A Christmas Public Service Announcement

1 Comment

I have known the good folks of Twist and Shout for a few years now and think their approach to information security awareness and education is spot on. Using good production values, great scripting and where appropriate some humour they have made some great short films. I have been fortunate enough to use some in my own presentations as well.

I am thrilled to be playing a part in their latest Christmas viral in collaboration with another project I am involved in, Host Unknown. I hope you enjoy it.

(It also explains why I have been sporting a beard for the last few weeks.)

What’s this security stuff for anyway?

2 Comments

I am currently sitting in the BA lounge in Heathrow awaiting a flight to Delhi, and as I look around at the number of laptops lying around it reminded me of something I saw a few years ago at Delhi International Airport as I was waiting to fly back to the UK. It was so shocking I even used it as an example in a security article I wrote for my company on my return. Regular readers will know that I have a thing about unattended laptops anyway as it  has the potential of negating all of the technical measures put in place in certain circumstances. Anyway, I decided to write it up here as an example (and of course to kill the time in the lounge!).

It was about midnight, and I was in the BA lounge (sometimes shared with other airlines), and it was quite a busy evening so most of the seats were taken.

I was sat next to a gentleman who opened up his laptop and switched it on. It immediately asked for a password, I presume for the on disk encryption. He then had to log into his account, and then finally he connected his own data card (no local WiFi and inherent insecurities for him!) and subsequently connected to his corporate VPN using a username, password and an RSA two factor authentication token. All good stuff from a security perspective.

I noticed from his wallpaper logo right in the centre of his screen that he worked for an aeronautics defense contractor, so the level of security didn’t surprise me. What he did next however did…

After successfully connecting, he placed his laptop on on the table in front of him and went to the toilet… without even locking his laptop. He was away for 15 minutes.

I was so shocked I even took a photo of his laptop which is attached – this is honestly the laptop in question! If you look carefully you can see the window with his VPN connections in the middle of the screen

image

It summed up to me that even though there was all of this security on his laptop, it was rendered useless by his carelessness and utter disregard (or utter lack of awareness) of the security of the contents on his laptop. He entered the passwords that protected his data because that was what he needed to do to get his job done, not because he understood what it was for.

When we overcome scenarios, attitudes and understanding that results in this kind of thing being played out the world over, we will have addressed a huge amount of risk in our industry.

Bon voyage!

And they say security awareness training is working?

3 Comments

Having been involved in the security awareness debate quite a lot recently I have no desire to bang this drum even further, especially as on the whole I support the concept of security awareness training. However I am constantly having my faith in the training rocked just from observing people’s day to day activities.

I found myself in one of the lounges in Delhi airport at around midnight last night. in a period of less than thirty minutes I found two laptops and an iPad logged in and unattended in plain view. Now, I really do understand that people may consider these kind of environments as ‘safe’ and will therefore let their guard down. What I fear however is that they have blatantly disregarded their security awareness training and policies that will no doubt explicitly state that it is unacceptable to leave mobile devices unattended and unsecured in any environment, possibly including the workplace. Without wishing to become an amateur sociologist I would imagine these are educated, intelligent people because

  1. They are able to afford expensive looking laptops or have been issued an expensive looking laptop
  2. Are flying business class (or similar) and are therefore likely to be working for a company that can afford to pay for this level of comfort (a decreasing number on my experience)

If they are so intelligent and educated, why are they ignoring their training? Why are they putting their company and client data at risk in such a blatant way? It is my belief that the training provided has not effectively put across the reasons and incentives for securing mobile devices in the outside world.

 

Now you see it...

Now you see it…

Can you see it?

Can you see it?

The third offending item was another laptop, but as I was furtively aligning myself to take a picture the owner returned from the toilet It was left in very similar circumstances in a high traffic area.

Given the number of laptops I have seen left in Starbucks and other cafes (and indeed have blogged about elsewhere here) I am seriously considering starting a gallery to showcase these examples and perhaps start using them as a litmus test of the effectiveness of any company’s security awareness programme. Until these cases become exceedingly rare, to my mind the existing programmes are simply not working as they were intended, and until they do, behaviour such as this which smacks of convenience and possibly a little laziness will continue to put data at risk.

RANT Panel Debate: “Should You Train Your Users on Security Awareness?”

Leave a comment

I spent last night with five eloquent, passionate and above all opinionated colleagues arguing the pros and cons of security awareness training. We were doing this at the monthly Acumin RANT forum to a packed crowd who, as always, were not shy in holding back on their opinions.

The Crowd, who make RANT what it is!

The Crowd, who make RANT what it is!

We had two stand ins replacing Christian Toon and Kai Roer in the form of Bernadette Palmer and Andrew Agnes both of whom bought a huge amount of experience, opinion and humour to the evening. The lineup therefore was:

 For:

(The Award Winning) Javvad Malik, @j4vv4d

Bernadette Palmer

Andrew Agnes @sirjester

Against:

Myself

Geordie Stewart

Rowenna Fielding @infosecgeeklady

We did a standard pre vote just before starting (we garnered no votes and a lot of good natured laughs as expected!) and then we went straight into the standard For and Against cycle with me kicking off. Nobody had briefed me (or perhaps I hadn’t listened…) that we were reducing our standard six minutes each down to three! A quick reshuffle in my head and we were off. The photos may look like I am singing Karaoke, but beneath the entertaining exterior was my serious message!

I have posted my core arguments to this blog before so I won’t rehash them here again but what followed over the next eighty minutes was hugely interactive, passionate, thought provoking and hilarious! With a few dongle and fork gags thrown in this debate had everything! Of course there was no real conclusion but at the closing vote there was a small but very definite swing in our favour, hooray!

The Karaoke King!

The Karaoke King!

What I found the most interesting however was that on the whole our arguments converged; we all acknowledged that information security training as it stands now is simply not working. What we do with it however, was where the real debate lay. Do you throw the whole lot out and start form scratch or do you continue to try and fix what we have? I think this is the dilemma we need to face up to sooner rather than later in the industry, once of course we accept that our training programs don’t work. That part is where the industry needs the most help.

I normally try and stay around after these kinds of events and listen to other peoples opinions, gather feedback and generally mingle. Tonight however I had dinner with a few folks (@jimshout, @j4vv4d, @sirjester, @jee2uu) to discuss an upcoming project. More on that in the next few months but it was a productive and exciting evening overall.

Finally, there was some footage taken of the evening by Gemma of Acumin; like all my footage if it ever sees the light of day I will get it posted here as soon as possible! As always a huge thank you to Gemma, Simon, Chris et al from Acumin for not only making this happen but asking me to be a part of it.

Andrew Agnes

Andrew Agnes

Geordie Stewart

Geordie Stewart