eCrime and Information Security Congress

I presented at the eCrime and Information Security Congress on Wednesday, and had a terrific time presenting my thoughts on making risk assessments more effective for the business. It was probably the largest audience I have presented to, and the stage and AV set-up were suitably impressive. I had the support of two fine upstanding members of the infosec community (as well as @j4vv4d and @sirjester…) throughout the day and was fortunate enough to get some great feedback from both the organisers (in the form of @jonhawes) and Javvad after the event.

The key points I was making were:

  1. Ensure your risk management programme is producing the quality data that subsequently becomes business information.
  2. Know how to present your information in a compelling manner to ensure your message (and business information) gets across to the right people.
  3. Understand the connection between your activities and your organisation's primary purpose, whatever that may be.

The presentation ran to just under twenty minutes, but unfortunately the house style appeared to be not to field questions at the end. I felt I engaged well with the audience and had some unsolicited feedback to that effect afterwards, but I would have welcomed the opportunity to chat around the ideas and concepts I was putting forward. If anybody who watched the presentation reads this post, please don't hesitate to ask something!


As usual I have posted the slides below; I also intend to post a movie of the slides with a voiceover, but those of you who are still waiting for the footage from an event I did in September will know how prompt I am in creating these films. Javvad I am not!

The event itself appeared to be very well attended by both the public and sponsors, in fact a huge number of sponsors compared to even RSA Europe last year. The breakout sessions were apparently very useful (I was unable to attend any as I arrived only for the last half of the second day, but heard good things about them), and above all the food was excellent!

Thanks to the folks at AKJ Associates for inviting me to speak, and especially to Jon Hawes. With a bit of luck I will be doing more of this in the coming months.

CIA Triangle eCrimes Congress PDF


Risks, Risks Go Away, Come Back Another Day

Risk Management can be a tricky business, and this is coming from a fairly straightforward perspective with a simple view of risk management (which means even I can understand it!). To the lay person the purpose of risk management is to find the risks and then remove the risks to the organisation, otherwise why bother?

The clue of course is in the word management. Many information security professionals already know that you can do one of four things to your risks, once identified:

  1. Mitigate (aka Manage), that is implement a control or carry out an activity that reduces the risk.
  2. Avoid, or basically just stop doing the thing that is causing the risk.
  3. Transfer, or just give the risk to someone else, like an insurer or a third party vendor.
  4. Accept, or just face facts that this risk is the price you pay for doing business in this area.

So let’s assume you have completed your risk assessment and applied at least one of these actions to each risk, does this mean you are done? Does this mean you have successfully removed all of your risks from your organisation? Unfortunately, not by a long chalk.

Risks are always going to be present in your organisation; there are the ones you know about albeit reduced, the ones you think are too small to worry about, and finally the risks you have no idea about.

With the risks you know about, even though you have reduced them (they may have gone from scoring an 8 to a 4, in ISO 27005 parlance), they still exist! They can still happen, and worse still, the day after you have measured them, your assumptions are technically out of date. And just to really make your day, they may have even evolved and become unrecognisable, and therefore invalid in your risk register.

The smaller risks you deem to be at an acceptable level will also suffer in the same way. Again, in ISO 27005 parlance, the likelihood of something happening may change dramatically, or perhaps the ease of exploitation. Even worse, the asset value that you are measuring your risks against may have changed, which will have a number of far-reaching impacts on your risk register. By that I mean that a project that was once of little importance to the organisation, or even a physical asset, may suddenly take on a more important role and therefore a greater 'asset' level. All of this is going to have an impact on your risks and how they affect your organisation.

Finally, the risks you weren't even aware of. To be honest, and by their very nature, there is not a lot you can do about these except consider the following advice, which applies to all risks:

You should be clear on one thing, namely that risk management is not a one time activity. All of the text books and standards will say that your risk register needs to be reviewed every year or after every major change. Whilst I don’t disagree with this per se (and in fact a minimum of a yearly formal review is an absolute necessity), I think in reality this needs to be much more frequent. Really, reviewing your risks needs to be an organic part of your day to a greater or lesser degree, and dependent upon the type of environment you operate in.

