eCrime and Information Security Congress

2 Comments

IMG_0002I presented at the eCrime and Information Security Congress on Wednesday, and had a terrific time presenting on my thoughts around making risk assessments more effective for the business. It was probably the largest audience I have presented to, and the stage and AV set up was suitably impressive. I had the support of two fine upstanding members of the infosec community (as well as @j4vv4d and @sirjester…) throughout the day and was fortunate enough to get some great feedback from both the organisers (in the form of @jonhawes) and Javvad after the event.

The key points I was making were:

  1. Ensure your risk management programme is producing the quality data that subsequently becomes business information.
  2. Know how to present your information in a compelling manner to ensure your message (and business information) gets across to the right people.
  3. Understand the connection between your activities and your organisations primary purpose, whatever that may be.

The presentation ran to just under twenty minutes but unfortunately the house style appeared to be not to field questions at the end. I felt I engaged well with the audience and had some unsolicited feedback to that effect afterwards, but I would have welcomed the opportunity to chat around the ideas and cocepts I was putting forwards. If anybody who watched the presentation reads this post please don’t hesitate to ask something!

IMG_0001

As usual I have posted the slides below; I also intend to post a movie of the slides with a voiceover, but those of you who are still waiting for the footage from an event I did in September will know how prompt I am in creating these film. Javvad I am not!

The event itself appeared to be very well attended by both the public and sponsors, in fact a huge number of sponsors compared to even RSA Europe last year. The break out session were apparently very useful (I was unable to attend any as i arrived only for the last half of the second day, but heard good things about them), and above all the food was excellent!

Thanks to the folks at AKJ Associates for inviting me to speak, and especially to Jon Hawes. With a bit of luck I will be doing more of this in the coming months.

CIA Triangle eCrimes Congress PDF

Certified Information Security [Insert Qualification Here] Post Nominals

6 Comments

exam_paperThe good news for me this last week was that I eventually took the CISSP exam and passed. I was obviously pleased and relieved, and I am currently going through the endorsement process. Despite the drubbing that the CISSP as a certification over the last year or so I have to admit that on the whole I was impressed with the depth and breadth of the subjects covered.

Of course the caveat to this is that I think this on the basis that the CISSP is an information security certification, not an IT security certification. There is plenty of content about fire extinguishers, foot candle illuminations of parking areas or even the legal constraints of transferring information outside of the EEA, all of which are important to my mind when taking into account the broader concepts of information security (especially when considering the Confidentiality, Integrity & Availability triangle). Much of the criticism I observed was around the relevance of topics like my previous three examples to IT security, to which I reply “It’s not”. There are sections that focus on these areas, but they quite rightfully don’t dominate the subject matter.

That said, there were areas that I thought were woefully under represented in the reference material that I used, for instance I disagreed with the definition of ISO 27001 versus ISO27002, their definition of an adequate security measure for WEP (hiding the SSID… really?) and other small points. I was however revising against the 2nd edition CBK which has now been updated to the third edition, so perhaps there have been updates in some of these areas.

The other area I struggled with was the relevance of some of the information required for the exam. The level of details required in areas like security architecture for models that actually aren’t in use any more or encryption techniques or even the finalists in the competition to decide what encryption method to use in what ultimately became AES… over twenty years ago! None of this is going to be useful to me in may day to day job at all.

But again, overall it really made me think about my “craft” and I have found it beneficial. There was an element of me taking this exam as a box ticking exercise given my current role, but this was mainly because I came to infosec quite late in my career and there were questions being asked as to why I didn’t have this qualification. It made sense to get it done now and out of the way as it were, and add to my CISM and CGEIT (and MBCS CITP… at this rate my business cards are going to have to be very wide.)

The big question for me now though is what’s next? CRISC or the CIPP/E? Risk or Privacy?

Presentation Style IS Important

Leave a comment

Poor Presenter Type.004Just before Christmas I had an excellent opportunity to co present one of Javvad’s (@j4vv4d) eponymous InfoSec video blogs. In it we took a tongue in cheek look at the variety of styles of bad presentation that we have observed at various conferences and forums. I should of course stress that neither one of us claims to be keynote material with regards to our own presentation style, but we are constantly struck by how many presentations are unintelligible, difficult to follow, underprepared or any other myriad of things that dramatically reduce the impact and message a presentation is supposed to give.

The video blog (here) looks at ten different styles that we felt were the most heinous; there were a further ten left on the cutting room floor! Obviously it was a humorous view in order to best get the point across but it does underscore a serious point, namely that it is astonishing that for a so called professional industry the quality of presentations is often so low, even at events that you have to pay for. I for one expect more.

What I want to look at now though is not “what” we should be doing to improve these presentations because that has been done elsewhere (here and here); rather I will focus on the “why” because it is important to understand the reasons for improving our presentations and the positive outcomes it will have to our community.

In my opinion, it comes down to three points:

Firstly (and in reference back to the video blog), I see so many people in the audience quite simply just turning off in the face of poor presentation style (be it the slide, the verbal delivery etc). All of us attend these forums and conferences to learn from other people, observe their real world experiences and look to see how we can apply the learning into our own professional lives. And yet the first message we get is that the topic in hand is dull, or inaudible or illegible. In any kind of information security conference all topics should be interesting to one extent or another to all attendees. It is the presenters primary responsibility to make the topic interesting, grab the audiences attention and maintain it throughout.

Secondly, it is a question of value for money. This is very apparent in the situations where an event costs money to attend; I expect a certain level of professionalism, content and delivery, and in too many cases it is simply not apparent. In free events, this is less obvious for the audience (who are often getting free beer and food at the same time), but the poor presenter is letting down the sponsor and perhaps sullying their name and reputation. Of course there is also the reputational damage to the individual giving the poor presentation!

