Sailing with the 451 Group

Leave a comment

Last thursday, 20th February saw me take a day of work and attend the Enterprise 451 Information Security Executive Summit and also present there in the afternoon. Although I didn’t make it until lunchtime (due to meetings about another conference later this year) it was still a cracking afternoon, with plenty of opportunities to chat to the analysts, see some of their latest research and also have roundtable discussions with the vendors.

Often these roundtables can be quite hard work as the vendors can pitch quite hard to get their moneys worth from sponsoring the day, but the ones I attended were handled very well and actually put the focus on the attendees discussions rather than the products. Of note in this regard was Palo Alto, and I enjoyed the vigorous discussion, despite it running over by 10 minutes as we all rallied to make our own points!

I presented on “Sailing the C’s of Disaster Planning”, a heavily rewritten and much improved presentation from its first outing at 44CON in September. I have noticed a step change in my presentation style since 44CON as I grow more confident in what it is I am saying and less reliant on the slides and bullet points. This results in a more engaging slide deck and a more fluid style of presentation. informal feedback has been good so far, although I am looking forward to getting mor formal feedback if it becomes available.

The after conference dinner and drinks were also excellent and resulted in me almost missing my last train home.

This week sees me at RSA USA for the first time which is hugely exciting; it is a huge conference (one of the organisers told me up to 24,000 people) and even on the soft start day is incredibly busy. I will no doubt write up my eexperiences here in th enext few days.

An Englishman Abroad – Securi-Tay3

Leave a comment

Securi-Tay logo - webGavin Holt, who I was fortunate enough to be mentor to for last years BSides London Rookie track, invited me to submit a talk for Securi-Tay3, the third annual security conference hosted by the University of Abertay and run by the Abertay Hackers Society. He is the Vice President of that society and responsible for drumming up trade for the conference. Securi-Tay has a reputation for being Scotland’s biggest security conference, and this year attracted something like 170 people putting it well on a par with many ‘professional’ conferences.

I duly did as I was told and submitted into the CFP.

The day was great; the conference was well managed and run, there were always plenty of volunteers in distinctive blue (and not black for once!) T-shirts who were friendly and willing to help. Vitally there was always a cup of tea available in the reception area, throughout the day, something so many conferences miss when you are working the hallway track rather than the advertised tracks. This is one Englishman who has traditional standards…

As expected there was a very strong technical slant to the presentations (many of them given by people called Rory it seems as well) and some of them were beyond me. In fact I tweeted the following day saying that the one downside to the conference was that I often felt like the dumbest person in the room.

I was able to present on “Throwing Shapes for Better Security Risk Management”, a wholly revamped version of a talk I did at the IT Security Forum late last year. When I first gave it I had some great feedback  from Jitender Arora which I tried to address, as well as the formal feedback from the session (basically “good content but not what was promised”). Securi-Tay kindly recorded the talk which I will post shortly, although with the microphone cutting out there is only so much you can hear. Feedback afterwards was very positive, and I had some great conversations with people not just about risk management but presentation style generally.

Two other presentation also stood out for me; Ritesh Sinha and Paco Hope‘s “The Colour of Your Box: The Art and Science of Security Testing” and Rory McCune’s “Crossing the Mountains of Madness – How to Avoid Being a Security Cultist”. These will also be available at the Securi-Tay YouTube channel shortly.

This was a great conference, attended by people who truly wanted to learn and engage rather than just get out of the office for the day, and who are actively pursuing a career in the infosec industry. What did surprise me though was the number of people from the day who wanted to get more involved with risk management as a career option rather than the more technically focussed, ethical hacking option which at first glance would appear to be the defacto choice. The honesty and passion of all of the students there was very refreshing, and I thoroughly enjoyed chatting to everyone at the after party, all the way through the inevitable kebab on the way back to the hotel.

A big thank you to Gill Chalmers, Gavin Holt and all of the members of the Abertay Ethical Hacking Society for running an educational and excellent day.