This does not necessarily mean you need to pore over your risk registers every day, but rather make a concerted and formal effort to be aware of the changing 'threat landscape'; you can do this through popular news sites (e.g. BBC, CNN etc.), specialist news sites (e.g. SANS, Sophos Naked Security etc.), blogs of people you know and trust, and of course Twitter, for instance. There are likely to be many examples, but each one of these sources is going to give you a constant stream of information that needs to be processed and reviewed in some way against your risk register. You may only make minor changes every month or so, or you may find more frequent changes dependent upon your environment, but either way you will be ensuring that your risk environment is fresh and up to date.

Now that your risk register is up to date and managed well you can be assured that the information you have is accurate, timely and subsequently meaningful. What you do with that information however is even more important, and something that will be looked at in a later post. As always, your comments and questions are welcome.

(Artwork by Peter Spier from his book, RAIN.)


Wash Out Your Ears – The importance of listening during risk assessments

I can't tell you the number of times I have sat on the other side of the table during a risk assessment or audit and not only been talked at by the auditor but also not even listened to. Unless what I or my colleagues are saying is part of the accepted script the auditor expects to hear, it can often fall on deaf ears.

It doesn't matter if what I am saying is germane to the topic in hand, explains things in more technical detail, or even if it addresses a number of questions old or yet unasked; the auditor blindly continues, or even just appears to switch off. How can this lead to a successful audit or assessment? To some, an audit or assessment is a sequence of activities to be completed in a set order and at a set pace, and that will never result in quality findings. Approaching an audit or risk assessment from a less mechanical perspective will often produce results in unexpected ways.

Simply listening will give you at least two things:

  1. More information. It may not always be immediately relevant, but at some point in the day it will help you form a larger and more complete picture.
  2. Unprepared auditees will sometimes talk themselves into trouble! Nerves can make people do very silly things, and letting people engage their mouths before their brains can lead to some startling insights.

When you combine the above points you can often find what I call the “over specific response” occurring. What this means is that people will also sometimes be very specific in their responses, for instance when asked if a particular procedure has been tested, the response “Yes, this procedure has been tested” gives rise to so many other questions such as “when, where, and by whom?”, and yet at a casual listening it is a very positive response. Listening to the exact response and unpicking the precise verbiage is vital.

Additionally, there is one other aspect of listening that should be observed; that is, carrying on listening even when the other person has stopped talking. Just as nature abhors a vacuum, human beings as social animals abhor a silence. Staying silent for longer than is comfortable (at least to them) very often produces more talking and more information than they originally intended. When I first presented this thought just over a year ago in a risk forum a member of the Metropolitan Police in the audience later asked me if I had ever had interrogation training, as this was exactly one of the approaches they used! I would certainly never suggest that an audit or assessment is an interrogation, but there is very much an art to getting the maximum amount of information out of someone trying to give you the absolute minimum.

One rule of thumb to take away in this instance is a quote I first read in The Leaders Workbook by Kai Roer (@kairoer):

Try to keep in mind that you have twice as many ears as you have mouth, implying you should spend more time listening than talking.

That’s a pretty good ratio for any risk assessment or audit I think.


Probably not a serious breach, but definitely a serious failure

The Twitterverse, online and traditional media worlds were, if not alight, then certainly smouldering with the news of a security breach as a result of pictures being published showing the Prince on a normal day at the office. At first I couldn't work out why the press was saying that usernames and passwords were at risk, especially as the main photograph showed the Prince at a computer screen. Surely passwords are always obscured at a login prompt? Even the MOD can't have such bespoke systems that they clearly show passwords on a screen? I even Tweeted that surely this must have been, therefore, a Post-it fail rather than a technology fail. Thankfully there were further Tweets and further analysis of the situation, and it was the Naked Software blog that finally made sense of it all.

Unbelievably it was a Post-it fail… or at least a piece-of-A4-taped-to-the-wall fail.

My personal analysis of this may be a little different from most infosec professionals', in that what was exposed was probably not that serious. A username and password were effectively leaked for what was probably an unclassified part of the MOD network (or whatever the correct terminology is). This physical network is probably behind fences and locks and soldiers with guns (or heaven forbid, the MOD Police), and probably didn't even have anything interesting on it. I do of course think those in charge were right to change the password and username, as that is obviously a sensible precaution, but after that point, so what?

