“Compromise” is not a dirty word

1 Comment

compromise

If it wasn’t for the users we could secure the company much more easily.

or

They just don’t get it, we are doing this for their benefit.

We often hear statements like this being made, and sometimes even uttered by ourselves. In fact I daresay they are often made by people in very different support industries, not just information security, but it seems that we harbour these feelings more than most.

Effective security is security that is understood, adhered to and respected. Ineffective security is either too lax, or so tight that individuals do their level best to work around it. They are not working around it because they are subversive elements in our organizations, but rather because it is restricting them from getting their day jobs done; it has become a barrier.

Each organization will have it’s own unique requirements, and even within that organization unique requirements will come about. The finance and legal teams are likely to require a different level or type of security around their work than a creative or IT team. If you have ever observed a creative team in full flow you will understand that the concept of a “clear desk” policy is not only laughable but also extremely restrictive to the very fundamentals of their craft. That same policy however will be more easily understood and accepted by the aforementioned finance and legal teams.

So in this example do you enforce an organisation wide clear desk policy? Probably not. It may make sense to have a departmental one, although in some circumstances this would be harder to police. Or you could implement clear desk “zones”, i.e. areas where it is not necessary to have a clear desk because of other measures. The measure may be soft, such as background checks on cleaning staff or hard, such as supervised cleaning staff.

Variations to blanket policies always cost money, but if you ascertain the potential financial value of that loss and compare it to the cost of the measures you can help your business to understand, adhere and respect the measure you are proposing.

This doesn’t just apply to physical security (although it very frequently does!) but also to technical and administrative controls too. Policies have to be very carefully written and reviewed by the various stakeholder of your organisation to ensure the right balance is struck. Technical controls also have to have this balance. Data Loss protection (DLP) is a marvelous technology that when implemented correctly can reap huge rewards and avoided risks, but it is expensive and time consuming to install and run. Who should ultimately make that decision, you, or the business. (clue, it’s not you).

Don’t be afraid to compromise in your dealings with your organisation. If they disagree with your approach, they either get it and feel it is simply the cost of doing business, in which case go off and look at other ways to support them. Or they don’t get it, which means you need to do a better job of convincing them of the risk in which case, go off and look at other ways of making your point. A good compromise is made when each party respects and aligns to the other parties point of view, not when each party is on fundamentally different sides.

Help your business respect and align to the information security ideals you hold dear, and do the same for theirs and you will always get more effective security.

An open letter to Apple – a change of heart

1 Comment

overcome-regretDear Apple,

I wrote to you back in 2012, deriding your decision to remove the lock lead security hole on your laptops. I may even have been a little rude.

An epiphany of sorts has happened to me at some point over the last few years though, and I think it stemmed from your decision to remove the security hole. Back then, I argued that physical loss of an asset was still bad, even with encryption enabled, because of downtime, replacement costs etc.. It also, I argued, helped to instill a culture of security in people as the physical act of locking their laptop would also remind them of their other security obligations, a constant reminder pif you will.

I was wrong.

The lock lead has been seen as barrier to productivity as our workplaces have changed and our people have become more mobile. People have avoided using them, or evened cursed them because their offices didn’t take the relevant logical step of ensuring there were adequate anchor points to be used. People were moving from one room to another on a regular basis for their meetings, and locking and unlocking their laptop reminded them of how out of touch security was with the realities of daily life.

I even did a back of a napkin calculation; a company with 10,000 laptops would spend (roughly) about $500k USD every three years on lock leads. That same company may experience thefts that could have been prevented by a lock lead that would total less that $10k a year. Financially this no longer makes sense. My inner chimp was scared that laptops would simply be stolen regularly from our offices and if I didn’t do anything about it I would get fired. In fact, decisions like this are costing our companies hundreds of thousands of dollars off the bottom line. So much being a “business enabler”.

So I take it back, all of it, and I want to thank you for setting me on the right path (and saving us all lots of money).

Your sincerely,

Thom “with regret” Langford

Flushing Risk at 44CON

3 Comments

logo-1I have just returned from two long days and two long nights of 44CON, the premier conference in London for technical InfoSec professionals (and even a few of us management types). It saw the debut of by “Flushing Away Preconceptions of Risk” presentation, an expansion of the my recent post for the Analogies Project.

The core messages of the presentation are not necessarily pleasant ones; the correct use of risk in any organisation is one of the most powerful tools in an information security programme, and yet it seems to me that very few of us understand it fully. Many of us struggle with not only identifying what the real risks are in the first place, but also how to measure them and even how to properly treat them.

