J4vv4D

The Cynic’s guide to ISO27001

by javvad Malik with no comments

Nearly every security practitioner is familiar with the ISO27001 standard for information security. A lot of companies base their internal security policies on it and third parties use certification to it as a gold standard.

But what do the statements, recommendations and controls actually mean? Working for very large organisations, I learnt them to mean something very different from what I suppose they were intended to, and now that I am no longer a practitioner and the 2005 standard has been replaced by the 2013 version, I thought it would be a good time to share some of my internal thoughts.

I’d also like to thank Brian Honan for his help in putting this together – if anyone understands security standards, it’s Brian.


The Cynic’s Guide to ISO27001:2005

The meaning behind the requirements

A.5 Security Policy

Objective: To state the bleeding obvious.

A.5.1.1 – Information security policy document

To set the reader’s expectations, the standard requires the security policy to be documented. That’s right, you need an actual policy document.

The standard doesn’t define what the policy must be written on, so you could harness your inner Moses and etch it out on stone tablets. Or alternatively record it on a tapestry, which would be far more artistic and you’ve got more chance of someone reading it.

A.5.1.2 – Review of the information security policy 

No-one has ever made money by selling something only once. Just ask any network marketer caught up in a pyramid selling scheme. The only way you make any real money is through repeat sales to family members who don’t have the heart to tell you they don’t need any more water filters.

Similarly, for a security policy to remain relevant, you need to ensure your policy is reviewed frequently; generating enough money to fuel the ever-growing population of security professionals wanting to leech off your company profits.

A.6 Organisation of information security

A.6.1 Internal organisation

Objective: Keep your glass house in order before you collect some stones

A.6.1.1 – Management commitment to information security

Managers have a lot on their plate. In between the meetings, listening to their staff’s personal problems and trying to generate more profit, they must show an unwavering commitment to information security.

Like most great ambitions, there is no way of measuring just how committed a manager is to information security. I’ve always been a bit of a Jack Bauer fan, and how a bit of quick torture seems to resolve all issues. So next time you’re recruiting a manager, try electrocuting them for a little while. If they give up their mother’s maiden name too quickly, you know they just aren’t cut out for management.

A.6.1.2 – Information security co-ordination

filed under blog

(ISC)2 Congress 2014

by javvad Malik with no comments

This year’s (ISC)2 congress was held in Atlanta, GA. I’d heard of Atlanta being referred to as ‘Hotlanta’ and was warned of the humidity that prevails, but fortunately I caught it at the right time of year where the weather was quite pleasant.

The conference itself appears to have grown quite significantly over the last two years; even with 9 concurrent tracks running, each room seemed to be well-attended (or maybe I only attended the well-attended ones). But despite its growth, Congress is still overshadowed by the gigantic ASIS, which draws in excess of 25,000 attendees and exhibitors with cool robots, bulletproof cases, trained dogs and vehicle stop equipment amongst others.

As with most conferences, it’s a time to catch up with old faces and connect with new people too.

Selfie in a lift featuring Dave Lewis, Rae Hayward, Raj Goel, Trey Ford, Wim Remes, the top of my head and a hidden James McQuiggan

The talks themselves were of a high standard – I guess that’s the impression you’re left with when the first talk you catch is Chris Nickerson’s talk which is always informative and engaging and helps break out from the ‘IT-only’ mindset into the physical world of red teaming.

Another great talk was delivered by Dave Lewis regarding security risks in the supply chain. Having spent many a year in a previous life working on third party risk, I was pretty sure this would be an academic talk covering the basics – which isn’t a bad thing. However, what I was met with was an hour of anecdotes, war stories and dynamic presenting that reinforced some of my beliefs whilst leaving me thankful that I didn’t have it half as bad as some people.

Alex Pinto and Dave “I’m not Colin Farrell” Lewis

I’ve been following the work of Alex Pinto and Kyle Maxwell with regards to their MLSec project around machine learning security, so I was delighted to be able to not only meet Alex, but hear his talk on threat intelligence. Alex is a person who is extremely friendly, approachable and likeable… but at the same time scarily clever. His talk laid out some very solid concepts around threat intelligence and made some great points around capability and intent, signatures vs indicators, data vs intelligence, tactical vs strategic and atomic vs composite.

