The anatomy of risk assessment: Prelude

When you’re lost for words, it is the past masters who show their perennial relevance. Plato once said: “Human behaviour flows from three main sources: desire, emotion, and knowledge.”

We thought that a rather brilliant definition of what it is to be human, which is to say, the quality of existing that separates us from the rest of the animals. It is by no means an absolute description, but one which is fairly comprehensive. In its terse composition, it manages to say a lot in but a handful of words.

“I’m not going to talk about checklists, compliance standards or the things you must assess… you can all go out and buy books for that,” said Thom Langford, senior manager, Global Security Office, Sapient, as he opened his presentation at the latest RANT forum in London last month. Here he abandoned technical jargon in favour of something more human; a fitting embodiment of Plato’s succinct thoughts on humanism.

Entitled the Anatomy of a Risk Assessment, Mr Langford stuck to his guns, delivering a talk that was not conventional at all. It was a breath of fresh air, engaging and most of all, as an antithesis of the textbook approach – very perceptive in its scope. In using the human body as an analogy of risk assessment, he was able to articulate ideas, observations and suggestions in a dynamic way.

As a slight aside from the topic at hand, can we just say that this is an approach we really admire. There is a body of educational philosophy that concerns itself with the need for more creativity in academic life – from pre-school right through to adult learning – which leads to and engenders a much more engaging environment. Mr Langford was exemplary of this.

Anyway, the structure of the talk was based on the constituent parts of the human body. The association of the two – that is the cadaver and the risk management sector – is, we think, a new one. Who else has thought to analogise the feet to an audit’s purpose? Or for the eyes to be used as a way to describe the importance of being vigilant from as soon as a risk assessment begins?

For those of you involved in risk assessments, there’s a lot that can be derived from this presentation in terms of delivery. For example, let’s say you’re tasked with a new client and you’re brainstorming ideas as to the approach you’re going to take. We accept that in some instances you will have certain templates and structures in place that allow you to answer questions effectively and efficiently. Brilliant; we’re not knocking this, but pause for a moment and allow yourself to think outside of the box. How else can you deliver the same high standards, but in a way that is more engaging for both you and your client? It doesn’t have to result in a clear-cut answer – that might come later. The merit is in allowing yourself to be innovative.

There’s a video of the talk online, where you can see for yourself Mr Langford’s foray into the anatomy of this continually evolving branch of work, which is advised viewing. Complementing that will be the second part of this blog, which will, to lend a metaphor from the medical world, get beneath the flesh of some of the central ideas put across. In the meantime, we do hope you enjoy this thoroughly comprehensive and brilliant way of looking at risk assessment.

Big Four Information Consultancy roles for the taking

Defining a manager is a difficult thing. The Oxford English Dictionary describes it as being a “person responsible for controlling or administering an organisation and/or group of staff”. We wouldn’t disagree with that description, but it perhaps doesn’t tell the whole story.

We particularly like the quote from Frederick W Smith, founder, chairman, and chief executive officer of FedEx, who said: “A manager is not a person who can do the work better than his men; he is a person who can get his men to do the work better than he can.”

Not bad eh? Responsibility, of course, is inherent in this position, as is leadership. A manager is much more than just a chief; s/he is an integral cog that keeps things steady while simultaneously charging ahead into the unknown. Hard work and management go hand in hand but so too does success and a feeling of ownership.

There are a couple of management jobs that have popped up on our radar that we thought we would direct your way. They are both in risk assurance, one of the most dynamic and versatile industries going.

Both require a sound grasp of risk management, which they are able to modify to adapt to fit particular client briefs. As such, strategies that identify, assess, prioritise and solve risk problems are bespoke. Good managers know that no one solution fits every box.

As ever, these management positions demand a depth of skill and expertise, so that the successful candidate can take charge and hit the ground running. Take the Risk Assurance Senior Manager position: the employer is looking for a candidate who not only has financial services experience, but is also capable of delivering complex engagements.

For the other role as a Risk Assurance Manager, what is desired is someone who can help identify clients who need help in developing their risk assessment plans, which involves establishing what these risks are, how to evaluate their level of threat, how to design controls to minimise their threat and how to put in place monitoring systems to ensure they do their job.

Even though he was speaking in the 19th century, Samuel Wilson, a US meat-packer whose name inspired the national personification of the country’s government – Uncle Sam – made a very astute comment.

“As population susceptibilities are better understood, we will be in a better position than we are in today to make informed decisions about risk management,” he said.

Many years on, a job in risk management is one of the most exciting around, with a body of knowledge to boot. Be part of the generation that takes it forward. Be a manager that matters.

The new orthodoxy: Bring your own device

Even the most cynical of us are susceptible to advertising and foolhardy followers of certain brands. We’d like to think we’re immune to this, that we’re individualistic, capricious and that we choose our own paths. No sir, not the case.

Take for example baked beans. Now we’re not one to product place, but Heinz Beanz is a really rather tasty variety of beans. Some of us swear by it, even if we’ve never tasted the alternatives. I guess it’s just human nature; we have an experience and that becomes the defacto expectation.

In much the same way, brand identity has permeated the technology we use in a personal capacity. Traditionalists might swear by Dell (and Microsoft) while creative types opt for the coolness of Apple (and Mac OS X) instead. Generalisations, yes, but the fidelity towards a name, product or company is true. We like what we like.

In an age typified by daily change, the biggest shake-up in human activity has been the division between work and leisure time. The boundary has been blurred, bringing with it a shaky balance of both positives and negatives. A downside is working longer hours and eroding any sense of pure relaxation. A positive is that of flexible working that allows us to spend more time at home, looking after children or carrying out errands that otherwise would have been impossible.

Lately, the concept of ‘bring your own device’ (BYOD) has begun to take on a life of its own as companies scrap previously longstanding ways of operating. BYOD is self-explanatory: employees bring their own devices into the workplace and/or operate from them remotely. It is characterised by movement, and typically the devices are portable (laptops, netbooks, tablets and smartphones).

It’s a win-win for both employer and employee. Employees get to work from devices which they both like and are most efficient on – brand loyalty at its best – while the employer saves money on purchasing the technology, troubleshooting, repairs and having to update machinery and software on a fairly regular basis.

As great as it is – and we are supportive of this flexible style of working – there are inherent problems attached to BYOD. Principally, as those involved in our industry will attest, the security issues are plenty. With a plethora of devices native to any given organisation, the ability to provide appropriate data protection and security in a uniform way becomes a challenge.

Every device and operating system is not only distinct in itself, but they also come with their own divergent vulnerabilities and malware. This leads to a complex array of networks which are difficult to monitor and keep protected.

We’re only just beginning to realise the scale of the problem, with many businesses now catching up to the issues that can arise – i.e. protecting the company’s network and data when employees need access from their privately owned devices.

Not to mention the issues that employees may have around giving up their device’s storage to work, sacrificing monthly data allowance and battery life. Device tracking is also an issue, because the device can be location-tracked by the company at any time.

One expert, Graeme Batsman, director of Datadefender.co.uk, has put forward an idea of an automated approach (this allows for port and device control, while being capable of remotely locking or deleting data). It’s a good idea, and a suitable start, but as BYOD becomes more commonplace, more solutions will need to arise. After all, the more we get used to enjoying working on our preferred technological machinery, the better our work productivity will become – businesses don’t want to lose out on that.

The attraction of contract working: Part Two

Our last post was a sort of preamble to contract working, putting its arrival in the modern world as a way of working against a wider historical context, of how work patterns and behaviours, expectations and attitudes have changed as the world has opened up. The continents of the planet may no longer be together as they once were – Pangaea (the supercontinent) existed some 300 million years ago – but we are, as a species, more connected than ever before. All thanks to globalisation.

This blog will discuss the pros and cons of contract work – often described as fixed-term employment (worth knowing, as some jobs are advertised as such) – in more detail.

Before we go into that, just one more point about contract work: a contract will usually include a full brief of the work required, responsibilities, the period of time in which the job is expected to be completed, how money is arranged (lump sum, in stages, and expenses) and the relevant contacts.

Pros

Let’s not waste any time hiding behind that subject matter that most people find uncomfortable bringing up: money. Contract workers, especially those in Information Security Roles, tend to have reasonably high day rates. However, it is worth noting that although such rates are sizeable, all self-employed people have to be aware that this includes “future taxes” payable after you’ve submitted your returns.

Flexibility is another major draw. Although specific contracts will have particular deadlines and requirements, in general, as in the case of being self-employed, contract workers can work to their own timetable. Equally, they can choose how much work they want to take up. You are, so to speak, your own boss.

Being a contract worker opens you up to a number of businesses and organisations and gets your name established. The more contracts an IT security professional does, the more people he gets to know, and likewise, employers are able to identify candidates they would like to hire again for future jobs. Hence, being a contract worker offers professionals an opportunity to network, albeit subtly. Talk about perks of the job!

Cons

There can be the assumption from outsiders looking in that contract work is a “swell gig”, and indeed it is, but, as any self-employed person can testify, it requires people to be superbly organised in the way they go about working.

For example, contracts are fixed, after which, you can find yourself without work. In full knowledge of this, contract workers have to plan ahead and secure work before a start date. This way of operating has to be consistent if professionals want to keep working (although naturally we assume you will factor in your own holidays).

You lose out on some of the benefits that can (though not universally) come with regular jobs – pensions, medical care, career progression. The lack of such things and its impact varies from individual to individual. The pros can, for example, far outweigh the cons.

And so there we are…contract work. It is as much a way of living as it is working. It’s not everyone’s cup of tea, but for those who swear by it, it can be a very rewarding and fun way to work. Isn’t that the dream?

The attraction of contract working: Part One

Contract work is, these days, a growing phenomenon. More people than ever before, especially in the Information Security industry, are considering shifting to this unique style of working. And it appeals to both individuals and organisations, principally because it is a flexible, easy and productive way of working.

So just what is contract work? Although there is no fixed, universal definition, it can perhaps be best described as being an agreement between an organisation and individual to hire that said person for a finite amount of time – variable to the specifics of the contract of course. It’s that basic. It can either be long-term or short-term. In the context of our field of work, it is understandably a popular way of working.

The best way in to this kind of work is to sign up with an established agency that has a history of success in this field. The benefits are palpable. As specialists with knowledge and experience of our business, agencies have the knack, the resources and contacts to make highly-focused contract work a reality.

For example, let’s say you are a CLAS consultant with current DV Clearance. An agency can, on talking with you and going through your CV – which, by its nature, means detailing your skills and work history – filter out irrelevant contracts and narrow down potential clients that might appeal to you. Moreover, having developed relationships with such organisations, they will be able to best assess whether your appointment will be a productive one for both you and the client. The end result is a harmonious working relationship that leaves everyone smiling.

The development in contract work can be seen as a natural by-product of a globalised world and how, every day, it is impacting on the ways in which human beings organise themselves with regards to work. It’s all post-industrialisation, chiefly post-World War Two.

Whereas 9-5 has long held the post as the most natural and sensible way of working, the more connected nations became with one another, in terms of trade and communications, the more it began to impact on how various organisations, companies and buildings came to work with one another. 9-5 began to feel too rigid, when, for example, your customer operated in India. India is five and a half hours ahead.

Consequently, habits and longstanding ideas, once deeply entrenched, began to transform. Hours changed, flexi-time was introduced, and people worked and finished earlier (8-4) or worked later (1-4). Others realised that some jobs were superfluous to their operations and staff rosters were streamlined. It wasn’t all fun: it meant making difficult decisions and it meant people were made redundant. To be blunt, it was collateral. Contract working and indeed flexible working – the big buzz of the moment – emerged.

Some things never change: Part two

If you haven’t been hiding in a cave this month or guiltily watching Celebrity Big Brother – testament to the saying “it ain’t over till it’s over” – you’ll have been hooked by two major stories that have emerged: one is Wikipedia’s one-day blanket blockade of its English-language content and the other is the somewhat dramatic shutdown of Megaupload.com.

Although we plan on discussing both of these respective stories in upcoming blogs, it is worth mentioning them within the context of this blog. The outcome of the Stop Online Piracy Act and the case against Megaupload.com will have an impact on our industry, with particular regards to how professionals in our industry operate online as well as how fraudsters are able to navigate the world wide web. Some things will never change, that much is true, but if the parameters in which they exist transform, well, the arena no longer is the same.

This could be a theme this year – taking the old and making it new. Ash Patel, Stonesoft’s country manager for the UK and Ireland, figures that hackers will be entering a more sophisticated age in the way they go about their criminal business. It’s not a different way of operating per se, just a more developed way of carrying out operations. The sentiment is shared by Graeme Batsman, director of Data Defender, who believes this increased refinement of methodology will lead to greater problems.

“At present we are at stage two and three,” he said.

“[Stage one is the] intent to infect computers and wreak havoc. [Stage two is for] monetary aim – cyber gangs are based in various countries and some even take credit cards to ‘remove’ viruses or give you ‘protection’.”

Stage three, he added, is state-sponsored cyber attacks, which target both state and defence contractors. What is most worrying is the scale of such attacks – prolific like a dazzling in-season footballer at the prime of his career.

While we’re used to this in our business, the workload is set to become a lot harder, creativity is going to be pushed to the limit and our capacity to react to situations in a cool and efficient manner will be more important than ever. In short, we’re going to have to maintain the quality of our work and step it up a gear.

Which is why, according to Stonesoft and Amichai Shulman, chief technology officer and co-founder of Imperva, 2012 will be a year where there will be more policing of online activity than ever before. The message to criminals is “we know you’re out there, so hear us loud and clear – we will find you and punish you accordingly”.

It’s a move in the right direction, recognising that as we move to a world that is deeply embedded in a digital landscape, crimes committed within this virtual environment should be one) monitored and regulated to a degree similar to that of the real world and two) those found guilty of crimes within this interface should be punished as they would outside of it.

As we said above, although some things will never change, the world in which cyber criminals and security professionals exist, keeps on evolving. If we accept that, we’ll be alright.

Something phishy is going on in Facebook

What would a world be like without Facebook? The mere question sends an icy shudder down our collective spines. It has become so embedded not only in our personal lives, but has rooted itself into the identity of different facets of society. From political parties to charities to big corporate giants, Facebook has become integral to their message.

Of course there are other social networking sites out there, all of which are user-friendly, engaging and full of interesting features – note, Google recently revealed that its own social offering, Google+, now has 90 million registered users – but none of them have had the same impact as Facebook. Heck, it even got made into a movie and a very good one at that too.

This all adds up to making Facebook particularly vulnerable to exploitation and cyber attacks. With that many people connected and overly candid about their private lives, perceptive criminals have been able to, for example, break into homes, steal identities and gain access to bank details. The worrying thing is that this openness is a sign of the age.

“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people – and that social norm is just something that has evolved over time,” Mark Zuckerberg, the co-creator of Facebook once said.

One thing to be aware of this year is a new phishing scam unique to the social networking site. The basic premise is that fraudsters are posing as Facebook security in chats. David Jacoby, a Kaspersky Lab expert, warns that these scammers are attempting to steal not only identities, but credit card information and security questions. Moreover, the move highlights a new approach to phishing.

“This Facebook phishing attack is pretty interesting because it does not just try to trick the victim into visiting a phishing website,” he wrote. “It will reuse the stolen information and login to the compromised account and change both profile picture and name.”

Once an account has been hijacked, the profile is modified and all contacts are sent a message warning them that their account will be deactivated. It asks people to click a link which redirects them to a sham Facebook page where it asks for key login details. After which comes the ‘juicy bit’ asking for credit card details (including your security code).

Not only is it all so sophisticated, it exudes authenticity. This scam and others like it showcase the product of, dare we say it, extensive research and hard labour. The disturbing thing is that they’re becoming more popular, and unfortunately capturing people off-guard.

Although Facebook is fully aware of the security threats it faces on a daily basis – “We have spent several years developing protections to stop spam from spreading and have sought to cooperate with other industry leaders to keep users and their data safe,” it said in a recent statement – more needs to be done to educate users about how to keep their data and personal information secure. We as professionals can do our best to develop strategies to negate the impact of such scams, but to truly succeed, we need vigilance from those outside of the industry as well. Together we can make Facebook a virtual home as comfortable as that of our tangible abodes.

Some things never change: Part One

The New Year doesn’t necessarily mean change. It becomes accepted wisdom that once the seconds begin ticking away past midnight on January 1st, things are suddenly different. That the world changes. That we change. If you really look at it hard it’s just a symbolic act. Time, as we know, is relative. Nothing is absolute and some things never do change.

We were thinking about this, back in the office after a well-earned break – though security professionals will know that in our industry we find it hard to switch off our respective gadgets full stop, let alone for Christmas. In particular, the topic of conversation was the continuing persistence of security threats to the information security & risk management sector.

Now, although this is an area we would like to see undergo dramatic change, namely a reduction in the amount of illicit behaviour that goes on – the eradication of it being wishful thinking perhaps – the sad truth is that security threats, on a huge scale, will continue to pose a challenge to everyone.

Hence the importance of what people like yourself do – be that working in government & compliance, in cyber security, or as an ethical hacker. Our work is inherently valuable to the fabric of society, to a degree that is not that well understood. Like Batman, we don’t do what we do for the applause (though respect from our peers is always welcome). We do it because we believe in our work.

So, what should we be looking out for in 2012? A simple glance backwards helps identify three continuing strands: drive-by downloads, mobile malware and shopping security. With the latter, it’s the authenticity of fraudulent websites that was and will continue to be a big problem. Bogus shopping sites look the part.

With regards to mobile malware, smartphones and tablets, the fashionable choice these days, are open to attacks not necessarily because of a lack of protection out there, but because many consumers are one) not so au fait with security systems, two) unaware of how open their devices are to corruption and three) quite nonchalant about it all.

Drive-by downloads, a somewhat exotic catchphrase, saw a sizeable increase in 2011. They can occur in three ways – downloaded by a user but without full knowledge as to what the implications are; downloaded without any knowledge; and the download of a virus, again without knowledge. Once downloaded, a website is “hijacked” and its users are susceptible to being targeted. This is one to watch out for in particular this year.

Part two will follow soon, but in the meantime, think about your own experiences as to what you saw over the course of the last 12 months and how that was similar and dissimilar to the previous year and the one before that. Post a comment below and we’ll see what trends we can identify. Some things never change, but then again, the world is full of surprises. Humans are always capable of producing new concepts, ideas and software…good and bad.

A new year, a new you and a new opportunity

At the start of a new year there is a certain impulse to start afresh. Not so much from square one, that would be quite absurd, but from a certain, how can we put it, stage in one’s life? So, as is customary, one will choose to go on a diet after a period of indulgence, we will promise to be more charitable (something we do more the older we get, some research suggests) and we’ll give our jobs some deliberation.

With the latter, this is very much a characteristic trend in workplaces up and down the UK, of which our business, the Information security industry, is not exempt. It’s not that we lament our current role – though that can certainly be the case – more that we have a psychological impulse to consider change, to mull over how we can progress in our careers.

“A key issue to consider is whether you will feel more motivated and rewarded by seeking a new challenge in your current role or company than risking a move in uncertain economic times,” John Salt, director of Totaljobs.com, told the Telegraph recently.

“Remember competition for jobs has never been more fierce so if you are going to move companies be certain the role you want is available and you can clearly show why you should get it.”

His thoughts are most astute – this is a challenging time, regardless of where you work and who you work for. Indeed, some of you reading may well be in the unfortunate position of being unemployed. It’s not that you’re without skills or experience, or the lack of impetus to find work. Whether you’re a professional in cyber security, information security or risk management, the current economic environment makes finding work, well, harder than ever before. There are jobs; it’s just that a lot more people are fighting for them.

Companies are also on the lookout for new staff in 2012 and are adopting exciting ways of advertising positions. Take for example an offer of a job for the position of Senior Network Design and Implementation Engineer. The salary is £70,000 to £90,000 (based on experience). The location is London. The client “designs, implements and manages complex IT infrastructures and platforms where it is critical to the customer that their infrastructure has the maximum possible availability”.

So far so good, yes? Well there’s more. If you yourself possess the skills that suit this excellent job, or perhaps know of colleagues, friends and/or associates who would suit this position, then you can bag yourself a cool £500 referral fee (so long as that person is chosen). Not bad eh?

If it piques your interest, the details follow:

The ideal candidate will require the following skills:

  • Significant experience with Checkpoint/Cisco firewalls and some exposure to switch and load balancer configuration gained in a customer-facing business
  • Strong design knowledge and experience of network and security solutions
  • Strong implementation experience of network and security design solutions
  • Strong communication skills and client-facing experience

The client lists as responsibilities “design, configuration, implementation of all elements of the managed Network Security service”.

For more information contact James Foster on 020 7510 9042 or email jfoster@acumin.co.uk

A New Year, a new you, a possible new career (or for a good friend of yours) and £500 to celebrate with…it could possibly be the start to a great 2012.

The threat to modern vehicles in the digital age

The German Karl Benz is the man who invented the modern car. Starting a blog with such a statement is bound to provoke some criticism because it can be easily argued that he wasn’t. For example, Ferdinand Verbiest, a Flemish Jesuit missionary from the 17th century is a legitimate contender as the modern car’s founding father. You can go even further back and make the case that Guido da Vigevano, an Italian inventor came up with the original concept in the 14th century.

Whatever your sentiments, from wind powered four-wheeled devices to engine-powered open top vehicles like the Benz Velo Model to today’s computer-powered behemoths, the evolution of the car has been unpredictable.

For computers to have ever been associated with vehicles in the way they are today would have been thought unimaginable, both from a technical and an aesthetic point of view. But normal laws do not bind technology, so to speak – it develops in a fashion that is often hard to predict. Where will we be in 20 years’ time? We can estimate, but chances are it’ll be different.

“We are living in a world of incredible modern conveniences,” begins McAfee’s 2011 report Caution: Malware Ahead – An analysis of emerging risks in automotive system security.

“Computer chips, embedded in all aspects of our daily lives, have made it possible to have access to all kinds of information when and where we need it. Through internet protocols, these once dumb devices can now communicate with you and with each other in amazing, unprecedented ways.”

The report goes on to discuss embedded systems and how historically information would only travel in one direction. Today it’s a two-way structure and these systems have become part of the very fabric of modern motors.

Consequently, they need security measures, which by natural deduction, implies they can be hacked into. It’s an unfortunate by-product of an era defined by gadgets, technology, the digitalisation of all sectors and the want to be connected. Convenience too is a big driver – pardon the pun – in the technological modifications made to cars.

We want to have the ability to start up a car using a smartphone, to have GPS systems integrated and hooked up to the web to provide ongoing, real-time updates and for our cars to have intuitive programmes that can respond to incidents quicker than us. What we want is what we get.

The worry, McAfee’s report states, is that little has really been done to provide security to these mod cons. When someone else can control your car, the risks become all too clear.

“The first remote keyless entry systems did not implement any security and were easily compromised: a regular learning universal remote control for consumer electronics was able to record the key signal and replay it at a later time,” the report says.

Security professionals working in information security and risk management will agree that these kinds of shortcomings need addressing. Indeed, as research has categorically pointed out, this allows for malicious software and hardware manipulation to become a regular feature of car crime and car theft.
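To make the report’s point about replayable key fobs concrete, here is an added simulation (not from the McAfee report or this blog) contrasting a fixed-code receiver, which accepts a recorded frame again, with a counter-based rolling-code receiver that rejects stale or tampered frames. The fob identifier, shared key, frame layout and window size are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo values (not from any real keyless-entry product).
FOB_ID = b"demo-fob-0001"
SHARED_KEY = b"constructed-shared-secret"


class FixedCodeFob:
    """Early-style fob: every press transmits the same static code."""
    def __init__(self, code):
        self.code = code

    def press(self):
        return self.code


class FixedCodeReceiver:
    """Unlocks whenever the received frame equals the stored code, so a
    recorded frame is as good as the fob itself."""
    def __init__(self, code):
        self.code = code

    def receive(self, frame):
        return hmac.compare_digest(frame, self.code)


class RollingCodeFob:
    """Transmits counter || HMAC-SHA256(key, fob_id || counter).
    The counter increments on every press, so no two frames repeat."""
    def __init__(self, key, fob_id):
        self.key = key
        self.fob_id = fob_id
        self.counter = 0

    def press(self):
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, self.fob_id + ctr, hashlib.sha256).digest()
        return ctr + tag


class RollingCodeReceiver:
    """Accepts a frame only if its counter is newer than the last accepted
    one (within a resync window for presses made out of range) and its MAC
    verifies under the shared key."""
    def __init__(self, key, fob_id, window=16):
        self.key = key
        self.fob_id = fob_id
        self.last_counter = 0
        self.window = window

    def receive(self, frame):
        if len(frame) != 4 + 32:
            return False
        ctr_bytes, tag = frame[:4], frame[4:]
        ctr = int.from_bytes(ctr_bytes, "big")
        # Freshness check: a replayed frame carries an already-used counter.
        if not (self.last_counter < ctr <= self.last_counter + self.window):
            return False
        expected = hmac.new(self.key, self.fob_id + ctr_bytes, hashlib.sha256).digest()
        # Integrity check: the tag binds the counter to this fob and key.
        if not hmac.compare_digest(tag, expected):
            return False
        self.last_counter = ctr
        return True


def replay_against_fixed_code():
    """Returns (first press accepted, recorded frame accepted again)."""
    code = secrets.token_bytes(8)
    fob, car = FixedCodeFob(code), FixedCodeReceiver(code)
    recorded = fob.press()
    return car.receive(recorded), car.receive(recorded)


def replay_against_rolling_code():
    """Returns (first press accepted, replay accepted, next press accepted)."""
    fob = RollingCodeFob(SHARED_KEY, FOB_ID)
    car = RollingCodeReceiver(SHARED_KEY, FOB_ID)
    recorded = fob.press()
    first = car.receive(recorded)
    replayed = car.receive(recorded)        # stale counter -> rejected
    next_press = car.receive(fob.press())   # fresh counter -> accepted
    return first, replayed, next_press


def tampered_frame_rejected():
    """A frame with a flipped tag bit must fail the MAC check."""
    fob = RollingCodeFob(SHARED_KEY, FOB_ID)
    car = RollingCodeReceiver(SHARED_KEY, FOB_ID)
    frame = bytearray(fob.press())
    frame[-1] ^= 0x01
    return not car.receive(bytes(frame))


if __name__ == "__main__":
    print("fixed code:  ", replay_against_fixed_code())     # (True, True)
    print("rolling code:", replay_against_rolling_code())   # (True, False, True)
    print("tampered:    ", tampered_frame_rejected())       # True
```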

It’s a fascinating area that is becoming ever more pressing the more sophisticated cars become, and thus the need to develop complex and secure safety systems to protect vehicles will become a bigger area of responsibility for some cyber security professionals.

Technology has had the ability to transform the one-time, wind powered vehicle into a titan of comfort, entertainment and drivability. Let’s keep it that way with in-car and remote security modernisation now and in the foreseeable future.