Doing my bit to advertise 44CON

Doing my bit to advertise 44CON

Identifying risks at first seems like an easy think – identify assets, and then identify what could go wrong. I won’t elaborate the analogy much here (read it at the Analogies Project), but given how we regularly fail to identify risky behaviours correctly in our daily lives it should be no surprise we fail to do so professionally. The same bias applies to when we subsequently try and measure the risks; every mechanism we use introduces potential errors and even vagueness. I was quite proud to introduce the Langford/Malik Risk Model (ver 1.0), an approach that I evolved from one that Javvad Malik introduced in his book. Again, it uses an analogy although this time of a pub fight to not only describe levels of risk but also risk appetite. I do hope that not too many of you will find it useful next Friday and Saturday night.

ThomLangford_2014-Sep-08

The Langford/Malik Risk Model ver 1.0

Finally the effective treatment of risk was covered, and how we so often simply do what has been done before, not what is going to be effective now. Just because a risk hasn’t been realised doesn’t mean you have treated it effectively, it just means that an incident hasn’t happened (that you know of).

The slides are below, but since my presentation style has evolved more into storytelling rather than bullet point reading, by themselves they may say little to you, but the session was recorded and when it is released I will make it available here. Like any presentation it barely touches the surface of risk management and its issues, but it was intended to be thought provoking and prompt people to not assume that just because they have always done things in a certain way that it is the best or even correct way.

This slideshow requires JavaScript.

As for 44CON itself, well, any conference that has a “gin o’clock” on each day has to be pretty good in my books! It was a very well organised conference, with an excellent and highly motivated Crew to help support it. SpeakerOps were particularly good providing a personal touch I have not seen at any other conference. The quality of the talks and the speakers was also excellent, but as I alluded to in my introduction, many of them were technically beyond me!

The highlight for me however was a workshop I attended demonstrating the beta version of the Cyber CPR product. This is a virtual machine (that can also be deployed on ultra portable hardware if need be) that builds and entire incident management environment allowing for the discovery, gathering and analysis of evidence during an incident. It build a virtual “war room” environment, where multiple incidents can be tracked at once, in a secure and separate environment from the one that has actually just been breached. With tools built into the backend and access via a browser it even does away to have many of the tools on your own environment, making it great for remote and ad hoc use alike.

The product is in Beta at the moment, and does lack a few features, (they described it as not ready for active duty), but what i saw  was very polished and useful even in it’s beta configuration. Commercially it will be available for free with up to three users, and only $5k GBP for up to twenty (please don’t quote me on these figures though). I would strongly recommend you take a look at this excellent environment that for very little outlay will significantly improve many current incident response teams, and their over use of Excel. The team expects it to be commercially ready by Spring next year.

ThomLangford_2014-Sep-13

Obligatory selfie with Jonathon Schiefer

The final highlight was to be able to meet Jonathon Schiefer  the director of the film Algorithm  which had its European debut at 44CON on Wednesday night. It was fascinating to hear about the backstory of the film, his challenges and even how he made the film financially and technically. He was an absolute pleasure to chat with, and I thoroughly regretted my decision to have a curry instead of watching the film. At a stretch you could say we are kindred spirits when it comes to our film making, but he is without a doubt in an entirely different league to me!

44CON will be back next year, but we were also enticed with the news of another 44CON spring conference being planned as well. I would strongly recommend anyone who can get to London to attend both of these conferences. Congratulations to Adrian and Steve and the many people in the crew for putting on a fabulous conference.

Not All Risks Are Bad (even the bad ones…)

1 Comment

Keep_Calm_Big_ThinkThe very term ‘risk” often makes people feel uncomfortable, with connotations of bad things happening and that if risk is not minimized or removed then life (or business) becomes too dangerous to continue.

Crossing the road is risky, especially if you live in a busy city, and yet people, young and old alike, do it every day. In fact it is riskier than flying  and yet I would argue that there are more people afraid of flying that of crossing the road. Hugh Thompson of RSA put it very well in his 2011 RSA Conference Europe presentation when he raised the issue of “Sharkmageddon”; more people are killed every year sitting on the beach by falling coconuts than those by sharks, but there is an almost universal fear of sharks. We irrationally consider swimming in the sea safer (less risky?) than sitting under a coconut tree.

Risk is an inherent part of our lives, and if we let the realities of risk take control of our business decisions we become the corporate version of an agoraphobic; staying in the safe confines of the environment  we know and not ever venturing out to be active in the outside world; ultimately we wither and fail be it as individuals or as a business.
In my experience, one of the most misunderstood approaches to treating a risk is to accept or manage it. Most people are comfortable with mitigating, transferring or avoiding a risk as they involve some kind of act to deal with them, something we are all familiar with. We fix a problem, give the problem to someone else or stop doing the thing that causes us the problem in the first place. However, it often feels wrong to simply accept a risk, in essence to do nothing. Although this is not strictly the case, it is essentially how we feel we are dealing with it. You are accepting that there is either nothing you can do, or nothing you are willing to do to reduce the risk. However, you are not blindly accepting it at face value; rather you are being cognisant of the risk as you continue your operational activities. You know it is there as you carry on your day job. These activities and the very environment you are operating in can change without notice, and make the decision to accept a risk now the wrong course of action.