He also presented a high level breakdown of what data is within a feed, how much overlap exists between various feeds, what kinds of data are easily available and what is more reliable.

Tony Vargas hosted several panels. I was able to attend the ones on DevOps and business skills for security. Both were well-attended and Tony always does a great job as moderator – inviting comment and discussion from the audience during the sessions.

The last talk I attended was by Winn Schwartau entitled ‘why security awareness programmes fail’. Winn is a great character and if you’ve never met him or seen him present you really are missing out. He rattled off a list of how to make an ineffective awareness programme which included great nuggets such as, ‘it must be boring’, ‘never use humour’, ‘let the CISO into the production process’ and to ‘use threats and give orders.’

A rare sighting of Anthony Freed in a suit!

There were plenty of other talks, but these stuck out in my mind. I’m pretty sure all talks were recorded and will be made available at some point, including mine.

Every year the ASIS presidential reception is held at a nice venue – and this year was no exception, with it being hosted at the aquarium. (ISC)2 held the ISLA awards at the Hard Rock Café, which turned out to be a very fun and chilled out event. It was heartwarming to see an emotional Tony Vargas get an award in recognition of all his efforts, and you could tell how much it meant to him as he was lost for words for the first time in his life!

Perhaps the most enjoyable event of the week was the (ISC)2 member reception, which allowed everyone to network whilst sampling some fine food and engaging in some games such as pool, a giant Connect 4 and also some retro video games. Raj Goel introduced me to ‘Cards Against Humanity’, a game that can be so offensive yet addictive at the same time.

On the last day I took a Segway tour through Atlanta which was very nice as there’s a lot of civil rights history in the town of Martin Luther King Jr. I also managed to take a trip to CNN and check out some of what they get up to and drool over all the equipment they have.

filed under Video

An Article about Information Security Articles

by Thom Langford with no comments

Edit: Despite almost qualifying as a senior citizen, my award-winning friend Thom Langford agreed to write me a guest post (seeing as he writes guest posts for everyone else). I did not impose any conditions except that the topic be relevant and not self-serving in the slightest.


I found myself writing an article that I didn’t have the time or inclination to write the other day; it actually came out well and was commented upon by a number of people in a favourable light, so I hope it was of some value to its audience. However, the difficulty was that I wrote it in exchange (albeit in jest) for someone to support my nomination for an upcoming award.

“Immoral!” I hear you cry. “Unethical!” you wail. Well, I disagree because I was carrying out an activity for a friend who I know and trust, an activity that I regularly do for free elsewhere, and to be honest I think he would have voted for me anyway.

But it made me think about the sheer volume of information security writing that I see out there from the various bloggers, pundits and professionals. These are not journalists who are paid to write every day, but people often in high level positions who are not time rich but are still able to produce volumes of words that would put Salman Rushdie to shame. How do we ensure that our nominated spokespeople are true to their ethical commitments?

We should question the motives and therefore the content of such work; was it written to someone else’s agenda in exchange for something else such as a free dinner or even votes? Was it actually written by them in the first place, or has it been presented as researched fact when actually it was just a small idea that came to them as they sat on the toilet reading Dilbert?

Many of us, myself included, will eagerly await the next blog or article from someone as it gives me an opportunity to learn in an unbiased and open manner. I can see the inner workings of an organization, or the prevailing attitudes amongst the rockstars of the industry, and apply them (or not) to my own industry outlook. But if these opinions are being formed elsewhere, or influenced by vendors seeking sales, the benefits gained from that article are skewed and devalued. What if the writer simply wanted to artificially raise their profile to secure more votes for a nomination, for instance?

I certainly won’t name names here, but I would urge all of you to read between the lines, look for patterns where vendors and other third parties may be present, make up your own minds and vote with your browsers.

(Pretty sure I didn’t mention I am up for an award, which you can vote on here.)

*NOTE: Thom Langford wrote this article entirely of his own volition and was not encouraged to do so in order to secure more votes for the award he is nominated for. He is a staunch supporter of the ethics and morals of the Information Security industry.

filed under blog

Photos in the cloud

by javvad Malik with no comments

We put ‘stuff’ in the cloud all the time – and most of the time, that’s perfectly fine because there aren’t any state secrets or self-incriminating evidence contained. The convenience factor it offers typically outweighs the risks.

