Category Archives: Acumin

A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still
effective? And what if there was a way to use the same psychological
pivots attackers use, and improve cyber security? Well, those attending
this month’s RANT Forum in London are about to find out just how to make
that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded
cyber-security expert and a member of the government’s industry advisory
group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will
show how and why they still work. “What I do is look at the psychology
behind these attacks,” he tells the Acumin Blog. “Security is constantly
changing, and it’s difficult at the best of times for CISOs to level the
playing field in a constantly changing threat landscape. It’s a case of
adapt or fail – so I look at why attacks work or don’t work, and at how
that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak
links in an organisation and exploit these to access information: the more
obvious examples include masquerading as executives or colleagues,
relatives or other trusted contacts. But what Coatesworth is more
interested in is the methodologies that underpin these attacks. By unpicking
them and understanding them, he believes infosec professionals can get
ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks
tend to be against personnel with access to sensitive information or with
admin access to systems. Opportunity is key, as well as the time and
effort needed to orchestrate a successful phishing attack. It’s not
one-glove-fits-all, but when you look at the psychology behind how the
attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already,
but probably don’t realise it. “The psychology behind these attacks is all
about marketing and PR,” Coatesworth says. “It’s more in the generalities
than the specifics. They all follow similar proven methods to seduce or
manipulate you to click on that link or download that file. If you
understand these strategies you can use them internally: it’s like a form
of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it and don’t think it
can be done and want to argue about it – then Wednesday’s RANT Forum is
the place to be. Wednesday 25th September, email Gemma on if you would like to be added to the guest list. We hope to see you there.


Q&A with Alan Edwards, Integralis

Integralis recently released the results of a survey into online data protection and trust. What was the key takeaway figure from that research? (
If you look at organisations today, many will have implemented a security strategy based on perimeter defence. The principal is simple, build a wall high enough to keep the bad guys out, and control the resources (people, processes and technology) that operate inside the firewall (perimeter).

However, many businesses have consumers who are connected to them in order to do business, which calls into question the original idea of the ‘perimeter’ or at least raises the question of where the perimeter now is. If I’m connected to my bank I am part of their network, and unknowingly have as much potential to introduce risks onto the bank network as one of their employees. My interaction with the bank could, inadvertently, create a problem for the bank in the same way that an employee could.

Maybe it’s time for organisations to consider the fact that the perimeter has gone and to treat customers who connect to them in the same way as they treat their staff, in terms of education  and making them  aware of the risks.

Banks seemed to do well in terms of trust online, with 63% of respondents trusting their bank with online transactions. Why do you think that is?
Despite what has happened recently, banks have historically been trusted and, in an online sense, banks do better at educating their customers. In my experience banks lead the way in communicating with customers in terms of which attacks they may be vulnerable to. They are also good at educating customers in what they can do to protect themselves, which in turn helps protect the bank from risks borne by online users.

Banks have also been proactive in terms of security measures like two factor authentication. That seems to be a conscious decision from the banks, who see their customers are part of their network and are therefore extending this level of authentication to them too.

Social networks came out bottom in terms of trust online – but that lack of trust doesn’t seem to stop people from using them.
Social networks top the overall usage charts, but rank bottom in terms of trust. It seems that in the online world people behave totally differently, and convenience overweighs any risks.

Turning to the RANT conference – these stats should worry attendees, if the vast majority of people simply don’t trust online businesses with their data.
The message to attendees is about how you start to bring trust into your risk or information security strategy. If the focus is just on the perimeter and not on the access consumers have to the network, then it is likely that your data is at greater risk, and that your users don’t trust you as much as you perhaps would like.

What is the message Integralis wants to deliver to the event?
The title of the discussion we’re running is ‘In banks we trust and in trust we bank’. Our message to CISOs is to start considering your customers as part of your network, and educate them and provide the tools to protect themselves just as you would with staff. In this way not only will your business be more secure, but your customers may even start to invest their trust – which must be worthwhile.



