500 million accounts

I felt it was time to get back on the video saddle on a regular basis (famous last words). You can probably tell I’m rusty because the sound peaks are all off – I think the onboard mic on my Drift camera is a bit old.

But the big news has been around Yahoo and the massive breach. The first thing that came to my mind when reading about the breach was the fact that under a regulation like GDPR, there’s no way the details of the breach could have been kept hidden from the public for so long. According to article 33 – notification of a personal data breach to the supervisory authority,
  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
That’s right – 72 hours.
And GDPR is no little slap on the wrist. Under the regulation, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater.
Given that Yahoo’s 2015 revenue was reported as $4.968 billion (source: http://yahoo2015.tumblr.com), a 2% fine would represent $99,360,000 – yep, just over 99 million.
That should give every company facing GDPR implementation in 2018 reason to stop and think about the implications for itself.
Infosec Star

Being a RockStar isn’t easy. Just ask Nickelback, they’ve faced harsh criticism for many years… and for what?

But that’s a walk in the park compared to being an Infosec Star.
The Grand Canyon, Grand Roadtrip

There are two things I’ve been wanting to do for a while. One is to visit the Grand Canyon, and the second is to start a podcast.

Adrian and I have actually spoken about doing a podcast of sorts for a long time. We’ve even recorded 4 episodes, but each was considered inadequate for public consumption.

So, I ended up combining the two. We had a 4 hour drive ahead of us to go visit the Grand Canyon, which also served as a good opportunity for us to discuss important security topics, as we would on a podcast.

We either nailed it by creating the best of both worlds, or we failed at making a decent podcast and road trip video.

Regardless of how we did, I’m glad we took the time out to go visit the Grand Canyon. Pictures and videos do not do it justice – the sheer scale and natural beauty are awesome. Plus, it is a very welcome relief to leave the confines of Las Vegas during a conference.
It’s not about the technology

Excluding phones or tablets, I have four video cameras in total. A flip cam, a DSLR, a mirrorless camera and an action camera, the Drift HD Ghost.

Surprisingly, despite having a ton of really cool features in my other cameras, particularly the DSLR, I most frequently find myself reaching for my Drift.

It’s a rugged but basic camera: it has a fish-eye lens and that’s pretty much it. Aperture, shutter speed, ISO… none of that matters.

For all intents and purposes, one could say it’s a useless camera for making any video of significance. Unless you’re one of those crazy kids who likes to strap a camera to your forehead and then illegally climb cranes to hang from them with no safety harness. In which case it makes a pretty good case study on the reckless arrogance of youth.

In this short video I highlight a few of the memories I’ve been able to capture with this little camera, ranging from cycling, driving, days out with the family, holidays, conferences and a bunch of other activities.

The long-winded point that I’m trying to make is that the camera itself means very little when it comes to making a short video or telling a story. That’s all done by making sure you capture the shots to begin with and then stitching a narrative together in the edit.

You could give the best camera in the market to someone, but if they don’t have the mindset of capturing the right shots to edit later, then they’ll give you something that may as well have been shot on a potato.

This rings true when you compare it with what happens in information security. There is an almost blind race to go and buy the latest and greatest bit of security kit with little or no thought given to how it will be used or whether it is actually appropriate for the organisation’s needs.

The ugly underbelly of this is that there are lots of people who are very good at using or even creating tools or technologies, but who mistakenly believe the tool itself will solve all problems.

For example, there are certain tools that will help keep you private or anonymous on the internet. Encryption, Tor, Tails, etc. all come up when speaking of maintaining online security. However, these tools are just that – tools. Users themselves need to be educated in how to think and act in a more secure manner: what information is actually fine to share, and what should never be shared even with the protection of tools.

Many enterprises experience buyer’s remorse for this very reason. It’s not that enterprises shouldn’t invest in tools. But why invest in a SIEM when all you really need is a log management system?

Before investing in any tool or equipment, it makes sense to evaluate whether the lack of desired results really is down to a lack of tools, or whether the cause lies elsewhere. I know that if I had spent some time attending a video editing course, I would probably have avoided making some software purchases. Or bought fewer cameras.

This checklist of questions to ask yourself before investing in a tool may help:

1. Why
Are you clear on the reason why a particular product is being purchased? Does it align with your business needs? Is it actually a technology problem, or can it be solved by simply changing some internal processes?

2. Stakeholder support
Stakeholders should be engaged early and often. C-level acceptance should be as wide as possible and there should be a mutual acknowledgement of the security value that the product will provide.

3. Deployment plan
Do you have a detailed deployment plan prior to acquiring the product? Better results are often achieved via a phased approach that enables only a subset of features to begin with. Once it’s tested and proven, the scope and capabilities can be extended.

4. Out with the old
If you’re buying something to replace older or ageing technology, you should have a plan to retire the old technology and its associated business processes.

5. Verify product capabilities
Undertake a proof of concept or trial within your own environment to evaluate product capabilities outside of a test lab. Only then will you truly understand whether the product is an appropriate fit.

6. Negotiate
Do negotiate with your provider, not only on cost but also with regard to the training and support provided. Jeremiah Grossman recently wrote a good post on getting good deals from your security vendor.

7. Do your homework
This is a point that cannot be stated enough. Don’t just listen to one point of view to form your opinion. There are many hidden costs and challenges associated with acquiring, deploying and using any security product. Additional staffing requirements or training, among other things, are often overlooked.

Network with peers at conferences or online forums. Read independently written reports, reviews and blogs. Make sure you’re fully aware of what you’re committing to.

There you have it: what started out as a nostalgic look at my 3 year-old Drift HD Ghost has turned into 7 questions to ask yourself before buying a security tool.
How to have an epic RMISC experience

I made a short video on how to make the most of your time if you ever find yourself in Denver, CO for the Rocky Mountain Information Security Conference.

Of course, any conference experience is a lot more fun if you have some friends.

Which reminds me of a simple tip my friend Scott Thomas gave me at Defcon about 3 years ago.

I was walking down the corridor and saw Scott sitting on a bench, so I stopped to say hello and sat down next to him. I asked how things were going and he let out a slight sigh and motioned to the people walking past. He said that a lot of people seemed to be in a competition to quickly say hello to as many people as possible. Literally a quick handshake and exchange of pleasantries before going off to repeat the 30 second ritual with someone else.

Those Jerry Maguire words stuck with me, and I’ve found that simply stopping to have a 10-15 minute conversation with one person, or grabbing coffee with 2 or 3 people, can lead to a far better interaction. You get to understand what others work on, their experience, knowledge etc.

Ultimately, it boils down to what your objective is when attending a conference. For some people, attending talks or workshops is all they require. Myself, I value the networking opportunities and getting to meet and know other people. Others just want to attend the parties and collect swag… I guess there’s something for everyone.