Having said that, it’s always worthwhile evaluating the risks – in particular when using photo backups from your phone. Two things worth considering for cloud-based services or websites (if available) are to turn on notifications and two factor authentication. Jerry Gamblin has compiled a handy list of popular services where you can enable 2fa.

filed under Video

Vegas from afar

by javvad Malik with no comments

One of the rules from our Infosec Rockstar video was that even if you can’t attend a con, you should tweet as if you’re there. Well, I kind of messed up on that tweeting part – but despite me not being at Bsides, Blackhat or Defcon this week, I’ve been living vicariously through the tweets of others.

Speaking of the Rockstar video, SpaceRogue brought this to my attention!

Whoever you people are… STOP!

Throughout the week Pilgrim really captured the essence of being there with tweets and retweets that evoked mixed feelings where I felt like I was missing out, but somewhat glad I was missing out, if you know what I mean.

From a technical perspective, the social medias were abuzz with Dan Geer’s keynote talk from BlackHat. Which means:
  1. The keynote was really good.
  2. His talk contained perfectly placed twitter-friendly soundbites.
  3. All the ‘noisy’ tweeters attended his talk.
I guess you can read a transcript of the talk and judge for yourself – http://geer.tinho.net/geer.blackhat.6viii14.txt

Finally, the coolest, in a classic old skool anti-hackery-hack thingy, was without a doubt Wesley McGrew’s Pineapple pawnage.

Which, kids, is the moral of the story. A lot of cool tools, software and hardware exist to help automate tests by taking the complexity out of it all. But that doesn’t mean you shouldn’t try to understand how it works – or at least recognise the fact that your tool can itself be manipulated to work against you… particularly at a con where most people will know more than you.

Stay secure my friends.

filed under blog

A recap for Eve and Gillis

by javvad Malik with 1 comment

I often shoot myself in the foot by agreeing to do things and then realizing they eat up a lot more of my time than I’d originally anticipated, which is why I haven’t been blogging or making videos much recently.

Some of the things that have been consuming my life lately have included (cue fast-paced soundtrack)

I travelled to Las Vegas to attend Guidance Software’s CEIC conference.

I must say, Vegas is very different outside of Blackhat / Defcon / Bsides season and I did miss seeing an ocean of black shirts and wonderful hair styles. Although I did get to find a shisha bar – so it wasn’t all bad.

For non-shisha related news, my 451 Research colleague David Horrigan and I co-wrote a writeup on the conference which can be obtained here free of charge and registration.

Oh, and I also got to hang out with the good Doctor Krypt3ia

In June, the good folk at Eskenzi held their annual event. The first day consists of analyst / vendor meetings where I got to speed date a whole host of vendors. The second day consisted of a CISO roundtable – which in theory should have played out like the Hunger Games. Three sides converged, CISOs, vendors and analysts – I was hoping for fireworks, nasty comments and backhanded digs. But this is London and despite the efforts of some of our American guests, the proceedings remained rather civilized.


And I got to hang out with and pick the brilliant mind of Mike Rothman.

The next day it was the RANTConference – where I donned my Host Unknown mask. We had a great time, and my nail file swag was definitely the highlight. You can see the video here: http://youtu.be/XlhgKlmc7K8?list=UUTwY3LNRujMskBDbQvKoiBw

ACG put on their London conference. It was the first time I’d attended an ACG and it was extremely good. I was lucky to moderate a panel entitled, “is Anti Virus dead?” – the summary outcome was ‘yes’.

There was the inaugural Bsides Manchester which was brilliant. Matt Summers, who was instrumental in setting up the first Bsides London, invited me to MC the main track and I couldn’t say no to him. After all, he’s the man who imported Bsides into the UK… he’s kind of like Jack Daniel, except younger, with no facial hair, not as much style, class or interesting… but you get the idea. It did afford me the luxury of getting selfies from the front whenever I wanted.

As the old adage goes, you wait for one new and cool conference up north and suddenly you get two. Steelcon was held in Sheffield and organised by Robin Wood. This was a special conference for me as not only was it the first time that I’d been invited to give the opening keynote – but I was invited to deliver it along with my daughter, Girl Cynic. I’ve been meaning to put up a video of our experience which I may do so in the future, but suffice to say it went well. There was a kid’s track which the children all seemed to really enjoy and the whole day was really well put together.