An Approach to Risk Decision Making – a Review

1 Comment

Public expenditure

I decided to write a review of a paper submitted to wired.com on the subject of “An Approach to Risk Decision Making” by Curt Dalton. I must however declare an interest in this, in that I happen to report to Curt in my day job (he is global CISO), and that he was kind enough to share drafts with me as he wrote it for feedback. This will of course therefore be a somewhat biased review, although not too much, but I do hope if nothing else it generates conversation around topics and approaches like this. I have a huge respect for Curt, have learnt much from him over the last few years and hope to get a good score in the next performance review!

In essence, this model is designed to help an orgnaisation decide if it is financially viable to invest in security technology/controls/procedures in order to address a given risk. It is not designed to be used across an organisations risk management porogramme, but rather with those handful of risks that can’t be addressed in day to day operations and have to be escalated to senior management to be effectively resolved.  With limited budget and access to that senior leadership, this approach provides support and guidance on what to ‘fix’ and what not to fix.

This scope is a key element of the model; it uses very traditional approaches to monetizing risk versus the more in vogue approach I have reviewed elsewhere in this blog. To that end it uses assigned numerical values to elements of its calculations; this is of course where ‘errors’ may creep in, but in theory an experienced risk manager familiar with their environment should be able to assess this reasonably well.

In summary, the model is as follows:

Figure1_660

Figure 2 in the model requires an analysis of controls required to address a risk.

Figure2_660

This does of course beg the question, how do you know you have all of the controls required and how do you know you have selected the correct numerical value? Again, the pragmatist in me suggests this is entirely possible with someone who is familiar with the environment and the organisation, but this may of course be more difficult in other situations.

Figure 3 does a similar thing with a similar level of granularity, i.e. defining in nine increments the ease of exploitation of a given risk; where I think there is potentially something missing is that this value applies to ALL of the risks listed in figure 2 rather than individually.

Figure3_660

Obviously this would massively increase the complexity of the solution but this is a deliberate approach to ensure simplicity across the model.

These two numbers are then combined with a simple calculation of impact to etsablish a level of monetized risk. Finally, the 80/20 rule (or Pareto’s Principal) is used as a rule of thunmb to define the actual budget that should be spent to mitigate a risk. In the example given therefore a monetized risk of roughly $1.5m USD should be mitigated by spending up to $380k USD and no more. The Pareto Principal can of course be adjusted accoring to your organisations risk appetite, that is, the more risk averse the organisation the more the rule would move from 80/20 to 70/30 or 60/40 etc..

There are a lot of assumptions used in this model, not least the numerical values that may seem to be arbitrarily assigned. However, I believe this can be forgiven for the very simple reason that this is a pragmatic, transparent and easily understood approach; it can be easily transferred into an Excel spreadsheet meaning that some simple modelling can be carried out. I have said before that until the newer approach to risk management has a more easily understood and implentable approach it will not be adopted. This model does.

The other part to this model that I like is that it is not designed to be a cure all, but rather a tool to help organisations decide where to spend money. If the approach is understood then an informed decision can be made within the constraints of that model (or indeed any other model). I believe it is influenced by the ISO27005 approach to risk management which means many risk management folks will be able to grasp and adopt it more easily.

Overall, this is a model that can be adopted quickly and easily by many organisations, and implemented successfully, as long as its basis in assigning numerical values is understood, and calculations are carried out by those in a position to understand their risk profile well. I would strongly recommend you tai a look at the model yourself over at Wired Innovation Insights.

Pros – easily understand, pragmatic, focussed on one business issue, easily implemented.

Cons – relies on assigning ‘arbitrary’ numerical values, doesn’t address granularity of risk and ease of exploiutation.

A late start back to 2014

Leave a comment

YEAR+IN+REVIEW1This time last year I posted a WordPress summary of my blog and stated I was going to focus on “growth” for 2013. Fortunately WordPress sent the same summary as last year and so I am very pleased to say that I have achieved that, certainly in regards to posts, content and followers.

