Are you the most thrilling ride at the theme park?

emotional-rollercoaster-53445I recently spent the day in Thorpe Park (a bit like a down market DisneyLand for anyone not from the UK), and we were all looking forward to a day of roller coasters, silly ride photographs, bad overpriced food and generally some good fun. We had never been before, and my kids are now old enough to be able to go on almost all of the rides now. Much excitement was expected.

Yes, we had a good day overall, but not as good as it should have been. The first two rides we tried to get on as soon as the gates swung open were closed because of technical faults; both these rides were at opposite corners of the park, so after 30 minutes not only had we not even had one ride, we hadn’t even got in the queue for one. This somewhat set the tone for the day. At the fourth closed ride my wife gave some unfortunate teenaged park assistant an earful (he was rescued by a senior colleague). At the fifth we could only laugh and accept our fate. And so it went on; the photo booth to collect photos from one ride was closed after we had staged the perfect family shot on the ride, the hand dryers in the toilets all blew cold, cold air on a cold day, vending machines were out of order, and so on. The more we looked the more we found fault.

We still had a good day, but we won’t be going back any time soon, and conceded that in the theme park area at least, the Americans have by far the best theme parks compared to Britain.

The whole experience reminded me of some security groups I have experienced. We very often promise a world of smiling, excited faces, a world made better by our presence and an experience that will surpass your expectations. The reality is often a little more drab than that.

We often see security functions that allegedly “enable your teams to work more effectively”, or “allow you to leverage your creativity while we drive your competitiveness” and so forth. In our drive to be seen to be a benefit to the business (good), we often set ourselves up for failure as we establish these grandiose statements (bad). “Leveraging security to be a differentiator in the marketplace” is great, but only if you can deliver on it. An ISO27001 certification may help your business get more work initially, but if the basic principles of good security practice in your delivery teams is not there, that work will soon be lost. Your company workforce working securely and in harmony is the best way of supporting your business, not having a “security strategy that differentiates us to our clients”.

Let’s focus on getting the rides running properly in your security programme before marketing ourselves in a way that ultimately shows even our hand dryers don’t work.


Less is sometimes more; InfoSec’s role in the business

Funny-and-Lazy-Animals-7-300x229I read an excellent article the other day from a LinkedIn reference talking about how laziness can be an effective approach to productivity. It dispelled the myth that “leaning in” when applying yourself to your job isn’t always required to do a good job. There is no need to get up at 04:30hrs to get your morning yoga done before getting to the office at 06:00 and working through the next fourteen hours. it even makes mention of an old Prussian army management matrix that made use of this concept. It reminds me of a Bill Gate’s quote (although it sounds like Steve Jobs!):

I will always choose a lazy person to do a difficult job, because a lazy person will find an easy way to do it

When put like that it sounds right, and yet the concept of using a lazy person seems counterintuitive. Perhaps we should replace lazy with “busy”, or “time poor”, but I think the point is well made nonetheless.

It reminded me of when I wast first put in charge of an information security project to ascertain the organizations level of exposure to personally Identifiable Information (PII). There had been a number of high profile breaches in the media, and the leadership was concerned about how many records we had access to and what we were doing about it. My approach was to work with a very talented team of junior infosec professionals, and we came up with an amazing spreadsheet that tracked every facet of what we thought we might need with, with macros and reporting buttons, lovely color scheme etc. We even tried to make it as friendly as possible as the trick up our sleeve was that we would be asking 95% of the organisation to fill this in themselves (and therefore saving on high labour costs to get this done). The other 5% were the very risky ones we already knew, so they got a personal visit from us to make them feel really special!

After a month of pushing, chasing and cajoling, our completion rate was something like 13%, and we were just a few days away from our deadline. Senior management were not happy, and demanded a full review. The career dissipation light started blinking in my peripheral vision.

We were trying to be far too clever for our own good, far too detailed, we wanted to cross EVERY i and dot EVERY t, whatever the cost to the project and the business. We were detail oriented and were going to get the most accurate report this company had ever seen. Except we didn’t. I was clearly told in no uncertain terms that I had completely misunderstood the business, how busy they were, how finite detail wasn’t what was at stake but getting a good idea of the scale of the problem was, and also to understand that people are generally doing their best to protect the company and were not in the habit of hiding the sort of activities we were doing our best to uncover.

