A late start back to 2014

This time last year I posted a WordPress summary of my blog and stated I was going to focus on “growth” for 2013. Fortunately WordPress sent the same summary as last year, and so I am very pleased to say that I have achieved that, certainly in regards to posts, content and followers.

It was a hugely busy year as regards me and this growth, with just some of the highlights including:

* Establishing Host Unknown alongside Andrew Agnes and Javvad Malik, and making a start in showing that security education really doesn’t have to be dull.
* The opportunity to be a mentor to Gavin Holt for the Rookie track at BSides. Gavin is an extremely talented and intelligent InfoSec professional and I was thrilled to have been able to help him present.
* The inaugural RANT conference and being able to play a part in the day for the lovely people at Acumin.
* Presenting at RSA Europe again.
* Getting involved with The Analogies Project, curated by the very talented Bruce Hallas, in addition to being asked to be a regular contributor to the Iron Mountain Information Advantage blog.
* Winning Best Personal Security Blog at the inaugural European Security Bloggers Awards.

Combine the above (just the tip of the iceberg) with a dramatic increase in followers of the blog and on Twitter, and an increase in the number of requests to present, and I am extremely pleased with 2013.

The word for 2014 therefore is “maintain”. Much as I would like to grow last year’s levels of activity, it did cut into my day job quite considerably, so I need to be a little more selective in my activities. That said, I have already presented at Securi-Tay3 in Dundee and have another one for the 451 Group in a few weeks. I will post something about Securi-Tay3 in a few days’ time when the videos have been published.

There are so many people to thank for the success of 2013, some of whom are mentioned above, but there are many others out there whom I thank; I have been very fortunate to stand on the shoulders of giants, allowing me to grow as a professional in the infosec field.

(View the full WordPress blog report here)

Moving forwards I have plenty of thoughts for content for this blog over the coming months so stay tuned for more details, and thank you for following me in 2013!


Sailing the High Seas at 44CON

I have just returned from 44CON, a technical infosec conference that is held in London and is now in its third year. As with any multi-day conference you come back tired but educated, and happy but deflated that it is over. A speaker party, a conference after party, two gin o’clocks, a conference bar and some fabulous presentations make for an exhausting two days.

Organisationally it is extremely well run; the crew are friendly, knowledgeable AND efficient (it’s rare to have all three), the venue is of a high quality, the sponsors are low key but available, SpeakerOps is excellent, and with the exception of myself and two others the attendees are amazingly smart and technical. I was able to chat to a number of the speakers at a reception on Wednesday night, and the level of detail they went into for their research was simply mind-blowing; one person even decided to write his own 3D presentation language instead of using PowerPoint or Keynote, just for this one presentation!

I spent the first day mostly at the InfoSec track rather than the technical track, learning about “Security lessons from dictators in history” and “Surviving the 0-day – reducing the window of exposure”, both very good. I did attend a technical talk in the afternoon along with two friends (the two mentioned above!), and to be honest the speaker could have been speaking a different language for all I understood of it; to make it worse he apologised at the end for not making it technical enough! It was a fabulous talk though, wonderfully presented, and let down only by my lack of technical knowledge of the subject.

As a backup speaker for the infosec track I thought I was off the hook at this point as nobody had dropped out, but it was then announced that there would be a “hidden track” of talks, of which I was one. This hidden track would take place at an undisclosed location and you had to talk to vendors and other con goers to find out where it was. It was at this point I excused myself from the after party to add a little more content to my slides.

Sailing the High C’s of Disaster Planning – Click for PDF

The following morning, after the opening presentation, I was second in the hidden track. My talk was entitled “Sailing the C’s of Disaster Planning”, and the main thrust of it was a simple “framework” that allows you not only to test the effectiveness of your disaster/business continuity planning, but also to communicate the key elements of the plan upwards to the board and down through the key players in the organisation. This was the first time I had given this talk, and to be honest some of the ideas have not quite been fleshed out, although the concept is sound. It was well received by about 20 people (not bad given it was a hidden track) and there were some good questions and conversations afterwards. Feedback received later in the day was both encouraging and useful in highlighting areas that need to be improved.

A copy of the slides is above; if you take a look at them please provide feedback as always (caution, 12.5Mb PDF).

