Recently in Useful Links Category

Security predictions for 2009

I've hooked myself up to a device that administers a short, sharp, painful electric shock any time I get the urge to blog security predictions for 2009. There are plenty of others jotting down their own reckonings. Here are a few...

- 10 Security Predictions for 2009 from Channel Web

- 2009 Security Predictions on SANS

- Security Predictions: Experts look ahead at

- 7 Infosec Trends for 2009 from Rich Mogull

Fighting Death by PowerPoint

I like the irony of a 61 slide PowerPoint presentation about how to avoid Death by PowerPoint. Linked here from Colin Beveridge's excellent IT blog at

Death by PowerPoint

Threat reports: threats to credibility

What do you think the outcome would be if you put security experts from Symantec, McAfee, ISS, Secure Computing, and SPI Dynamics into the same room and asked them each what they'd like to see written into a report telling the world what the latest Cyber Security Threats are? The result is the GTISC Cyber Threats Report, a report with about as much credibility as if they'd held a seance or read palms in order to decide what to write.

Oh look, just by coincidence, between them all the experts present sell solutions for most of the problems being described. Now there's a thing!

The report has also been picked up by the BBC who see fit to publish this piece of FUD for consumption by the general public.

The industry is full of threat reports, statistics, white papers and experts galore employed by vendors to tell us what the threats are and what we need to be doing about them. "Buy more stuff - preferably our stuff. If you don't buy our stuff then don't be surprised to find you're stuffed!" The difficulty is not in deciphering what all this information is telling us but what it is not telling us. A salesman is hardly going to tell you what his product doesn't do.

Expert opinion such as that presented by the GTISC Cyber Threats Report is a waste of ink and paper. Want a decent opinion on what's important in security? Here are a few links for you:

IT Security: The view from here

Mike Rothman's Security Incite:

Jeremiah Grossman:

Info Security Advisor:

David Lacey:

Surfing Safer

An acquaintance is one of a team developing a new website - Surfing Safer - providing practical advice on security to home and business users.

It promises to be a useful companion to sites such as GetSafeOnline. For instance, where that one recommends you use a firewall, Surfing Safer will provide product reviews on which ones are best to use, written by people with experience of using them.

Visit the new website here:



Security Awareness - Don't make private business public

I've been watching a security awareness training video produced for a well known blue-chip company. It's appallingly bad. All the very worst Janet and John material that generally makes people's eyes glaze over and wonder whether they've left the gas on or have enough eggs left at home for an omelette.

Engaging with an uninterested audience and talking to them about security is difficult enough. Most would rather walk naked over burning coals on the mutilated and bloodied stumps of their feet than listen to somebody telling them to engage a screensaver whenever they get up to visit the lavatory.

Here's an engaging, and true, story. Yes, it really happened. In fact it happened this week to my wife, an employee of a well-known high street travel company, as she was enjoying a mug of hot chocolate in a Starbucks somewhere in Berkshire close to her branch office.

At the next table two ladies in power suits and heels were chatting over their skinny vanilla lattes (drinks have been changed to protect the innocent). Their conversation drifted across the tables and my wife was able to hear that they were discussing some career matters relating to a particular individual. It's a long story, and I won't go into all the gory detail, but it involved maternity leave, pay demands and various other unsavoury HR related things. Suddenly it dawned on her that the two ladies were a regional manager and an HR manager from my wife's own organisation and the subject of their discussion was her own manager in the local store.

Now, that is the sort of scenario I'd put into a security awareness video. Banged to rights, as they say. Of course, my wife, being ever so discreet, didn't tell anyone what she'd heard and I certainly won't say anything. So this is just between you and me.

From the Janet and John book of Information Security: If you have private business then do it in a private place otherwise consider it public. In my mind, that buys much more risk mitigation than using a combination of upper and lower case characters for your password.

