Top Five From RSA USA 2014

I attended the RSA Conference USA last week and was able to witness the chaos, FUD, genuine insight, original thoughts and 25,000 people queueing for a coffee and bagel at 10 o’clock in the morning.

Rather than even attempt to do an end of show round up that others have been able to do far more successfully than me, here are the five things that I remembered the most from the week:

3M Visual Privacy

I still think 3M produce the best privacy filters for monitors, but I have been waiting a long time for technology to catch up and remove the unsightly and easily-left-behind at home piece of plastic in favour of a solution built into the screen itself. Whilst I didn’t unfortunately see that, one of the product managers assured me that this is exactly what the boffins at 3M are currently working on. This is going to be a huge step towards universal and transparent (forgive me) visual security for people using laptops in public places.

3M also surprised me by demonstrating a piece of software they have designed as well; the known problem with privacy filters is that they only protect you from people looking at your screen from your left or right. From directly behind you they can easily see your screen. The software uses the built-in webcam to recognise the user’s face, and if another face appears in the background looking at the screen, pops up a warning to the user and blurs the screen. To be honest it was a little clunky when I saw it, and it is currently only being developed for Windows, but this is exactly the sort of environment that people working with sensitive information need to “watch their backs” almost literally. I hope they continue to refine the software and expand it to all other major platforms.

Security Bloggers Meetup

RSAC USA sees the annual meet up of the Security Bloggers Network, so I was very excited to be able to attend this year and witness the awards show and a great deal of silliness and nonsense (to wit, the “bald men of InfoSec” picture for one). I managed to meet for the first time a whole bunch of people that I have either conversed with or followed myself, and some of whom I have very much admired. No name dropping I am afraid as there is too much of that later on in this post, but one thing I did take away was that there is a very valid desire to harmonise the North American and European Security Blogger Awards moving forwards which can only be a good thing and build the international blogger network further. In fact, you can now nominate for the EU Security Bloggers awards here.

The "infamous" bald men of security.


SnoopWall and Miss Teen USA

It wouldn’t be a security conference without some kind of booth babe furore and this one was no different. Although the presence of booth babes has dramatically reduced over the last few years there were still a few vendors insisting on using them. And then we thought we had hit a new all-time low with the presence of Miss Teen USA, Cassidy Wolf, at the SnoopWall booth in the South Hall. Condemnation was rapid and harsh. BUT WAIT… THERE’S MORE TO THIS STORY THAN MEETS THE EYE! After I retweeted my feelings about a teen’s presence at a conference that could best be described as a recovering alcoholic when it comes to misogyny, I was contacted by Patrick Rafter, the owner VP of Marketing of SnoopWall.

They have partnered with Cassidy to promote privacy amongst teens in complement to their product that detects the misuse of, for instance, the webcam on your computer or your phone. For those that may not know, Cassidy was the victim of blackmail from an ex-classmate who hacked into her webcam in her bedroom, took photos and then demanded more pictures. It goes without saying she stood up to the blackmailer, and has since made privacy one of her “causes” during her tenure as Miss Teen USA. Was having her at their booth at RSA a little misjudged? Yes. Do their cause and campaign (and software for that matter) actually have very good intentions? Absolutely. I chatted with Patrick a day later and while he acknowledged how Cassidy’s presence could have been misinterpreted, he strongly defended her presence and her intentions. I honestly found it laudable. Hopefully over the next few years as the industry finally sorts out its booth babe problem, people like me won’t be jumping to the wrong conclusions as we assume the worst.

The Thomas Scoring System

A few months ago I posted about Russell Thomas’ approach to risk management. I had the good fortune to meet with Russell at the Security Bloggers Meet Up and chatted in depth about his approach to measuring risk consistently. He has turned this idea into a very practical approach via an Excel spreadsheet, a point I made in my earlier review. This is important because without a way to implement at a very practical level it remains a theory. The following day Russell was kind enough to walk me through how to use the system in practical terms, and I am going to be trying it out in my day job as soon as possible. I would urge you to take a look at the Thomas Scoring System as I strongly believe it is a great way of bringing metrics together in a meaningful way.

