Is this what your web application looks like?
So how many times have you been on a flight, probably on an international low-cost airline which is still using planes that your great grandpa used to fly back in the day and looked at that badly drawn safety card and wondered to yourself, “what does this mean?”
Fear not, they’re explained here.
Having seen many prison films over the years, I know one thing. Whether you’re innocent or not, the first day you get into prison, if you want to avoid being the soap picker you have to make an example out of someone. It could be fashioning a shank out of a biro and stabbing your cellmate several times in the neck, or biting the ear off a prison warden. This sends a message out to everyone else that you’re not someone to be messed with, and they will leave you alone for the duration of your stay.
Well, it so appears as if the UK’s Information Commissioner’s Office received the memo today. As of April 2010, they’ve had the power to impose penalties of up to £500,000 for serious breaches of the Data Protection Act (up from the previous maximum penalty of £5,000).
Come November, many of us were wondering if the commissioner actually had the coconuts to know what to do with their newfound power. I know of some security commentators who’ve been reluctant to believe they would ever fine anyone at all. But today, 24th November 2010, they unleashed their vengeance and furious anger on not one but two data leakers on the same day.
Hertfordshire County Council received the shank in the neck with a £100,000 fine for sending a fax to the wrong number (twice), and A4e were fined £60,000 for losing an unencrypted laptop which contained sensitive information.
So three cheers for the commissioner and for fighting the good security fight against these careless and sloppy organisations?
Simply fining organisations isn’t necessarily going to address the problem and gives little benefit other than filling the commissioner’s coffers. You still have data that has been lost which isn’t coming back, and no assurance that the same won’t happen again. But there appears to be a disturbing trend whereby governments, regulatory bodies and the like have agreed on a standard operating model, which is depicted below:
Don’t believe me? Why do you think PCI DSS is so widely feared and adhered to? Let me give you a hint, it’s not because people truly believe in the security values it stands for.
Sarbanes Oxley, an almost bottomless pit of money poured into achieving compliance.
And then we wonder why people view security in a negative light. It’s because all they ever hear is do this or you’ll get fined, do that or you’ll be sent to jail, threats threats threats. It’s all about negative threats.
I’m not saying that governing bodies or professional certifications are completely useless. It’s just that you can’t go around milking the information security cash cow forever, and there’s more to it than just scaring people. Information security isn’t the most complicated thing on the planet; a lot of it is common sense. You just need to identify the critical bits of information, make sure only the people who need it can access it for legitimate purposes, and once the information is no longer needed, destroy it.
If our regulatory bodies actually tried helping by making security easy to understand and accessible to all companies, there would probably be a much greater benefit to all. Or an even more radical approach would be to, say, where a company hasn’t encrypted their laptops, force them to spend the money on rolling out encryption and performing a proper security assessment of their controls and how they handle data.
But then again they wouldn’t make much money if they did that.
There are hundreds if not thousands of “Indian restaurants” dotted around London. However, we all know that most of these places are not owned or run by Indians at all. You have a large number of Bangladeshis or Pakistanis owning and managing these establishments. But for convenience there’s an unspoken rule that the owners will advertise their food as “Indian cuisine” and customers will always refer to it as going out for an Indian.
By and large, it is somewhat irrelevant whether you’re eating a genuine Indian meal or not. You just look for one that will fill you up and not burn your insides.
The same traits are displayed when organisations set out to hire an infosec consultancy. There are many consultancies out there. Most of them aren’t even really geared towards security, which results in your organisation’s intestines exploding and an empty wallet.
So, to help you out, here are some things to consider when choosing an infosec consultancy:
Know what you want
First off you need to decide why you actually need an infosec consultancy. Is it because the work can’t be done in-house? Or there are confidentiality issues? Or someone at the golf course just mentioned how their infosec team can sort out all of your problems?
Granted there are some people who agree with that statement. They’re the type of people who will view their employer as extended family and will normally be the ones making that statement.
But if you’re like the rest of the population who wish you had a bit of extra cash at the end of the month, you’d probably want to slap them upside the head for making such a statement.
Ultimately, it all boils down to how much money you get. Sure, paid holidays and sick days have a value. But does 25 days holiday equate to £15k less a year? Probably not. Which is why so many people move for more money or alternatively go contracting.
It’s simple, we want to maximise our earning potential and realise tangible benefits. It’s like we’re our own individual business. We have income and outgoings and a certain amount of resource. So we manage as best as we can.