My final trip came a couple of weeks ago when I attended McAfee’s analyst event in Amsterdam. It was an enjoyable whirlwind 36 hours in the Dam, where I got to spend some time with the ever-elusive Raj Samani.

So with all these events and travelling happening in the last few months – I had to tap out and not go to Blackhat, Defcon or BsidesLV this year. Maybe now Eve and Gillis will stop this online campaign of terror! :)


filed under blog

Interview with the BatCISO

by javvad Malik with no comments

With so many breaches occurring on a regular basis, perhaps it’s time for a new kind of CISO. A Bat CISO!

filed under Video

Infosec conferences – client side vs server side

by javvad Malik with no comments

Because infosec has cured cancer, ended poverty and created a utopian paradise that the villain in Demolition Man could only dream of – the industry often finds itself trying to fix the really big issues, via Twitter and other social media platforms as well as within the hallways of conferences, as to what is wrong with the infosec conference scene.

A few suggestions have been thrown out about what can be done to remedy the problem and what the ideal number and style of infosec conferences look like.

Haroon Meer gave a very good talk (as always) during his 44con keynote last year.

The infinitely quotable Grugq posted a thought-dump on the issue and most recently, Rob Fuller commented on the role alcohol plays within the infosec conference scene which caused a firestorm of opinions to rain down from all sides.

Of course, those aren’t the only opinions in this space – we often also get the chance to grab some popcorn and witness some absolutely mind-blowingly epic micro-movements which generate dialogue that Simon Pegg would be proud to have penned himself. Examples include

  • Banning of booth babes
  • Expensive ticket prices
  • Not enough free caffeine
  • Too much free caffeine
  • Vendor parties
  • My talk not getting accepted

Not to belittle some of these issues, I mean I know how cranky I get without caffeine, but the problem is that these are what I’d call “server side” issues that are primarily up to conference organizers to address and resolve. Average attendees have little say or influence in how conferences are run – so what can you, as an average attendee, do in order to maximise your chances of having a fruitful and useful experience?

It’s like me complaining that the luggage allowance on flights isn’t enough, or that there isn’t enough legroom in economy. Sure, they are valid complaints that need the U.N. to get involved, but these can only be fixed by the airlines and not by the passengers. On the other hand, you can make your flight a much more pleasant experience by simply investing in luggage bags which meet the airline’s dimensions and a bottle of sleeping pills.

Until a couple of years ago I wasn’t a regular conference goer. However, in my job as an international analyst, my job revolves around me going to quite a few conferences. At first it sounded like the ideal job, but my boss did warn me it would take all the fun out of going to cons… and she was right. So, I’ve adopted a bunch of activities that try to make cons a better experience for me. In other words, these are some of the ‘client-side’ changes I’ve made.

1. Book early

There’s something quite heroic about booking a last minute flight, not knowing if you’re going to get to the airport, sharing tweets with the world letting them know how you like to live dangerously and always on the edge. In reality though, few things are worse than booking late to find all the nearby and good quality hotels have been taken, leaving you across town in a seedy part of town. Sure, it may allow you to experience some of the local culture, but I prefer to conserve as much energy as possible – it’s a marathon and nothing is worse than my short legs having to carry me halfway across town to walk all day at a conference.

Less walking, less tiredness = happier conference goer.

filed under blog

Security and the cobra effect

by javvad Malik with no comments

Some people just want to watch the world burn. Others just want to give bad security advice. Check out Troy Hunt’s blog post on the matter.

filed under blog, Video

The CISSP companion handbook: A collection of tales, experiences and straight up fabrications fitted into the 10 CISSP domains of information security

by javvad Malik with no comments

I didn’t write the book, the book wrote me. Which is kind of true because I kind of wrote a lot of stuff independently and then combined it with some of my old notes that I took whilst preparing for the exam and scoured through old emails for the rest.


It’s definitely not something that will help you pass the test, but the idea was simple: to give a perspective and some real-life stories on how the knowledge pans out.

Ben Rothke kindly took the time to read and review the book, so that should give you some ideas as to what it’s all about.


If you want to get your hands on a copy, then it’s virtual only from Amazon’s UK, US and other stores.


If you’re a publisher or in a similar line of work and would like a review copy, get in touch via email, javvad<at>j4vv4d.com.


filed under blog