Probably not a serious breach, but definitely a serious failure

Leave a comment

The Twitterverse, online and traditional media worlds were if not alight then certainly smouldering with the news of a security breach as a result of pictures being published showing the Prince in a normal day at the office. At first I couldn’t work out why the press was saying that username and passwords were at risk, especially as the main photograph showed the Prince at a computer screen. Surely passwords are always obscured at a login prompt? Even the MOD can’t have such bespoke systems that they clearly show passwords on a screen? I even Tweeted that surely this must have been, therefore, a Post It fail rather than technology fail. Thankfully there were further Tweets and further analysis of the situation, and it was the Naked Software blog that finally made sense of it all.

Unbelievably it was a Post It fail… or at least a piece of A4 taped to the wall fail. 

My personal analysis of this may be a little different from most infosec professionals, in that what was exposed was probably not that serious. A username and password was effectively leaked for what was probably an unclassified part of the MOD network (or whatever the correct terminology is). This physical network is probably behind fences and locks and soldiers with guns (or heaven forbid, the MOD Police), and probably didn’t even have anything interesting on it. I do of course think those in charge were right to change the password and username though, as that is obviously  sensible precaution, but after that point, so what?

That said, what i think this does highlight is a dreadful failure of the security “attitude test” by the personnel and leadership of that base. How on earth it could have been deemed as acceptable to have a username and password, of any description, taped to a wall, no matter how secure the environment, is beyond me. Firstly, this means that a generic account is in use, a fundamental no-no in anyone’s book, but also it indicates that it is acceptable to do other things born of convenience. Share files on a USB between here and home – no problems! Carry printed flight rosters and contact details in your manilla envelope out of the base – of course! The mere act of allowing this to happen means there are already shoddy security practises at work in this base and their head of security should investigate immediately (and be slightly ashamed. As an aside I was also surprised at the Prince to be honest; here is someone who must have had security training to the nth degree given his position, and he is stood, smiling, right next to the picture.

It reminds me of why I make such a big deal of using lock leads in the office. The actual risk of having a laptop stolen from your own office in the middle of the day is fairly low (overnight the risk rises of course, but we don’t leave laptops out overnight do we?!). I often cite the example of a fire alarm and subsequent evacuation, and laptops being removed/stolen by the last person on the floor, but again, this is an unlikely event. my main driver for the lock lead is because the very physical act of attaching your laptop to a lock lead first thing in the morning is a strong reminder of the need for security, and puts that person into a more security aware frame of mind. If they take their laptop into a meeting room, again the act of unlocking it is a reminder again. I have argued before that security awareness training does not interact with people often enough to influence their behaviour in any measurable way, but if we can encourage the use of lock leads throughout the organisation much of the battle is won.

Really, if the MOD gets this wrong, what hope is there for the rest of us?

 

 

RSA 2012 Debate – Should You Train Your Employees On Information Security?

Leave a comment

Below are the slides, my argument and some photographs from the debate session at RSA that I was involved in alongside Acumin, Christian Toon, Geordie Stewart, Kai Roer, Rowenna Fielding and Javvad Malik. Obviously by posting it here I am only presenting one side of the argument, but if nothing else I hope to at least stir up the conversation as in reality there is no clear cut answer on this topic. The text itself was my first draft notes and attempt to build an argument; I presented it from memory on the day, so it is obviously not an exact duplicate. I felt I was in a challenging position of not only opening up the argument, but also had no one to put a rebuttal against… at least that is my excuse!

I would very much welcome your thoughts on this somewhat hot topic as well as hear about how you do things differently to ensure the effectiveness of your training programmes.


Being asked to open a debate of this nature is probably challenging enough, but having to tell people that their information security awareness programs don’t work is a bit like telling them that they have an ugly baby; however much it may be true it is not something you can get away with saying very often before someone takes offence… or you get asked to justify yourself in a large public forum.

My colleagues will be presenting their cases far more eruditely than I am about to do so, and given what I suspect the prevailing attitudes in this room are I would therefore ask that you keep an open mind, and ask yourself the awkward questions that our arguments will pose. My arguments stem from the perspective of a poacher turned gamekeeper, so I can confidently vouch for their truthfulness from observations on both sides of the table.

So why am I against information security awareness training? Well, I think the actual term itself is outmoded, and the mechanism by which it is delivered more so. I strongly believe there are three key behaviours that stop the effectiveness of security awareness in its tracks.