Gene Kim & The Phoenix Project

I was fortunate enough to have been introduced to Gene Kim, the founder of Tripwire, author, DevOps enthusiast and all round genius/nice guy a few months ago, and we had chatted a couple of times over Skype. (Gene is very generously offering me his guidance around writing a book and his experiences publishing it; yes you heard it here first folks, I intend to write a book!) Knowing he was at RSA I was able to seek him out, and I can now say I have met one of my InfoSec heroes. He is a genuinely charming, funny and generous guy, and he was good enough to sign a copy of his book, The Phoenix Project, as well as allow me to get a selfie with him. I would strongly encourage everyone in this field, as well as many of those not in it, to read The Phoenix Project, as it quite literally changed the way I looked at the role of InfoSec in a business, and that wasn’t even the main thrust of the book.

Gene very graciously allowing me to take a selfie with him


It has taken me nearly a week to recover from RSA, but despite the scandal and boycotts and minor demonstrations it was an excellent conference, as much for the presentations as the “hallway track”. As always, my thanks to Javvad for being my conference wing man again.

Is that Javvad, or a waxwork I am posing with?


Now it is back to real life.


Really Silly Attitude? Ropey Sales Approach?

RSA has had a tough few years; the subject of a high profile phishing attack in March 2011 resulting in the loss of information related to their SecurID product. They denied it was an issue until three months later when information gained from that attack was used against other companies, including Lockheed Martin, and had to subsequently replace a large number of the tokens.

In September this year they recommended that customers of their BSafe product should stop using the built-in, default, encryption algorithm because it contained a weakness that the NSA could exploit using a backdoor and therefore would be vulnerable to interception and reading. How very open and forthright of RSA I thought at the time. Despite the potential damage they may be doing to their brand by giving this information freely out, they are doing so in their customers’ interests and at the same time offering secure alternatives. It reminded me of the early nineties and the pushback against the Clipper chip, with RSA at the forefront protecting client interests and pushing back against the spooks of the three letter agencies of the USA. Here is what D. James Bidzos said at the time:

“We have the system that they’re most afraid of,” Bidzos says. “If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically threatening to the N.S.A.’s interests that it’s driving them into a frenzy.”

Powerful stuff. The newly formed Electronic Frontier Foundation would have been proud.

Now this is where it gets interesting and has raised the hackles of many in the Twittersphere and internet echo chambers. A few days ago it was revealed that the real reason for RSA to have used a flawed product for so many years was because the NSA paid them to. It wasn’t a huge amount of money although it possibly helped save the division that runs BSafe in RSA that was struggling at the time.

Businesses change. Leadership changes. Market forces steer a company in different directions to one degree or another. To my mind though, to deliberately weaken your own product for financial gain is extraordinarily unwise. By taking the money, RSA have declared that profit is above patriotism, whatever your view of patriotism is. If they took no money at all, there would be a good defence that the decision was taken in the national interest and to work harmoniously with the governmental agencies that protect the USA from danger. Unfortunately organisations that have relied on RSA’s products to secure their data have been let down simply to make a fast buck.

In October this year Art Coviello spoke about “Anonymity being the enemy of Security” at his Keynote at RSA Europe. That statement takes on a very different viewpoint now.

The response has been fairly unanimous, but here is one that got me thinking about my relationship with RSA:

Mikko RSA

I personally wouldn’t go this far as I go to network with friends, peers and colleagues, as well as listen to folks from the industry talk and present; I don’t necessarily go to listen to RSA as such. However this kind of reaction is going to have an impact on RSA that is likely to be felt for a number of years to come. Most security people I know are somewhat distrusting in the first place (hence why they are in security very often!). To have these revelations is going to have an impact both in their mainstream business as well as their conference business, so often seen as the gold standard of conferences globally.

If the last few years were tough for RSA, what are the next few years going to be like for a giant in our industry?


Do as I say, not as I do (and other things our parents told us)

This may be quite a challenging post as I potentially expose myself as a willing victim of an Orwellian world, if not a supporter of it. Nothing could be further from the truth, but I do think certain aspects of the forthcoming argument need to be aired.