That said, what I think this does highlight is a dreadful failure of the security "attitude test" by the personnel and leadership of that base. How on earth it could have been deemed acceptable to have a username and password, of any description, taped to a wall, no matter how secure the environment, is beyond me. Firstly, this means that a generic account is in use, a fundamental no-no in anyone's book, but it also indicates that it is acceptable to do other things born of convenience. Share files on a USB stick between here and home – no problem! Carry printed flight rosters and contact details in your manila envelope out of the base – of course! The mere act of allowing this to happen means there are already shoddy security practices at work on this base, and their head of security should investigate immediately (and be slightly ashamed). As an aside, I was also surprised at the Prince, to be honest; here is someone who must have had security training to the nth degree given his position, and he is standing, smiling, right next to the piece of paper.

It reminds me of why I make such a big deal of using lock leads in the office. The actual risk of having a laptop stolen from your own office in the middle of the day is fairly low (overnight the risk rises of course, but we don't leave laptops out overnight, do we?!). I often cite the example of a fire alarm and subsequent evacuation, and laptops being removed/stolen by the last person on the floor, but again, this is an unlikely event. My main driver for the lock lead is that the very physical act of attaching your laptop to a lock lead first thing in the morning is a strong reminder of the need for security, and puts that person into a more security-aware frame of mind. If they take their laptop into a meeting room, the act of unlocking it is a reminder again. I have argued before that security awareness training does not interact with people often enough to influence their behaviour in any measurable way, but if we can encourage the use of lock leads throughout the organisation, much of the battle is won.

Really, if the MOD gets this wrong, what hope is there for the rest of us?



CSARN Organisational Resilience Conference

I was able to attend the City Security And Risk Network (CSARN) conference on organisational resilience today. It was a very well put together one day event with speakers from a broad range of companies and backgrounds such as the Police Force as well as military and traditional consultancies.

The key focus of the day, though, was of course on elements of organisational resilience such as incident and crisis management, the terrorist threat, global travel planning and the associated risks (in this case played against a backdrop of maintaining operations during the Arab Spring) and of course business continuity management. The speakers were knowledgeable, and approachable during breaks for further questions. Justin Crump did a cracking job of maintaining order throughout the day and ensuring the audience was engaging well with the speakers.

Halfway through the day there was a panel discussion focussed on "building and embedding effective cyber security structures", and I was pleasantly surprised to have been asked last week to be on the panel itself. (Cue jokes about how far down the list they had to go before they got to me etc…). Also on the panel with me were Geordie Stewart (who I am also speaking with at RSA) and Paul Simmonds (Co-editor, Cloud Security Alliance "Guidance" v3; Co-founder & Board of Management, Jericho Forum; former CISO, AstraZeneca). I felt it came across as a very well balanced discussion, with some very insightful and focussed questions from the audience. I had been primed that the audience was not that well versed in all things "cyber", but that didn't really come across, which made for a very enjoyable and engaging discussion.

We covered topics such as sources of cybercrime (state sponsored, organised crime and so-called chaotic actors), what our thoughts were on the biggest threats coming out of the "cyber" threat, and what we could be doing better at international levels. When each of us was asked what the single take-away from the discussion was, mine was a rather glib, if valid, "plan for failure"; another strong take-away to my mind was "get the basics right, everything else comes second". Again, it sounds glib and from the school of the bleeding obvious, but over-complicating any challenge is so easily done.

If I had one piece of critical feedback (well, two actually) it was that towards the end the presentations seemed to move into blatant sales pitches; now I understand sponsors need to get a return on their sponsorship, but it was the wrong forum to my mind for sales pitches. Secondly, I wouldn’t do something like this again on a Friday; it felt like half the audience had left come 2 o’clock, which can’t have helped the afternoon speakers at all!

I thoroughly enjoyed myself though, have some great key take-aways specifically for my business continuity planning, and I hope to have planted the seeds of being able to return again in the future as a solo speaker!

My thanks to Acumin and CSARN for giving me the opportunity to be on their panel, especially alongside two people whom I admire in the industry.