I was going to write about something else, but that couldn’t have been too important because I’ve forgotten what it was. Strange how that happens. What seems important one moment is trivial the next. One day USB encryption is the current flavour and the next day it’s all about Trojans.
So what are security departments doing all the time? One thing they do quite a lot of is keeping up with the Joneses.
Like most social rituals, I’m not sure how the whole phenomenon of keeping up with the Joneses started. Someone can probably trace it back to caveman times, where Mr Caveman saw that another had a nice-looking club, so set out to carve himself a more impressive one. Being the proud owner of a far superior club, Mr Caveman could look down on his neighbour. Not only that, he could probably find that he became a far better hunter because of his better-formed club. Naturally, being a better hunter would mean that he would attract the best-looking cavewomen and have the most children, hence contributing greatly to the gene pool… all because he thought his neighbour had a better-looking club.
So companies spend countless hours writing their security policies, and this isn’t an easy task. Each policy has to be drafted, proofread, re-drafted, re-proofread and then published. It’s at this point that the real fun begins, where users have to be educated in the ways of the new policy. Gap analyses have to be conducted and new baselines set.
Then, just as it’s all beginning to make some sense… it’s time to re-draft your security policies.
Of course, work like this guarantees that policy-writing consultants can make their monthly mortgage payments, but it does seem like a lot of effort. Therefore, I’ve been doing some of my own research into what would be the best way to write a security policy that would withstand the test of time.
After spending many hours researching the best authors on the planet, I finally found the answer in Divine texts. Yes, you see, Holy books have been around for centuries and act as a policy, guiding its followers towards the truth. For one to truly make the ultimate security policy, one must follow the logic such as is used in the Bible.
Follow these simple steps to make your own physical manifestation of your company’s security word!
Rule one: Paradoxes
The only way your policy can be successful is if it cannot be disproved. The only way to make sure this can’t happen is to build a few logical dead ends. By suggesting that your CISO is always right, you get people pointing at hackers and environmentalists. You should instead say that your company is always going to test their employees. Have your CISO always answer questions with a question.
In my daily research I come across many different types of photos; some are sent through to me and some I create myself. So for your amusement, here are some of the best this week.
Geek Gang Signs:
So, should Twitter be treated the same as other social networking websites? I mean, a lot of companies don’t allow their staff to use Twitter. Their whole risk assessment is based upon issues such as information leaking out of the company, 140 characters at a time. But that’s just lazy risk assessment. The real dangers of Twitter are far beyond that. Using the world-renowned Infosec Cynic methodology ©, here are some of the threats posed by Twitter.
1. Faking Sick
Ask any HR droid and the one thing that vexes them the most is slacker employees faking sick days and wasting valuable company time and money. Here’s how the employee normally pulls it off:
Let’s say they are going to go out on a Thursday and will be in no condition to work on Friday. It starts out with a few Tweets Thursday morning about how excited they are for the Thursday night event. At 5:00pm they Tweet that they aren’t feeling so hot. At 9:00pm when they are getting ready to head out, they Tweet that they just puked. There is usually no more Tweeting for the next 12 hours and when they call in sick the next morning, the sympathetic boss will say that they caught the Tweets and wish the employee better.
I don’t have the calculations, but I believe one can easily make the case that this results in 3 million lost days of productivity a year.
Every organisation has one. The ones that don’t definitely need one. We’re talking about a Chief Information Security Officer: the alpha dog of security professionals within any given organisation. The person who sits on the board and convinces all those other executives to make sure the company protects its own and its customers’ information.
It’s not compulsory that the CISO comes from an information security background. But they should have a good awareness of what infosec is and have a competent team of infosec professionals working for them.
Looking through LinkedIn, it seems CISOs are a dime a dozen. How do young, budding CISOs looking to differentiate themselves from the rest of the pack become a true badass CISO? If you want to know, simply follow these tips:
No one would ever suspect that a religious leader would be a bad CISO. This identity will allow you to hide your flaws AND persecute others who are brave enough to question your leadership. Be careful about over-persecution… you don’t want someone to really call you out to a fist fight.
2. Wear Jeans
First things first, you gotta ditch those women’s clothes sold as men’s clothes that you get from GAP, Top Man etc. They’re made for a specific type of man, generally those who want to attract the attention of another man. Secondly, you want to stand out, right? Make your own rules; don’t wait for Jeans for Genes Day to wear yours. Rugged, ripped jeans show a real CISO is too cool for any other clothes.