
Upcoming RANT Forum to focus on communication and collaboration

Last month’s RANT Forum was one of the best attended so far, and saw Sarb Sembhi, director of IncomingThought, present on EU Data Protection Regulation.

This month’s event will be held at The Counting House, London on Wednesday August 28th 2013 and is set to be just as interesting, with a new speaker and an engaging topic.

Darren Hodder, vice-president of cyber fraud intelligence at the Centre for Strategic Cyberspace & Security Science, will give a talk about just how important the crossover between information security and anti-fraud is, entitled ‘Different Disciplines, Same Goals: Where is the Communication & Collaboration?’.

Mr Hodder has attended RANT previously and was surprised to find he did not know many of the attendees personally, especially considering he is so well connected and has spoken at numerous industry events.

“Perhaps we need to get better at communication, rather ironic since our disciplines facilitate global communication on an unprecedented scale! In order to be better understood by the board we need to get back to what is at the heart of all the problems we are trying to solve and in my view it is all about people.”

He believes IT security professionals can get so caught up in the latest technical trends and challenges that they may forget there is always a human behind these threats and that technology is simply a facilitator for age-old crimes and scams.

Mr Hodder wants IT professionals to get to know one another better in order to reach their overall goals more effectively.

RANT is certainly the perfect location for this subject as the event encourages interaction and engagement by making the whole thing a little less formal.

The idea of the event is to put people at ease so that key issues can really be explored in an open forum. It gives people a great opportunity to network and get to know each other, something Mr Hodder would like to see more of in the coming months.

There are many threats facing the IT security industry and many of these will be discussed at the next RANT Forum on August 28th.

What are the biggest challenges when sourcing information security professionals?

During each RANT forum and conference information security professionals gather together to talk about some of the most pressing issues in the industry.

One of the topics that often gets brought up is recruitment and how organisations in both the public and private sector go about bringing in the most talented individuals.

During the latest conference, some of the industry’s top professionals gave an insight into what they thought about the process and how it has evolved over the years. We asked them what they perceived as the biggest challenges when sourcing information security professionals.

Tom Salkield, professional services director at Integralis, said: “We need to attract more people into this industry sector … there are some big problems that we actually need to solve.”

According to Mr Salkield the industry must integrate more with the education system to get people interested in IT security.

“We need to be working much more closely with schools, colleges and universities to entice the new leaders of the future to come and enjoy the big debate we’re involved in,” he added.

Many other professionals gave their opinions on the industry and their thoughts on the matter can be seen in the video below.

For example, Javvad Malik, senior analyst at 451 Enterprise, believes it is about more than just the technical skills required; he thinks it is also about personalities and “people who can fit into the mould”.

The stereotype that information security professionals all come from hacking backgrounds is now gone; individuals are constantly emerging from a range of backgrounds, and this diversity can only be a good thing.

Acumin has been hosting the monthly RANT events for the last seven years and encourages everyone to get involved with the discussion and lively debate.

Each forum and conference sees hundreds of information security professionals join in and share their ideas on the future of this ever-growing industry.

Attending RANT is a great way to broaden your thoughts and expand your network and the next event will be held on August 28th in London.

Upcoming RANT Forum to focus on EU Data Protection Regulation

Next week’s RANT Forum will certainly feature one of the hottest topics in the IT security industry right now, as Sarb Sembhi, director of IncomingThought and chair of the ISACA GRA-SC3, will be presenting a talk on the EU Data Protection Regulation as well as other areas such as the state of the privacy policy in the US.

Prism has been a word on the lips of many an IT security specialist over the past month, with former National Security Agency (NSA) worker Edward Snowden revealing its methods of spying on citizens from all over the world.

Sarb is a well-renowned speaker and delivered an interesting talk at the RANT Conference earlier this year, which saw much interaction with the audience. It’s likely that this new talk will get the same reaction, with many professionals having a different point of view on the whole matter.

Since before the EU Data Protection Regulation was made available to the general public in January 2012, all the major US Service providers have been lobbying the EU to water down the provisions to protect EU citizens. Their point of view is that the costs to implement the provisions will hurt the consumer in the long-run.

This lobbying has been one of the most heavily funded of all time, and in light of the Snowden revelations it makes you wonder whether the real motive was that the provisions would make things difficult for the NSA, rather than just for the providers.

Mr Sembhi suggests that if the EU Data Protection Regulation is watered down, then there is no need for the service providers at all, as the NSA will be able to store all the data.

This will naturally create a lively debate over the issue and people will be able to express their own opinions on what should be done, or not done, in an open and informal environment.

You can join us for the next London RANT Forum on Wednesday 31st July and as usual there will be plenty of food and networking opportunities on offer.

Those interested in attending this fantastic event should email Gemma Paterson on gpaterson@acumin.co.uk to be added to the guest list.

Hundreds of security professionals flocked to the RANT conference in June

Acumin has been running its monthly RANT events for the last seven years and it all started from humble beginnings.

IT forums are nothing new, but when attending the ones available at the time, Acumin founder and managing director Simon Hember and the team noticed the real value in these gatherings was found afterwards in the bar where everyone would chat and really get to the hard truths in the industry.

As a result RANT was born, a conference that would create a relaxed atmosphere to allow every attendee to get involved, bring forward their ideas and challenge the views of even the highest ranked security professionals.

Like the IT security industry itself, RANT has grown substantially over that seven year period and now sees hundreds of professionals turn up to network with one another and enjoy a few drinks afterwards – some things never change!

The last RANT conference featured some fantastic keynote speakers including Mark Stevenson from the League of Pragmatic Optimists and it even had some quirky aspects thrown in like a University Challenge competition, which saw the Royal Holloway University bring some of its brightest and best students to face off against the industry’s best professionals in a battle of wits.

Bruce Hallas, information security and risk management specialist at the Analogies Project, was in attendance and spoke of the reasons why he chose to be part of it.

“The whole concept of flipping it around so that you have the bar discussion on the stage I think was innovative, it’s unique, I haven’t seen that before and that was one of the reasons I was compelled to get involved,” he said.

Some of the hottest topics in the information security industry were discussed and debated upon at the event, in what was a wonderfully relaxed setting in London.

Gemma Paterson, marketing manager at Acumin, said: “RANT offers a completely different take on the standard security conference. We want people to feel relaxed, we want people to feel like they have the power to be able to stand up and say exactly what they’re thinking.

“So you might have a panel on stage of the most senior security professionals and you still want the audience to be able to feel like they can challenge those views and put their opinions across.”

The RANT forums and conferences are expanding at a staggering rate and with the sector changing so rapidly there’s always something to rant about. It brings together some of the best thought leaders from around the world and opens up massive networking and learning opportunities for professionals within the industry.

To see more from the event, you can check out the video content from the event here.

IT industry facing some hefty challenges

The IT security industry is going through some of the largest changes in its history, with several different phenomena shaping the sector.

One of the biggest innovations in recent years has been the implementation of cloud computing. Since its inception it has boomed and now many organisations are using it to make drastic savings and – in some cases – simply keep up with the competition.

This rapid leap to cloud is causing IT departments plenty of headaches as information security becomes much more difficult.

Another similar security issue that has cropped up in recent years has been the new trend of bring your own device – which has given us the fabled BYOD acronym.

Of course, this has happened thanks to the huge rise in mobility brought about by devices such as tablets, smartphones and even Ultrabooks in some cases.

Many companies across the globe are now allowing their employees to use their own laptops and other mobile devices in order to improve flexibility and generate cost savings.

Naturally, if staff are using their equipment at work, organisations will not need to fork out money on buying it themselves and if staff want to work from home they can, which is certainly useful for those trying to raise a family.

However, the downside to this is there are so many devices to keep track of. A few years ago, a firm would buy in all the equipment and staff would use them. It would all be the same, therefore keeping track of it and installing relevant software was easy.

Unfortunately, this is no longer the case and IT security managers have to keep track of dozens of different smartphone, tablet and laptop brands, while making sure all of them are up to date with protection software.

This will be a key challenge for many within the IT industry over the coming years as BYOD is showing no sign of slowing down.

It’s topics such as these that many professionals like to rant about at the Risk and Network Threat Forum (RANT) conferences that take place up and down the UK every month. Last month’s event took place in St Paul’s, London and it was a fantastic day filled with a tonne of topical debate.

Q&A with Ed Gibson, speaker and panellist at tomorrow’s RANT Conference

Can we have a sneak preview of what you’ll be talking about at the panel discussions?
I think provocative would be the word. All of us have attended conferences; we hear from the same people about the same things. Each panel member has so much experience that it will not be the same discussions about how we can boil the ocean and make the world a safer place.

It will be about things we can all do. One of the major problems is that people attend conferences and leave saying, ‘the world is falling apart – what can I do about it?’. We want to leave the audience with an idea of one thing they can do when they get home to help make their own environment more secure.

That sounds a bit different from the usual fear, uncertainty and doubt that you get from many conferences. This sounds much more practical.
Yes, and you often hear about how it must be the Chinese or North Koreans that are stealing all our IP… Well, maybe they are contributors but I think we need to get our minds set toward being more open. If we focus on one or two particular countries we are going down the wrong track. I think that will draw a fair bit of discussion.

Any time we deal with something we are not entirely familiar with there is a fear factor built in. If that’s not handled properly we can drive ourselves into a death spiral. I’m not sure we should be doing that. Yes, there are people out there who can exploit technology for the purposes of whoever they are acting on behalf of, but I’m not sure that’s different from other industries. And I think there are more people out there who want to make things better than want to destroy them. There are people out there with thoughts other than doom and gloom.

I think every day there are people making things better – whether that’s through law enforcement, security services or a combination of commerce and government agencies working together or informal CISO to CISO level at businesses.

You have held a number of fascinating roles in the security industry, working with the likes of Microsoft and the FBI over a long career. How has the industry changed over that time?
Sometimes I have to smile at what’s happened. I was talking about these things back in 2000, 2001 and 2002. Anyone who had some foresight back in 2000 into the security problems that could and indeed have developed was extremely frustrated because no one wanted to listen; we as consumers demanded that things just worked.

So in conclusion, what do you hope attendees will get out of the RANT conference?
You have to question why you really want to attend a security conference. There are hundreds of stands of people selling their security technology; how do you make a decision as to what security product is best for your environment? If so, how do you make that determination? Networking? Seeing what others are buying? The same way I buy wine – cheap and with a nice label?

I think what the organisers have done is a pretty spectacular thing; they’ve developed a forum that enables and facilitates different thoughts – maybe those thoughts that people want to say but haven’t said in public. Here’s an opportunity like no other to change our thought process and perception and understanding and maybe walk away with a different and more truthful understanding of what’s happening in the world.

Next week’s RANT Conference attracting some of the IT industry’s biggest names

IT professionals from around the country are currently preparing for this month’s RANT Conference, which is now merely days away from taking place.

The Risk and Network Threat Forum (RANT) Conference has been run by Acumin since 2007 and this month’s event is being held in St Paul’s London, in the heart of the UK’s IT industry.

Every month a new speaker attends the conference to start a rant about a hot topic within the IT sector. Of course this is not just a one way conversation and the audience is actively encouraged to interact and pitch in with their own points of view, opinions and suggestions in what is a relaxed and informal atmosphere.

Tuesday (June 11th) will see many top industry professionals take to the stage to engage with an audience that is growing month-by-month. Well known speakers Stephen Bonner of KPMG and Mark Stevenson of Futurologist will be there to talk about some of the biggest issues the sector is currently trying to tackle.

Naturally, there is so much to go through considering the changes occurring in the industry and this month’s agenda is simply massive and there will be plenty to talk about both at the presentations and in the pub afterwards with the infosec community.

Bring your own device will feature heavily in the conference and all advantages and disadvantages will be explored. Mobile device management, secure outsourcing and the major threats currently facing cyber security will also all be discussed.

The RANT Conference is designed for passionate information security managers, directors, chief information security officers and other senior information security and risk professionals who work within end user organisations.

A short teaser video for the RANT Conference has been devised and can be viewed here. It was made by Twist & Shout Media – @twistandshoutUK on Twitter if you’d like to give them a follow – the team behind restrictedintelligence.co.uk.

Next week’s RANT Conference is going to be huge and there are set to be 60-80 ranters in attendance. Places are going fast so professionals are urged to register ASAP to secure their place.

Sending a message: The meaning of Google’s privacy fine

The fine levied by the Federal Trade Commission (FTC) on Google for violation of privacy laws was either in proportion to the billions of dollars the multinational tech company makes every year or so big as to send a message that such abuses will not be tolerated by other organisations.

Either way, the $22.5 million (approximately £14.4 million) is humongous. What was the crime? Well, according to the FTC, which exists to ensure that consumers are protected from dishonest, manipulative and unfair practices, Google basically “misrepresented privacy assurances” to users of Apple’s Safari browser.

This is a huge indictment of a company known for its motto “don’t be evil”. In the preface of its code of conduct, Google explains that it’s “about doing the right thing more generally – following the law, acting honourably and treating each other with respect”.

The FTC concluded that the influential company was anything but honourable in its assertion that tracking cookies would not be placed on users’ computers. It placed them anyway, which in turn meant that people’s browsing habits could be monitored without permission. Targeted ads could then be deployed.

“The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” stated Jon Leibowitz, chairman of the FTC. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

It’s a statement of magnitude because it reinforces the importance of privacy, which has had its foundations shaken ever since the internet began to find its voice, so to speak, and people began to “live, socialise and exist” in a virtual world. Without privacy – or the option to preserve it as we so choose – we risk being exploited, and the internet becomes a playground for this.

“At the bottom, the elimination of spyware and the preservation of privacy for the consumer are critical goals if the internet is to remain safe and reliable and credible,” Cliff Stearns, the US representative for Florida’s 6th congressional district, once said. You can’t dispute that argument.

An attorney from the IT Law Group says that companies should not pay lip service to privacy and if they have a practice, to stick to it. Speaking to BankInfoSecurity, Francoise Gilbert, who has far-reaching and detailed experience with data protection and information security, said that while a privacy policy is a good thing, if it’s not adhered to, it becomes inessential.

Google, while accepting the fine, didn’t have to accept any wrongdoing. It’s a strange thing given that the fine is unprecedented, and resulted in one judge dissenting on the decision. His colleagues however argued that denial of liability is not inconsistent with the “imposition” of a civil penalty. So long as Google pays the fine, then that is all that matters.

The FTC accepts that the fine may be perceived as insufficient, but to kind of steal a quote from Heath Ledger’s Joker in the Dark Knight, it’s not necessarily about the money, it’s about sending a message. The fine is part of that message: you abuse privacy, you will be hit hard. Google’s reputation might be intact given how useful it is to our lives, but other companies might not have that luxury.

Catch up to the internet

Do you remember when the internet first emerged? We’re not talking about its absolute origins, the preserve of a few exceptionally smart individuals, but when the internet really started to infuse into the everyday activities of our lives. For most people, of a certain age that is, it was the late 90s when it all really kicked off.

Back then though, we were more interested in emails than the web per se, websites not really offering much in terms of the perfect marriage of aesthetics and content. Instead, it was the buzz of being able to contact one another instantaneously that hooked us onto this new technological development. And it could be done globally.

It was, to all intents, the only account we “signed up to”. If we were inclined to actually browse the web, we wouldn’t need to log in to pages. Online banking didn’t exist, shopping was still about popping down the high street, and Facebook, well, Mark Zuckerberg was still in nappies, right?

After the dotcom bubble burst, things changed, the pieces fell in place and boom, soon there was a proliferation of knowledge, money and clout, a perfect coalescence of software and hardware. Now, in the year 2012, we have a smooth operating machine that allows us to do pretty much everything online.

This new order requires a lot of accounts, by virtue of which we need lots of passwords. It can be problematic from a memory point of view, but more so, in terms of data protection, it has real security implications.

Which is why the figures from a new report are startling. Experian’s CreditExpert’s web monitoring service revealed that between January and April this year alone, over 12 million pieces of personal information were “illegally traded” online by cyber criminals.

Compare that to the 9.5 million pieces of information that were traded throughout the entirety of 2010 and you can appreciate how things have spiralled out of control. At the core of the data being passed around are login and password combinations. It’s like giving a thief the key to your house and then saying this is the code to the alarm, it never changes, go wild.

“The reason password and login combinations make up nine out of ten illegally traded pieces of data is because they give access to a huge amount of other valuable information, such as address books and related accounts,” explained Peter Turner, managing director at Experian Consumer Services in the UK and Ireland.

“Using a different password for each account will minimise risks, but if password information is stolen from a website, all accounts using the same details will be compromised, and this information can spread among fraudsters rapidly.”

The lesson to learn here is that although the internet has changed radically since its inception and been promoted from the fringes of usefulness and relevance to the big league – a central, ubiquitous and almost essential entity – our habits and attitudes haven’t come as far. We have to adapt, get with the programme, and treat the web seriously.

So, even though the number of accounts we have has increased massively, we haven’t responded by widening the number of passwords we use. It has just been easier to have one static password, which we even concede to being lax. It’s wrong, we accept that, but we do nothing about it.

It’s worth repeating: the simple advice is to have a unique password for everything. This may seem like a lot of work, but the payoff is extraordinary: peace of mind backed up by a hefty dose of security. Experian’s guide to keeping your account secure is pretty decent.

It has four tips: avoid the obvious like pet names; have a lengthy password – ten or more characters is great; mix up lowercase and uppercase letters with numbers and special characters; and come up with a memory exercise to remember everything – sing a song with them in it – whatever works for you.
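The four tips above, together with the warning that one stolen password compromises every account sharing it, as an added example that is not Experian’s guide or tool: a checker for a single password against the tips, and a reuse check across a locally held set of accounts. The “obvious” word list and the sample accounts are constructed for illustration.

```python
"""Password hygiene checks modelled on the four tips quoted above, plus a
reuse check for the one-password-everywhere habit the post warns about.
Added example, not Experian's tool; word list and sample vault are constructed."""
from __future__ import annotations

import re
from collections import defaultdict

MIN_LENGTH = 10  # tip 2: "ten or more characters is great"

# Constructed deny-list standing in for "the obvious" (pet names, common words);
# a real deployment would use a much larger list.
OBVIOUS_WORDS = {"password", "letmein", "qwerty", "fluffy", "rover", "123456"}


def check_password(password: str) -> list[str]:
    """Return the tip violations found (an empty list means all tips hold)."""
    problems = []
    lowered = password.lower()
    # Tip 1: avoid the obvious, even when digits are tacked on ("Fluffy2012").
    if any(word in lowered for word in OBVIOUS_WORDS):
        problems.append("contains an obvious word")
    # Tip 2: length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Tip 3: mix lowercase, uppercase, digits and special characters.
    classes = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "digit": re.search(r"\d", password),
        "special": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, hit in classes.items() if hit is None]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def find_reuse(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used on more than one account to those accounts.

    Runs locally over the user's own vault (site -> password); every site in a
    returned list falls together if any one of them leaks the password."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for site, password in accounts.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault: two accounts share a weak password.
    vault = {"bank": "Fluffy2012", "email": "Fluffy2012", "shop": "Tr0ub4dor&3"}
    for site, pw in vault.items():
        print(site, check_password(pw) or "ok")
    print("reused:", find_reuse(vault))
```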

Bear all of that in mind and you’re definitely keeping with trends. The internet has come a long way since its early days, just ask Bill Gates.

“The internet is becoming the town square for the global village of tomorrow.”

Taking on the high-rollers

The European Network and Information Security Agency (ENISA), which exists to improve network security within the EU, has stated that all banks should “presume” that all of their customers have PCs that are “infected”.

This fascinating suggestion by the security agency is predicated on the idea that it makes sense to go with the default position that computers – the definition here inclusive of devices like tablets and smartphones – are, to a degree, compromised.

ENISA believes that banks and financial institutions at present operate under the assumption that their online banking systems are secure, but this is a mistake that can and does lead to serious trouble.

The security agency felt compelled to make such an assertion in light of recent reports about “high roller” cyber attacks, which have been directed at wealthy corporate bank accounts.

In particular, ENISA draws its conclusions from a detailed report into the matter, produced by McAfee and Guardian Analytics, which discussed its discovery of a “highly sophisticated, global financial services fraud”.

“Unlike standard SpyEye and Zeus attacks that typically feature live (manual) interventions, we have discovered at least a dozen groups now using server-side components and heavy automation,” the authors of the report stated.

“The fraudsters’ objective in these attacks is to siphon large amounts from high balance accounts, hence the name chosen for this research: Operation High Roller.”

The intriguing thing about this is that no human participation is needed, with each assault moving at a swift speed. Combine insider knowledge of banking transaction systems with “custom and off the shelf malicious code” and you’re moving into organised crime territory, the research noted.

What can be derived from this is the notion that today’s bank robbers have migrated online because this is where the money is, another sign that the digital world is increasingly becoming the default habitat in which to do everything…literally.

The attacks occur in three distinct phases. First of all, targets are identified using spear phishing, and those with large capital are singled out. Following on from that, malware is directed onto their computers, bespoke to the victim’s online banking website. It kicks into action as soon as the person accesses their account, giving the fraudsters carte blanche to carry out deceitful transactions.

ENISA has some suggestions about how to beat the criminals at this. One, as mentioned above, adopt the attitude that all PCs are compromised and put in place security measures that protect against, for example, malware like Zeus. Two, make online banking even more secure. Finally, there needs to be strong global cooperation (here the attacks were coordinated across the globe), otherwise there will always be shortfalls in knowledge.

Other things that can work, even against highly sophisticated attacks, include anomaly detection strategies – criminal behaviour is fallible – developing solutions to more automated, obfuscated and creative forms of fraud, and providing equally diverse and multilayered forms of protection. The house always wins in the end.
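The anomaly-detection idea above, applied to the High Roller pattern (automated, rapid, large transfers from a compromised session to payees the customer has never used), as an added example that is not ENISA’s, McAfee’s or Guardian Analytics’ code: a small rule set that scores each transfer against the customer’s own history on the bank’s side, where the infected PC cannot hide it. Account names, payees, amounts, timestamps and thresholds are all constructed for the illustration.

```python
"""Server-side transfer scoring modelled on the Operation High Roller pattern
described above. Added example with constructed data; thresholds are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Thresholds are assumptions chosen for the illustration, not published figures.
OUTLIER_FACTOR = 5.0                      # amount >= 5x the customer's typical transfer
FAST_AFTER_LOGIN = timedelta(seconds=30)  # a human rarely pays out this soon after login
BURST_WINDOW = timedelta(seconds=60)
BURST_COUNT = 3                           # three payments inside a minute is machine speed


@dataclass
class Transfer:
    account: str
    ts: datetime        # when the transfer was submitted
    login_ts: datetime  # when the submitting session was opened
    amount: float
    payee: str


def score_transfers(history_amounts: list[float], known_payees: set[str],
                    transfers: list[Transfer]) -> list[tuple[Transfer, list[str]]]:
    """Return (transfer, reason codes) for every transfer that trips a rule.

    `transfers` must be in timestamp order. `history_amounts` are the customer's
    past transfer amounts; they define the baseline an automated scheme ignores."""
    typical = median(history_amounts)
    flagged = []
    for i, t in enumerate(transfers):
        reasons = []
        if t.amount >= OUTLIER_FACTOR * typical:
            reasons.append("AMOUNT_OUTLIER")
        if t.payee not in known_payees:
            reasons.append("NEW_PAYEE")
        if t.ts - t.login_ts <= FAST_AFTER_LOGIN:
            reasons.append("FAST_AFTER_LOGIN")
        # Velocity: this account's transfers inside the window ending at t.ts.
        window_start = t.ts - BURST_WINDOW
        burst = sum(1 for u in transfers[: i + 1]
                    if u.account == t.account and u.ts >= window_start)
        if burst >= BURST_COUNT:
            reasons.append("BURST")
        if reasons:
            flagged.append((t, reasons))
    return flagged


# Constructed sample: one corporate account, a burst of three automated transfers
# to unknown payees seconds after login, then a normal rent payment that afternoon.
SAMPLE_HISTORY = [1200.0, 900.0, 1500.0, 1100.0]
SAMPLE_KNOWN_PAYEES = {"Payroll Ltd", "Rent Co"}
FRAUD_LOGIN = datetime(2012, 6, 1, 9, 0, 0)
LEGIT_LOGIN = datetime(2012, 6, 1, 14, 25, 0)
SAMPLE_TRANSFERS = [
    Transfer("ACME-CORP", FRAUD_LOGIN + timedelta(seconds=5), FRAUD_LOGIN, 45000.0, "Offshore Holdings A"),
    Transfer("ACME-CORP", FRAUD_LOGIN + timedelta(seconds=20), FRAUD_LOGIN, 38000.0, "Offshore Holdings B"),
    Transfer("ACME-CORP", FRAUD_LOGIN + timedelta(seconds=40), FRAUD_LOGIN, 42000.0, "Offshore Holdings C"),
    Transfer("ACME-CORP", LEGIT_LOGIN + timedelta(minutes=5), LEGIT_LOGIN, 1100.0, "Rent Co"),
]


def run_sample() -> list[tuple[str, list[str]]]:
    """Score the constructed sample and return (payee, reason codes) pairs."""
    return [(t.payee, reasons) for t, reasons in
            score_transfers(SAMPLE_HISTORY, SAMPLE_KNOWN_PAYEES, SAMPLE_TRANSFERS)]


if __name__ == "__main__":
    for payee, reasons in run_sample():
        print(f"{payee}: {', '.join(reasons)}")
```

The legitimate rent payment trips no rule, while the three automated transfers each trip several; a bank would hold such a batch for out-of-band confirmation rather than trusting the compromised browser session.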