Monthly Archives: April 2013

A hint for technology salespeople

I’m very popular with vendors.  I get unsolicited mails or telephone calls from vendors who want to showcase their products.  This is reasonable:  I’m happy to spend ten minutes on the telephone to a vendor as it means that I keep abreast of some of the latest innovations and the poor vendors get to tick the box “told a new person about our product”.

Now that my Infosec 2013 badge has been spanked, I expect a few more in the coming weeks.

Sometimes it’s a link to a webinar.  Sometimes it’s a request that I read a whitepaper.  Sometimes it’s just rude.

Sending  a document that purports to be a whitepaper but is actually a piece of advertising for a specific product is, I think, a little deceptive and doesn’t make me want to do business with the sender.

More rude that that is the email that says “we are in your area, can we meet on the 14th?”.  Here is one I received a week ago.

Hi XXX,

How are you? I hope you don’t mind me contacting you directly. I’m looking to schedule a meeting with you within the week commencing 6th of May if that suits for a quick 15 minute visit. I’d like to discuss <OUR COMPANY> as an option for your office(s). Please let me know!
Thank you XXX.

In the meantime, please find a general overview of our services provided below for your information. <LINK TO URL>

All the best, <SALES MANAGER>

Of course I replied asking to meet.  They called, determined I wasn’t going to use their product and hung up.  I didn’t point out to them that the email didn’t even tell me what the product did, it just gave me a URL and they expected me to click on it.  I can only assume that when sales people go to sales school, they are taught to ask for a meeting on a specific date.  It’s quite amusing.

So, what should a sales person do?  Most vendors approach the pitch with the perspective of “look how great our tech is.  We are the best widget wiper in the business.  Use our tooling and all your problems will go away”.  This pitch is fine for an organisation that leads on technology and knows that it has a problem to solve, knows how to solve it and knows what type of solution is needed:  in this case the organisation will also have the budget.

In other organisations where budgets are important a better approach is to understand the business drivers and then address those.  For example, in an outsource environment projects and accounts are run against contracts where margin and revenue rule, not security features.  Where security is not business critical and where it is not a strategic business driver (which is most organisations, much to the chagrin of many infosec workers) then the business need should be addressed, not just the security risks that are being addressed.  In many cases the business leaders know perfectly well that they don’t live in a perfectly secure world:  but they know enough to manage that imperfection.

To sell product in this environment, security vendors should present the business case for the product.  What is the financial return on the investment?  How much will it cost to buy, to build, to implement, to run? Often vendors will offer a free proof of concept, ignoring the organisation’s costs to run that project which includes a project manager, technical architect, security architect, designs, change control, hardware, data centre routing and other costs.  Some useful answers might be that the product will reduce headcount, will bring in new additional revenue, will allow the same team to do more.

Simply showing that the tin is shiny and the tech is cool isn’t going to win executive approval and wastes everybody’s time.

I said that I am popular with vendors:  I am, until they realise that I’m not going to buy anything.

383a9602-59c5-4b98-854d-6f9515c58208

Advertisements

How your data was extracted

Data. Loss. Prevention.  Sounds wonderful, no? But in our cyber village every one of us is told that DLP will stop data loss.  The trouble is it’s predicated on people following the rules and the vendor’s pitch will be all about the normal conditions to stop email attachments (data and executables) and USB mass storage devices.

Here are a couple of scenarios to throw to the vendor during that presentation.

1.  I’ll build a LAN

Putty

Putty

Filezilla

Filezilla

Assuming that one is protecting the hard crunchy perimeter, a miscreant might simply decide to take the data out through a non-monitored channel.  They plug in a desktop switch and then map a drive, upload though PHP to a local web-server or use FTP (eg Filezilla) or SSH (eg putty) to extract files.  Job done.

2.  I’ll use the tools you’ve already given me:  Word

Microsoft Word will happily embed anything.  Simply embed an executable into the document and email away.  You may need to change the file extension but a miscreant can easily email an executable to themselves or data to someone else.  If the mail gateway blocks encrypted attachments, simply include inside a Microsoft Word container. Ba Boom.

3.  I’ll use the tools you’ve already given me: Winzip

Winzip is now a feature rich client.  It’s often installed in moderately secure environments and comes with two great features:

Winzip the miscreant's friend

“Split” and “UUencode”.

Split does just that.  It will split up the miscreant’s 200mb zip archive of their employer’s data into nice 5mb files that they can now easily fire through the mail gateway.

