2012 in review

2 Comments

Blogging can be seen as a very inwardly focussed activity, it is all about me, me, me. I have always tried to maintain a fairly balanced online presence, keeping it professional if a little informal, striving to only blog, or tweet quality rather than quantity. On the whole this has worked for me. The downside to this though has been a slow increase in my online presence (or brand, whatever term works for you) and therefore Twitter followers and blog visits. For example one of the primary reasons for blogging this year has been to “practise” writing about my profession in a way that I don’t get in my place of work and not to gain fans and followers (although that would be a nice by product!).

That said, the automated report that WordPress sends out prompted me to consider what I have achieved over the last year and realise how positive I feel about my online presence. To put it into context here are some very quick (and totally unscientific) stats: In 2011 (when I joined Twitter) I had four blog posts in a self managed blog page, attended one conference (RSA), had less than ten followers and tweeted maybe ten times. I had publicly spoken once, for two minutes, at the Christmas RANT forum. In short, I had no idea what the community had to offer or indeed how to engage with it.

It was at the aforementioned RSA conference that two things happened; firstly I realised that 80% of the presentations I watched were of a quality that I felt I could reproduce. Secondly I met a few folks on the last night that in all honestly changed my perception of the industry and how I could participate in it, namely Brian Honan (@BrianHonan), Kai Roer (@kairoer), Alex Hutton (@alexhutton) and Aaron Barr (@aaronbarr) amongst others. They showed me (unknowingly) how they worked with the community, staying in touch through Twitter, communicating through blogs, articles, podcasts etc.. I have since stayed in touch with Brian and Kai, both of whom I respect greatly and would like to thank for their openness and friendliness to me back in October 2011!

Fast forward to today and my stats are a little better: 26 blogs posts, nearly 500 tweets (not all of them are rubbish either!), 111 followers, six public speaking engagements including one panel and the RSA conference itself, a video blog with the almighty Javvad Malik (@j4vv4d) and contributed to two articles (for Tripwire and (In)Secure magazine). I attended in one capacity or another nearly twenty events/conferences/forums. The best part is that these stats don’t do the experience itself any justice. I have made friends and met many people for whom I have the most deep respect for and who I genuinely like and enjoy their company. I have submitted a joint CFP for a conference with one of them, and hope to continue my relationship with Acumin and the RANT forum (@Acumin & @GemmaPats) who gave me my first big break in public speaking (thank you!). In short, 2012 has been awesome as both a learning experience and a source of fun and enjoyment as regards my chosen profession. The blog stats below are of course modest by most peoples standards, but they are interesting and encouraging to me nonetheless in the context of the above.

I tweeted over the Christmas holidays that my word for 2013 is “growth” both professionally and personally; while I hope that my 2013 “stats” will continue to “grow” more importantly I hope that my new friendships and opportunities to learn in this odd, frustrating, challenging yet ultimately rewarding industry and community continue.

And before you ask, yes, New Year, New Theme for the blog; I’ve grown out of my dark goth and emo phase and now it is time for some colour and class!

Here’s an excerpt:

The new Boeing 787 Dreamliner can carry about 250 passengers. This blog was viewed about 1,200 times in 2012. If it were a Dreamliner, it would take about 5 trips to carry that many people.

Click here to see the complete report.

Presentation Style IS Important

Leave a comment

Poor Presenter Type.004Just before Christmas I had an excellent opportunity to co present one of Javvad’s (@j4vv4d) eponymous InfoSec video blogs. In it we took a tongue in cheek look at the variety of styles of bad presentation that we have observed at various conferences and forums. I should of course stress that neither one of us claims to be keynote material with regards to our own presentation style, but we are constantly struck by how many presentations are unintelligible, difficult to follow, underprepared or any other myriad of things that dramatically reduce the impact and message a presentation is supposed to give.

The video blog (here) looks at ten different styles that we felt were the most heinous; there were a further ten left on the cutting room floor! Obviously it was a humorous view in order to best get the point across but it does underscore a serious point, namely that it is astonishing that for a so called professional industry the quality of presentations is often so low, even at events that you have to pay for. I for one expect more.