Debating the importance of security awareness

It goes without saying that in this open day and age, the importance of good practice when it comes to data and sensitive information, is more pressing than it has ever been.

From emails to tweets, USB sticks to smartphones, big bundles of paper tucked under your arm, printed here and there, remotely, across the digital highway, zip, zip and away, the ubiquity of information out there is pretty amazing.

With this sheer volume of information, transmitted, shared and downloaded on a daily basis, 24/7, all around the world, everyone always on the go, life has never been easier.

Add to that the fact that it is done through multiple devices, where one you’re minute writing a paper on your Blackberry, the next minute loading it to your Apple Macbook Pro, the next sharing it via Dropbox, it is almost inconceivable, that back in the day we relied heavily on transporting things via post.

With these radical changes comes danger. Where a lot of information used to be filed away and archived in a physical sense, under lock and key, today everything is in effect online or stored on a computer, which needn’t these days be access from one spot. You can, after all, check into your home computer remotely.

It can therefore feel as though data, however well protected, is always on the precipice of tumbling into the virtual world, like a £100 pound noted fluttering in the air for everyone to grab.

Which is why it is important for organisations, however big or small, to invest in training their staff in security awareness. A lot of time, effort and money can be saved if employees – employers as well – are informed about the latest happenings in the IT industry, like, for example, recent cyber crime trends.

However, interestingly, even if such training is delivered, is it actually having a positive impact? One line of argument is that the value of such training is negligible and it is constricted by certain limitations.

Take for example the recent study from the British Retail Consortium, which found that retailers were often unaware that a crime had taken place and didn’t think it normal to report every incident they were attentive to.

Or what about the Graeme Batsman’s comments last month, who had found that small businesses were almost lackadaisical when it came to data protection. The director of said: “Companies see the stories about leaks and hacks quite a lot, but the main thing is people think that it won’t happen to them. We know things will increase and get worse. More people are using computers and they have to wake up.”

At this year’s RSA Conference, whose theme is The Great Cipher Mightier Than The Sword, Acumin, the leading provider of information security recruitment and risk management recruitment services, will be delivering a special debate on the matter.

Showing a commitment to promoting good discourse, Acumin’s RANT (Risk and Network Threat) forum has assembled some of Europe’s leading thinkers in this area to push the debate further.

This includes Javvad Malik, senior security analyst at The 451 Group; Thom Langford, director of the Global Security Office at Sapient; Kai Roer, a freelance author, trainer and security consultant; Rowenna Fielding, information security manager at the Alzheimer’s Society; Geordie Stewart, managing director at Risk Intelligence; and Christian Toon, head of Information Risk at Iron Mountain Europe.

If it is going to be anything, then enlightening, thought-provoking and fascinating are just a few words that come to mind. It is great when we have multiple voices of authority and experience waxing lyrical about their ideas. Here is where great debate happens.

Acumin,  will be on call throughout the entire duration of the conference to discuss any questions pertaining to recruitment. It specialises in, among others information risk management, governance & compliance, penetration testing & forensics and executive management positions.

The RSA Conference at Hilton London Metropole runs from October 9th until 11th. Register here

Don’t be a needle in a haystack

“A winner is someone who recognises his god-given talents, works his tail off to develop them into skills, and uses these skills to accomplish his goals.”

Famous words from Larry Bird, a former NBA basketball player who was forced to retire from the game at the age of 36.

He’d had a seminal career though; part of the 50-40-90 Club, which in short means having had a “pretty fly season across the board”, a member of the Dream Team – the winners of gold at the 1996 Olympic Games – and to top it off, the only NBA basketball player to have achieved Most Valued Player, Coach of the Year and Executive of the Year.

Now while the idea that some of us are destined to be great is debateable – born to do it so to speak – the suggestion that we are able to shape something we seem to be naturally good at is self-evident. We might find painting a work of art, kicking a football or quantum mathematics easy to do, but it is dedication to a discipline that really makes something out of nothing.