It was a hugely busy year as regards me and this growth, with just some of the highlights including;

* Establishing Host Unknown alongside Andrew Agnes and Javvad Malik, and making a start in showing that security education really doesn’t have to be dull.
* The opportunity to be a mentor to Gavin Holt for the Rookie track at BSides. Gavin is an extremely talented and intelligent InfoSec professional and I was thrilled to have been able to help him present.
* The inaugral RANT conference and being able to play a part in the day for the lovely people at Acumin.
* Presenting at RSA Europe again.
* Getting involved with The Analogies Project, curated by the very talented Bruce Hallas,  in addition to being asked to be a regular contributor to the Iron Mountain Information Advantage blog.
* Winning Best Personal Security Blog at the inaugral European Security Bloggers Awards.

Combine the above (just the tip of the iceberg) with a dramatic increase in followers of the blog and of Twitter and an increase in the number of requests to present I am extremely pleased with 2013.

The word for 2014 therefore is “maintain”. Much as I would like to grow last years levels of activity it did cut into my day job quite considerably so I need to be a little more selective in my activities. That said, I have already presented at Securi-Tay3 in Dundee and have another one for the 451 Group in a few weeks. I will post something about Securi-Tay3 in a few days time when the videos have been published.

There are so many people to thank for the success of 2013, some of whom are mentioned above, but there are many others out there to whom I thank; I have very much been fortunate enough to stand on the shoulders of giants, allowing me to grow as a professional in the infosec field.

(View the full WordPress blog report here)

Moving forwards I have plenty of thoughts for content for this blog over the coming months so stay tuned for more details, and thank you for following me in 2013!

Really Silly Attitude? Ropey Sales Approach?

Leave a comment

cashRSA has had a tough few years; the subject of a high profile phishing attack in March 2011 resulting in the loss of information related to their SecureID product. They denied it was an issue until three months later when information gained from that attack was used against other companies, including Lockheed Martin, and had to subsequently replace a large number of the tokens.

In September this year they recommended that customers of their BSafe product should stop using the built in, default, encryption algorithm because it contained a weakness that the NSA could exploit using a backdoor and therefore would be vulnerable to interception and reading. How very open and forthright of RSA I thought at the time. Despite the potential damage they may be doing to their brand by giving this information freely out, they are doing so in their customers interests and at the same time offering secure alternatives. It reminded me of the early nineties and the pushback against the Clipper chip, with RSA at the forefront protecting client interests and pushing back against the spooks of the three letter agencies of the USA. Here is what D. James Bidzos said at the time:

“We have the system that they’re most afraid of,” Bidzos says. “If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically theatening to the N.S.A.’s interests that it’s driving them into a frenzy.

Powerful stuff. The newly formed Electronic Frontiers Foundation would have been proud.

 Now this is where it gets interesting and has raised the shackles of many in the Twittersphere and internet echo chambers. A few days ago it was revealed that the real reason for RSA to have used a flawed products for so many years was because the NSA paid them to. It wasn’t a huge amount of money although it possibly helped save the division that runs BSafe in RSA that was struggling at the time.

Businesses change. Leadership changes. Market forces steer a company in different direction to one a degree or another. To my mind though, to deliberately weaken your own product for financial gain is extraordinarily unwise. By taking the money, RSA have declared that profit is above patriotism, whatever your view of patriotism is. If they took no money at all, there would be a good defence that the decision was taken in the national interest and to work harmoniously with the governmental agencies that protect the USA from danger. Unfortunately organisations that have relied on RSA’s products to secure their data have been let down simply to make a fast buck,

In October this year Art Coviello spoke about “Anonymity being the enemy of Security” at his Keynote at RSA Europe. That statement takes on a very different viewpoint now.

The response has been fairly unanimous, but here is one that got me thinking about my relationship with RSA:

Mikko RSA

I personally wouldn’t go this far as I go to network with friends, peers and colleagues, as well as listen to folks from the industry talk and present; I don’t necessarily go to listen to RSA as such. However this kind of reaction is going to have an impact on RSA that is likely to be felt for a number of years to come. Most security people I know are somewhat distrusting in the first place (hence why they are in security very often!). To have these revelations is going to have an impact both in their mainstream business as well as their conference business, so often seen as the gold standard of conferences globally.

If the last few years were tough for RSA, what is the next few years going to be like for a giant in our industry?