highlighting? Are they new risks, old risks, or poorly understood risks? Perhaps you have already found them and they need to be reviewed under the new light cast on it by management.
  2. Educate them. How much does your management team actually understand about the risk work you are doing? Do they really know what the scope of your remit is, how you go about finding risks, and more importantly how you measure them? ISO27005 is often described as an arbitary way of measuring risk, but it does a good job of explaining how you can approach and understand it. If you use that standard in your programme, make sure they understand how you measure them, and get their buy in to the approach. This way, when you disagree with their analysis of a “new” risk you can explain in agreed terms why.
  3. Use your governance structure. Your management team should only be looking at risks that are escalated to them, that is to say residual risks that are still considered as “high” (or whatever parlance you use). Every other risk below that should be managed and dealt with by the governance structure in place. Certain lower risks can be mitigated (managed, avoided or transferred) by people closer to that risk; a developer could change a portion of code, a project manager could remove or add contractors or a team member could go through more awareness training. Changing the course of a project or increasing the staffing costs by 50% is beyond their remit and they are therefore not able (or authorised) to treat them effectively; these risks get passed up your governance chain until they reach a point at which they can be dealt with. At the very top I would estimate they should be seeing no more than 0.1% of total risks escalated to them. Any more and it may be that the structure underneath is not doing their job.
  4. images-2Understand their appetite. One of the standard ISO 27005 risk acceptance approaches provides a matrices for what is acceptable and what isn’t. It is provided as an example only, and should not be used out of the box without considering the risk appetite of your organisation. If you are a risk averse organisation, the yellow and red band move down to the lower left, thereby meaning more “red” risks will need to be addressed. A risk taking organisation will move the green and yellow band up, thereby ensuring fewer “red” risks will need to be addressed. The risk profile of an organisation is something that is rarely understood by those that measure risk, and therein lies the problem. Only if the risk profile is drawn up, understood (including the approach to measure the risks in the first place) and signed off can risks be identified, “measured” and addressed in a way that meets the organisations business objectives.
  5. Accept that the appetite changes. if you review your risks annually (as a bare minimum) that is also a cue to review the risk appetite. If incidents throughout the year affect the business for the good or bad, that is a cue to review the risk appetite. If the organisation management suddenly think something is a big risk and needs to be addressed, that is a cue to review the risk appetite. And when I say review, I mean with the management, and not just in isolation.

images

There… simple! Well, not at all when you face these challenges every day, but if you can start that dialogue with your management and start to understand the business as they understand it you will be a long way towards heading off the “the sky is falling, fix it now!” response to risks.

Why I am an Analogies Project contributor

1 Comment

Bruce_Hallas-300x286That devilishly handsome bloke you see to the right is Bruce Hallas. I used to go to school with him nearly 25 years ago, and then last summer, at the first old boys school reunion that our year organised since leaving I met him again, and it turns out we are in the same infosec business. I spoke to him about all of the good work I am doing, the company I work for, the many countries I visited and generally tried to make myself feel more important than the skinny eighteen year old I was when I last saw him. He told me that he runs his own infosec consultancy, his own blog, works with the UK government, and was in the process of setting up “a project” as a freely available, self funding, resource of analogies/stories to help people better understand information security. (Bruce immediately won the “my life is awesome since leaving school” competition of course.)

Since that time, The Analogies Project has grown from one man, an idea and a website to something producing real, quality content, and with a very promising and bright future.

In the words of the Project itself;

The Analogies Project has a clear mission. To tackle the unintelligibility of information security head on and secure the engagement of a much broader audience. Its aim is to bridge the chasm between the users, stakeholders and beneficiaries of information security and those responsible for delivering it.

Through a series of innovative initiatives the Analogies Project will enable information security professionals to effectively communicate with their chosen audiences. The content will be delivered through a variety of alternative communication techniques, media and partners.

The part of this project that I like the most is that it is essentially a community project. Bruce isn’t charging money for membership to the analogies as they are written (and they are coming thick and fast now!), and none of the contributors are charging for their work either. There are not only the web contributions in the form of a library, but a book planned, a conference, and even an opera! With the momentum that is currently behind the project at the moment there is every reason to believe in its future success.

So why am I contributing? Honestly, I have selfish and philanthropic reasons to do so. Obviously it gets my name out there, allows me to practise my writing, test some ideas and also say “I was there from the start”. All that aside though, I have frequently struggled in my day job to get infosec concepts across to people, either directly, in meetings or even in awareness training. To have had a resource like this available to me five years ago would have made my life so much easier, allowed me to advance the infosec “cause” more effectively and given me a set of tools I knew were consistant with the prevailing thoughts of industry commentators. Having a centralised, peer validated, toolkit available is fundamental to us as professionals when it comes to the messaging we give to our users, clients, bosses, teams and even the infosec community as a whole.

It’s still early days, but I have submitted my first contribution just last week (soon to be published I hope) and I am already inspired enough to be working on my second and third. There are a number of analogies already in place, and I would urge you to read them and consider them in the context of your current communications to your audiences, whomever they may be.  The book will be another important milestone and one I hope to play a part in; indeed I hope to be able to play a part in the the project for the forseeable future, and why I am happy and proud to display my “contributor” badge up on the top right of this site.

TAP-Contributor-Semi-Transparent-250x160

If you feel you have something to contribute, then head over to The Analogies Project and let Bruce and the organisers know. If you don’t feel ready to, then certainly check it out anyway. You won’t regret it.

And they say security awareness training is working?

3 Comments

Having been involved in the security awareness debate quite a lot recently I have no desire to bang this drum even further, especially as on the whole I support the concept of security awareness training. However I am constantly having my faith in the training rocked just from observing people’s day to day activities.

I found myself in one of the lounges in Delhi airport at around midnight last night. in a period of less than thirty minutes I found two laptops and an iPad logged in and unattended in plain view. Now, I really do understand that people may consider these kind of environments as ‘safe’ and will therefore let their guard down. What I fear however is that they have blatantly disregarded their security awareness training and policies that will no doubt explicitly state that it is unacceptable to leave mobile devices unattended and unsecured in any environment, possibly including the workplace. Without wishing to become an amateur sociologist I would imagine these are educated, intelligent people because

  1. They are able to afford expensive looking laptops or have been issued an expensive looking laptop
  2. Are flying business class (or similar) and are therefore likely to be working for a company that can afford to pay for this level of comfort (a decreasing number on my experience)

If they are so intelligent and educated, why are they ignoring their training? Why are they putting their company and client data at risk in such a blatant way? It is my belief that the training provided has not effectively put across the reasons and incentives for securing mobile devices in the outside world.

 

Now you see it...

Now you see it…

Can you see it?

Can you see it?

The third offending item was another laptop, but as I was furtively aligning myself to take a picture the owner returned from the toilet It was left in very similar circumstances in a high traffic area.

Given the number of laptops I have seen left in Starbucks and other cafes (and indeed have blogged about elsewhere here) I am seriously considering starting a gallery to showcase these examples and perhaps start using them as a litmus test of the effectiveness of any company’s security awareness programme. Until these cases become exceedingly rare, to my mind the existing programmes are simply not working as they were intended, and until they do, behaviour such as this which smacks of convenience and possibly a little laziness will continue to put data at risk.