I will be using this blog to flesh out those ideas and gather feedback over the next couple of months, firstly by looking at the high level concepts of this approach, and then subsequently breaking down the five elements of the approach into further blog posts.

The remainder of the second day at 44CON was taken up with more talks, as well as a bit of filming with my two colleagues, the two unknown hosts you could say, for something we hope to release in the next few weeks.

I would like to thank Steve and Adrian and the entire crew of 44CON for an excellent event, and I am certainly coming back for next year, at a new, larger yet undisclosed location.


Why I am an Analogies Project contributor

That devilishly handsome bloke you see to the right is Bruce Hallas. I used to go to school with him nearly 25 years ago, and then last summer, at the first old boys’ school reunion that our year had organised since leaving, I met him again, and it turns out we are in the same infosec business. I spoke to him about all of the good work I am doing, the company I work for, the many countries I had visited, and generally tried to make myself feel more important than the skinny eighteen year old I was when I last saw him. He told me that he runs his own infosec consultancy and his own blog, works with the UK government, and was in the process of setting up “a project” as a freely available, self funding resource of analogies/stories to help people better understand information security. (Bruce immediately won the “my life is awesome since leaving school” competition of course.)

Since that time, The Analogies Project has grown from one man, an idea and a website to something producing real, quality content, and with a very promising and bright future.

In the words of the Project itself:

The Analogies Project has a clear mission. To tackle the unintelligibility of information security head on and secure the engagement of a much broader audience. Its aim is to bridge the chasm between the users, stakeholders and beneficiaries of information security and those responsible for delivering it.

Through a series of innovative initiatives the Analogies Project will enable information security professionals to effectively communicate with their chosen audiences. The content will be delivered through a variety of alternative communication techniques, media and partners.

The part of this project that I like the most is that it is essentially a community project. Bruce isn’t charging money for membership to the analogies as they are written (and they are coming thick and fast now!), and none of the contributors are charging for their work either. There are not only the web contributions in the form of a library, but a book planned, a conference, and even an opera! With the momentum currently behind the project there is every reason to believe in its future success.

So why am I contributing? Honestly, I have selfish and philanthropic reasons to do so. Obviously it gets my name out there, allows me to practise my writing, test some ideas and also say “I was there from the start”. All that aside though, I have frequently struggled in my day job to get infosec concepts across to people, either directly, in meetings or even in awareness training. To have had a resource like this available to me five years ago would have made my life so much easier, allowed me to advance the infosec “cause” more effectively and given me a set of tools I knew were consistent with the prevailing thoughts of industry commentators. Having a centralised, peer validated toolkit available is fundamental to us as professionals when it comes to the messaging we give to our users, clients, bosses, teams and even the infosec community as a whole.

It’s still early days, but I submitted my first contribution just last week (soon to be published I hope) and I am already inspired enough to be working on my second and third. There are a number of analogies already in place, and I would urge you to read them and consider them in the context of your current communications to your audiences, whomever they may be. The book will be another important milestone and one I hope to play a part in; indeed I hope to be able to play a part in the project for the foreseeable future, which is why I am happy and proud to display my “contributor” badge up on the top right of this site.

If you feel you have something to contribute, then head over to The Analogies Project and let Bruce and the organisers know. If you don’t feel ready to, then certainly check it out anyway. You won’t regret it.


And they say security awareness training is working?

Having been involved in the security awareness debate quite a lot recently I have no desire to bang this drum even further, especially as on the whole I support the concept of security awareness training. However, I am constantly having my faith in the training rocked just from observing people’s day to day activities.

I found myself in one of the lounges in Delhi airport at around midnight last night. In a period of less than thirty minutes I found two laptops and an iPad logged in and unattended in plain view. Now, I really do understand that people may consider these kinds of environments ‘safe’ and will therefore let their guard down. What I fear however is that they have blatantly disregarded their security awareness training and policies, which will no doubt explicitly state that it is unacceptable to leave mobile devices unattended and unsecured in any environment, possibly including the workplace. Without wishing to become an amateur sociologist, I would imagine these are educated, intelligent people because:

  1. They are able to afford expensive looking laptops or have been issued an expensive looking laptop
  2. They are flying business class (or similar) and are therefore likely to be working for a company that can afford to pay for this level of comfort (a decreasing number in my experience)

If they are so intelligent and educated, why are they ignoring their training? Why are they putting their company and client data at risk in such a blatant way? It is my belief that the training provided has not effectively put across the reasons and incentives for securing mobile devices in the outside world.