What I want to look at now though is not “what” we should be doing to improve these presentations because that has been done elsewhere (here and here); rather I will focus on the “why” because it is important to understand the reasons for improving our presentations and the positive outcomes it will have to our community.

In my opinion, it comes down to three points:

Firstly (and in reference back to the video blog), I see so many people in the audience quite simply just turning off in the face of poor presentation style (be it the slide, the verbal delivery etc). All of us attend these forums and conferences to learn from other people, observe their real world experiences and look to see how we can apply the learning into our own professional lives. And yet the first message we get is that the topic in hand is dull, or inaudible or illegible. In any kind of information security conference all topics should be interesting to one extent or another to all attendees. It is the presenters primary responsibility to make the topic interesting, grab the audiences attention and maintain it throughout.

Secondly, it is a question of value for money. This is very apparent in the situations where an event costs money to attend; I expect a certain level of professionalism, content and delivery, and in too many cases it is simply not apparent. In free events, this is less obvious for the audience (who are often getting free beer and food at the same time), but the poor presenter is letting down the sponsor and perhaps sullying their name and reputation. Of course there is also the reputational damage to the individual giving the poor presentation!

Finally, it is a matter of professionalism for the industry and community. Not only do we need to be taken seriously amongst ourselves but we must ensure we can speak convincingly within our own organisations. If we cannot put across our thoughts, analysis, reasoning, proposals and perhaps most importantly our requests for budget in a convincing and professional manner the infosec industry (and your department) will never be taken seriously.

None of us are perfect, especially when it comes to standing up in front of a demanding audience, but I strongly believe we should be asking our trusted colleagues, peers and acquaintances for feedback each and every time we present. What we get back from them may make for uncomfortable listening, but as long as the feedback is given constructively, openly, without fear of reprisal and with good intentions we will all benefit, as individuals, as organisations and as an industry.

 

Probably not a serious breach, but definitely a serious failure

Leave a comment

The Twitterverse, online and traditional media worlds were if not alight then certainly smouldering with the news of a security breach as a result of pictures being published showing the Prince in a normal day at the office. At first I couldn’t work out why the press was saying that username and passwords were at risk, especially as the main photograph showed the Prince at a computer screen. Surely passwords are always obscured at a login prompt? Even the MOD can’t have such bespoke systems that they clearly show passwords on a screen? I even Tweeted that surely this must have been, therefore, a Post It fail rather than technology fail. Thankfully there were further Tweets and further analysis of the situation, and it was the Naked Software blog that finally made sense of it all.

Unbelievably it was a Post It fail… or at least a piece of A4 taped to the wall fail. 

My personal analysis of this may be a little different from most infosec professionals, in that what was exposed was probably not that serious. A username and password was effectively leaked for what was probably an unclassified part of the MOD network (or whatever the correct terminology is). This physical network is probably behind fences and locks and soldiers with guns (or heaven forbid, the MOD Police), and probably didn’t even have anything interesting on it. I do of course think those in charge were right to change the password and username though, as that is obviously  sensible precaution, but after that point, so what?

That said, what i think this does highlight is a dreadful failure of the security “attitude test” by the personnel and leadership of that base. How on earth it could have been deemed as acceptable to have a username and password, of any description, taped to a wall, no matter how secure the environment, is beyond me. Firstly, this means that a generic account is in use, a fundamental no-no in anyone’s book, but also it indicates that it is acceptable to do other things born of convenience. Share files on a USB between here and home – no problems! Carry printed flight rosters and contact details in your manilla envelope out of the base – of course! The mere act of allowing this to happen means there are already shoddy security practises at work in this base and their head of security should investigate immediately (and be slightly ashamed. As an aside I was also surprised at the Prince to be honest; here is someone who must have had security training to the nth degree given his position, and he is stood, smiling, right next to the picture.

