Style vs Content – Getting the Point Across Effectively

1 Comment

I have just had to present to a team on their information security responsibilities whilst they are on their current project. Their client has very specific requirements, and for a variety of reasons it was important to reinforce the key requirements again.

This was at short notice, and so I spent every spare moment I had throughout a long day last Thursday creating the presentation from scratch. After reviewing Master Services agreements, security schedules and other documents relating to the project I had to try and consolidate all of this into a meaningful presentation. I even Tweeted about my experience:

This is a battle hardened and very creatively talented team, working stupid hours and closing in on an important milestone of work. The last thing they wanted was to listen to the “corporate security guy” for twenty minutes, but for all the right reasons it was important that it was done today, and with the client present.

So I had: 1 – a disengaged audience, 2 – 24hrs notice, 3 – a client present, 4 – strong interest from HQ (“send us the presentation when you finish it so we can check it through” and finally, 5 – changes to be incorporated two hours beforehand (see 4).

Pop Quiz – do you use the corporate deck, smart and extensive bullet points, approved imagery and and a shirt and tie? Or do you focus on getting key message across, come what may?

And this is the crux of my point – the moment you try and deliver a corporate message in a corporate format your audience is going to switch off. One suggestion I received from a well meaning executive was to basically provide a list of the twenty requirements of the client in the presentation and then hand out copies to be signed by each team member. In this instance people would remember the first two, last two (at best!) and just blindly sign the rest. While this would technically meet the objectives (everyone must agree they understand the security requirements) they really wouldn’t absorb the message.

My approach? Simple, high impact and memorable. As the example below shows, not many words and a memorable picture (in the actual presentation Borat merged to Simon Cowell showing a thumbs down and back and forth). In this way, the image hits them first (thumbs up/thumbs down), the message (check X when doing Y), and that’s it! (The message has obviously been sanitised to protect the innocent).

 Of course, there were many other slides along this nature – I also used references to The Oatmeal, Dilbert and Defcon 18 amongst others. And each slide put across a very specific point.

At first glance, the deck looks awful, plain and badly designed. However, the simplicity of it ensures the message very clearly comes across with the imagery ensuring that message remains memorable.

Three things came across very strongly at the end. Firstly, the questions and comments at the end were engaging, sensible and eminently relevant. This made me very confident that the message was put across and understood, and that this approach was the correct one in this circumstance.

Secondly, the client saw this engagement, and has since requested a copy of the presentation to demonstrate how the team had been successfully “trained” and and updated on security practices.

Finally, in front of this creative audience it became crushingly obvious that I really have to up my game when it comes to clip art…

The Simple Things – The Screensaver Lock

Leave a comment

The principle behind the screensaver lock is that you build in a fail safe into your computer should you walk off leaving it unlocked (that is what we all do anyway, right?). The normal timing is somewhere between ten and fifteen minutes, and is more often than not enforced in organisations with an active directory policy or similar. In principle therefore, whenever your screensaver activates it requires a password to unlock the screen when you return.

It is worth noting that any mobile device such as a tablet or smartphone should also have this feature enabled, although it can also activated by switching the device off if required.

In the BYOS world of course this simply needs to be something you ensure is in place on your own computer, and the timing set to something that works for you – mine is fifteen minutes, and is harmonised into the energy saving and general computer power saving timings.

There are and will remain many objections to this kind of security control, but they can be boiled down into one of three:

1 – Presentations. I have heard on many occasions that the screensaver will kick in during a presentation, and I have some sympathy with this. I haven’t had it happen to me with a Mac (although I tend not to stay on one slide without any kind of mouse click or animation!). This can have two effects of course; either tell the audience that there are additional security controls employed by this company, or that the presenter is an amateur who can’t manage their computer during an important thing like this presentation.

This is challenging to fix – you can’t disable the lock for all who do presentations as that would expose a huge number of computers. And you can’t allow people to disable the lock themselves as it is very likely a large proportion will not reenable the lock.

The solution in my opinion is to allow by policy the disabling of the screensaver for a fixed period of time, say two hours before it gets automatically reenabled. I am not sure if this can be managed through standard AD policies or not, but it would certainly address this particular opposition.

2 – Servers and accounts. In many cases where people have sandbox environments or the like under their desks there are many requests to disable the screensaver because of batch files that run in the foreground. In every case I have observed to date this is simply because of sloppy or inexperienced implementation of the batch file. When the batch files or executables are converted to run as a service they can run very happily with the screensaver enabled.

Except in very rare circumstances this is not a reason to disable the screensaver lock.

3 – Finally there is the group of people who simply don’t like being told! This is where education, awareness and some good old fashioned face to face communication comes into its own!

Nonetheless, whatever the objection, anyone with an ounce of concern for security should consider this control on any device in a BYOD environment, and perhaps more importantly on any mobile device.

