A Christmas Public Service Announcement

I have known the good folks of Twist and Shout for a few years now and think their approach to information security awareness and education is spot on. Using good production values, great scripting and where appropriate some humour they have made some great short films. I have been fortunate enough to use some in my own presentations as well.

I am thrilled to be playing a part in their latest Christmas viral in collaboration with another project I am involved in, Host Unknown. I hope you enjoy it.

(It also explains why I have been sporting a beard for the last few weeks.)


What’s this security stuff for anyway?

I am currently sitting in the BA lounge in Heathrow awaiting a flight to Delhi, and as I look around at the number of laptops lying around it reminded me of something I saw a few years ago at Delhi International Airport as I was waiting to fly back to the UK. It was so shocking I even used it as an example in a security article I wrote for my company on my return. Regular readers will know that I have a thing about unattended laptops anyway as it  has the potential of negating all of the technical measures put in place in certain circumstances. Anyway, I decided to write it up here as an example (and of course to kill the time in the lounge!).

It was about midnight, and I was in the BA lounge (sometimes shared with other airlines), and it was quite a busy evening so most of the seats were taken.

I was sat next to a gentleman who opened up his laptop and switched it on. It immediately asked for a password, I presume for the on disk encryption. He then had to log into his account, and then finally he connected his own data card (no local WiFi and inherent insecurities for him!) and subsequently connected to his corporate VPN using a username, password and an RSA two factor authentication token. All good stuff from a security perspective.

I noticed from his wallpaper logo right in the centre of his screen that he worked for an aeronautics defense contractor, so the level of security didn’t surprise me. What he did next however did…

After successfully connecting, he placed his laptop on on the table in front of him and went to the toilet… without even locking his laptop. He was away for 15 minutes.

I was so shocked I even took a photo of his laptop which is attached – this is honestly the laptop in question! If you look carefully you can see the window with his VPN connections in the middle of the screen

image

It summed up to me that even though there was all of this security on his laptop, it was rendered useless by his carelessness and utter disregard (or utter lack of awareness) of the security of the contents on his laptop. He entered the passwords that protected his data because that was what he needed to do to get his job done, not because he understood what it was for.

When we overcome scenarios, attitudes and understanding that results in this kind of thing being played out the world over, we will have addressed a huge amount of risk in our industry.

Bon voyage!


Why I am an Analogies Project contributor

Bruce_Hallas-300x286That devilishly handsome bloke you see to the right is Bruce Hallas. I used to go to school with him nearly 25 years ago, and then last summer, at the first old boys school reunion that our year organised since leaving I met him again, and it turns out we are in the same infosec business. I spoke to him about all of the good work I am doing, the company I work for, the many countries I visited and generally tried to make myself feel more important than the skinny eighteen year old I was when I last saw him. He told me that he runs his own infosec consultancy, his own blog, works with the UK government, and was in the process of setting up “a project” as a freely available, self funding, resource of analogies/stories to help people better understand information security. (Bruce immediately won the “my life is awesome since leaving school” competition of course.)

Since that time, The Analogies Project has grown from one man, an idea and a website to something producing real, quality content, and with a very promising and bright future.

In the words of the Project itself;

The Analogies Project has a clear mission. To tackle the unintelligibility of information security head on and secure the engagement of a much broader audience. Its aim is to bridge the chasm between the users, stakeholders and beneficiaries of information security and those responsible for delivering it.

Through a series of innovative initiatives the Analogies Project will enable information security professionals to effectively communicate with their chosen audiences. The content will be delivered through a variety of alternative communication techniques, media and partners.

The part of this project that I like the most is that it is essentially a community project. Bruce isn’t charging money for membership to the analogies as they are written (and they are coming thick and fast now!), and none of the contributors are charging for their work either. There are not only the web contributions in the form of a library, but a book planned, a conference, and even an opera! With the momentum that is currently behind the project at the moment there is every reason to believe in its future success.

So why am I contributing? Honestly, I have selfish and philanthropic reasons to do so. Obviously it gets my name out there, allows me to practise my writing, test some ideas and also say “I was there from the start”. All that aside though, I have frequently struggled in my day job to get infosec concepts across to people, either directly, in meetings or even in awareness training. To have had a resource like this available to me five years ago would have made my life so much easier, allowed me to advance the infosec “cause” more effectively and given me a set of tools I knew were consistant with the prevailing thoughts of industry commentators. Having a centralised, peer validated, toolkit available is fundamental to us as professionals when it comes to the messaging we give to our users, clients, bosses, teams and even the infosec community as a whole.

It’s still early days, but I have submitted my first contribution just last week (soon to be published I hope) and I am already inspired enough to be working on my second and third. There are a number of analogies already in place, and I would urge you to read them and consider them in the context of your current communications to your audiences, whomever they may be.  The book will be another important milestone and one I hope to play a part in; indeed I hope to be able to play a part in the the project for the forseeable future, and why I am happy and proud to display my “contributor” badge up on the top right of this site.

TAP-Contributor-Semi-Transparent-250x160

If you feel you have something to contribute, then head over to The Analogies Project and let Bruce and the organisers know. If you don’t feel ready to, then certainly check it out anyway. You won’t regret it.


We turned around, and there he was… gone!

