Monthly Archives: December 2011

The denial of good conversation

The dissemination of information is something we often take for granted but it hasn’t always been like that. A long time ago, long before computers, the internet and 24-hour interconnectivity, in a pre-digital age, information used to belong to a small group of individuals. Whatever doctrines or ideas they spoke of were held to be the truth – though this didn’t necessarily imply it was accepted as such. History has always had its rebels after all. Nevertheless, large swathes of the population, through illiteracy or poverty, didn’t know any better. And that remained the model for quite a long time.

Today, however, that’s a whole different story – we have more freedom to obtain information than ever before (well, in democracies we do). This greater access to content has been further amplified by the coming together of highly sophisticated digital technologies and the fruition of the internet as a useful medium through which to do, well, everything.

In the security business, how we go about disseminating information – whether it is to do with developments in the industry, job opportunities, networking opportunities – and accessing that information has been a bone of contention for quite a while now.

Remember, a few blogs ago we mentioned the security industry and the lack of definition it can suffer from, for example in job titles. Similar problems can occur in broadcasting, sharing and receiving information. This is something one of our RANTers recognises and spoke about at the last Risk and Network Threat Forum.

“The problem is the mode in which we communicate security awareness to our users is generally very poor,” says Javvad Malik. “We need to be a bit more creative, engaging and genuine in our security awareness efforts,” said Javvad during his 2 minute RANT where we had a Christmas Special of ‘Who’s RANT is it Anyway?’

He’s onto a very good point. Perhaps this information isn’t so much deficient as it is not properly communicated or accessed. The fault can lie in two places – either employees, both longstanding and new, are not aware of where to go to find content, and/or those security professionals holding, for example, training sessions are not putting out details via the correct channels.

What this creates is ambiguity, ignorance – by way of being denied information – and a culture which is far from collaborative, but fractured. Everyone operates within the industry, but in their own hubs, like disparate planets in a solar system with no means of connecting.

It doesn’t have to be this way – in our next blog, we’ll discuss how to foster a communicative culture. Our industry might be predicated on tightening security, but we could do with being more open about how this can be achieved.

Making it along the security highway

How does one succeed in anything, let alone in the information security & risk management industry?

Through CAD?

CAD is, as we understand it, an acronym for computer aided design, which security professionals might agree makes no sense in the context of progressing in their respective careers.

However, here it stands for something altogether different. Simon Hember, Managing Director of Acumin Consulting, recently presented at a well-known conference on the Development of the Information Security Professional, in which he described CAD as:

Clarity – how clear is it in your own mind what it is you want to achieve?

Awareness – is your currency as a professional valuable?

Direction – are you positive that you are heading in the right direction?

Who would have thought that three simple words, backed by three relatively straightforward questions, could be used to weigh up what it is you do in life?

In an age of uncertainty – general economic malaise and the so-called crisis of capitalism – these words take on an ever greater significance.

As security professionals, whether working in forensics, cyber security or ethical hacking, to name but a few, the choices you make now can have a real lasting impact, for good and for bad.

One of the biggest realisations for such individuals is the pace of change affecting our industry. The choices you make – and indeed, the choices you can make – are affected by what is going on.

In the space of 30 years, we have gone from the introduction of ARPAnet (1969) to the creation of the first computer worm (1979) to the first computer virus (1983) to the invention of the web (1989) to 51 million people globally banking online (2008).

What this highlights is the continuous and in some cases unpredictable changes that affect the industry but also the dualistic quality of things. With every bit of progress – ARPAnet and the web – there’s always an underbelly of wickedness – computer worm and virus respectively. That hasn’t changed – it never will.

As such, you as a professional have never been so in demand. Sure, job opportunities will increase, but so too will the competition for securing high-quality, career-defining jobs. The kind of work you can look back on with fondness when you retire. “I did some good,” you’ll say reflectively.

Consequently, CAD becomes a part of your philosophy that ensures you know what you’re doing and that you stand out. It’s getting tougher.

“Back in the late 90s when we started recruiting in information security you folks were a scarce commodity,” said Mr Hember.

“You only had to have the word security on your CV and employers were queuing up to hire you. As times have changed, this is not so special anymore.”

Which is not to say pack up your bags and exit the building – it’s a wake-up call to take control of your career. Of your destiny, if you want hyperbole. In our next blog we discuss how you can start to do this, but for now, a quote to meditate on, from the classic sci-fi movie Terminator 2: Judgement Day.

“The future is not set. There is no fate but what we make for ourselves.”

A lack of definition denying organisations top professionals

When one cannot define something it poses a problem of sorts. Without definition, which would suggest clarity, boundary and form, something which is indefinite is, by its nature, vague, ambiguous and hazy.

While this may sound obvious, it is said in response to some reading we came across recently. A report from the Government Accountability Office (GAO) revealed that various federal organisations in the US were, to all intents and purposes, in the dark as to how many people they had under their wing with regard to cyber security. A lack of definition at this level as to what constitutes a cyber security workforce is most worrying indeed.

“With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cyber security workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council and National Institute of Standards and Technology,” the report stated.

“Agencies reported challenges in filling highly technical positions, challenges due to the length and complexity of the federal hiring process, and discrepancies in compensation across agencies.”

Let us reiterate the problem here – technically these federal agencies, including the US Department of Defense, are unable to put an exact figure on the number of people they employ in matters pertaining to cyber security.

What it highlights is the need for lucidity in defining how security of this kind fits into any organisation working in information security & risk management. Is it a departmental thing? Is it integrated into other positions?

These things need to be known not just for the sake of making things clear, but to ensure that important facets of an organisation are visible. In matters of national security for example, knowing ‘what is what’ so to speak is essential in maintaining an effective level of professionalism.

Furthermore, not knowing or not having a dedicated cyber security team and/or framework can be – and is – a massive hindrance, firstly to progressing as an outfit in terms of skill development and acquisition of knowledge, and secondly a colossal barrier to developing a focused workforce. How can, for example, professionals and experts in fields like forensics or ethical hacking apply for positions in relevant organisations?

This in itself is a misleading predicament because, while there actually are jobs out there, they are, ironically, hidden in a swathe of unintentional encryption. Though this report focused on the US, the problems it identifies are nonetheless universal. When such failures lead to a shortage of staff whose skills are needed, a lack of definition, as we stated from the outset, does pose a problem of sorts. A big problem, we’re sure you would agree.

That old new

It’s always the case that the latest gadget, fad, instrument of innovation, touted as being brand new and state-of-the-art, is, technically, if we are to be a bit pedantic about it, ‘old’.

It may appear to be an anomalous statement, because, if we take the iPad 2, when it first came out, it was indeed the latest iteration of what is surely going to be a longstanding series of products. It was ‘as new as new can be’.

But, if we take a wider look at the picture, the technology used in developing the multimedia tablet, the blueprint for its design, the research and testing of it, occurred well ahead of that.

A prototype would no doubt have been in place months before its release, if not a final product. Professionals working in the information security & risk management industries will no doubt agree that real-world perceptions of time are not what they seem. We’re either behind or kept in the dark. Not maliciously, mind you; it’s just a fact of how life is.

So, it gives context as to why the government’s intelligence agency GCHQ, laden with expertise and knowledge and technical savvy, keeps information about its operations hidden, encrypted if we want to use our language. National security is, of course, a very pressing matter. The more people know about any given subject the wider the likelihood of its dissemination when the opposite is desired.

However, judging the time to be apt, GCHQ has decided to share such information and technology with various businesses, as it seeks to adopt a more collaborative – open source, if you will – approach in the fight against cybercrime.

As the BBC notes, as well as being a routine exercise in promoting better security, the decision is also economic. Internet business generates about six per cent of the UK’s GDP. To give that figure more weight, it outstrips agriculture or utilities.

On a more relevant note to those of us working in and around cyber security, this greater access to information will help many people develop defences against the surreptitious threat posed by criminals operating in the virtual landscape. It’s up there on a level with international terrorism so the BBC story reads.

That we can appreciate, and we wait with bated breath to see what fascinating developments have been made. And with that information we will develop our own solutions, independently and collaboratively, or at least discuss them at events like the RANT forum each month.

So, though that information may in fact be ‘second-hand’, what we do with it, is new. Magic, no?


Be the muscle for the digital age

Neelie Kroes, European commissioner for digital agenda, said in a speech recently to the European Parliament Committee on Industry, Research and Energy that her ambition is to “reinforce” the European Network and Information Security Agency (Enisa) as the world moves to even greater connectivity. Globalisation in a trade sense of the word was step one of two of making the world a smaller place. The digital age is step two. To add a bit of magniloquence to the blog, the revolution to bring humanity together is on the precipice of being achieved. World peace will be the final chapter to that story.

Anyway, that’s a digression. Ms Kroes outlined two ways in which this can be achieved.

“First, ENISA must be able to attract and to retain the very best IT security experts in Europe. Second, ENISA staff and stakeholders must have the best conditions for networking. This is essential for the Agency to carry out its mission successfully,” she told colleagues in Brussels.

What her comments highlight is the simple fact that this is an important age for professionals operating in governance & compliance and the information security & risk management industries and all affiliated sectors. What she wants is for robust defence mechanisms to be in place by 2015, which experts like yourself can help make a reality. The European Commission wants digital security to be more “muscular”, language which suggests a move towards being more proactive – swift and thorough reactive approaches are brilliant, but preventative is always preferable to damage limitation.

Interestingly, in her speech Ms Kroes suggested that powerful countries like those in the eurozone, China and, of course, the United States would benefit from working with, cooperating and up-skilling so-called “third” countries – by which we deduce she meant third world/emerging countries.

The truth is, in order to minimise their chances of being caught, punished and reprimanded by the authorities, cyber criminals attempt to lose themselves in a digital and physical maze within these respective countries. Cross-collaboration, the sharing of information and a genuine multi-disciplinary approach have positive outcomes for all stakeholders.

This has already been touched upon in the idea of Pefias – a pan-European framework for electronic information, identification, authentication and signature. Can you contribute to this? What ideas do you have? One place to share your thoughts and ideas is at our monthly RANT event. Be part of the conversation. Be the change Ms Kroes is looking for.

Innovative protection for Android devices

Things move apace and before you know it you’re living and working as an information security & risk management professional in a city from a futuristic Hollywood movie. The kind where you work with documents virtually, scanning them in the open air with your fingers. The kind where everything is voice activated. The kind of world where face recognition technology unlocks doors, cabinets and vaults – digitally and real.

That world, so to speak, is now, or at least we’re on the periphery of a new digital age as imagined many years ago by thinkers, futurologists and philosophers.

In terms of protection, on Android devices specifically, we’re already somewhere exciting. As we discussed in a previous post, the threats to Android smartphones are very real, and threats to cyber security are an ongoing risk which must be met with innovative ideas.

Take for example Google’s new ‘face unlock’ feature on the latest Android devices running Ice Cream Sandwich (4.0), a self-explanatory phone locking system which fundamentally does away with PINs and replaces them with the owner’s face. While it is still in its infancy, it is a system which is yet to be fooled – photos of the owner return a negative response.

Unless you are inclined to get the latest Nexus, however, you won’t yet be privileged to ICS and such features. In the meantime, then, let’s discuss what security measures are out there right now.

One of the most interesting developments is using GPS to track a stolen smartphone and not only remotely trace it, but allow important and sensitive data to be wiped. Consider the free app Remote Phone Lock&Track, which allows you to do a range of things including wiping all internal memory and memory from an SD card, and helps locate the device. HTC have built a similar function into their Sense overlay.

Another free app is the LBE Privacy Guard (root required), which helps negate the weaknesses that come with an open source platform. It works in a similar vein to an interactive firewall, whereby every app you install is thoroughly scanned and then listed by the number and types of permissions it requests – thereby giving you the power to block those which are unnecessary.
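To make the permission-review idea concrete, here is an added example of the same kind of check done offline: it parses each app’s AndroidManifest.xml, lists the permissions requested, flags the sensitive ones and recommends blocking any that the app’s stated purpose does not justify. This is illustrative code written for this post, not LBE Privacy Guard’s own logic; the three manifests, package names and the “justified categories” table are constructed for the example, while the permission names are real android.permission.* identifiers.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real android.permission.* names; the category grouping is our own choice.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messaging",
    "android.permission.SEND_SMS": "messaging",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_PHONE_STATE": "identity",
}

# Constructed sample manifests for three hypothetical apps (not real software).
MANIFESTS = {
    "com.example.flashlight": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>""",
    "com.example.maps": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.maps">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>""",
    "com.example.messenger": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>""",
}

# Categories each app's declared purpose plausibly needs (constructed; a
# reviewer would fill this in from the app's description).
JUSTIFIED = {
    "com.example.flashlight": set(),
    "com.example.maps": {"location"},
    "com.example.messenger": {"messaging", "contacts"},
}


def requested_permissions(manifest_xml):
    """Return the sorted list of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml.strip())
    names = (elem.get(ANDROID_NS + "name") for elem in root.iter("uses-permission"))
    return sorted(n for n in names if n)


def classify(perms):
    """Split the request list into a count, the sensitive subset and categories."""
    sensitive = [p for p in perms if p in SENSITIVE]
    categories = Counter(SENSITIVE[p] for p in sensitive)
    return {"total": len(perms), "sensitive": sensitive, "categories": dict(categories)}


def review(manifests, justified):
    """Per app: permission summary plus the sensitive ones to block."""
    report = {}
    for pkg, xml in manifests.items():
        info = classify(requested_permissions(xml))
        allowed = justified.get(pkg, set())
        info["block"] = sorted(p for p in info["sensitive"] if SENSITIVE[p] not in allowed)
        report[pkg] = info
    return report


def ranked(report):
    """Packages ordered by how many sensitive permissions they request."""
    return sorted(report, key=lambda pkg: (-len(report[pkg]["sensitive"]), pkg))


def run_review():
    return review(MANIFESTS, JUSTIFIED)


if __name__ == "__main__":
    report = run_review()
    for pkg in ranked(report):
        info = report[pkg]
        print(f"{pkg}: {info['total']} requested, {len(info['sensitive'])} sensitive, "
              f"block={info['block']}")
```

The flashlight app is the interesting case: a torch has no business reading contacts, location or phone identity, so all three of its sensitive requests land on the block list, while the maps app’s location request is justified and passes. The review is only as good as the “justified” table, which is exactly the judgement an interactive tool hands back to the user.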

Encryption – a powerful word in information security, forensics and governance. One such platform is WhisperCore, which basically encrypts all the data on your device, so should it go missing you can rest assured that your data is safe. And because WhisperCore integrates with Flashback, you can send your data to the cloud – encrypted.

As with the levels and amounts of threats out there, this is only a brief introduction to the kinds of security measures available to everyone and every business operating off smartphones that run Android. It’s an exciting new age for anyone involved in technology. For every malicious piece of software out there, there’s an equally stringent defence mechanism to counter it.

The battle lines are drawn.

Read more about LBE Privacy Guard and Android security in general in the Acumin white paper: http://www.acumin.co.uk/cm/content/resources/white_papers