For security consultants, chief information security officers and the like, in the midst of looking for a new career challenge, there’s a question that needs to be asked: “What sets me apart from my contemporaries?”

It’s an important question and should not be mistaken for conceit. It simply is a short and simple way to analyse how far you’ve come, what knowledge and talents you’ve acquired and how this all plays into where you want to go.

In the IT industry, branches of which include information security and risk management, business continuity, ethical hacking and penetration testing, what matters most is leadership, a specialism, a flexible way of approaching projects and business in general, and a willingness to adapt.

With regards to a specialism, this speaks for itself. Businesses are looking for someone who has a command over a typical area, be it cyber security, sales and marketing or in disaster recovery. What we’re talking about here is clout, unwavering technical knowledge. Though general knowledge is important, you can’t be a jack of all trades. To stand out, one requires a marker: “This is me; this is what I excel in.”

In reference to flexibility and adaptability, this is about being able to respond to change and possessing the ability to be reactive to new developments. The IT industry is currently undergoing transformation on a daily basis and constant change is almost the norm. You have to be willing and able to grow, to progress in a personal and professional capacity. Those who are happy to do the same old thing had better look somewhere else. Dynamic is what it is all about.

So take a leaf out of Larry Bird’s book and be the kind of person you want to be. This industry is growing all the time and as more and more people come into it, competition for positions, though plentiful, is going to be greater than it has ever been. Be a leader and step forward.

The funny thing about the bustling security industry

In this day and age, characterised by economic stagnation, dwindling spending power and limited opportunity – further compounded by the fact that it had seemingly poured cats and dogs since time immemorial – the idea that businesses might struggle to retain staff appears at first anomalous.

But it really isn’t. Even in the hardest of times, people still keep an eye on opportunities, be it for reasons that their current position isn’t just a means to an end; they’re looking for a promotion; or even a career change. Life’s an experience, after all.

Some industries buck the trend, like for example security, which, by the nature of its growing importance in society – it’s becoming an important facet of most people’s lives and of businesses – is expanding. Staff retention in this context takes on a different meaning.

Here’s a very apt example that has wider resonance. A new report from the Intelligence and Security Committee – a must read for CIOs, CISOs and the like – has observed that the UK’s Government Communications Headquarters (GCHQ) is at real risk of losing out on a generation of skilled professionals.

The reason is simple – they can’t keep hold of them (which we’ll come back to). The problem this results in, however, is very serious. Without this important, proficient and accomplished workforce, the UK’s ability to be at the top of their game and ensure that cyber crime is thwarted is at a real risk of crumbling. That’s not a pretty picture.

Iain Lobban, the director of the GCHQ, is very candid at the dilemma this reality poses. Because it’s a healthy industry and there is a growing demand for cyber security experts across the globe, professionals are simply doing what is normal – packing their bags and heading off.

When you’re presented with a great opportunity and a bump in pay, it’s logical. The government simply can’t match the salaries being offered. However it isn’t all bad. For one, it paints a very good picture of the private sector in this field and, in general, of the industry as a whole.

If, for example, you log onto Acumin’s website – a leader in information security recruitment and risk management recruitment services – what hits you is both the number of jobs available and the variety. This is an industry that is on the precipice of serious activity.

So, while the picture for the government isn’t going to change in the interim, there is a business model that can work to a satisfactory level, Mr Lobban has explained.

“One of the things that I’m looking at is whether or not we can recruit people, train them and then employ them with the expectation … of losing them at the end of that period,” he said.

“And, as they move into industry, for them to be useful for us. If they’re working with some of those companies that we work very closely with, perhaps there is a benefit that we can get from them.”