We reduced the 154 question spreadsheet to 10 questions, some of which were voluntary. They were the the most important questions we had to ask, and we subsequently got the data we needed in a little over three weeks for roughly 97% of the organisation (you can’t help some people unfortunately). I managed to keep my job.

Perhaps it is our backgrounds in audit and compliance, but we infosec professionals love our checklists, our questions, our matrices and black and white answers to really drill down to the finite detail. That is not to say that at times they are not important – a good penetration test does need to be detailed and very complete, but that is mainly because the expectation of it being so. It wouldn’t surprise me though if 20% of a pen test uncovers 80% of the vulnerabilities. Vendor security questionnaires, risk assessments, audits, project or team reviews etc., can all potentially be done just as effectively with an element of brevity. Understanding what is important to the business and not to the security function is key here. If infinitesimal detail is important to the business then by all means go for, just ensure that is what the business really is after. most of the time they just need a reasonable picture.

Creating barriers to the successful adoption of security practices by using fifty page reference documents, or encouraging people to work around a security risk because doing the right thing involves sign off from six different gatekeepers is not a recipe for success as it puts the organization in direct opposition to the security function. By making sure that checklists and questionnaires are focussed, relevant and to the point will only encourage people to adopt the security measure that matter because there is clear benefit for a small amount of input.

We have all got better things to do with our time than collate thousands of questions that we have insisted are answered in order to ensure that the ultimate security objectives have been met. In some instances there may be value in that, but in the majority of cases I would wager there is none.

And besides, the rugby/cricket/baseball* match is on this afternoon, so we need to leave early to catch the game.

*Delete as appropriate. Just don’t add football.

 


Why do we put brakes on cars? Perhaps not for the reason you think.

Bosch Predictive Emergency Braking System

I have never liked the analogy;

Why do we put brakes on cars? So we can go faster. Therefore we put security controls in place so we can do riskier things.

I mean, I get it, the analogy makes sense, but like many analogies, if we are not careful they are likely to become a little too one dimensional. We also have brakes on cars to slow down for traffic lights, to ensure we don’t go too fast and run into the back of  the car in front, and also to stop the car quickly to avoid someone crashing into us. I am sure with a squeeze and a shove we could fit these analogies into an infosec analogy, but why bother?

I was reminded of this particular analogy and why I don’t like it this morning as I read my paper. The headline really resonated with me;

‘Living rooms’ on wheels put drivers at risk

The Times, Monday 23rd February 2015

The Times, Monday 23rd February 2015

The article discusses how the increase in technology in cars has actually led to an increase accidents in recent years. The anti-lock brakes, stability control etc. is creating complacency amongst users, and putting them and others at risk.

If we are not careful we are shifting towards this in our industry. It is of course a good thing to focus on secure coding practises, OWASP, secure by design etc., because that is as important as a seat belt and an air bag in a car (oops, see how easy it is?!), but if we try and put everything into those particular controls, we are abdicating responsibility away from the user more and more. By creating an insulated and isolated environment in which they operate there is no positive/negative feedback loop, no opportunity to learn from mistakes, near misses or even dumb good luck. They quite literally are on their own being guided only by what their immediate vicinity is reporting to them. Another quote;

They are as uninvolved in the process as they can possibly be

This could be describing our users and clients who we are removing more and more responsibility from when it comes to making sensible, thought out decisions about basic security. We are removing their perceived responsibilities as they say to themselves “if the system is letting me do this, it must be alright” as they download malware specifically designed to undermine so called built in security. (Actually the quote is from Peter Rodger, chief examiner for the institute of Advanced Motorists commenting on cars being turned into living rooms.)

Let us continue to understand how mature our security development framework is, let’s observe the OWASP top ten, but let’s also continue to establish clear guidelines, education and expectations of our people at the same time. If we don’t, we may be congratulating ourselves little too early for running a good security programme.

If we do that, we risk going back over a century in time, and putting the cart before the horse, let alone putting better brakes on the car.

(If you want good analogies however, that can help your people truly understand the information security environment they are operating in, head over to the The Analogies Project.)