UUencode is even better.  It will turn a zip file of data or of a binary into plain old text.  The miscreant can then simply paste the text into a word document and fire that through the mail gateway.  There’s nothing to stop because there’s nothing to pattern match against.   As an example of how useful this is, let’s pack up Notepad and send it by text.

First we add Notepad to Winzip

Notepad in Winzip

Then we UU Encode it

UU Encode Notepad

Then we open it in Notepad (change the extension to TXT to make life easier)
Notepad.exe as text

The text for this starts as:

M4$L#!!0``@`(`.T4[CKEO?/]*AH"``#T`@`+````;F]T97!A9"YE>&7L_0E\
M3=<;,`KO3,00)X9#@A`$B1A"4!$AAQ/.X80@).9$!@F9).<0!(DDB.V82LVJ
MK9:VVM)J2VC%&/,\ST4Y$4,T571:W_,\:YTAP?]]W_O>[W[W?O=_\MMY]EYK

So now it’s a simple matter to either send or receive the text and then to use Winzip to assemble it back again.

Just what the doctorer ordered.

Make sure your DLP vendor has an answer to these scenarios.

(And a final word about USB mass storage devices.  If your DLP vendor relies on the USB firmware, USB-vendor ID, serial number or other token from the device to allow or deny access to the USB hardware, then it’s already game over.  With sufficient cunning one can overwrite the USB firmware or one can program one’s own EPROM to masquerade as an allowed device, while actually being something else. )

I know, let’s exhibit our wares at #infosec13

And now Infosec is done, and so I face the final curtain (er free pen).

But the big question has to be “did the vendors get a return on their investment?”

I hope they did and I’m sure the people on the day had a ball.  Let’s do the maths.

  • The cost of the space (£530 m/s2; shell scheme £140 /m2)
    • £0 for some charities
    • £5k for a small space
    • £45k for a large space
    • £60k for huge space
  • The cost of the stand materials
  • The cost of “entertainment”
  • The cost of the booth babes/boys
  • The cost of the giveaways
  • The cost of opportunities lost
  • The cost of people’s time
  • The cost of your reputation when a keen buyer speaks to a junior geek who give a poor account of him/herself

That’s anything from £30K to £120K for a reasonable stand or probably about £5k for the budget approach.

Each company will make its own decision on whether to exhibit and how much to spend.  I do wonder how the biggest booths justify the cost, but they do.  I assume that the good-will generated and the demonstration of competence is a sufficient return and that some of the people who wander past will one day turn that memory into a sale or a strategic alliance.

The best way to get the best return must surely be for all the vendor’s staff to focus on the task at hand: promoting their product.  I assume that the marketing strategy includes KPIs for the event and that the vendor is clear about what they want to achieve and why they are there.  I saw some interesting behaviour.  I personally get quite irritated when a post-teenage girl in micro skirt and pouty chest tries to engage me in conversation and then doesn’t know the first thing about the product.  It’s a little cynical for the vendors to think that simply because I’m a bloke, I’m going to be impressed by a bit of flesh.  It doesn’t do them any favours and it certainly isn’t the way to encourage women into IT.  Some of the other interesting behaviours I saw included:

  • Ignoring me as I walk past (er, I don’t mind real employees talking to me and I’ll be polite if I’m not interested)
  • Not scanning my badge when I pick up the free pen (er, don’t you want the leads)
  • Chatting to your colleagues (er, perhaps do that at the office … you are here to work?)
  • Head down tapping out on the mobile (er, perhaps making a sale is more important?)
  • Sitting down writing/reading/eating/filing your nails (er, perhaps if you want to do that you shouldn’t be on the stand)
  • Telling me “I hate this, I’m just a geek” (er, thanks I’ll go away then)
  • Having an events person (eg magician) not working (er, they are there to generate leads not chat up the booth babes)
  • Not letting me have the promotional gift (er, I’ll remember that and I’ll make sure I never select your product)

Magicians are great for the Infosec show.  That and children’s parties.  But if you are going to have a magician, make sure that they have seen Marc Paul‘s excellent video on trade show performances.  He explains how to make the trade show work:  it’s not about the effects it’s about the people.

But before you do hire a magician, bear in mind that Marc says that one year he was replaced … by a lizard in a glass case.  It’s just something to get the crowds, not to entertain them.

How much is that doggy in the window?

It’s a very peculiar thing, salaries.  Everyone wants to know how much everyone else earns, but no-one wants to say what they earn. At least in the UK.  Some other cultures aren’t quite as reluctant, but full disclosure is often only a recipe for discontent.  The Daily Mail often has articles about salaries (it’s possibly a middle class thing).  Many employers demand that employees don’t share salary information, but open salary information is essential if someone thinks that they are being paid less because of their gender.