Fatigue


Ethics training, anti bribery training, how to submit expenses training, how to work the training system training and goodness knows how many other trainings, and all of these have to be done every year, and more often than not within the same few months during “compliance season”. Is it any surprise that the CBT’s are completed whilst listening to iPod’s, that the “time per slide” statistic is never more than a few seconds and that when it comes to the obligatory questions at the end the cheat sheets get handed out amongst people. People simply can’t take any more!

Do your reported security incidents really go up after your training? Because they should as people become more aware of theirs and others security practices. Or do you still continue to see the same number of malware breakouts, lost USB sticks and laptops “left on the train”, all of the stuff that was happening before. Take a closer look, and see what you can find.

Memory


And with all of this training going on, it would take a full time job to remember it all, let alone trying to retain it in conjunction with their day job. Any kind of training that is carried out needs to be reinforced through regular practice of what has been learnt. But how often do people consciously “practice” their security skills? How often do you hear at the water cooler “I stopped a virus today!”?

Even when this training is put into supposedly professional training packages aimed at companies, they bizarrely even admit that they are not going to be fully successful; in a previous talk I referenced a company that proudly declared that their course would reduce phishing click throughs by 75%. Their course, by their own admittance is ineffective in 25% of cases.

The information security industry has a habit of streaming facts, rules, laws and requirements at people, throwing questions at them and then expecting them to put into their daily work lives. If they are lucky they might get the odd article or even get talked at by someone from IT Security rather wishing they were somewhere else. The marketing and advertising industries clocked onto this years ago, and produce smart, impactful and “sticky” bite sized pieces of information., why haven’t we?

Around, Through and Under


So we now have a picture of people tired of taking yet another training, can barely remember what the training was about anyway, but are also continually under pressure to get their day job done on time and on budget. With these pressures, people are going to be doing whatever it takes to get the job done.

Transferring a large data file to a client at 10 o’clock at night and the IT department have gone home? USB stick or drop box. Having to deal with hundreds of emails day in and day out? Snow blindness to clever phishing emails. Constantly changing workforce due to rapid growth  (or contraction)? Let them in, they need to get their job done just like me. Printers constantly going offline because of under investment? Just keep sending that confidential print job to a different printer until it works, someone else can clear up the spare prints.

Unless their environment is stable, and helps control their actions, or asks them the questions they need to be asked to make an informed decision, people will do whatever it takes to get their job done; the consequences can, and will, be dealt with tomorrow.

In Summary

Until such a time as companies and the security training industry cotton onto this, all your thousands of pounds, dollars or rubles spent on training courses will buy you one thing and one thing only, a tick in the box of your compliance checklist. Is that enough for you, or do you want more

This slideshow requires JavaScript.

(Photos courtesy of David Turner)

10 Rules of Risk Management… In 10 Movie Quotes

3 Comments

I had an absolute blast last night presenting at the Acumin RANT forum (https://www.rantforum.com) on the topic of “10 Rules of Risk Management… In 10 Movie Quotes”. The premise was simple – people don’t remember rules or dull facts, but they do remember things that emotionally touch them in some way. Each quote and movie opened up a conversation on an aspect of risk management (although the term “rule” was a little inaccurate of course). Given it was the RANT forum, and I was competing for the attention of the audience against the allure of a free bar, there was plenty of opinion and discussion flowing around the room throughout. Hopefully a few of the points I was trying to make will have stuck as a result of quotes such as “You’re gonna need a bigger boat” or “I see dead people”.

I felt the audience engaged and participated throughout with lots of very verbal agreement and disagreement throughout, and it was exciting to be right at the centre of the maelstrom. If you have never been to a RANT before just imagine one person being surrounded by a large number of people only a few feet away; with your back to the projector screen, there is no lectern to hide behind and no stage to stand on. It’s do or die, and a  #Fail never far from your thoughts!

Not everyone agreed with the points I was making of course but that just generated further conversation. I had some excellent follow up conversations with a number of people, including a great idea for my next presentation which a stated up front I might shamelessly steal – I think i got his agreement that doing so was OK! I had some very positive feedback afterwards as well for which I am very appreciative of; if you are reading this and want to provide more feedback, of both kinds, then please do. Without wishing to sound too “new age”, feedback is a gift you can give someone that will allow them to grow and improve. Without it we continue to make mistakes and miss the opportunity to learn.