Securi-Tay IV

TransparentLogo1-e1423236103647I will be spending the end of week with the Abertay University Ethical Hackers at their Annual Securi-Tay conference in Dundee. It’s a great conference so if you are at a loose end for Friday and in the area make sure you rock up and say hello to the lovely folks up there!


“Compromise” is not a dirty word

compromise

If it wasn’t for the users we could secure the company much more easily.

or

They just don’t get it, we are doing this for their benefit.

We often hear statements like this being made, and sometimes even uttered by ourselves. In fact I daresay they are often made by people in very different support industries, not just information security, but it seems that we harbour these feelings more than most.

Effective security is security that is understood, adhered to and respected. Ineffective security is either too lax, or so tight that individuals do their level best to work around it. They are not working around it because they are subversive elements in our organizations, but rather because it is restricting them from getting their day jobs done; it has become a barrier.

Each organization will have it’s own unique requirements, and even within that organization unique requirements will come about. The finance and legal teams are likely to require a different level or type of security around their work than a creative or IT team. If you have ever observed a creative team in full flow you will understand that the concept of a “clear desk” policy is not only laughable but also extremely restrictive to the very fundamentals of their craft. That same policy however will be more easily understood and accepted by the aforementioned finance and legal teams.

So in this example do you enforce an organisation wide clear desk policy? Probably not. It may make sense to have a departmental one, although in some circumstances this would be harder to police. Or you could implement clear desk “zones”, i.e. areas where it is not necessary to have a clear desk because of other measures. The measure may be soft, such as background checks on cleaning staff or hard, such as supervised cleaning staff.

Variations to blanket policies always cost money, but if you ascertain the potential financial value of that loss and compare it to the cost of the measures you can help your business to understand, adhere and respect the measure you are proposing.

This doesn’t just apply to physical security (although it very frequently does!) but also to technical and administrative controls too. Policies have to be very carefully written and reviewed by the various stakeholder of your organisation to ensure the right balance is struck. Technical controls also have to have this balance. Data Loss protection (DLP) is a marvelous technology that when implemented correctly can reap huge rewards and avoided risks, but it is expensive and time consuming to install and run. Who should ultimately make that decision, you, or the business. (clue, it’s not you).

Don’t be afraid to compromise in your dealings with your organisation. If they disagree with your approach, they either get it and feel it is simply the cost of doing business, in which case go off and look at other ways to support them. Or they don’t get it, which means you need to do a better job of convincing them of the risk in which case, go off and look at other ways of making your point. A good compromise is made when each party respects and aligns to the other parties point of view, not when each party is on fundamentally different sides.

Help your business respect and align to the information security ideals you hold dear, and do the same for theirs and you will always get more effective security.


An open letter to Apple – a change of heart

overcome-regretDear Apple,

I wrote to you back in 2012, deriding your decision to remove the lock lead security hole on your laptops. I may even have been a little rude.

An epiphany of sorts has happened to me at some point over the last few years though, and I think it stemmed from your decision to remove the security hole. Back then, I argued that physical loss of an asset was still bad, even with encryption enabled, because of downtime, replacement costs etc.. It also, I argued, helped to instill a culture of security in people as the physical act of locking their laptop would also remind them of their other security obligations, a constant reminder pif you will.

I was wrong.

The lock lead has been seen as barrier to productivity as our workplaces have changed and our people have become more mobile. People have avoided using them, or evened cursed them because their offices didn’t take the relevant logical step of ensuring there were adequate anchor points to be used. People were moving from one room to another on a regular basis for their meetings, and locking and unlocking their laptop reminded them of how out of touch security was with the realities of daily life.

I even did a back of a napkin calculation; a company with 10,000 laptops would spend (roughly) about $500k USD every three years on lock leads. That same company may experience thefts that could have been prevented by a lock lead that would total less that $10k a year. Financially this no longer makes sense. My inner chimp was scared that laptops would simply be stolen regularly from our offices and if I didn’t do anything about it I would get fired. In fact, decisions like this are costing our companies hundreds of thousands of dollars off the bottom line. So much being a “business enabler”.

So I take it back, all of it, and I want to thank you for setting me on the right path (and saving us all lots of money).

Your sincerely,

Thom “with regret” Langford