Less is sometimes more; InfoSec’s role in the business

I read an excellent article the other day from a LinkedIn reference talking about how laziness can be an effective approach to productivity. It dispelled the myth that you always have to “lean in” to do a good job. There is no need to get up at 04:30hrs to get your morning yoga done before getting to the office at 06:00 and working through the next fourteen hours. It even makes mention of an old Prussian army management matrix that made use of this concept. It reminds me of a Bill Gates quote (although it sounds like Steve Jobs!):

I will always choose a lazy person to do a difficult job, because a lazy person will find an easy way to do it

When put like that it sounds right, and yet the concept of using a lazy person seems counterintuitive. Perhaps we should replace lazy with “busy”, or “time poor”, but I think the point is well made nonetheless.

It reminded me of when I was first put in charge of an information security project to ascertain the organization’s level of exposure to Personally Identifiable Information (PII). There had been a number of high profile breaches in the media, and the leadership was concerned about how many records we had access to and what we were doing about it. My approach was to work with a very talented team of junior infosec professionals, and we came up with an amazing spreadsheet that tracked every facet of what we thought we might need, with macros and reporting buttons, a lovely colour scheme etc. We even tried to make it as friendly as possible, as the trick up our sleeve was that we would be asking 95% of the organisation to fill this in themselves (and therefore saving on the high labour costs of getting this done). The other 5% were the very risky ones we already knew about, so they got a personal visit from us to make them feel really special!

After a month of pushing, chasing and cajoling, our completion rate was something like 13%, and we were just a few days away from our deadline. Senior management were not happy, and demanded a full review. The career dissipation light started blinking in my peripheral vision.

We were trying to be far too clever for our own good, far too detailed; we wanted to cross EVERY t and dot EVERY i, whatever the cost to the project and the business. We were detail oriented and were going to get the most accurate report this company had ever seen. Except we didn’t. I was told in no uncertain terms that I had completely misunderstood the business: how busy they were, how fine detail wasn’t what was at stake but getting a good idea of the scale of the problem was, and also that people are generally doing their best to protect the company and were not in the habit of hiding the sort of activities we were doing our best to uncover.

We reduced the 154 question spreadsheet to 10 questions, some of which were voluntary. They were the most important questions we had to ask, and we subsequently got the data we needed in a little over three weeks for roughly 97% of the organisation (you can’t help some people unfortunately). I managed to keep my job.

Perhaps it is our backgrounds in audit and compliance, but we infosec professionals love our checklists, our questions, our matrices and black and white answers that drill down to the finest detail. That is not to say that at times they are not important. A good penetration test does need to be detailed and very complete, but that is mainly because it is expected to be so; it wouldn’t surprise me if 20% of a pen test uncovers 80% of the vulnerabilities. Vendor security questionnaires, risk assessments, audits, project or team reviews etc. can all potentially be done just as effectively with an element of brevity. Understanding what is important to the business, rather than to the security function, is key here. If infinitesimal detail is important to the business then by all means go for it, just ensure that is what the business really is after. Most of the time they just need a reasonable picture.

Creating barriers to the successful adoption of security practices by using fifty page reference documents, or encouraging people to work around a security risk because doing the right thing involves sign off from six different gatekeepers, is not a recipe for success, as it puts the organization in direct opposition to the security function. Making sure that checklists and questionnaires are focussed, relevant and to the point encourages people to adopt the security measures that matter, because there is a clear benefit for a small amount of input.

We have all got better things to do with our time than collate thousands of questions that we have insisted are answered in order to prove that the ultimate security objectives have been met. In some instances there may be value in that, but in the majority of cases I would wager there is none.

And besides, the rugby/cricket/baseball* match is on this afternoon, so we need to leave early to catch the game.

*Delete as appropriate. Just don’t add football.


May I Ask YOU A Question Or Two…?

The iPhone5 launch is very exciting for many people, and I have to admit that includes me. Whatever your opinion of that particular can of worms, one thing is for sure: many people will be parting with a lot of money in the next week or two in order to get hold of the latest piece of geek chic.

When there is a likelihood of money changing hands, scammers and criminals will never be far behind.

I took a phone call (from a UK 0845 number) on my mobile phone on Saturday from someone claiming to be from O2, with an offer to get the new iPhone5 on the day of release without having to queue for hours at my local O2 store. They would even honour the lower retail store price compared to the order online price; on my tariff that meant £70 for the handset rather than £100 because I was a good customer (which I am). What an offer!

Without thinking, I confirmed the first line of my address… and then thought “Oh crap, shouldn’t have done that”; I got a bit carried away. They had called me, not the other way around, I really had no idea who they were!

Cast your mind back a few years, and there was a semi-legal scam whereby people would take calls from “a representative from <insert mobile provider here>”. They would entice the individual with early upgrades and a new phone, get the verbal agreement, and then shift the contract to a new, third party provider. The downside was that this provider had many hidden charges, and an average £25 bill would become £125 overnight, partnered with a legally binding contract. This was soon clamped down upon, but this example started to ring through my mind!

It was at this point that I realised I had verbally agreed that I wanted the new iPhone delivered to my door on a new and cheaper contract this coming Friday… Oh dear God, have I just committed professional suicide here?!

I turned on my professional brain, and then asked the person at the other end if she really was from O2, and obviously she replied “yes!”. So I asked her if she would mind if I asked her a few security questions: “of course not, I would do the same!”. I logged onto my O2 account and asked her for my account number, last bill amount and how long I had been a customer. She had all of the information to hand, I was happy, and I am now looking forward to a new phone on Friday (either that or this blog will be closed down on Saturday!).

It did occur to me, however, that I felt a little awkward asking these questions. How many other people in a similar position, offered an enticing deal, would do the same thing? And how often would someone be ripped off as a result? We receive phone calls all the time from our service providers, and very often they are just asking for innocent information or making sure you are happy with your current deal, but sometimes the first question they ask is a “security” question to confirm you are the correct person. This normal procedure is easily hijacked by social engineers, who could over the course of a few months gather a vast amount of information just by phoning you and asking you outright!

Has anybody else experienced this kind of thing? Have you missed a great deal because you were too suspicious to grab it, or have you thrown caution to the wind only to regret it later, if only for a short period of time? How cautious do we need to be in these circumstances?

One thing I learnt, however, is that in the middle of a conversation it is very easy to forget who called whom. Remembering that if you answered the call you haven’t confirmed their identity, and therefore need to ask some security questions of your own, is probably the best way of keeping yourself out of trouble!

Where is Outlook for iPad?

The prevalence of the “Bring Your Own Device” (BYOD) concept as an acceptable, if a little rushed, approach to empowering employees at work has resulted in many different types of devices being used in the workplace now. Arguably, these are split into two camps, Android & iOS (I don’t believe Windows Mobile has made many inroads into the enterprise… yet… watch this space as their new devices come off the production line).

The prevalence of Exchange Servers in the enterprise is also arguable, but in my own experience it is the number one mail server around, and with it of course comes Outlook. On the whole, I love Outlook; it has a few quirks (especially on the Mac), but bringing together my email, calendar, contacts and notes into a tightly integrated package, which in turn integrates with my enterprise email/messaging/scheduling platform, means it is probably the number one application I use.

Why then has Microsoft not capitalised on these two facts and marketed Outlook for mobile devices with the promise of integration, functionality and security? There are apps on the various app stores that claim to offer Outlook style experiences, but the feedback on these speaks for itself.

I can’t say I would care much for Word, Excel & Powerpoint on my tablet; I tend not to edit or annotate these documents on these devices much anyway. Outlook, though, would change how I interact with work on my iPad, but only if they implement it properly!

Given that one of the core tenets of Outlook is to integrate email, contacts, calendar and notes from the enterprise, I strongly believe it should NOT integrate with the same apps on the device. By this I mean its database should be entirely separate and, ideally, encrypted to retain a certain degree of security. Because of this separate installation, the application itself can handle all of the ActiveSync profiling (e.g. encryption, password protection, password retries, remote wipe and the like) that on existing devices causes no end of pain. Having had personal experience of rolling out a one size fits all ActiveSync profile to thousands of BYOD devices with different hardware and firmware, because they are by definition “personal” devices, I know only too well the amount of noise, frustration and lost hours this brings to the end user.

Of course, this kind of application, sold on the app stores for £10/$15, could also be purchased by the individual owner and expensed (or not, see your expense policy), and would be the one, and only, barrier the enterprise puts up to mobile BYOD adoption. Have the latest Outlook for iOS? Then gorge yourself on your work email to your heart’s content! The enterprise has full control over the data, including rules on what can be forwarded, printed etc., because it does not integrate with the device’s native apps, and if the employee leaves or is fired, then ZAP! On the next connection and authentication the data is gone.
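As an added illustration, not from the original post, of what the “one size fits all” ActiveSync profile in the previous two paragraphs actually consists of on the Exchange side, here is an Exchange 2010 Management Shell session that creates a single mailbox policy of the kind described (device password, retry limit, encryption), assigns it to a mailbox, lists the devices that could not apply it, and issues the remote wipe for a leaver. The policy name, mailbox alias and threshold values are assumptions for the example.

```powershell
# Added example, not from the original post. Runs in the Exchange 2010
# Management Shell; "BYOD-Default" and "jane.doe" are placeholder names.

# 1. One policy that every personal device must be able to enforce.
#    AllowNonProvisionableDevices $false is the setting that locks out any
#    device that cannot honour the policy, which is where the support noise
#    described above comes from.
New-ActiveSyncMailboxPolicy -Name "BYOD-Default" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign it to a mailbox (pipe from Get-Mailbox to cover the whole organisation).
Set-CASMailbox -Identity "jane.doe" -ActiveSyncMailboxPolicy "BYOD-Default"

# 3. Which of this user's devices did not take the policy in full?
#    These are the handsets (and the phone calls) that need chasing.
Get-ActiveSyncDeviceStatistics -Mailbox "jane.doe" |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Select-Object DeviceType, DeviceModel, DeviceOS, DevicePolicyApplicationStatus, LastPolicyUpdateTime

# 4. Leaver: queue a remote wipe, delivered on the device's next sync.
Get-ActiveSyncDevice -Mailbox "jane.doe" | Clear-ActiveSyncDevice -Confirm:$false
```

Note that `Clear-ActiveSyncDevice` wipes the whole handset, personal photos included, which is exactly the blunt instrument a self-contained, separately encrypted mail application would avoid: it would only need to destroy its own store on the next authentication.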

This approach may put companies like Good out of business, or may even drive them to greater innovation (where do you think I got the idea for the above anyway?!), but my experience of bolting on third party products onto Exchange has never been “good” anyway.

In my limited experience I know there must be some pretty major road blocks to this, otherwise why haven’t they done it already? If you are more educated in this area than me then please do comment and let me know your perspective. In the meantime, I shall dream of my iPad/Outlook nirvana and the increased amount of sleep I will get at night not worrying about all that data flying around on people’s personal devices.

RSA Europe 2012

I am very excited to be going to RSA Europe this year, and not only that, I am thrilled to be taking part in a debate. The topic of the debate is “Should you train your employees on security awareness?” on Tuesday October 9th at 13:10hrs. It takes place with five other folks in the information security field:

  • Christian Toon, European Head of Information Risk, Iron Mountain Europe;
  • Javvad Malik, Senior Security Analyst, 451 Research;
  • Rowenna Fielding, Information Security Manager, Alzheimer’s Society;
  • Kai Roer, Senior partner, The Roer Group;
  • Geordie Stewart, Principal Consultant, Risk Intelligence.

I am partnered with Geordie and Rowenna against security awareness training. I could well have argued either side of the debate, but I seem to be constantly disappointed even in cases where common sense should prevail, and that is what swayed me in the end. Either way, it should be informative and above all fun, especially given those that are involved.

The official synopsis is as follows:

Training your staff in security awareness is an accepted and often mandated requirement of compliance in any organisation. Its effectiveness however has been increasingly questioned and its limitations highlighted. The Acumin Risk and Network Threat (RANT) community brings together six thought leaders from across Europe to debate the conflicting and opposing views of this challenging topic.