It reminds me of why I make such a big deal of using lock leads in the office. The actual risk of having a laptop stolen from your own office in the middle of the day is fairly low (overnight the risk rises of course, but we don’t leave laptops out overnight do we?!). I often cite the example of a fire alarm and subsequent evacuation, and laptops being removed/stolen by the last person on the floor, but again, this is an unlikely event. my main driver for the lock lead is because the very physical act of attaching your laptop to a lock lead first thing in the morning is a strong reminder of the need for security, and puts that person into a more security aware frame of mind. If they take their laptop into a meeting room, again the act of unlocking it is a reminder again. I have argued before that security awareness training does not interact with people often enough to influence their behaviour in any measurable way, but if we can encourage the use of lock leads throughout the organisation much of the battle is won.

Really, if the MOD gets this wrong, what hope is there for the rest of us?

 

 

RSA 2012 Debate – Should You Train Your Employees On Information Security?

Leave a comment

Below are the slides, my argument and some photographs from the debate session at RSA that I was involved in alongside Acumin, Christian Toon, Geordie Stewart, Kai Roer, Rowenna Fielding and Javvad Malik. Obviously by posting it here I am only presenting one side of the argument, but if nothing else I hope to at least stir up the conversation as in reality there is no clear cut answer on this topic. The text itself was my first draft notes and attempt to build an argument; I presented it from memory on the day, so it is obviously not an exact duplicate. I felt I was in a challenging position of not only opening up the argument, but also had no one to put a rebuttal against… at least that is my excuse!

I would very much welcome your thoughts on this somewhat hot topic as well as hear about how you do things differently to ensure the effectiveness of your training programmes.


Being asked to open a debate of this nature is probably challenging enough, but having to tell people that their information security awareness programs don’t work is a bit like telling them that they have an ugly baby; however much it may be true it is not something you can get away with saying very often before someone takes offence… or you get asked to justify yourself in a large public forum.

My colleagues will be presenting their cases far more eruditely than I am about to do so, and given what I suspect the prevailing attitudes in this room are I would therefore ask that you keep an open mind, and ask yourself the awkward questions that our arguments will pose. My arguments stem from the perspective of a poacher turned gamekeeper, so I can confidently vouch for their truthfulness from observations on both sides of the table.

So why am I against information security awareness training? Well, I think the actual term itself is outmoded, and the mechanism by which it is delivered more so. I strongly believe there are three key behaviours that stop the effectiveness of security awareness in its tracks.

Fatigue


Ethics training, anti bribery training, how to submit expenses training, how to work the training system training and goodness knows how many other trainings, and all of these have to be done every year, and more often than not within the same few months during “compliance season”. Is it any surprise that the CBT’s are completed whilst listening to iPod’s, that the “time per slide” statistic is never more than a few seconds and that when it comes to the obligatory questions at the end the cheat sheets get handed out amongst people. People simply can’t take any more!

Do your reported security incidents really go up after your training? Because they should as people become more aware of theirs and others security practices. Or do you still continue to see the same number of malware breakouts, lost USB sticks and laptops “left on the train”, all of the stuff that was happening before. Take a closer look, and see what you can find.

Memory


And with all of this training going on, it would take a full time job to remember it all, let alone trying to retain it in conjunction with their day job. Any kind of training that is carried out needs to be reinforced through regular practice of what has been learnt. But how often do people consciously “practice” their security skills? How often do you hear at the water cooler “I stopped a virus today!”?

Even when this training is put into supposedly professional training packages aimed at companies, they bizarrely even admit that they are not going to be fully successful; in a previous talk I referenced a company that proudly declared that their course would reduce phishing click throughs by 75%. Their course, by their own admittance is ineffective in 25% of cases.

The information security industry has a habit of streaming facts, rules, laws and requirements at people, throwing questions at them and then expecting them to put into their daily work lives. If they are lucky they might get the odd article or even get talked at by someone from IT Security rather wishing they were somewhere else. The marketing and advertising industries clocked onto this years ago, and produce smart, impactful and “sticky” bite sized pieces of information., why haven’t we?

Around, Through and Under


So we now have a picture of people tired of taking yet another training, can barely remember what the training was about anyway, but are also continually under pressure to get their day job done on time and on budget. With these pressures, people are going to be doing whatever it takes to get the job done.

