
I love the GDPR

Because I finally have a way to stop IT vendors calling me


The First Tuesday of the Week

Tuesday 3rd February

First Tuesday

I wonder if the young ladies who wear the black dresses to serve us (mostly) middle-aged, (mostly) middle-management, (mostly) middle-class chaps ever wonder what it’s like on the other side of the canapé tray.  It’s not easy eating rubberised Chinese food and making small talk with people whose professional function is to stop their colleagues doing the things that they’d like.

Fair play to Veracode though.  The usual low-sell from persistent chaps.

But what about the Nosh?  Not enough I say.  Not enough.  And too much rubber.

It’s dark and it’s a network. It’s the Dark Net

NED Darknet 30 January

I must confess that I liked this one.  The indefatigable Greg Jones gave an excellent debrief on the Darknet using some weird font which made his presentation look like The Nightmare Before Christmas meets The Matrix.  Well cool and well worth the trip into town.  Greg did overrun somewhat though, but I think on balance it was worth it.  Whatever lecture we missed can’t have been half as good as the exposition of the Darknet, TOR and various other vegetables.  Most impressive as Greg always knows his onions.  Particularly interesting was taking a peek at some of the actual sales and auction sites selling the various goods that most people want to own but don’t want to actually be caught buying; it made a refreshing change to actually see something on sale, rather than the usual platitudes implying that such-and-such is on sale for “fifty dollars”.  A mistake that one of the later presenters made, unfortunately.  Now I’m sure that the Security Architect who works for Visa also knows her Togaf from her Toga, but she fell into that rather obvious trap that tech-light presenters do and tried to befuddle her audience.  She threw lots of arcane, unattributed statistics at us and while I’m sure that some must have been correct, I didn’t see any empirical evidence supporting the assertions about the “number of businesses who can’t recruit the right staff”.  Dear heart, what is a business in the cold light of day?  She also annoyed some of us by constantly referring to the cost of her favourites in “dollars”; presumably she can’t put the numbers into a spreadsheet to convert to cowrie shells, which are God’s own currency.  Then we had more sales pitches dressed up as thought leadership by the usual anonymous crowd.

An informal little gathering of about fifty or so listened politely and then opined through the usual faux questions.  At one point I felt myself wondering what would have happened if I had turned left out of the lift and gone to the Nursing Gastrointestinal Conference.  I once had gastroenteritis so I think I am well qualified to attend such a conference and I am sure that we’d all have learned something interesting by swapping at least one of the lectures over.

I wanted to ask the police commissioner why the police simply don’t take financial crime seriously if the victim is not a corporation.  For example, if you get your cheques forged, they simply won’t help.  But I didn’t.  Because I’m a craven coward.  So I waited until the end at midday and went back to the office.

The greats included:

  • Commissioner Adrian Leppard, City of London Police
  • Greg Jones, Director, Digital Assurance
  • Rashmi Knowles, Chief Security Architect EMEA, RSA
  • Martin Jordan, Chairman, NED Forum
  • Paul Webster, Global Head of Technology Audit, Vodafone Group
  • Ross Dyer, Technical Director, Trend Micro
  • Dan Buckley, Director EMEA and APAC, Core Security
  • Phil Huggins, Vice president, STROZ FRIEDBERG

But what about the nosh?  The morning started very well with super little biscuits and pastries filled with custard and other such sugar and fat fests.  Tea of course.  But no lunch, which was a shame.  Perhaps next time the sponsors could spring for a bowl of crisps.  I regret not jumping over to the nursing section as they had what looked like a lovely plate of salad, but I thought that, as I don’t exactly look like an off-ward but on-duty nurse, trying to explain why I was snaffling a free plate of scran might not do my immortal soul any good.

rant, Rant, RANT I SAY

28 January RANT Emerging Threats in Cybersecurity

I wonder what the future will bring?  Well, the truth is, answering what is easy.  It’s the when that’s hard.

I was none the wiser after this event.  Despite a hefty degree of heckling, the splendid Monica Salgado kept us all under control.  What does the future bring? “Internet of Things” says one bright spark (internet of what, exactly? says me). “Stupid users” says another (shurely not this one, says me). Same old same old says I.  But I am just Cassandra in another frock.

Difficult questions expertly dodged by

  • Mónica Salgado, Senior Lawyer – Data Protection, Visa Europe
  • Jason Creasey, Managing Director – Jerakano Limited
  • Arthur Barnes, Principal Threat Manager EMEA – Pearson plc
  • Morgan Lloyd, CISSP, Technology Evangelist – Cisco UK & Ireland

Usual crowd on the top floor of The Counting House.  I still think the Rant has outgrown the facility.

But what about the scran?  Of course, the beauty is the free bar.  Which is only any use if you drink alcohol.  I’m cutting it out so my largesse was limited.  The food was disappointing.  Strange chicken curry, rice, chips and a rather odd vegetarian chickpea-and-pasta-tomato-paste.  I don’t think the chef intended the pasta to turn into wallpaper paste, but the end result was a carbohydrate overload.  I know that the Counting House catering team can do better as they have laid on Orange Food before.  I had to come home and have an oatcake.

