- 10 Security Predictions for 2009 from Channel Web
- 2009 Security Predictions on SANS
- Security Predictions: Experts look ahead at CIO.com
- 7 Infosec Trends for 2009 from Rich Mogull
An acquaintance is one of a team developing a new website - Surfing Safer - providing practical advice on security to home and business users.
It promises to be a useful companion to sites such as GetSafeOnline. For instance, that one recommends you use a firewall, Surfing Safer will provide product reviews on which ones are best to use from people with experience of using them.
Visit the new website here: www.surfingsafer.com
I've been watching a security awareness training video produced for a well known blue-chip company. It's appallingly bad. All the very worst Janet and John material that generally makes people's eyes glaze over and wonder whether they've left the gas on or have enough eggs left at home for an omelette.
Engaging with an uninterested audience and talking to them about security is difficult enough. Most would rather walk naked over burning coals on the mutilated and bloodied stumps of their feet than listen to somebody telling them to engage a screensaver whenever they get up to visit the lavatory.
Here's an engaging, and true story. Yes, it really happened. In fact it happened this week to my wife, an employee of a well-known high street Travel Company, as she was enjoying a mug of hot chocolate in a Starbucks somewhere in Berkshire close to her branch office.
At the next table two ladies in power suits and heels were chatting over their skinny vanilla lattes (drinks have been changed to protect the innocent). Their conversation drifted across the tables and my wife was able to hear that they were discussing some career matters relating to a particular individual. It's a long story, and I won't go into all the gory detail, but it involved maternity leave, pay demands and various other unsavoury HR-related things. Suddenly it dawned on her that the two ladies were a regional manager and an HR manager from my wife's own organisation, and the subject of their discussion was her own manager in the local store.
Now, that is the sort of scenario I'd put into a security awareness video. Banged to rights, as they say. Of course, my wife, being ever so discreet, didn't tell anyone what she'd heard and I certainly won't say anything. So this is just between you and me.
From the Janet and John book of Information Security: if you have private business, then do it in a private place; otherwise consider it public. In my mind, that buys much more risk mitigation than using a combination of upper and lower case characters in your password.
For good, free, useful, and engaging security awareness guidance go to
I spent some time yesterday with the event director of another of my company's exhibition events: the Japanese Information Security Expo. This show exceeds Infosec Europe in scale, getting well over 100 thousand visitors over three days and covering a vast amount of floor space.
The seminar programme this year had a heavy focus on internal controls and web security with topics including dealing with information leaks, document security, forensics, and identity management.
The picture of the main seminar theatre above gives some indication of the scale of the event.
I was discussing with one of my local colleagues here in Tokyo the reasons why some major vendors were notable by their absence from the exhibitor list. His opinion was that many international companies, on first arriving in Japan, focus on and prioritise recruiting English-speaking employees without much attention as to whether those people understand the business or market they are being brought into. What is clear is that the European or American ways of doing business do not always translate very well to the Japanese way, and that an understanding of local culture is essential for success.
My visit to Tokyo is all too brief. I have some sightseeing time over the weekend before heading off to the next stop on my tour: see you in Shanghai!
I spent yesterday in the company of Jo Ellen Gryzyb and Doug Osbourne of Impact Factory on their excellent presentation skills course. The course was a revelation: rather than being a critique of any bad habits, the course focuses on existing strengths and provides a number of tools for making best use of them. I know that the next time I stand up in front of an audience I'll be able to talk with a lot more confidence and to far greater effect.
Good presentation skills are an important and valuable asset. Selling the benefits of an information security programme or project can be challenging, so it's good to be armed with a good set of techniques for getting the right messages across regardless of the audience or the amount of time available.
Here are my top five information security related blog posts of the moment:
1) ID theft – Facebook and MSN exploited by Kai Roer. This is a great example of a malware infection resulting in a compromised Facebook account and the resulting damage that can be done. There are plenty of other Facebook-related stories around at the moment, including this one from the BBC, who were able to create their own malware for compromising private data.
2) Stopping at compliance by Michael Farnham. Michael hits the nail on the head when he says "compliancy does NOT equal security." I couldn't have put it so well myself.
3) Evolving Schneier’s Security Mindset. An interesting discussion on the perception of risk. The question the risk analyst must answer, however, is really “What is *probable*?”. And we should really belabour the point that “What is probable?” is not just a “Can it be done?” question.
4) Swiss Army Knife – The Personal Portable Security Device posted by Mark Diodati. This discusses what is, from my point of view, an exciting new class of authentication product for the corporate network. Well worth reading about.
5) ROSI - Security Returns? by C Warren Axelrod. Interesting because I'm more likely to take an opposite stance and argue against trying to demonstrate an ROI for security related investments. Frankly, I don't think you can prove it.
Do you mind if I shamelessly promote my own organisation's products? Of course not, I hear you say. Good. In that case, if you haven't already been there, please browse across to www.infosec.co.uk, homepage of the InfoSec Europe exhibition and download the excellent podcasts.
The latest one is from Tony Neate of GetSafeOnline who discusses laptop security. Some good, common sense, food for thought guidance from Tony.
There are lots of blogs covering various aspects of information security. I thought I'd take a few minutes to list a few of the ones I frequently refer to and recommend them to you, in no particular order.
Anton Chuvakin at http://chuvakin.blogspot.com/. Anton is the self-styled "Security Warrior" and writes a very worthwhile blog.
Mark Curphey at http://securitybuddha.com/. Mark's been a bit quiet of late but his recent appointment as Head of Microsoft ACE Services in Europe means that when he does have something to say it's usually worth listening to...
Spire Security Viewpoint at http://spiresecurity.typepad.com/. A blog from Pete Lindstrom of Spire Security. Some good recent posts here.
Emergent Chaos at http://www.emergentchaos.com/. I see references to this blog all over the place, and for good reason, as there is always something interesting to read.
Gunnar Peterson at http://1raindrop.typepad.com/. Gunnar writes on various software security related subjects. Well worth a read.
Bruce Schneier at http://www.schneier.com/blog/. Few can match Bruce Schneier's reputation and credibility in the security industry. His blog is often self-righteous, but there's lots of good food for thought.
David Lacey at http://www.computerweekly.com/blogs/david_lacey/. I consider it a privilege to share blog space with David. Always informative and a source of inspiration for my own work.