For good, free, useful, and engaging security awareness guidance go to


Infosec Japan

I spent some time yesterday with the event director of another of my company's exhibition events: the Japanese Information Security Expo. This show exceeds Infosec Europe in scale, getting well over 100,000 visitors over three days and covering a vast amount of floor space.

The seminar programme this year had a heavy focus on internal controls and web security with topics including dealing with information leaks, document security, forensics, and identity management.

The picture of the main seminar theatre above gives some indication of the scale of the event.

I was discussing with one of my local colleagues here in Tokyo the reasons why some major vendors were noticeable in their absence from the exhibitor list. His opinion was that many international companies, on first arriving in Japan, focus on recruiting English-speaking employees without much attention to whether those people understand the business or market they are being brought into. What is clear is that the European or American ways of doing business do not always translate very well to the Japanese way, and that an understanding of local culture is essential for success.

My visit to Tokyo is all too brief. I have some sightseeing time over the weekend before heading off to the next stop on my tour: see you in Shanghai!

Impact Factory


I spent yesterday in the company of Jo Ellen Gryzyb and Doug Osbourne of Impact Factory on their excellent presentation skills course. The course was a revelation: rather than being a critique of any bad habits, the course focuses on existing strengths and provides a number of tools for making best use of them. I know that the next time I stand up in front of an audience I'll be able to talk with a lot more confidence and to far greater effect.

Good presentation skills are an important and valuable asset. Selling the benefits of an information security programme or project can be challenging, so it's good to be armed with a set of techniques for getting the right messages across regardless of audience or the amount of time available.

Top five information security blog posts


Here are my top five information security related blog posts of the moment:

1) ID theft – Facebook and MSN exploited by Kai Roer. This is a great example of a malware infection resulting in a compromised Facebook account and the resulting damage that can be done. There are plenty of other Facebook related stories around at the moment including this one from the BBC who were able to create their own malware for compromising private data.

2) Stopping at compliance by Michael Farnham. Michael hits the nail on the head when he says "compliancy does NOT equal security." I couldn't have put it so well myself.

3) Evolving Schneier's Security Mindset. An interesting discussion on the perception of risk. The question the risk analyst must answer, however, is really "What is *probable*?", and we should really belabour the point that "What is probable?" is not just a "Can it be done?" question.

4) Swiss Army Knife – The Personal Portable Security Device posted by Mark Diodati. This discusses what is, from my point of view, an exciting new class of authentication product for the corporate network. Well worth reading about.

5) ROSI - Security Returns? by C Warren Axelrod. Interesting because I'm more likely to take an opposite stance and argue against trying to demonstrate an ROI for security related investments. Frankly, I don't think you can prove it.

Infosec Podcasts


Do you mind if I shamelessly promote my own organisation's products? Of course not, I hear you say. Good. In that case, if you haven't already been there, please browse across to, homepage of the InfoSec Europe exhibition and download the excellent podcasts.

The latest one is from Tony Neate of GetSafeOnline who discusses laptop security. Some good, common sense, food for thought guidance from Tony.

Good blogs


There are lots of blogs covering various aspects of information security. I thought I'd take a few minutes to list a few of the ones I frequently refer to and recommend them to you - in no particular order.

Anton Chuvakin at Anton is the self-styled "Security Warrior" and writes a very worthwhile blog.

Mark Curphey at Mark's been a bit quiet of late but his recent appointment as Head of Microsoft ACE Services in Europe means that when he does have something to say it's usually worth listening to...

Spire Security Viewpoint at A blog from Pete Lindstrom of Spire Security. Some good recent posts here.

Emergent Chaos as I see references to this blog all over the place, and for good reason as there is always something interesting to read.

Gunnar Peterson at Gunnar writes on various software security related subjects. Well worth a read.

Bruce Schneier at Few can match Bruce Schneier's reputation and credibility in the security industry. His blog is often self-righteous but there's lots of good food for thought.

David Lacey at I consider it a privilege to share blog space with David. Always informative and a source of inspiration for my own work.