“An Anatomy…” at the BCS

A short post to give the Wiltshire branch of the BCS a pointer to the slides from the presentation I gave last week on Tuesday 24th July in Swindon. It was an excellent evening, although I suspect the turnout was somewhat diminished by the weather!

The audience also included members of the IET, which brought a very interesting slant to the questions at the end. I have also exchanged a few views with folks over LinkedIn, and if you are still awaiting a response from me please bear with me!

The one thing that did however fail was the video recording of the talk; unfortunately it gave out halfway through. I was going to edit the footage anyway and then perhaps link to an alternative recording of the same talk, but I have taken the decision not to, as it is a messy compromise to try and stitch two different talks together to get the entire content in one place. As a result I have decided to simply link to a previous recording, specifically the BSides London one I gave in April.

So, thank you Geoff Hunt for having me along to speak to the Wiltshire branch of the BCS (where I am also a largely absent member of the committee!) and especially thank you to the folks in the audience for your interest and your questions. If any of you do happen to have any more questions, please don’t hesitate to ask them here, via email or Twitter. Any feedback is also of course very much welcomed.

The video can be found here, and the slides can be found here (note that the presentation is originally in Keynote format, so the PPT export may look slightly different).


Style vs Content – Getting the Point Across Effectively

I have just had to present to a team on their information security responsibilities whilst they are on their current project. Their client has very specific requirements, and for a variety of reasons it was important to reinforce the key requirements again.

This was at short notice, and so I spent every spare moment I had throughout a long day last Thursday creating the presentation from scratch. After reviewing Master Services agreements, security schedules and other documents relating to the project I had to try and consolidate all of this into a meaningful presentation. I even Tweeted about my experience:

This is a battle hardened and very creatively talented team, working stupid hours and closing in on an important milestone of work. The last thing they wanted was to listen to the “corporate security guy” for twenty minutes, but for all the right reasons it was important that it was done today, and with the client present.

So I had: 1 – a disengaged audience, 2 – 24hrs notice, 3 – a client present, 4 – strong interest from HQ (“send us the presentation when you finish it so we can check it through”) and finally, 5 – changes to be incorporated two hours beforehand (see 4).

Pop Quiz – do you use the corporate deck, smart and extensive bullet points, approved imagery and a shirt and tie? Or do you focus on getting the key message across, come what may?

And this is the crux of my point – the moment you try and deliver a corporate message in a corporate format your audience is going to switch off. One suggestion I received from a well meaning executive was to basically provide a list of the twenty requirements of the client in the presentation and then hand out copies to be signed by each team member. In this instance people would remember the first two, last two (at best!) and just blindly sign the rest. While this would technically meet the objectives (everyone must agree they understand the security requirements) they really wouldn’t absorb the message.

My approach? Simple, high impact and memorable. As the example below shows, not many words and a memorable picture (in the actual presentation Borat merged to Simon Cowell showing a thumbs down and back and forth). In this way, the image hits them first (thumbs up/thumbs down), the message (check X when doing Y), and that’s it! (The message has obviously been sanitised to protect the innocent).

Of course, there were many other slides of this nature – I also used references to The Oatmeal, Dilbert and Defcon 18 amongst others. And each slide put across a very specific point.

At first glance, the deck looks awful, plain and badly designed. However, the simplicity of it ensures the message very clearly comes across with the imagery ensuring that message remains memorable.

Three things came across very strongly at the end. Firstly, the questions and comments at the end were engaging, sensible and eminently relevant. This made me very confident that the message was put across and understood, and that this approach was the correct one in this circumstance.

Secondly, the client saw this engagement, and has since requested a copy of the presentation to demonstrate how the team had been successfully “trained” and updated on security practices.

Finally, in front of this creative audience it became crushingly obvious that I really have to up my game when it comes to clip art…


The Simple Things – The Screensaver Lock

The principle behind the screensaver lock is that you build a fail-safe into your computer should you walk off leaving it unlocked (that is what we all do anyway, right?). The normal timing is somewhere between ten and fifteen minutes, and in organisations it is more often than not enforced through an Active Directory policy or similar. In principle therefore, whenever your screensaver activates it requires a password to unlock the screen when you return.

It is worth noting that any mobile device such as a tablet or smartphone should also have this feature enabled, although the lock can also be activated by switching the device off if required.

In the BYOS world of course this simply needs to be something you ensure is in place on your own computer, and the timing set to something that works for you – mine is fifteen minutes, and is harmonised into the energy saving and general computer power saving timings.

There are and will remain many objections to this kind of security control, but they can be boiled down into one of three:

1 – Presentations. I have heard on many occasions that the screensaver will kick in during a presentation, and I have some sympathy with this. I haven’t had it happen to me with a Mac (although I tend not to stay on one slide without any kind of mouse click or animation!). This can have two effects of course; either tell the audience that there are additional security controls employed by this company, or that the presenter is an amateur who can’t manage their computer during an important thing like this presentation.

This is challenging to fix – you can’t disable the lock for all who do presentations as that would expose a huge number of computers. And you can’t allow people to disable the lock themselves as it is very likely a large proportion will not reenable the lock.

The solution in my opinion is to allow by policy the disabling of the screensaver for a fixed period of time, say two hours, before it gets automatically re-enabled. I am not sure if this can be managed through standard AD policies or not, but it would certainly address this particular objection.

2 – Servers and accounts. In many cases where people have sandbox environments or the like under their desks there are many requests to disable the screensaver because of batch files that run in the foreground. In every case I have observed to date this is simply because of sloppy or inexperienced implementation of the batch file. When the batch files or executables are converted to run as a service they can run very happily with the screensaver enabled.

Except in very rare circumstances this is not a reason to disable the screensaver lock.

3 – Finally there is the group of people who simply don’t like being told! This is where education, awareness and some good old fashioned face to face communication comes into its own!

Nonetheless, whatever the objection, anyone with an ounce of concern for security should consider this control on any device in a BYOD environment, and perhaps more importantly on any mobile device.
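To make the "enforced by policy" point concrete, here is an added example (not code from the original post) that audits whether the screensaver lock is actually in force for a Windows account. The registry value names (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut) are the ones Windows uses, under HKCU\Control Panel\Desktop for the user's own settings and under the Policies key where a domain GPO writes them; the policy copy wins, which is the difference between a control that is enforced and one the user can quietly switch off. The 15-minute threshold is the post's own setting; the function names and the report wording are this example's assumptions.

```python
"""Audit the screensaver lock on a Windows account (added example, not from the post)."""
import sys
from typing import Dict, List

# HKCU subkeys. The Policies key is populated by Group Policy and overrides the user's key.
USER_KEY = r"Control Panel\Desktop"
POLICY_KEY = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop"
VALUE_NAMES = ("ScreenSaveActive", "ScreenSaverIsSecure", "ScreenSaveTimeOut")


def evaluate(policy: Dict[str, str], user: Dict[str, str], max_timeout_s: int = 900) -> List[str]:
    """Return a list of findings; an empty list means the lock is enforced.

    A value present under the policy key takes precedence over the user's own
    value, so the effective setting is the policy one where it exists.
    """
    def effective(name: str):
        return policy.get(name, user.get(name))

    findings = []
    if effective("ScreenSaveActive") != "1":
        findings.append("screensaver not enabled")
    if effective("ScreenSaverIsSecure") != "1":
        findings.append("screensaver does not require a password")
    timeout = effective("ScreenSaveTimeOut")
    if timeout is None:
        findings.append("no timeout set")
    elif int(timeout) > max_timeout_s:
        findings.append(f"timeout {timeout}s exceeds {max_timeout_s}s")

    # A correct setting the user can change is only as good as the user.
    unmanaged = [n for n in VALUE_NAMES if n not in policy]
    if not findings and unmanaged:
        findings.append("not policy-enforced (user can change: " + ", ".join(unmanaged) + ")")
    return findings


def read_key(subkey: str) -> Dict[str, str]:
    """Read the three values from HKCU\\<subkey>; empty dict if absent. Windows only."""
    import winreg  # only importable on Windows
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            for name in VALUE_NAMES:
                try:
                    values[name] = str(winreg.QueryValueEx(key, name)[0])
                except OSError:
                    pass  # value not set under this key
    except OSError:
        pass  # key does not exist (e.g. no GPO applied)
    return values


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being checked")
    report = evaluate(read_key(POLICY_KEY), read_key(USER_KEY))
    print("OK: screensaver lock enforced" if not report else "\n".join(report))
```

The "not policy-enforced" finding is the one that matters for the presentation objection above: a timed exemption that the user can grant themselves is exactly what this check flags, whereas a GPO-enforced value cannot be overridden from the user's key at all, so any two-hour exemption would have to be granted from the policy side rather than by the user.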


More Thoughts on BSides London 2012

A very quick post to spotlight the excellent talking heads reel posted recently by Javvad. Given I will very shortly be posting the video of my presentation from there I won’t waste space going over the excellent event again, suffice to say the devilishly handsome chap at 0:35 and 2:37 sums it up nicely!


The Simple Things Part Four – Removable Media

This is true Bring Your Own Security (BYOS) given that this really does fit in your pocket to “bring along”.

Everywhere you look in today's media, both in the infosec industry and the mainstream press, there is yet another case of X thousand records being lost on a memory stick by one organisation or another, and the trend seems to be getting worse. This is either because people are getting more careless (possibly) or the media is getting better at reporting it (probably). Either way, the brand and reputational damage alone is significant to any company, no matter its size.

There are two elements to this that are worth exploring:

Firstly, the prevalence of USB sticks is a part of the problem; they have become a simple commodity. They are on sale in newsagents, supermarkets and petrol stations, and are in people's pockets, on their key rings and in handbags. As a result it has become very natural to share files, photographs and anything else using them, and that familiarity has drifted into the workplace, especially when they are handed out at trade shows and demanded from IT departments. The problem is that they are not even basically secured, and that has become acceptable to the average person in the street.

Secondly, the media has found the “loss” of data a rich source of column inches to help sell their newspapers. The ironic part however is that in many cases when you read the back half of the story away from the headline, it transpires that the memory stick was in fact encrypted and would take the collective might of at least North Korea five years to break into.

So we have a dichotomy; a prevalence of unencrypted memory sticks in the marketplace, and the tendency therefore to assume that all memory sticks are insecure and report them as such.

The solution in a BYOS environment is simple – only buy encrypted memory sticks! It only needs to be a one-time investment (my personal preference is the IronKey), and relegate all of your old memory sticks to the bin (or your favourite computer recycling facility of course). If cost is an issue (and they are more expensive), then use something like TrueCrypt (www.truecrypt.org) to encrypt your existing sticks, and be sure to keep using it. TrueCrypt even has a portable mode that allows the executable to reside on a small unencrypted partition of the drive, with the encrypted volume alongside it, so that the stick can be used on other systems.

By making a habit of only using encrypted portable media we all move one step closer to the concept of BYOS.
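"Encrypted" is a claim worth verifying rather than trusting a label, so here is an added example (not from the original post) that checks whether a stick, partition or volume image actually looks encrypted. The heuristic is this example's own: a plaintext FAT/NTFS/exFAT stick carries a recognisable boot-sector signature and low byte entropy, whereas an encrypted volume (a TrueCrypt volume included, since its header is itself encrypted) shows no filesystem signature and near-maximal entropy. The sample images at the bottom are constructed in the script, not captured from real sticks; the device path and the 7.9-bit threshold are assumptions.

```python
"""Does this stick/volume actually look encrypted? (added example, not from the post)"""
import math
import random
from collections import Counter
from typing import Optional

SAMPLE_BYTES = 1 << 20  # the first MiB is plenty for the heuristic


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, between 0.0 and 8.0; ciphertext sits just under 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def filesystem_signature(sector0: bytes) -> Optional[str]:
    """Name the filesystem if sector 0 is a recognisable plaintext boot sector."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        return None  # no boot signature at all
    if sector0[3:11] == b"NTFS    ":
        return "NTFS"
    if sector0[3:11] == b"EXFAT   ":
        return "exFAT"
    if sector0[0x52:0x5A].startswith(b"FAT32"):
        return "FAT32"
    if sector0[0x36:0x3E].startswith(b"FAT"):
        return "FAT12/16"
    return "unknown (has boot signature)"


def assess(data: bytes, min_entropy: float = 7.9) -> dict:
    """Combine both signals: encrypted means no signature AND high entropy."""
    signature = filesystem_signature(data[:512])
    entropy = shannon_entropy(data)
    return {
        "filesystem": signature,
        "entropy": round(entropy, 3),
        "looks_encrypted": signature is None and entropy >= min_entropy,
    }


def assess_path(path: str) -> dict:
    """Read the start of a block device (e.g. /dev/sdb1, needs root) or an image file."""
    with open(path, "rb") as f:
        return assess(f.read(SAMPLE_BYTES))


# --- constructed sample data, standing in for two sticks ---------------------

def sample_fat32_image() -> bytes:
    """An unencrypted FAT32 stick: real boot-sector layout, repetitive payload."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x58\x90"          # jump instruction
    sector[3:11] = b"MSWIN4.1"             # OEM name
    sector[0x52:0x5A] = b"FAT32   "        # filesystem type string
    sector[510:512] = b"\x55\xAA"          # boot signature
    payload = b"customer export row\r\n" * 4000
    return bytes(sector) + payload + bytes(64 * 1024)


def sample_encrypted_volume() -> bytes:
    """Seeded random bytes standing in for a ciphertext volume (deterministic)."""
    return random.Random(2012).randbytes(256 * 1024)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(assess_path(sys.argv[1]))
    else:
        print("plain stick:    ", assess(sample_fat32_image()))
        print("encrypted stick:", assess(sample_encrypted_volume()))
```

One caveat that follows from the portable-mode layout described above: a stick that carries the TrueCrypt executable on a small unencrypted partition will report that partition as plaintext FAT, which is correct and expected. Point the check at the encrypted volume (the second partition, or the container file) rather than at the stick as a whole, and remember that a high-entropy result says the data is unreadable without the key, not that the key or passphrase is any good.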