For instance, it may now be cheaper to fix the risk than it was going to cost you, or the highly lucrative contract that made the risk acceptable is now over and there is a greater risk of financial lost that costs more than the revenue you are bringing in. The reasons for change are often financial, although not always. Your risk appetite may also have reduced or the industry you are operating in becomes more regulated; all of these example mean your decision to accept needs to be reviewed.

All risk decisions need to be reviewed regularly, for exactly the reasons given above, but in my opinion it is risk acceptance decisions that should be reviewed more often, as they are the ones that are made as a result of more transient and changing factors, and are the ones that will potentially harm the organisation the greatest.

tiger__extIt’s a bit like keeping a tiger as a pet – it looks awesome and maybe even draws admiring glances from many, but if you forget you locked it into your bathroom overnight you are going to have a very big surprise when you get up to go to the toilet in the middle of the night. You can’t accept risks without truly understanding them in the first place.

A more secure cashpoint/ATM transaction?

Leave a comment

skimgallery1There has been much written and talked about over the years about the use of skimming devices and cameras being installed on cashpoints (ATM’s for my international readers), their increasing complexity and ability to seamlessly blend into the cashpoint itself. With the card being entered and read, and the PIN code either intercepted with lay on keypads or filmed with cameras, the criminals ability to clone cards is quite significant, and the financial rewards high. Most of us, if we were honest, would struggle to see a sillfully crafted and installed skimmer on an average ATM.

Why are we still so reliant on this kind of security? Sure, it is technically two-factor, with the card that I have and the PIN that I know, but as my previous statements show very clearly, this security can be bypassed very easily.

The Royal Bank of Scotland (RBS) quietly announced a new feature last year to their mobile app that allows cash to be removed from an RBS or NatWest cashpoint without a card. Given there has been much research on the fact that people were no more likely to forget their wallets and purses than their phones, and actually become more distressed at not having their phone over their wallet, the bank could see a shift in how people were becoming increasingly reliant on their smartphones.

The process is straightforward; after logging into the (already downloaded) app, and pressing  “Get Cash” one simply types in the amount of money they would like to withdraw, and is then presented with a six digit, one time use PIN. This PIN can also be texted or sent to someone else if need be. (VERY useful to help out friends and family in distress.) One then uses an RBS or NatWest cashpoint (unfortunately other banks do not participate in this scheme) , presses enter on the keypad, and then enters the six digit PIN number twice followed by the amount of money that was originally requested. The cash is then dispensed. If more money is required, the process is repeated and another, different, six digit PIN is issued.

To my mind this is an excellent innovation, and other thought so too, with the creators behind the enhancement, SapientNitro being awarded a Cannes Lion at last years show. A slightly cheesy advert follows…

(Note: at this point it is worth me declaring my interest, as I am an employee of Sapient, the parent company of SapientNitro. That said, I was using the service before I realised it was Sapient that came up with the idea in the first place!)

This works in many ways:

  1. 1: The pin is only used once, so it doesn’t matter if a skimmer is in place, it is recording only a one time password.
  2. 2: Your card cannot be cloned as it is never used.
  3. 3: It is convenient because nights out only involve looking after your phone, not you phone and cash card and cash!
  4. 4: Even if you phone is lost, it is password protected, tracked, and you r banking app is also PIN protected with more than a four digit pin code (it is, right?). You can also wipe your smartphone remotely in most cases.

pizzaexpressA UK food chain, Pizza Express, did a similar thing last year as well, whereby on the bottom of the receipt is a unique code that allows people to pay with PayPal; again this is smart (your misgivings about PayPal aside) as your card cannot be taken around the back and cloned without your knowledge, as the payment is sent directly from PayPal to the restaurant and notification received on the till. Of course every time I have tried to use it the code has always been misprinted stopping me from doing so! Lovely idea nonetheless…

So what is the upshot of this? Most importantly I think it shows how with the judicial use of technology we can keep one step ahead of the criminals. Of course they will catch up, and of course there are other security implications (a rise in smartphone theft perhaps?) but RBS has shown that a relatively small change in their systems can result in a huge change in the security of their transactions. As of writing I am not aware of any other UK bank having this capability (they seem to be focussing on the ability to send payments to friends rather like PayPal than anything else), but this kind of approach should become the new norm.

It is this application of security alongside the ability to truly understand their clients and their needs that in this case has allowed RBS to steal a march on their competitors. I know this simply because of the looks on the faces of my friends when I take cash out of the cashpoint without using my card; it is magic, and they like it…

This is truly a case over security versus convenience… but with added convenience.