What is the effect of salary disclosure?  The (US) National Beauru of Economic Research at Berkeley has published research that higher earners don’t always have more job satisfaction.  But finding out how much your peers are paid can be a double-edged sword:  they are paid more (which is depressing); they are paid more (and this stimulates because it means that there is scope for a pay rise); they are paid less (which may be uncomfortable); they are paid less (which means there is little scope for a pay rise).  The workers at Pimlico Plumber who had their salaries disclosed on a Channel 4 television programme had mixed reactions to plumbers being paid £90k while the sales team were on £19K, however CEO Charlie Mullin states in his blog that it was a worthwhile exercise even if certain lawyers disagree while the comments under The Sun‘s article about the programme are illuminating.

The UK national average full time salary is around £26K, reported in The Guardian. But this excludes the self employed such as IT contractors and television talent.  The Daily Mail reported that Carol Vorderman was paid £1.2m per year, which makes even pen testers look cheap.

So, what about the talented information security professionals?  Fortunately Acumin and Computer Weekly produce an annual salary survey.  The results are edifying.  Empirical data for various IT security roles show a broad range:

  • Big Four:  £40k (consultant); £80k (managing consultant); £150k (director); £500k+ (partner)
  • Major system integrators: £60 – £75k (managing consultant); £130k (associate partner)
  • CLAS consultant: £60k – £80k, contractor: £700 per day (rates here and here)
  • Security Architect contractor: £400 to £800 per day (£150K per year …)
  • CISO: £80 – £120k


The Acumin/Computer Weekly survey shows the top roles are:

  • Project management (£97k)
  • Check Team Lead (£85k)
  • Sales (£170k)
  • Professional services lead (£210k)
  • Security architect (£90k)
  • CISO (£200k); Security director (£120)
  • CTO (£180k)

All of which compare pretty well with getting a job in the real world. (And here are some salaries of civil servants )

KPMG and IBM Thought Leadership

KPMG released their excellent thought leadership piece “The five most common cyber security mistakes“.  These are:

  • We have to achieve 100% security
  • When we invest in best-of-class technical tools we are safe
  • Our weapons have to be better than those of our attackers
  • Cyber security compliance is all about effective monitoring
  • We need to recruit the best professionals to defend ourselves

IBM’s piece

Presenting the six keys to effective reputational and IT risk management.  The six keys are:

  • Put someone in charge
  • Make the compliance and reputation connection
  • Reevaluate the impact of social media
  • Keep an eye on your supply chain
  • Avoid complacency
  • Fund remediation: invest in prevention

That virtual slug

… we leave our trail.

When signing up to a social site, it gives you the option to sign in with a Twitter or Facebook account. It even says

“Don’t want to remember another password? Use your Facebook or Twitter account to sign up for Photobucket. It’s quick and easy!”

That’s great.  One doesn’t need to give much personal information away when creating a Twitter account.  Let’s have one of those.

Except the next screen is interesting

photobucket option for twitter photo photbucket3_zpsbcb726ec.png

And the question about birth date.  Even when signing-up with a Twitter account, this site requests a user name, password, date of birth and location.
Photobucket Register Screen photo photbucket2_zpsb22d919c.png

Now, I can understand why an organisation wants your data.  The service may be free at the point of use, but the Faustian bargain is that one provides information.  Presumably this information has some commercial value to someone.  Fair enough, caveat emptor and all that.

But, the birth date control seems a little ineffective.  Photobucket says it “assures us you are at least fourteen years of age“.  I suggest that the birth date does no such thing:  it only assures that the person entering the data is smart enough to enter a date older than fourteen years. An equivalent security enforcing control would be a check box “are you older than fourteen years?“.

Entering one’s real date of birth into websites is something one should do with a healthy dose of caution.  Given that the date of birth is used as an identity check by many financial organisations, allowing this to leak out is something that should be resisted.  Moreover, it behoves us to encourage those organisations that do collect dates of birth to think about what they are collecting and why:  more appropriate data to collect would simply be age.  This would  be in line with the UK Data Protection Act which requires that data collected is “adequate, relevant and not excessive“.  Societies and sports clubs would do well to bear this in mind.

IISP Congress and Crest Con

Wednesday 20th March 2013 saw the IISP and Crest organisations have their first joint conference. Details 

Agenda for stream 1.  Agenda for stream 2

Continue reading