I am amazed that people are surprised and angered to hear that the US and UK governments are “spying” on their citizens. I recall as a schoolboy in Dover in the eighties seeing a large installation on the cliffs of Dover, and it was common knowledge that it was used to intercept telephone and radio signals for the government. The thought was, and still is, a comforting one that various powers-that-be are intercepting communications in a morally correct albeit secretive manner.

While the scale of the interceptions highlighted through the Snowden leaks did somewhat surprise me, the fact that it was happening did not; in fact I expected it. My surprise was perhaps a factor of the rapid growth of the internet and the related technologies, but I was able to rationalise that with the many different methods of communications available to so many people on the planet.

I don’t agree with government back doors inside industry systems, and I don’t agree with the wholesale handing over of encryption keys to them either, but I do agree with the discrete and specific targeting of certain communications of “interest” and the decryption and handing over of those communications by the relevant company to the government in response to a valid and legal request. But it has to start with the interception, analysis, trending and prediction of traffic in the first place.

There, I said it.

We then move to the current advice being given to parents about monitoring and controlling their internet access and social media use. This type of advice is warmly embraced by most people, as one would expect, because children cannot possibly be expected to know and understand the types of threats they might be exposed to on the internet, and are too naïve to be able to deal with them. They do not have the experience or understanding of what could happen if they use the internet without some kind of supervision and monitoring, and as responsible parents we are there to protect, educate and support.

I think there is a parallel here, namely that the general population simply does not understand the kind of threats that are out there, and how monitoring communications and the internet is a fundamental way of ensuring that we don’t find out the hard way. There has to be a certain level of trust in the various government bodies that the monitoring is done for specific purposes, in the same way a child will have a level of trust that a parent monitoring contacts and online activity is doing so not to harm the child but to protect them from needless abuse and worse.

This parallel is not a clear one I understand; there have been abuses of power, and the politics of government is a dirty business at the best of times, but I pay taxes and participate in my community for the benefit of the greater good and therefore expect a certain level of protection from the powers that be. I chose to live in a somewhat paternalistic society because it benefits me and I get to enjoy a largely violence free lifestyle as a result.

Were you surprised by these revelations? Angered or resigned to them? I will continue to encrypt my most personal of data and practise good information security next time I do my banking in a Starbucks; not to protect myself from the government but from the criminals. I will leave the criminals to the government.


Amsterdam has them now: RSA Europe 2013 and playing the Game of Thrones

As usual it was a great week at RSA Europe, as much for the hallway track as all the other tracks on offer. Whilst it may not be as large as its bigger brother in San Francisco the move to Amsterdam from London seems to have given the conference a new sense of purpose and scale. The potential to grow in this location is obvious. But I hope it doesn’t grow too much more; there was always a sense of knowing what was going on and when, and where you were in relation to the auditoriums and speakers. I am sure that sense of perspective is more than lost in the scale of RSA San Francisco.

It still had its challenges, all minor. For instance, tea and coffee points that seemed perpetually shut throughout the day, a distinct lack of activities on Wednesday even after a 17:00hrs close, and perhaps the location did not lend itself to the kind of out of hours socialising that London had to offer. For me the Novotel bar became the centre of my networking experience, no bad thing, but I would wager there were a few more hotel bars doing the same thing meaning the networking was seriously fragmented.

The usual suspects were there for me to socialise with as well as some new faces, such as Tor and Kjetil from Norway who were both intelligent and hilarious, a combination I always enjoy. I managed to meet a few more of our industry “luminaries” as well which is always interesting (never meet your heroes!), as well as catch up with others I had met previously and enjoyed their company and insights.

For me the whole conference was focused upon 14:40hrs on the Thursday when I presented “Playing the Game of Thrones: Ensuring the CISO’s Role at the King’s Table”. Not only was I presenting in my own right but I was also presenting content and an approach that I had synthesised from a variety of sources and my previous thoughts and theories. The session went extremely well, was watched by a number of people I know and respect, and was fully attended (with even a couple of people having to stand). Questions at the end were thin on the ground although I had noticed that throughout the conference, but the feedback has been phenomenal. I haven’t had the formal feedback from RSA yet, but their newly introduced conference app allows me to see a certain degree of feedback on both me as a speaker as well as the talk itself.

