Recently in Misc Category

Top 5 information security annoyances - #2

Few of my blogs have generated as much venom thrown in my direction as this one from last week. One blogger from America has gone so far as to write two very lengthy pieces in response, while the highly respected security guru and fellow blogger David Lacey referred to it as drivel. Another public commenter calls it trite.

I was well aware that my remarks about the usefulness of security awareness programs and risk models in particular would raise some eyebrows. However, I welcome the debate: we shouldn't be shy to challenge the accepted norms because there's plenty of evidence around that they frequently don't work.

Trite or drivel it might be... I actually started off with a list of ten!

Top 5 Information Security Annoyances

I'm generally a tolerant and easy-going sort of person. There's a fairly short list of things that get my goat. For instance, our local doctor's surgery has a call queuing system with 6 different options. However, I know for a fact that there's only one person working in reception and that, regardless of which button you press (press 1 for a long wait, etc.), after about 12 rings you'll get through to her. How pointless is that? Our home phone number is fairly similar to that of a local pizza take-away place. At least a few times a week I'll take orders. Sometimes I tell the caller that I've got no pizza left but they are welcome to have some of what I'm having...

The information security industry can be similarly infuriating at times. Here's a short paragraph on each of the five things that wind me up the most:

1. Security awareness programs

A whole cottage industry of consultants and websites has been built up around the perceived need to educate company employees about information security. It's all a waste of time and money. Certain individuals will point to a reduction in the number of lost laptops as a measure of success, or an increase in the number of people who can correctly click "a) All policies are on the Intranet" in a multiple choice questionnaire. The fact is that security awareness programs are received within the organisation with about as much enthusiasm as a plate of sick. The key to good information security is strong governance, good communication and well managed, decent processes. Security awareness programs sap energy and resources, and have little positive effect. Drop them.

2. Compliance = security

Nothing reduces the security status of a business faster than a blind determination to achieve compliance with a policy or a new regulation. PCI is the obvious one, with whole armies of "Qualified Security Assessors" driving their company Mondeos up and down the motorways of England en-route to the next company that's fallen into the trap of believing that so long as they can tick all the right boxes they are protected as if covered by some magic force-field. Having the certificate that says "compliance" tells you nothing more than that on the day the assessor came, you had the right combination of smoke and mirrors in place to pass the test. Information security is not a compliance project. It's an ongoing program without an end-date.

3. Risk modelling

Many "experts" preach the importance of working through risk models. It's a load of tosh. No matter which way you try to do it, you'll always come out with the answer you first thought of. You might as well use a crystal ball and read tarot cards. Nobody needs to work through a complex risk model to understand that if a retail website suffers a denial of service it'll have some financial consequences, or that if the internet connection is lost there won't be access to I've got better, more constructive and practical ways to spend my day than conspiring over risk models. Much more relevant is threat modelling - understand your systems and know the business so that you can make relevant risk-based decisions.

4. Where are all the analysts

Here are two examples of what I mean. i) A vendor does a "penetration test" of a web site (I use the term loosely because these days most pen tests seem to involve little more than pressing a button labelled "scan now") and sends you a report highlighting several "High Risk" issues. On closer inspection you discover that most of them are either false positives or irrelevant. ii) A network scan report is given to a newly CISSP-qualified security analyst and he's asked to review it as part of a job interview. He spots the obvious highlighted security holes but doesn't question why a web server has non-standard ports open. Are we becoming too reliant on auto-scan reports? Security analysts need to be inquisitive, well practised in basic technical skills, able to spot anomalies, and not afraid to question things that don't look right. The scan results never tell the full story!
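The second example above, the web server with open ports nobody questioned, is the kind of anomaly an analyst should catch before reading the scanner's own severity labels. The script below is an added illustration (not from the original post): it parses a constructed scan report and flags any open port that falls outside the expected profile for the host's declared role. The report layout, host names and role profiles are all assumptions made for the example.

```python
"""Triage a (constructed) port-scan report: flag open ports that are
unexpected for a host's declared role, instead of trusting only the
scanner's 'High Risk' labels. Added example, not the blog's own code."""
import re
from collections import defaultdict

# Expected listening ports per host role (an assumption for this example).
ROLE_PROFILES = {
    "web": {80, 443},
    "mail": {25, 587, 993},
}

# Constructed sample in a simple "host role port/proto state service" layout.
SAMPLE_REPORT = """\
www1.example.test web 80/tcp open http
www1.example.test web 443/tcp open https
www1.example.test web 3389/tcp open ms-wbt-server
www1.example.test web 8080/tcp open http-proxy
mail1.example.test mail 25/tcp open smtp
mail1.example.test mail 993/tcp open imaps
mail1.example.test mail 110/tcp closed pop3
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)$")


def parse_report(text):
    """Return a list of (host, role, port, proto, state, service) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that do not fit the expected layout
            host, role, port, proto, state, service = m.groups()
            rows.append((host, role, int(port), proto, state, service))
    return rows


def unexpected_ports(rows, profiles=ROLE_PROFILES):
    """Map each host to the sorted open ports not in its role profile."""
    findings = defaultdict(set)
    for host, role, port, proto, state, service in rows:
        if state != "open":
            continue  # closed/filtered ports are not exposures
        if port not in profiles.get(role, set()):
            findings[host].add(port)
    return {h: sorted(p) for h, p in findings.items()}


if __name__ == "__main__":
    for host, ports in unexpected_ports(parse_report(SAMPLE_REPORT)).items():
        print(f"{host}: open ports outside role profile -> {ports}")
```

The flagged ports are questions for a human, not findings in themselves: a port that is legitimately in use belongs in the role profile, and one that nobody can explain is exactly what the interview candidate should have asked about.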

5. It's not my fault

The first 9 years of my working life were spent in the Royal Air Force, where I enlisted as an Assistant Air Traffic Controller. I learnt a few useful things out of that: how to make a good cup of tea, write backwards on a plastic board with a chinagraph, and operate a Mu-meter, being three that will stick in my mind. Most important of all, though, was the lesson that excuses don't count. Only results. There's an evolving culture of making excuses for poor results. Lack of time, lack of resource, lack of training, lack of ability to think of a decent answer. All it shows is a lack of imagination, planning and initiative on the part of the person making the excuse. If you get something wrong it's your fault. Admit it and learn from it.

Google latitude - power to the people

In a country boasting the highest number of CCTV cameras in the world in proportion to the population; where local council workers can work as undercover spies to root out everything from putting bins out on the wrong day to whether or not a family can claim to live in a school catchment zone; where every time a car is driven into London number-plate recognition systems can track every turn in its journey, it's a bit rich for MPs to call Google's voluntary and free Latitude system a risk to privacy (see

"Mr Brake, MP for Carshalton and Wallington, said: 'In Britain, we have a tradition of fighting for our freedom.'" Hmmm. True enough if threatened by foreign invaders (although I'm not sure how much experience the 46 year old Physics graduate Tom Brake has of being a freedom fighter), but against our own government systems the fight never started. More Citizen Smith than Che Guevara, methinks...

McKinnon step closer to extradition

British computer hacker Gary McKinnon has lost the latest round of his battle against extradition to the US.


More here:,1000000567,10012233o-2000331828b,00.htm

This now pointless and irrelevant case drags on.

A fresh face on an old blog

It's time to give this blog a bit of an overhaul and freshen it up.

Duncan Hart, a good acquaintance of mine, has agreed to partner up and will shortly begin making his own contributions.

Duncan will introduce himself in due course, but needless to say he's an information security specialist and has plenty to say.

Risk assessment and the Nu M8 Child Tracker

A few weeks ago I allowed my 7 year old daughter to walk the last 400 yards from the bottom of the road to the school gate by herself. Off she trotted, full of her own independence, and away she went. About half an hour later the school headmistress called me: "did you know that your daughter arrived at school by herself today?" You'd have thought some crime had been committed, or that I'd been negligent in my care. The expectation is that all children will be accompanied to the school and into the grounds by a parent. When I broached this subject at a friend's party recently and expressed my view that most of the kids at the school are more than capable of walking the half a mile or so without needing to cling to a parent like a monkey with velcro arms, one mother of two particularly obnoxious offspring stated "well I'd be too worried to let mine go by themselves." So, it's no surprise that products such as the Nu M8 digital watch with child tracker are now on the market.

I really don't see why anyone would want to buy one. If my kids are outside playing then I can usually hear them and if I can't hear them my general attitude is "phew, some peace and quiet at last." Either I'm unaware and ignorant of the fact that kids are being regularly picked off the streets, or perhaps I'm just old fashioned enough to remember that kids like to explore and enjoy some carefree freedom rather than being shackled to the house under constant supervision just in case they graze a knee and need hospital treatment.

Statistically, children are at more risk inside their own homes than out of them, from everything ranging from domestic violence to electric shocks. However, the hype that the press has put on the apparently ever increasing risk of child abduction (59 cases in 2002/2003 - see here) means that people do a quick risk assessment in their head where the formula used is something like risk = number of Daily Mail articles multiplied by mentions on GMTV. If the result is a number greater than the number of fingers on one hand, then the action is to throw a protective blanket around the child.

It's this same principle that causes people to panic about getting on an aeroplane at the same time as they happily swerve from lane to lane at 90mph on the motorway. It's also the reason why businesses have failed in the past to deal adequately with information security: hire an IT guy, call him the security dude, give him a firewall and a know-it-all attitude, and Bob's your uncle: tick the box, we're protected. It's no different from buying a Nu M8 - you get the same soft, warm, squidgy feeling of security without having done anything to address the real risks. The system will break down the first time the child goes to cross a road and gets run over because these days nobody teaches them the Green Cross Code anymore.

For information security, we do the brain surgery but, as somebody recently said, end up dying from the common cold. Example: a nicely developed and well coded online CRM system that I recently saw. No obvious hacks, hosted on a decent infrastructure with firewall, IPS and anti-malware. Even a good hacker would struggle to get in through the code and steal the data. Except that everyone with access to the system was, for ease of use and administration purposes, using the same, very simple, username and password combination.

Anyway, must go and make up the kids' school packed lunches for the day: remember, nothing with nuts just in case there's somebody with an allergy in the school, no sweets in case they get fat, but the crappy fake chemical cheese snacks that come in a plastic pot with some sticks of wood included for dipping are fine...

Internet censorship - should we have more of it?

I'm currently escaping the bitter cold of the UK over in Abu Dhabi, where I'm spending a couple of days visiting the Reed Exhibitions regional office.

The UAE censors its population's use of the Internet. Should you accidentally stray into immoral browsing territory then your ISP will display for your benefit the following message:

(image: the ISP's "site is blocked" page)

This covers online dating sites, sites where "criminal skills" might be learnt, anything relating to drugs, pornography and gambling, amongst other things considered to be immoral or illegal. So, type the word "gambling" into Google and instead of search results you will see the "site is blocked" message as shown above.

In fact, it's no different from the censorship employed on most corporate networks. Most of us are, I'm sure, familiar with tools such as WebSense which can be used to block a similar category set and prevent employees from accessing sites deemed to be either too insecure or morally unacceptable. It's also just as fallible as the corporate controls that we use, because the same message shown above is also displayed if I modify my search to "Internet gambling laws in the USA". Change the word "gambling" to "gaming", however, and access is granted!

We tend to get very hung up on censorship in the UK. One man's censorship is another man's infringement of liberty. But I find myself not opposed to the UAE policy, and wondering whether some well defined laws on Internet censorship should become the norm rather than the exception. Would it make use of the Internet safer? In other words, if hacker sites and phishing sites were blocked by the ISP, would the number of people falling victim to malware drop?

There's an interesting report from the House of Commons Select Committee on Culture, Media, and Sport which discusses the need to "control children's access to potentially harmful content" and also mentions the role of the Internet Watch Foundation (IWF) as being to "minimise the availability of potentially illegal or otherwise harmful content on the Internet, and to take action to prevent exposure to illegal content." More to the point, the major ISPs in the UK already block access to websites listed by the IWF as hosting illegal content. So, in fact censorship of the web is already at an advanced stage in the UK, just not so overtly as in the UAE. Interestingly, the word "censor" is not actually used anywhere in the government report. Censored out perhaps?

The objections that do get voiced are mostly from those who object to the lack of transparency (one of many such voices here) and legal framework. So should Internet censorship in the UK be more overt, such as that in the UAE?

Merry Christmas!

It's Christmas!

Many thanks to everyone who has supported this blog over the past year, provided feedback - good or bad - and especially those of you who keep coming back.

Merry Christmas and all the best for 2009...

See you in the New Year.

Security professional from hell...

What are the traits or characteristics of a security professional from hell?

See video at

" ... they wouldn't look out of place in the IT Crowd, ... poor interpersonal skills, ... obsessed by technology, ... the great unwashed, ...  "

Sound like anybody you know?

Phishing and Spam IQ Quiz

SonicWall have posted an excellent Phishing and Spam recognition test. Pass it around.