It’s not perfect, but neither is the weather or the economic situation. So, we do what we do best and we adapt, always optimistic. That’s called character and Brits have plenty of it. And hey, even Carol Kirkwood, the BBC’s popular weather presenter, says that there is sunshine around the corner. Let the good times roll.

Acumin rocks into the USA

Acumin, an international information security and information risk management recruitment specialist, which has been delivering expert advice and assistance since 1998, is now expanding its operations into the US market.

The recruitment agency, which is comprised of a number of specialist consultants, delivers a comprehensive range of services across a number of platforms, catering for all sorts of professionals looking to enter the industry, change direction or move up.

This includes governance and compliance; penetration testing, forensics and intrusion analysis; technical security; business continuity management; sales engineering and executive management. Inclusive it most certainly is.

One of the things that distinguish Acumin as a quality recruitment specialist is its experience in the business. Let’s take the US director Jeff Combs as a case in point. With a decade of personal and professional development at Alta Associates in information security recruitment to boot, Mr Combs knows the business inside and out. He spreads his knowledge wide and fair, regularly contributing to CSO Online, the ISSA Journal and SC Magazine’s Skills in Demand.

As such, you can be confident that you’re going to get tailored, accurate and thorough advice, with jobs that are, in a sense, bespoke to what skills you have and where you want to go.

Below is a list of some of the positions waiting to be snapped up by either US residents or Brits looking to move abroad. As you can see from this selection, there is breadth and depth in the jobs available. For more information, visit the website.

Software Services – Product Manager (Chicago, Illinois)

Candidates who are looking to lead the charge in developing software to the exacting needs of a client, will surely agree that this position is one that will interest them greatly

One of the absolute requisites for this position is knowledge and ability to produce a product backlog, with experience in delivering quality assurance procedures.

Along with the skills to engage and work with a wide group of people – from clients to managers to team members – it is essential prospective applicants have a knack of developing swift prototypes and concepts accurately.

IT Security Architect (Sheboygan, Wisconsin)

This brilliant position will suit a talented, proactive and energetic individual looking to add vigour to their career.

You have to be a go-getter, enterprising, with the skills to find, track and manage a variety of security risks and shortcomings that can compromise the integrity of a network.

Ideally, the candidate will be a seasoned pro with a degree to boot. The employer is looking for someone who has spent at least ten plus years in the business, a decade of becoming rather au fait with IT security systems and networks.

Senior Security Consultant (San Francisco, California)

Can you add a tick to the following: CISSP certification? SANS GIAC (GREM, GWAPT) certification? Certified Ethical Hacker certification? Well then, you might be interested in the following job in the fantastic city of San Francisco.

You’ll be working with the crème de la crème of the business, delivering mobile assessments, network and penetration tests and source code reviews, among other things.

As such, the client is seeking a professional with a minimum of three year’s worth of mobile assessment experience; to be savoir-faire in scripting and tool development (for example, Python and/or Ruby); and experience in consultancy in information security.

Would you believe, employees are the biggest cause of data breaches

It’ll be interesting to gauge, statistically of course, the difference between the level of investment that goes in developing strategies, performing regular audits of procedures and investing in security systems aimed at reducing data management breaches coming from outside sources, than those which originate from within.

In other words, are we in the risk management and information security industry more inclined to place a potentially unnecessary emphasis on snubbing out cyber attacks and viruses from non-native sources, than on mistakes made by ‘our own’?

The question may be construed as provocative, but its purpose is not to assail organisations – or for that matter staff – but to understand what the status quo is. We only ask because a new study done in collaboration with Symantec and the Ponemon Institute has revealed that in the US, “negligent insiders” have been found to be the top cause of data breaches. And some of these are deliberate, or malicious, to use a more accurate word.

So, the details: 39 per cent of organisations that took part in the study said data breaches are a result of carelessness; malicious or criminal attacks account for a third of all breaches; those who employ a chief information security officer (CISO) can reduce cost of data breach significantly; and, positively, fewer customers jump ship when such a breach occurs: they stay loyal.