Finally, it is a matter of professionalism for the industry and community. Not only do we need to be taken seriously amongst ourselves but we must ensure we can speak convincingly within our own organisations. If we cannot put across our thoughts, analysis, reasoning, proposals and perhaps most importantly our requests for budget in a convincing and professional manner the infosec industry (and your department) will never be taken seriously.

None of us are perfect, especially when it comes to standing up in front of a demanding audience, but I strongly believe we should be asking our trusted colleagues, peers and acquaintances for feedback each and every time we present. What we get back from them may make for uncomfortable listening, but as long as the feedback is given constructively, openly, without fear of reprisal and with good intentions we will all benefit, as individuals, as organisations and as an industry.

 

Where is Outlook for iPad?

Leave a comment

The prevalence of the “Bring Your Own Device” (BYOD) concept as an acceptable, if little rushed, approach to empowering employees at work has resulted in many different types of devices being used in the workplace now. Arguably, these are split into two camps, Android & iOS (I don’t believe Windows Mobile has made many inroads into the enterprise… yet… watch this space as their new devices come off the production line).

The prevalence of Exchange Servers in the enterprise is also arguable, but in my own experience it is the number one mail server around, and with it of course comes Outlook. On the whole, I love Outlook; it has a few quirks (especially on the Mac) but by bringing together my email, calendar, contacts and notes into a tightly integrated package, which in turn integrates with my enterprise email/messaging/scheduling platform means it is probably the number one application I use.

Why then has Microsoft not capitalised on these two facts and marketed Outlook for mobile devices with the promise of integration, functionality and security? There are apps on the various app stores that claim to offer Outlook style experiences, but the feedback on these speaks for itself.

I can’t say I would care much for Word, Excel & Powerpoint on my tablet that much, I tend not to edit or annotate these documents on these devices much anyway. But Outlook would change how I interact with work over my iPad, but only if they implement it properly!

Given one of the core tenets of Outlook is to integrate email, contacts, calendar and notes from the enterprise, I strongly believe it should NOT integrate with the same apps on the device. By this I mean its database should be entirely separate, and ideally, encrypted to retain a certain degree of security. Because of this separate installation, the application itself can handle all of the ActiveSync profiling (e.g. encryption, password protection, password retries, remote wipe and the such like) that on existing devices causes an infinite amount of pain. Having had personal experience of rolling out a one size fits all ActiveSync profile to thousands of of BYOD devices with different hardware and firmware because they are by definition “personal” devices, I know too well of the amount of noise, frustration and lost hours this brings to the end user.

Of course, this kind of application, sold on the app stores for £10GBP/$15USD, could also be purchased by the individual owner and expensed (or not, see your expense policy) and is the one, and only, barrier the enterprise puts up to mobile BYOD adoption. Have the latest Outlook for iOS? Then gorge yourself on your work email to your hearts content! The enterprise has full control over the data, including rules of what can be forwarded, printed etc because it does not integrate with the devices native apps, and if the employee leaves or is fired, then ZAP! on the next connection and authentication the data is gone.

This approach may put companies like Good out of business, or may even drive them to greater innovation (where do you think I got the idea for the above anyway?!), but my experience of bolting on third party products onto Exchange has never been “good” anyway.

In my limited experience I know there must be some pretty major road blocks to this, otherwise why haven’t they done it already? If you are more educated in this area than me then please do comment and let me know your perspective. in the meantime, I shall dream of my iPad/Outlook nirvana and the increased amount of sleep I will get overnight not worrying about all that data flying around on peoples personal devices.

The Simple Things Part Four – Removable Media

Leave a comment

This is true Bring Your Own Security (BYOS) given that this really does fit in your pocket to “bring along”.

Everywhere you look in todays media, both in the infosec industry and mainstream media, there is yet another case of X thousands of records being lost on a memory stick by one organisation or another, and the trend seems to be getting worse. This is either because people are getting more careless (possibly) or the media is getting better at reporting it (probably). Either way, the brand and reputational damage alone is significant to any company, no matter its size.

There are two elements to this that are worth exploring:

Firstly, the prevalence of USB sticks is a part of the problem, they have become a simple commodity. They are on sale in newsagents, supermarkets and petrol stations, and are in peoples pockets, on their key rings and in hand bags. As a result it has become very natural to share files, photographs and anything else using them, and that familiarity has drifted into the workplace, especially when they are handed out at trade shows and demanded from IT departments. The problem is that they are not even basically secured, and that has become acceptable to the average person in the street.

Secondly, the media has found the “loss” of data a rich source of column inches to help sell their newspapers. The ironic part however is that in many cases when you read the back half of the story away from the headline, it transpires that the memory stick was in fact encrypted and would take the collective might of at least North Korea five years to break into.

So we have a dichotomy; a prevalence of unencrypted memory sticks in the marketplace, and the tendency therefore to assume that all memory sticks are insecure and report them as such.

The solution in a BYOS environment is simple – only buy encrypted memory sticks! It only needs to be a one time investment (my personal preference is the IronKey), and relegate all of your old memory sticks to the bin (or your favourite computer recycling facility of course). If cost is an issue (and they are more expensive, then use something like TrueCrypt (www.truecrypt.org) to encrypt your existing sticks and an be sure to keep using it. trueCrypt even has a portable mode that allows the executable to reside on a smaller unencrypted partition of the drive allowing it to be used on other systems.

By making a habit of only using encrypted portable media we all move one step closer to the concept of BYOS.