• It’s not about the technology

    Excluding phones or tablets, I have four video cameras in total. A flip cam, a DSLR, a mirrorless camera and an action camera, the Drift HD Ghost.

    Surprisingly, despite having a ton of really cool features in my other cameras, particularly the DSLR, I most frequently find myself reaching for my Drift.

    It’s a rugged, but basic camera, has a fish-eye lens and that’s pretty much it. Aperture, shutter speed, ISO… none of that matters.

    For all intents and purposes, one could say it’s a useless camera for making any video of significance. Unless you’re one of those crazy kids who likes to strap a camera to your forehead and then illegally climb cranes to hang from them with no safety harness. In which case it makes a pretty good case study on the reckless arrogance of youth.

    In this short video I highlight a few of the memories I’ve been able to capture with this little camera, ranging from cycling, driving, days out with the family, holidays, conferences and a bunch of other activities.

    The long-winded point that I’m trying to make is that the camera itself means very little when it comes to making a short video or telling a story. That’s all done by making sure you capture the shots to begin with and then stitching a narrative together in the edit.

    You could give the best camera in the market to someone, but if they don’t have the mindset of capturing the right shots to edit later, then they’ll give you something that may as well have been shot on a potato.

    A fact that rings true when you compare this to what happens in information security. There is an almost blind race to go and buy the latest and greatest bit of security kit, with little or no thought put into how it will be used or whether it is indeed appropriate for the organisation’s needs.

    The ugly underbelly of this is that there are lots of people who are very good at using or even creating tools or technologies, but who mistakenly believe the tool itself will solve all problems.

    For example, you have certain tools that will keep you private or anonymous on the internet. Encryption, Tor, Tails, etc. all come up when speaking of maintaining online security. However, these tools are just that – tools. Users themselves need to be educated in how to think and act in a more secure manner: what information is actually good to share, and what should never be shared even with the protection of tools.

    Many enterprises experience buyer’s remorse for this very reason. It’s not that enterprises shouldn’t invest in tools. But why invest in a SIEM when all you really need is a log management system?

    Before investing in any tool or equipment, it makes sense to evaluate whether the lack of desired results really is down to the lack of tools, or does it lie elsewhere? I know that if I had spent some time attending a video editing course, I would have probably avoided making some software purchases. Or bought fewer cameras.

    This checklist of questions to ask yourself before investing in a tool may help:

    1. Why
    Are you clear on the reason why a particular product is being purchased? Does it align to your business needs? Is it actually a technology problem, or can it be solved by simply changing some internal processes?

    2. Stakeholder support
    Stakeholders should be engaged early and often. C-level acceptance should be as wide as possible and there should be a mutual acknowledgement of the security value that the product will provide.

    3. Deployment plan
    Do you have a detailed deployment plan prior to acquiring the product? Better results are often achieved via a phased approach that enables only a subset of features to begin with. Once it’s tested and proven, the scope and capabilities can be extended.

    4. Out with the old
    If you’re buying something to replace older / ageing technology, you should have a plan to retire the old technology and its associated business processes.

    5. Verify product capabilities
    Undertake a proof of concept or trial within your own environment to evaluate product capabilities outside of a test lab. Only then will you truly understand whether the product is an appropriate fit.

    6. Negotiate
    Do negotiate with your provider. Not only for cost, but also with regards to the training or support provided. Jeremiah Grossman recently wrote a good post on getting good deals from your security vendor.

    7. Do your homework
    This is a point that cannot be stated enough. Don’t just listen to one point of view to form your opinion. There are many hidden costs and challenges associated with acquiring, deploying and using any security product. Additional staffing requirements or training are often overlooked amongst other things.

    Network with peers at conferences or online forums. Read independently written reports, reviews and blogs. Make sure you’re fully aware of what you’re committing to.

    There you have it: what started out as a nostalgic look at my 3-year-old Drift HD Ghost has turned into 7 questions to ask yourself before buying a security tool.

  • Things I hearted last week

    For the week ending Friday 20th May 2016

    CESG’s password guidance advises against password expiry. Grab some popcorn and let the debates rage on.

    Stuart Winter-Tear gives an overview of the new General Data Protection Regulation (GDPR) and profiling.

    Dr Jessica Barker never fails to bring a unique perspective, particularly when it comes to the human side of security and the industry. In this post, Jessica addresses the issue of imposter syndrome within the security industry.

    Giving Red-teamers the blues. 

    If you know Steve Lord, then you know this is the most Steve-Lordesque article ever: he created a bot to do all the swiping on Tinder for him, with the inevitable results.

    Before you buy your next IT Security product, stop and read this post by Jeremiah Grossman which gives 7 tips to get the absolute best price from security vendors.

    This is a cool website which gives an interactive open source intelligence (OSINT) framework – prepare to lose hours!

    Snake oil salesmen on Kickstarter are nothing new. But when you kick the infosec hornets’ nest, prepare to be called out. Colin Keigher does a thorough job of exposing MyDataAngel.

    Google supercharges machine learning tasks with TPU custom chip.

    The hacker behind the Hacking Team hack released a how-to video, in which they hit a police union.

    How Iraq turned off the internet.

    CSO has a piece on why CISO is the hardest tech role to fill.

    An example of the entertainment industry abusing the copyright system. It’s almost comical.

    This is awesome and hilarious! Reverse engineering a mysterious UDP stream in my hotel.

    Sneaky! Uber knows customers with dying batteries are more likely to accept surge pricing.

    F-Secure posted a blog on how AntiVirus works and the fact that it does more than checking hashes or signatures.