With regards to employing a CISO as one of the key staff members of an organisation, we reckon this is something that will become a lot more prevalent in the foreseeable future. Like, for example, hiring someone to look after finances fulltime, which many businesses already do, CISOs will become part of the norm. This is the information age.

The report estimates that if an organisation appoints an expert and gives him responsibility for protecting data, the average cost of a data breach can be reduced by an astonishing $80 (approximately £50.7) per compromised record. Even hiring via contract – i.e. outsourcing – is highly cost-effective.

“One of the most interesting findings of the 2011 report was the correlation between an organisation having a CISO on its executive team and reduced costs of a data breach,” commented Dr Larry Ponemon, chairman and founder of the Ponemon Institute. “As organisations of all sizes battle an uptick in both internal and external threats, it makes sense that having the proper security leadership in place can help address these challenges.”

In the meantime, it is worthwhile up-skilling and educating those about the importance of best practice, highlighting shortcomings that can lead to data breaches and advising staff on how to be careful with the way they deal with data. After all, not every business has the luxury of being in a position to be able to afford hiring a specialist.

The attraction of contract working: Part One

Contract work is, these days, a growing phenomenon. More people than ever before, especially in the Information Security industry, are considering shifting to this unique style of working. And it appeals to both individuals and organisations, principally because it is a flexible, easy and productive way of working.

So just what is contract work? Although there is no fixed, universal definition, it can perhaps be best described as being an agreement between an organisation and individual to hire that said person for a finite amount of time – variable to the specifics of the contract of course. It’s that basic. It can either be long-term or short-term. In the context of our field of work, it is understandably a popular way of working.

The best way in to this kind of work is to sign up with an established agency that has a history of success in this field. The benefits are palpable. As specialists with knowledge and experience of our business, agencies have the knack, the resources and contacts to make highly-focused contract work a reality.

For example, let’s say you are a CLAS consultant with current DV Clearance. An agency can, on talking with you and going through your CV – which, by virtue, implies detailing your skills and work history – filter out irrelevant contractors and narrow down potential clients that might appeal to you. Moreover, in having developed relationships with such organisations, they will be able to best assess whether your appointment will be a productive one for both you and the contractor. The end result is to produce a harmonious working relationship that leaves everyone smiling.

The development in contract work can be seen as a natural by-product of a globalised world and how, every day, it is impacting on the ways in which human beings organise themselves with regards to work. It’s all post-industrialisation, chiefly post-World War Two.

Whereas 9-5 has long held the post as the most natural and sensible way of working, the more connected nations became with one another, in terms of trade and communications, the more it began to impact on how various organisations, companies and buildings came to work with one another. 9-5 began to feel too rigid, when, for example, your customer operated in India. India is five and a half hours ahead.

Consequently, habits and longstanding ideas, once deeply entrenched, began to transform. Hours changed, flexi-time was introduced, and people worked and finished earlier (8-4) or worked later (1-4). Others realised that some jobs were superfluous to their operations and staff rosters were streamlined. It wasn’t all fun: it meant making difficult decisions and it meant people were made redundant. To be blunt, it was collateral. Contract working and indeed flexible working – the big buzz of the moment – emerged.

A new year, a new you and a new opportunity

At the start of a new year there is a certain impulse to start afresh. Not so much from square one, that would be quite absurd, but from a certain, how can we put it, stage in one’s life? So, as is customary, one will choose to go on a diet after a period of indulgence, we will promise to be more charitable – the older we get so suggests some research – and we’ll give our jobs some deliberation.

With the latter, this is very much a characteristic trend in workplaces up and down the UK, of which our business, the Information security industry, is not exempt. It’s not that we lament our current role – though that can certainly be the case – more that we have a psychological impulse to consider change, to mull over how we can progress in our careers.