More Thoughts on BSides London 2012

Leave a comment

A very quick post to spotlight the excellent talking heads reel posted recently by Javvad. Given I will very shortly be posting the video of my presentation from there I won’t waste space going over the excellent event again, suffice to say the devilishly handsome chap at 0:35 and 2:37 sums it up nicely!

The Simple Things Part Four – Removable Media

Leave a comment

This is true Bring Your Own Security (BYOS) given that this really does fit in your pocket to “bring along”.

Everywhere you look in todays media, both in the infosec industry and mainstream media, there is yet another case of X thousands of records being lost on a memory stick by one organisation or another, and the trend seems to be getting worse. This is either because people are getting more careless (possibly) or the media is getting better at reporting it (probably). Either way, the brand and reputational damage alone is significant to any company, no matter its size.

There are two elements to this that are worth exploring:

Firstly, the prevalence of USB sticks is a part of the problem, they have become a simple commodity. They are on sale in newsagents, supermarkets and petrol stations, and are in peoples pockets, on their key rings and in hand bags. As a result it has become very natural to share files, photographs and anything else using them, and that familiarity has drifted into the workplace, especially when they are handed out at trade shows and demanded from IT departments. The problem is that they are not even basically secured, and that has become acceptable to the average person in the street.

Secondly, the media has found the “loss” of data a rich source of column inches to help sell their newspapers. The ironic part however is that in many cases when you read the back half of the story away from the headline, it transpires that the memory stick was in fact encrypted and would take the collective might of at least North Korea five years to break into.

So we have a dichotomy; a prevalence of unencrypted memory sticks in the marketplace, and the tendency therefore to assume that all memory sticks are insecure and report them as such.

The solution in a BYOS environment is simple – only buy encrypted memory sticks! It only needs to be a one time investment (my personal preference is the IronKey), and relegate all of your old memory sticks to the bin (or your favourite computer recycling facility of course). If cost is an issue (and they are more expensive, then use something like TrueCrypt (www.truecrypt.org) to encrypt your existing sticks and an be sure to keep using it. trueCrypt even has a portable mode that allows the executable to reside on a smaller unencrypted partition of the drive allowing it to be used on other systems.

By making a habit of only using encrypted portable media we all move one step closer to the concept of BYOS.

The Simple Things Part Three – Screen Privacy Filters

Leave a comment

Continuing on the theme of Bring Your Own Security (BYOS), the use of a screen privacy filter makes a huge difference in someone’s ability to work in public spaces privately.

There are many different manufacturers of these filters although the best known (and possible inventor?) of them is 3M. Basically they use a “micro louvre” system to ensure that when placed onto the screen the image can only be viewed from directly in front. Someone sat next to you can not see the screen at all, just a black image. The louvres work in a similar way to venetian blinds but in a vertical arrangement; when they are open you can see through them but the moment you move to one side the blind slat itself blocks the way. The principle is the same in the filter – vertical slats that allow enough light out to see the image but block the view fro the side.

As a technology they are very simple, albeit expensive – you can expect to pay upwards of £50/$70USD for a 3M one. That seems rather expensive, so what are the real world benefits?

Most people nowadays will travel for over an hour to their place of work, and with the increasing number of people using a laptop as their primary computer, that travel time can be more effectively utilised by working. Being able to do so without fear of someone viewing the strategy or bid document you are working on gives great peace of mind. Without wishing to countenance the transport of sensitive/confidential documents in open, it does provide an extra level of protection in addition to encryption etc..

Social engineering is also significantly reduced. Someone wishing to engage in a conversation with you to get hold of information has ready access to your screen for topics, interests, even personal details (from your wallpaper?) and has a “hook” to start that conversation. By blocking that view, they have to work much harder for those personal details.

There are downsides to using a screen filter though;

Risk homeostasis, i.e. you begin to think nobody can see your screen, and so let your guard down elsewhere. Bearing in mind that you can only view the screen from directly in front of you, that means that the person peering from between the seats directly behind you can also see the screen.

You are also highlighting the fact that you have something worth looking at! I have experienced interested stares from people in a restaurant in Washington D.C., (where I thought security techniques such as a screen filter would be de rigour) as they saw the lovely golden sheen on my new 3M filter; it was gold as it allegedly helped increase the clarity and privacy at the same time. i certainly drew attention to myself!

Of course the Pros far outweigh the Cons, and so for me the inclusion of a screen filter into my BYOS arsenal is certainly one of the most important pieces of kit to have.

As an aside, filters are also available for phones and tablets. I have one on my iPhone and it is very effective when holding the phone in portrait. If I need to show someone something on my phone i simply rotate it to landscape, and people either side of me can see the screen fully.