Now you see it…

Can you see it?

The third offending item was another laptop, but as I was furtively aligning myself to take a picture the owner returned from the toilet. It was left in very similar circumstances in a high traffic area.

Given the number of laptops I have seen left in Starbucks and other cafes (and indeed have blogged about elsewhere here), I am seriously considering starting a gallery to showcase these examples and perhaps start using them as a litmus test of the effectiveness of any company’s security awareness programme. Until these cases become exceedingly rare, to my mind the existing programmes are simply not working as they were intended, and until they do, behaviour such as this, which smacks of convenience and possibly a little laziness, will continue to put data at risk.


Taking RANT to New Levels

Noise Next Door giving conferences a new twist

For a variety of reasons I have been unable to post here as frequently as I would have liked, but the great advantage of attending a conference is that it does spur one into action to get something written down. Tuesday Jun 11th saw a new kind of conference come to town, the RANT conference. Based upon the monthly RANT forum, there were only three individual speakers, with the rest of the sessions effectively panel debates but with significantly more audience interaction encouraged.

There were a number of highlights for me, not least all of the people I met there, new friends and old. One of the big surprises for me was the opening keynote from Mark Stevenson of the League of Pragmatic Optimists. I thought it an odd choice of speaker, a futurologist, but very much enjoyed his talk once I got over myself. He looked at (amongst many other things) how the digital revolution is changing our lives daily. What it came down to though is that despite the massive amount of change that has gone before us, the digital revolution is merely the cocktail sausage of dinner; we cannot begin to imagine what is around the corner.

I also enjoyed watching Javvad play up to his InfoSec rockstar status alongside Neira Jones and the irrepressible Stephen Bonner. It was unfortunate that the final panellist, Ed Gibson, killed the dynamic of the panel dead, changing what should have been an upbeat and funny session into a monologue of personal dislikes that crossed the line into embarrassing. I thought Javvad played to his RockStar persona very well, but also presented how he made his way to the level of industry notoriety he currently enjoys and the benefits it actually brings to the industry. The serious point of them actually being ambassadors for infosec was quite rightly made. Unfortunately Ed did the same for the next panel on state sponsored espionage, killing what should have been a powerful insight into the topic given his background. I understand Ed is a very highly rated speaker, but on the evidence of yesterday I won’t be rushing to see him speak, and how he handled himself was unfair on the other panellists and indeed on us as an audience.

The Boy Band Strikes back

The rest of the day went very well though, with plenty of laughs with the University Challenged pitting the grey hairs of the industry against the students of Royal Holloway, and a session on security awareness that I was invited to participate in alongside Geordie Stewart, Charles Clarke, Christian Toon and my old mate Bruce Hallas. The reaction from the audience was very positive, with some great questions and opinions. We didn’t all agree, which is exactly what needs to happen; if we all agree, nothing changes, but if there is dissent then that can finally lead to actually driving change in the industry. On the whole it was well received and moderated nicely by Jim Shields, although someone did tweet that he thought the conversation was “same old same old re training me thinks” which is actually fair enough; I do think however that we can only stop talking about it when it is “fixed” (whatever that means!).

Stephen Bonner’s presentation was a distinct improvement upon what he presented at BSides, and was a thoroughly enjoyable rant, replete with chocolate missiles for the audience.

The excellent Twist and Shout were managing the video and photography, and shared many of their corporate training videos in the breaks between sessions that not only gave a very polished and slick feel to the whole day, but also some light relief.

Networking drinks were copious and enjoyable, and the dinner was excellent, with after dinner entertainment from Jim Shields in his stand up comedian alter ego and the improv comedy troupe Noise Next Door. A fuzzy head this morning tells me I had perhaps a little too much fun.

It was an awesome conference overall, and I hope to see it grow and become part of the established circuit. The format can only get better: while the traditional presentation of one person delivering content and then taking some questions has its place, there is a huge advantage to the RANT approach. It allows the audience to engage far more effectively and I would hazard a guess that the audience actually retains more than the standard 20% of content afterwards. Huge congratulations to Acumin for not only making it happen, but also for ensuring it was free from the commercialisation of so many other vendor driven events, a hugely refreshing approach. The biggest congratulations of the day though must go to Gemma for making it happen.