Transferring a large data file to a client at 10 o’clock at night and the IT department have gone home? USB stick or drop box. Having to deal with hundreds of emails day in and day out? Snow blindness to clever phishing emails. Constantly changing workforce due to rapid growth  (or contraction)? Let them in, they need to get their job done just like me. Printers constantly going offline because of under investment? Just keep sending that confidential print job to a different printer until it works, someone else can clear up the spare prints.

Unless their environment is stable, and helps control their actions, or asks them the questions they need to be asked to make an informed decision, people will do whatever it takes to get their job done; the consequences can, and will, be dealt with tomorrow.

In Summary

Until such a time as companies and the security training industry cotton onto this, all your thousands of pounds, dollars or rubles spent on training courses will buy you one thing and one thing only, a tick in the box of your compliance checklist. Is that enough for you, or do you want more

This slideshow requires JavaScript.

(Photos courtesy of David Turner)

That was the week that was – RSA Conference Europe 2012

Leave a comment

Having arrived at the Hilton Metropole on Monday lunchtime and finally left the hotel (virtually for the first time) on Friday morning, I am left with a sequence of mad, fascinating, zany, intriguing, bizarre, educational, alcoholic and downright enjoyable experiences. I knew what to expect having attended last year. In no particular order (except by which they fall out of my head) here are my high points, and occasional low points.

Meeting Wendy Nather (@451wendy) of the 451 Group  at last and having lunch with her and Kai Roer (@kairoer, and a constant and welcome companion throughout the week);Dinner at The White Swan with my fellow panellists/debate team, Christian Toon(@christiantoon), Geordie Stewart, Rowenna Fielding (@InfosecGeekLady), Kai Roer, Javvad Malik (@j4vv4d), Gemma Paterson (@GemmaPats) and Chris Batten (@Acumin), and supposedly talking about our debate the next day but actually just sharing inapproriate jokes (mostly led by Chris…); The actual debate itself, not a massive attendance although not only were we up against stiff competition numbers were down somewhat anyway; meeting my first bona fide infosec journalist John Leyden (@jleyden) of The Register as well as my second, Dan Raywood (@DanRaywood) of SC Magazine; Meeting James Lyne (@jameslyne) who is not only a genius but also has the audacity to be charming, funny and an all round lovely guy, goddamm him; Watching Christian Toon bluff his way into the Media/Analysts party on Tuesday night, and watch Javvad have to do nothing to get into the IOActive party on wednesday night because everyone knows him; spending nearly an hour chatting with Javvad talking about blogging, public speaking, charlatans and heroes and being very pleasantly surprised at how much we have in common on these topics; walking out of Bruce Schneiers keynote because I found it dull and unengaging which was a real disappointment; finally making my mind up about Ira Winkler after watching his presentation; wishing I wasn’t late for Josh Corman’s (@JoshCorman) keynote, watching Hugh Johnson again, a master of working the room and engaging his audience, and marvelling at what a thoroughly lovely guy he was; spending time with Brian Honan (@BrianHonan) again and always enjoying his funny yet surprisingly modest company; Eating Schawama’s with Javvad and @sirjester, and subsequently meeting the aforementioned James Lyne and Dan Haywood; failing to win a single thing in any of the prize draws, yet still coming back with five t-shirts and a bag of booty; Watching Javvad and Emma Tweet each other whilst standing side by side; Being amazed, yet finding myself also tweeting almost every 10 minutes in synchronisation with everyone else you happen to be with – what has this world come to?; getting beered up with Chritian Toon on Tuesday and not being able to work out why I feel so drunk and he seems so fresh. The next day it turns out he is nearly 15 years younger than me! I obviously look young for my age, and he the opposite!; Spending a fascinating 90 minutes with Josh Corman on Thursday night and being impressed with how genuine, non judgemental and actually concerned he is about our industry; receiving my first ever Friday Five’s in Twitter and seeing it suddenly explode with activity as everyone joined in, for 10 minutes!; Watching Javvad being awarded his RSA Rockstar t-shirt.

There are many other people I met, chatted with and discussed topics raised in the presentations that are just too numerous to mention. If I have missed you out I apologise profusely and blame my poor memory and being inundated with great times.

The photos throughout this article barely scratch the surface of the fun and educational experience of the week, and I am already looking forward to RSA 2013 in Amsterdam next year!