This is a picture taken in Starbucks, just a few minutes ago. Can you guess what’s missing?
Why the owner felt it was a good idea to go to the toilet (while carefully taking his iPhone with him, because otherwise it might get stolen!), leaving his laptop in a busy room where it could be easily removed is beyond me. It was made worse because when I peeked around the screen, it was also not screen locked.
With so much noise and argument going around the infosec community at the moment around security awareness the lazy conclusion would be that all users are idiots and need their hand holding all the time before they hurt themselves with their private data. Of course it is never that simple but it is no less infuriating to see this kind of attitude in practise. Where do we go from here in trying to avoid these situations?
I have a colleague who likes to highlight that we should consider our laptops and tablets and other various devices as “bathroom buddies”. I didn’t like this term at first (my knee-jerk reaction against the American use of the term bathroom), but it really does make sense. When in a public place such as a cafe, train etc and you need the toilet or a break, take your equipment with you! It is a simple alliterated phrase that sticks in the mind, makes you smile and therefore might actually make someone change their behaviour.
On the subject of humour, there was an XKCD cartoon very recently that summed this up perfectly.
The point is that this individual who left himself logged in could have had untold damage done to his personal and professional reputation if I was so inclined. Facebook posts, Tweets, work emails, Amazon orders etc could all potentially have caused him grief. Sure, after the fact he could probably “tidy up” the mess, but why put yourself in this position?
In the security awareness debates, system design is often touted as the way ahead, and in actual fact I think this may have come to the aid of our hapless coffee drinker, if he was lucky. The laptop itself looks like a new MacBook Pro, possible a Retina given the new style charger. That would mean he would be running Lion or Mountain Lion, which means FileVault is installed, although not enabled by default. If it was enabled and I ran out of the cafe with his laptop chances are when I sat down at the nearest park bench to check my prize the laptop would have locked and required a password. There is a good chance there that his data would be secure and encrypted. The same would be true if it was a Windows 7 or 8 laptop. The problem here though is that the key phrase above is “not enabled by default”. It’s great these operating systems now come with encryption built in, but there aren’t even annoying prompts a la Microsoft that, for instance, I don’t have an anti virus program installed; it is left entirely to the user to be educated and security savvy enough to enable it. I have joked on this blog before that encryption today is at the same level of anti virus of twenty years ago (Dr Solomon’s anyone?). Today, I would wager virtually everyone knows about anti-virus, and in fact it is often bundled and enabled by default on new laptops. (I am not going to take this opportunity to talk about the efficacy of anti virus as an endpoint protector!). When will encryption become such a commodity that you are an oddity if you don’t have it?
This isn’t a particularly racy topic, but it is one that is played out every day in cafes around the world. As every teacher will tell you, when you get the fundamentals right, the rest will follow far more easily. This person really should have known better, but when will we be at a point that he wouldn’t have had to?


Lies, Damned Lies, and Statistics

Pac-ManOriginally attributed to Mark Twain, who subsequently attributed it to Benjamin Disreali (although no evidence has been found that he actually said it), the above quote sums up how the use of statistics can blur the lines between powerful argument supporter and simple use of numbers to confuse and deceive.

When used properly, statistics in your risk management programme help support your recommendations, allow you to build effective business cases and even allow for a certain amount of self-analysis and performance reporting. When used badly, you run the risk of undermining the credibility of your entire risk management programme.

Consider the following two statements made by security awareness training companies:

Reduce phishing click-throughs by 75%!

KnowBe4 Internet Security Awareness Training

…successfully trained over 7000 employees”  (Fox Entertainment)

TerraNova Security Awareness

In the first instance there is a bold claim in that click-through rates reduce by 75% which on the face of it sounds great. When reading in details there are some more impressive results but I can’t help thinking of the somewhat artificial nature of the test, i.e. “I have just taken anti phishing training and I am suddenly getting five phishing type emails, hmmmmmm”. Perhaps a more suitable test would have been to wait two months before sending the test emails? (The time between training and testing is unfortunately not specified however). There was also no mention of any feedback given in between each test. Security awareness training is such a hot topic however that I will leave that well alone for now!

In the second case the banner across the top of the website proudly announces how many people have been successfully trained; unfortunately it makes no mention of the other 5,500 employes who were not trained in Fox Entertainment (headcount checked at 12,500).

Now this is just standard sales patter and I certainly don’t mean to pick on these two companies specifically, but both statements illustrate the point perfectly. In both cases the products are probably very good in their own field, but when you “reverse” what it is they are saying they speak volumes. Some foods for instance are labelled as 90% fat-free, but in reality that means they contain 10% fat, and so here therefore there is still a 25% sized group of people who did click through and there are still 5,500 people who were not trained (and why not?). This is related to the fear, uncertainty and doubt that is often touted in the industry and can be used to scare and subsequently encourage people to buy products.

As risk professionals we need to take a more balanced, calmer route. We need to use statistics more carefully and responsibly, especially when what it is we are presenting makes its way into the core of the business, the leadership, the board, and ends up being used to make business decisions with serious implications. We can’t take sales statistics for instance on face value and use them to recommend a product or emphasise a point.

A Google search of “risk management statistics” produces over a billion results (in of itself a bad and useless statistic to present) so there is plenty of work out there on how to present your work, so I won’t be suggesting anything specific here. There are also plenty of other issues with statistics, for instance causation and inference which can be looked at in more detail at a later date.

i will however close on three key points I use whenever I am producing statistics for anything that comes out of the data gathered by a risk management programme:

  1. “Reverse” the statistic (see above). If you don’t like what you see, don’t use it.
  2. Be careful of your sample size; too small and the statistics are meaningless, too big and the resulting statistic you are focussing on is still a big and scary number even though you are potentially trying to emphasise quite the reverse.
  3. Look at what you come up with cynically; is it a lie, or a damn lie?

And to underscore how statistics can mess with your head, statistically there are six Popes per square mile in the Vatican; go figure.