Gemma (from Acumin) and I tried something new this time as well, filming the presentation with two cameras. It will take me a few days to splice the footage together, but as soon as it is done I will have it posted here. I know some of those who attended were interested in both reviewing and sharing the footage, as well as the slides; these are below, as well as a slideshow of the deck. I use Keynote  for my presentations, so the PowerPoint conversion is never a true representation. If in doubt, use the PDF. Someone mentioned last night that they may want to link to the content here too. I have no objections to this, just credit me and don’t muck about with the content!

My thanks to Acumin for hosting the evening, and thank you to all of you who took part, especially the very lucky prize winners! (If you wanted a pen but didn’t get one let me know and I will do my best to send one to you).

This slideshow requires JavaScript.

Files for download:

PDF – 10 Rules of Risk Management

PPT – 10 Rules of Risk Management

Keynote – 10 Rules of Risk Management (native)

Movie from the evening – Coming Soon

“An Anatomy…” at the BCS

Leave a comment

A short post to give the Wiltshire branch of the BCS a pointer to the slides from the presentation I gave last week on Tuesday 24th July in Swindon. It was an excellent evening, although I suspect the turnout was somewhat diminished by the weather!

The audience also included members of the IET which bought a very interesting slant to the questions at the end. I have also exchanged a few views with folks over Linkedin as well, and if you are still awaiting a response from me please bear with me!

The one thing that did however fail was the video recording of the talk; unfortunately it gave out halfway. I was going to edit the footage anyway and then perhaps link to an alternative recording of the same talk, but I have taken the decision not to as it is a messy compromise to try and stitch two different talks together to get the entire content in one place. As a result I have decided to simply link to a previous recording, specifically the BsidesLondon one I gave in April.

So, thank you Geoff Hunt for having me along to speak to the Wiltshire branch of the BCS (where I am also a largely absent member of the committee!) and especially thank you to the folks in the audience for your interest and your questions. If any of you do happen to have any more questions, please don’t hesitate to ask them in here, via email or Twitter. Any feedback is also of course very much welcomed.

The video can be found here, and the slides can be found here (note that the presentation is originally in keynote format, the PPT export may look slightly different).

Style vs Content – Getting the Point Across Effectively

1 Comment

I have just had to present to a team on their information security responsibilities whilst they are on their current project. Their client has very specific requirements, and for a variety of reasons it was important to reinforce the key requirements again.

This was at short notice, and so I spent every spare moment I had throughout a long day last Thursday creating the presentation from scratch. After reviewing Master Services agreements, security schedules and other documents relating to the project I had to try and consolidate all of this into a meaningful presentation. I even Tweeted about my experience:

This is a battle hardened and very creatively talented team, working stupid hours and closing in on an important milestone of work. The last thing they wanted was to listen to the “corporate security guy” for twenty minutes, but for all the right reasons it was important that it was done today, and with the client present.

So I had: 1 – a disengaged audience, 2 – 24hrs notice, 3 – a client present, 4 – strong interest from HQ (“send us the presentation when you finish it so we can check it through” and finally, 5 – changes to be incorporated two hours beforehand (see 4).

Pop Quiz – do you use the corporate deck, smart and extensive bullet points, approved imagery and and a shirt and tie? Or do you focus on getting key message across, come what may?

And this is the crux of my point – the moment you try and deliver a corporate message in a corporate format your audience is going to switch off. One suggestion I received from a well meaning executive was to basically provide a list of the twenty requirements of the client in the presentation and then hand out copies to be signed by each team member. In this instance people would remember the first two, last two (at best!) and just blindly sign the rest. While this would technically meet the objectives (everyone must agree they understand the security requirements) they really wouldn’t absorb the message.

My approach? Simple, high impact and memorable. As the example below shows, not many words and a memorable picture (in the actual presentation Borat merged to Simon Cowell showing a thumbs down and back and forth). In this way, the image hits them first (thumbs up/thumbs down), the message (check X when doing Y), and that’s it! (The message has obviously been sanitised to protect the innocent).

 Of course, there were many other slides along this nature – I also used references to The Oatmeal, Dilbert and Defcon 18 amongst others. And each slide put across a very specific point.

At first glance, the deck looks awful, plain and badly designed. However, the simplicity of it ensures the message very clearly comes across with the imagery ensuring that message remains memorable.

Three things came across very strongly at the end. Firstly, the questions and comments at the end were engaging, sensible and eminently relevant. This made me very confident that the message was put across and understood, and that this approach was the correct one in this circumstance.

Secondly, the client saw this engagement, and has since requested a copy of the presentation to demonstrate how the team had been successfully “trained” and and updated on security practices.

Finally, in front of this creative audience it became crushingly obvious that I really have to up my game when it comes to clip art…