“A key issue to consider is whether you will feel more motivated and rewarded by seeking a new challenge in your current role or company than risking a move in uncertain economic times,” John Salt, director of, told the Telegraph recently.

“Remember competition for jobs has never been more fierce so if you are going to move companies be certain the role you want is available and you can clearly show why you should get it.”

His thoughts are most astute – this is a challenging time, regardless of where you work and who you work for. Indeed, some of you reading may well be in the unfortunate position of being unemployed. It’s not that you’re without skills or experience, or the lack of impetus to find work. Whether you’re a professional in cyber security, information security or risk management, the current economic environment makes finding work, well, harder than ever before. There are jobs; it’s just that a lot more people are fighting for them.

Companies are also on the lookout for new staff in 2012 and are adopting exciting ways of advertising positions. Take for example an offer of a job for the position of Senior Network Design and Implementation Engineer. The salary is £70,000 to £90,000 (based on experience). The location is London. The client “designs, implements and manages complex IT infrastructures and platforms where it is critical to the customer that their infrastructure has the maximum possible availability”.

So far so good, yes? Well there’s more. If you yourself possess the skills that suit this excellent job, or perhaps know of colleagues, friends and/or associates who would suit this position, then you can bag yourself a cool £500 referral fee (so long as that person is chosen). Not bad eh?

If it piques your interest, the details follow:

The ideal candidate will require the following skills:

Significant experience with Checkpoint/Cisco firewalls and some exposure to switch and load balancer configuration gained in a customer facing business

  • Strong design knowledge and experience of network and security solutions
  • Strong implementation experience of network and security design solutions
  • Strong communication skills and client facing experience

The client lists as responsibilities “design, configuration, implementation of all elements of the managed Network Security service”.

For more information contact James Foster on 020 7510 9042 or email

A New Year, a new you, a possible new career (or for a good friend of yours) and £500 to celebrate with…it could possibly be the start to a great 2012.

The denial of good conversation

The dissemination of information is something we often take for granted but it hasn’t always been like that. A long time ago, long before computers, the internet and 24-hour interconnectivity, in a pre-digital age, information used to belong to a small group of individuals. Whatever doctrines or ideas they spoke of were held to be the truth – though this didn’t necessarily imply it was accepted as such. History has always had its rebels after all. Nevertheless, large swathes of the population, through illiteracy or poverty, didn’t know any better. And that remained the model for quite a long time.

Today, however, that’s a whole different story – we have more freedom to obtain information than ever before (well, in democracies we do). This greater access to content has been further amplified by the coming together of highly sophisticated digital technologies and the fruition of the internet as a useful medium through which to do, well, everything.

In the security business, how we go about disseminating information – whether it is to do with developments in the industry, job opportunities, networking opportunities – and accessing that information has been a bone of contention for quite a while now.

Remember a few blogs ago we mentioned the security industry and the lack of definition it can afford, for example, job titles, well, similar problems can occur in broadcasting, sharing and receiving information. This is something one of our RANTers recognises and spoke about at the last Risk and Network Threat Forum.

“The problem is the mode in which we communicate security awareness to our users is generally very poor,” says Javvad Malik. “We need to be a bit more creative, engaging and genuine in our security awareness efforts,” said Javvad during his 2 minute RANT where we had a Christmas Special of ‘Who’s RANT is it Anyway?’

He’s onto a very good point. Perhaps this information isn’t so much deficient as it is not properly communicated or accessed. The fault can be two ways – either employees, both longstanding and new, are not aware of where to go to find content and/or those security professionals holding, for example, training sessions, are not putting out details via the correct channels.

What this creates is ambiguity, ignorance – by way of being denied information – and a culture which is far from collaborative, but fractured. Everyone operates within the industry, but in their own hubs, like disparate planets in a solar system with no means of connecting.

It doesn’t have to be this way – in our next blog, we’ll discuss how to foster a communicative culture. Our industry might be predicated on tightening security, but we could do with being more open about how this can be achieved.