RSAC Europe 2013 GRC-R08 THOM LANGFORD.005

The slides are above in PDF format, and are also available in Keynote format here. My good friend and evil twin brother Kai Roer kindly filmed the talk as well, and as soon as that is available I will be publishing that on YouTube. One of the key reasons for doing so is to invite more comments on the material itself, as I made a few bold statements that I am sure not everyone would agree with. For instance, the less influence a CISO has, the more prescriptive (and lengthy) the policies are, in turn making them less effective. This is based on my observations only rather than research, so getting feedback on points such as this helps inform everybody more.

All in all it was a great week, making new friends and meeting old ones and always learning new things almost every hour. Here is my honour roll of folks from the week that made it as memorable as always:

Javvad, Brian, Kai, Kjetil, Tor, David, Dave, Bruce, Tor, John, Dwayne, Quentyn, Neira, Josh, Martin, David & Olivier (my apologies to anyone I left out, it is the fault of my memory and not how memorable you were!).


Announcements, Presentations and Work!

Banyan tree, Bangalore, India


It has been an incredibly busy five weeks since 44CON, with a lot of travel, projects coming to fruition, conference talks and preparation as well as more writing than is reflected in this blog.

I have spent three weeks (over two trips) in India carrying out five security risk assessments and hosting one three day client visit, and all I can say is that my India based colleagues continue to impress and amaze me with their knowledge, analytical skills and above all friendliness. I had the good fortune to spend some time with them at a team outing, discovered a mutual friend in London and also hit the dancefloor with them (if you have never danced in an Indian nightclub, you haven’t really danced!).

I was also able to spend an evening with the lovely folks of the Delhi chapter of NULL in Noida, and had a great couple of presentations (WAF and compliance) as well as an engaging conversation on interviewing in the infosec world. I had struggled for the last couple of years to find good conferences and forums in India, but apparently I missed an incredibly vibrant and widespread community. I’m glad to say that is no more the case and I look forward to attending more in the future (along with my India based colleagues). On my return I attended the IT Security Forum and spoke on “Throwing Shapes for Better Security Risk Management” covering three ways to manage your security programmes more effectively.

A project I have been working on with my good friends and colleagues @sirjester and @j4vv4d finally came to fruition with the help of @jimshout, called Host Unknown. I am extremely proud of this project and we have spent many hours agonising over the details, honing the performances and getting website, YouTube and social media coordinated; in fact it was a lot more work than we expected! There is so much more in the pipeline, and if you would like more information please contact us, I promise you will only be mildly disappointed! (I am also legally obliged to point out that it was all my idea, despite what some of you may have heard.)

My other piece of news is that I have been asked to be a guest blogger for Iron Mountain, something I am absolutely thrilled by! I have already posted my first article, and I am looking forward to writing many more. As someone who can often struggle to get down to the process of actually writing in the first place (once I am started I seem to be OK!), I see this as another incentive to flex that particular creative muscle more frequently, as well as getting used to writing on specific subjects, somewhat to order. I will of course be cross posting back to this blog, but I would encourage you all to head over and see what they have to say. My particular favourite is @christiantoon who is certainly one of the more prolific writers on the site (and a great guy to boot!).

It’s the RSA Europe conference next week, and I have been busy preparing my presentation “Playing the Game of Thrones: ensuring the CISO role at the King’s Table”. While there is an element of content that I have covered in other presentations before, this is nonetheless a new presentation with plenty of new content, somewhat more research based (although by no means academic) and very much pushing me out of my comfort zone. That said I think it is going to be a strong presentation which should generate some good discussion; here’s a podcast where I explain what I am going to be talking about, and I will of course be covering the conference in my next blog.

With all of this going on I haven’t been able to post as regularly as I would have liked, but I am building up a great stash of content that should see us through the winter months. Winter is coming after all!