My New Year's Resolution

by javvad Malik with no comments

The New Year is always a good time to wipe the slate clean and start afresh. On a personal level many of us vow to make big changes in our lives. Spend more time with the family, lose weight, climb that mountain we’ve always wanted to climb and so on.

This year however, I’ve decided that I should make some specific professional resolutions with regards to information security.

Once I sat down to think about it, I realised it wasn’t an easy task. In order to make a resolution, you have to first admit there is a deficiency that needs correcting to begin with. So when someone asks you “what’s your resolution” what you’re really telling them is what you think is wrong with you.

Information security is not unlike most professional industries. Whenever anything goes wrong, it’s never really our fault. With a large number of people to point the finger at, it’s almost too easy to shift the blame. If there’s a security breach, you can blame the “lazy” developer for coding it wrong, the “incompetent” IT department for not patching it on time, the “ignorant” manager for not doing anything with the risk report you issued them with, or if all else fails, simply blame the “dumb” user.

So, this year, I’d like to set off on a more positive and accountable route. Not just personally, but hopefully something that my friends and colleagues in information security will also adopt:

If you’ve heard me talk about security but still don’t think it’s important.

That’s my fault not yours.

If you’ve seen my solution but don’t endorse it.

Then I haven't understood your problem correctly.

If you're bored of my presentation.

That’s due to my lack of passion and engagement.

If I fail to persuade you to implement a policy.

That’s my fault too.

If a system is so secure it reduces your efficiency.

Then I need to design solutions that meet your business needs.

Wishing you a happy and prosperous 2011.

filed under Security

A New Year's message

by javvad Malik with no comments

As 2010 draws to a close, rather than send loads of cards, what better way to remind all your friends that you're thinking of them as the calendar changes to 2011? So I've invested in the latest technology, hired stuntmen, rigged explosions and brought you the best New Year video ever made…

filed under Video

A look back at 2010

by javvad Malik with 1 comment

I wasn't going to write anything about this year in terms of a recap or future predictions, purely because everyone seems to do it and it becomes a bit repetitive.

But I saw this Google video of the year in perspective and thought it’s worth sharing. – Enjoy.

filed under Video

UFC 124

by javvad Malik with no comments

I’ve had a pretty bad run of predicting UFC fights lately and it seemed like lady luck was against me. First Brock Lesnar got absolutely demolished and then Matt Hughes. If there was a slight silver lining it was that Rampage Jackson beat Lyoto Machida (barely).

But this weekend made up for all of it as Georges St-Pierre methodically took apart Josh Koscheck en route to a near-perfect victory. People may complain that Georges wasn't able to finish Josh, but personally nothing was more satisfying than seeing Josh getting punched repeatedly in the right eye for the full 25 minutes.

What a great early Christmas present!


I could tell you there were other fights on the card, but I honestly can’t remember any of them.

PS. Get healed up soon Josh. We need someone to root against in our fights :)

filed under Uncategorized

10 types of managers to avoid

by javvad Malik with 2 comments

As the old saying goes, you can't choose your family, but you can choose your friends. I'm not sure which category managers fall into. On one hand they are thrust upon you by the organisation, "ye shall report to thee", and you have no say in the matter. On the other hand the counter-argument is: just change jobs.

But whilst you're pondering over whether a manager is like family or a friend, let's look at 10 types of managers we'd rather not work for.

10. Nothing’s good enough

You know the type, whatever you deliver is not good enough. It’s too soon, it’s too late, not enough words or not enough pie charts. Avoid him like the plague or sit in a purgatory of endless document revisions.

9. The reject

He's the guy who seems normal enough until you try to go for a promotion. You realise he's the guy who went for the job above him but got rejected, and hence is begrudgingly doing his role managing you, whereas he could have been so much higher up the food chain. Expect to listen to plenty of sob stories of how he was wronged and how his superiors are all as corrupt as FIFA officials. He will wear you down and drain you of all enthusiasm and talent.


filed under Uncategorized

Random Security Picture

by javvad Malik with 1 comment

Is this what your web application looks like?


filed under Security

In flight safety card – what they really mean

by javvad Malik with 1 comment

So how many times have you been on a flight, probably on an international low-cost airline which is still using planes that your great-grandpa used to fly back in the day, looked at that badly drawn safety card and wondered to yourself, "what does this mean?"