It was twenty years ago today …

Wednesday 14th January

IET Royal Institute

We’ve all seen the Royal Institute Faraday on the telly.  It’s the one where a load of children ooh and aah about flashy science.  It’s sort of famous in its own, quaint, way.

Well, let me tell you: it ain’t half uncomfortable.  Tonight’s little pontificum featured a splendid panel of experts.  We had a couple of Big4 consultants, someone who works in Government and a business bloke.  I presume that the Big4 are still enforcing “public speaking” in their staff non-billable objectives:  there’s money in the old infosec rope.  The Department for Business and Something Assistant Director gave a good overview of the Government’s Cyber Security Essentials, though it probably covered old ground for some.  She gave an impressive list of her credentials in her introduction; I’m not sure exactly what an Assistant Director does, but it certainly sounded good.  The chap from the railway told us how information is important and how it’s important to secure it.  Can’t say I envy him much.

  • CHRIS POTTER, Partner at PwC (co-author of the UK government survey on information security breaches over the last 15 years),
  • ORLA MACRAE, Assistant Director of Cyber Security at BIS (The Department for Business Innovation and Skills);
  • PETER GIBBONS B.E.M, Head of Cyber Security at Network Rail
  • RICHARD HORNE, Cyber Security Partner at PwC UK

The usual self-aggrandising audience questions, lightened by the observation from one individual questioning the veracity of some of the statistics relayed by the Big4 chaps, who had the good grace to admit to their failings and to claim that it was intentional, but not misleading.

The room seemed pretty full, a couple of hundred of the old guard British Computer Society types along with some younger chaps talking about how much code they’d written.  Nice.

But what about the nosh?  Unusually the pre-speaking scran was better than the after-event.  We had lovely little pastries, all sugar and fat with teas of course.  Afterwards we were given wine with peanuts which left me feeling a little deflated.

Gartner Security Summit 2014

Gartner Security and Risk Management Summit 2014
8-9 September 2014
http://www.gartner.com/technology/summits/emea/security/

I went so you don’t have to and put the photos on facething

Excellent two days with the geeks-in-suits.  At least two presenters referred to Gartner analysts as “cats” as in “herding”.  Something about them being independent types who don’t like to be told what to do.

It’s quite a full-on couple of days with minimal free time:  perhaps a few minutes between the teas.

We started with key points about your policy: “Why Your Policy is Broken and How You Can Fix It” by Jay Heiser.  Jay explained the benefit of structure.

Mr Bonner in a tinfoil hat


At BSides

Anti-spam for the CISO

We had a flurry of spam messages get through the mail scrubbers.  The natural response is that the cyber security team should deal with it.

But, despite vendors selling to the CISO, is spam a CISO issue?

These people think it is

But I am not sure.

Why it is:

  • Er, it’s IT and it needs to be stopped.  Securely

Why it is not

  • Spam, per se, does not affect the integrity of your systems
  • Spam, per se, does not affect the availability of your systems
  • Spam, per se, does not affect the confidentiality of your systems

The effect of someone clicking on a dodgy link might well be a compromise to your information.  The disclosure of personal details might be a security incident.

But the anti-spam engine not working:  is that really a CISO matter?

ISO 27001 Grinds On

What’s the first step?

  • Create the manual
  • Create the scope
  • Create the SOA

Write the policies.  There has to be a minimum set.  Here are ones that worked.

  • Information security policy
  • Acceptable use policy
  • Clear desk policy
  • Data policy
  • Password policy
  • Management committee terms of reference
  • System and Asset security procedure
  • Risk assessment procedure
  • Information classification procedure
  • Incident reporting procedure
  • Audit procedure
  • Legislation procedure

And then it’s just the evidence


Beware the Cloud Subpoena

Cloud’s great, it’s easy and it’s secure … right?

Well, probably, ish. One of the issues that we need to consider is that a competitor could subpoena your cloud service provider to hand your data over to them.  Perhaps your competitor thinks you are breaking a law in their country. Perhaps your competitor can bribe their country’s courts.

Many companies use Salesforce to store highly confidential information. This information is non-privileged and is discoverable. Rule 26 of the Federal Rules of Civil Procedure could be used to disclose information to competitors.

Salesforce say that they will comply with any legal request … 

if we are required to disclose your information by subpoena or in any other due process of law by a properly authorized government agency we would have no other choice but to fully comply

You need to check your contract to see if Salesforce will tell you about it.  Normally they will.

Here’s what Facebook do:

http://www.zdnet.com/blog/facebook/heres-what-facebook-sends-the-cops-in-response-to-a-subpoena/11528

The likelihood of a competitor requesting your data is probably pretty low:  most other companies have the same risk.  The first time it happens, I suspect Salesforce’s business model falls. It’s high impact though.

To mitigate this risk:

  • Decide if you can accept the risk of a competitor getting a court order to disclose your data
  • Determine if there is anything in the contract where Salesforce will give you the opportunity to challenge the request.

The financial advantages outweigh the risks … so continue to use it, but monitor.