Fear not, they’re explained here.




filed under Uncategorized

My my commissioner, what nice teeth you have

by javvad Malik with 1 comment

Having seen many prison films over the years, I know one thing. Whether you're innocent or not, on the first day you get into prison, if you want to avoid being the soap picker you have to make an example out of someone. It could be fashioning a shank out of a biro and stabbing your cellmate in the neck several times, or biting the ear off a prison warden. This sends a message out to everyone else that you're not someone to be messed with, and they will leave you alone for the duration of your stay.

Well, today it appears the UK's Information Commissioner's Office received the memo. As of April 2010, they've had the power to impose penalties of up to £500,000 for serious breaches of the Data Protection Act (up from the previous penalty of £5,000).

Come November and many of us were wondering if the commissioner actually had the coconuts to know what to do with their newfound power. I know of some security commentators who've been reluctant to believe they would ever fine anyone at all. But today, 24th November 2010, they unleashed their vengeance and furious anger on not 1 but 2 data leakers on the same day.

Hertfordshire County Council received the shank in the neck with a £100,000 fine for sending a fax to the wrong number (twice), and A4e was fined £60,000 for losing an unencrypted laptop which contained sensitive information.

So three cheers for the commissioner and for fighting the good security fight against these careless and sloppy organisations?

Not really.

Simply fining organisations isn't necessarily going to address the problem and gives little benefit other than filling the commissioner's coffers. You still have data that has been lost which isn't coming back, and no assurance that the same won't happen again. But there appears to be a disturbing trend whereby governments, regulatory bodies and the like have agreed on a standard operating model, which is depicted below:


Don’t believe me? Why do you think PCI DSS is so widely feared and adhered to? Let me give you a hint, it’s not because people truly believe in the security values it stands for.

Sarbanes-Oxley: an almost bottomless pit of money poured into achieving compliance.

And then we wonder why people view security in a negative light. It’s because all they ever hear is do this or you’ll get fined, do that or you’ll be sent to jail, threats threats threats. It’s all about negative threats.

I'm not saying that governing bodies or professional certifications are completely useless. It's just that you can't go around milking the information security cash cow forever, and there's more to it than just scaring people. Information security isn't the most complicated thing on the planet; a lot of it is common sense. You just need to identify the critical bits of information, make sure only the people who need them can access them for legitimate purposes, and once the information is no longer needed, destroy it.

If our regulatory bodies actually tried helping by making security easy to understand and accessible to all companies, there would probably be a much greater benefit to all. Or an even more radical approach would be, say, where a company hasn't encrypted its laptops, to force it to spend that money on rolling out encryption and performing a proper security assessment of its controls and how it handles data.

But then again they wouldn't make much money if they did that.

filed under Security

Choosing a security consultancy

by javvad Malik with 1 comment


There are hundreds if not thousands of "Indian restaurants" dotted around London. However, we all know that most of these places are not owned or run by Indians at all. A large number of Bangladeshis or Pakistanis own and manage these establishments. But for convenience there's an unspoken rule that the owners will advertise their food as "Indian cuisine" and customers will always refer to it as going out for an Indian.

By and large, it is somewhat irrelevant whether you’re eating a genuine Indian meal or not. You just look for one that will fill you up and not burn your insides.

The same traits are displayed when organisations set out to hire an infosec consultancy. There are many consultancies out there. Most of them aren't even really geared towards security, which results in your organisation's intestines exploding and an empty wallet.

So, to help you out, here are some things to consider when choosing an infosec consultancy:

Know what you want

First off you need to decide why you actually need an infosec consultancy. Is it because the work can’t be done in-house? Or there are confidentiality issues? Or someone at the golf course just mentioned how their infosec team can sort out all of your problems?


filed under Security

It’s more than your salary

by javvad Malik with no comments

How many times has someone tried to employ you with the line "There are other things to consider outside of your salary!"?

Granted, there are some people who agree with that statement. They're the type of people who view their employer as extended family, and they will normally be the ones making that statement.

But if you’re like the rest of the population who wish you had a bit of extra cash at the end of the month, you’d probably want to slap them upside the head for making such a statement.

Ultimately, it all boils down to how much money you get. Sure, paid holidays and sick days have a value. But does 25 days holiday equate to £15k less a year? Probably not. Which is why so many people move for more money or alternatively go contracting.

It’s simple, we want to maximise our earning potential and realise tangible benefits. It’s like we’re our own individual business. We have income and outgoings and a certain amount of resource. So we manage as best as we can.


filed under Security