Speaking and Conferences

Webinars and Lectures

Wendy will be participating in the February ISACA webinar (hosted by BrightTalk).

Forthcoming Conferences

EuroCACS in Budapest, Mar 2010 - Wendy will be speaking on selling Information Security to the Marketing Department, in "Fridges to the Eskimos", and Matthew will be talking about the need for careful planning when disposing of information storage devices in "Destroy for Victory".

SecureCloud in Barcelona, Mar 2010 - Wendy will be discussing "In the cloud, out of mind" - looking at the challenge of caring about virtual data.

Recent Events

Matthew and Wendy both spoke at the 3rd Athens International Forum on Security - speaking on "Corporate and Personal Privacy – Your Employees and their Facebook Accounts" and "Fearing Empowerment", respectively.

Wendy's BrightTalk webinar on Data Loss Prevention can be found here and Matthew's slides for his presentation to Strathclyde University can be found here.


Matthew's Musings

8th September

How much do you trust your bank?

The ever-interesting "Light Blue Touchpaper" blog, from the University of Cambridge security team, has a post up about the Which? report into online banking security, which links back to an earlier post of theirs about vulnerabilities in the implementation of "CAP" (I thought this stood for 'Card Authentication Protocol' but the Cambridge paper has 'Chip Authentication Programme' - they are probably right, except for the last two letters).

There are lots of issues raised - which reminds me of one of the useful dictums of dealing with customer security - the sorts of people who comment on security blogs (more generally "security specialists" or "people attending security conferences") are rarely representative of the customer base a normal business needs to serve. Anyway, I am interested in one of the proposals:

The banks should be exploring technologies which allow server side verification that the client is indeed secure. To a limited extent trusted computing could be used to solve this problem. Although such technology is clearly too immature at this moment in time.

It is interesting to consider to what extent this is actually practical. "Trusted Computing" simply isn't - trusted that is. The links to business DRM and the media industries have ensured that. Although it is a truism that you are better able to secure a small application / applet than a general purpose computing device. The problem here is that you are not fighting errors, you are fighting a capable adversary who can respond to any new security measures. And is a legitimate customer in their own right so you cannot hide your security measures from them.

It is necessary to consider how the fraudsters might spoof or mimic 'correct' responses to security tests, as well as realising that you need to serve 'the customer' - which means a default of a two- or three-generations-old Microsoft operating system and browser, with limited or no security tools, while still being capable of functioning with the latest Linux kernel and Konqueror, or with the special browser software available for the blind or partially sighted. It must work through an application-level corporate firewall (with a hard-core malware filter) and a browser without scripting. There are also privacy and deployment restrictions - conducting a vulnerability scan of your customer's machine is simply not practical, even were it legal (your customer may consent, if it is their machine to consent for, but has their ISP?). It makes the whole business much more complicated than it seems on the surface.


12th August

Customer Relations and "sucks" Websites

I have often been asked for assistance in taking down fraudulent and offensive websites. Sometimes, the sites are "sucks" sites - a genre of customer complaint linked to the proper domain name with "sucks" or "really sucks" appended. I have always seen these as a customer relations problem rather than an information security issue - fix the customer's problem and then ask them to take down the site - and have been annoyed with customer-facing teams whose response was to reach for the law rather than admit that a mistake has been made.

It is nearly impossible to win against the publishing potential of the internet - there are too many domain extensions available for you to register all possible offensive domain names. More significantly, free speech laws, certainly in the USA (where much cheap or free web hosting still is), mean that unless you can allege passing off or a DMCA violation (publishing your IPR-protected material such as a logo), your legal right to have the content removed is dubious. (However, see here for non-compliant domain registrations.)

Thanks to a plug from Amazon for this book, I have found this interesting article, written from the marketing perspective (the people who were normally desperate to have the sites removed) about how poor service can destroy even a good product and the importance of reputation.

Some good legal information can be found here and a beautiful example of how not to do things here.


31st July

iPhone, or not to iPhone... that is the question!

With the news from Black Hat, the issues around iPhone security are once again to the forefront.

I'll be upfront - we both use iPhones for business and personal telephony, mobile email and web and (especially in my case) games. When the business decision was being taken, I was strongly in favour of the BlackBerry route - mostly because there is currently a method of configuring these to allow use for low-level UK Government protectively marked data. I was outvoted (it is amazing how a tied vote always goes agin the blokes when the opposition comes from the distaff side) because of the easier readability of the iPhone screen.

But the iPhone is not massively secure:

  • it is a new and very complicated OS with a rapid update cycle, therefore there are going to be exploitable errors;
  • industrial design, not security, is really Apple's space - despite the US Army's adoption of OS X for their main, and some other, web-sites;
  • the programmers seem to need a bit of secure coding training - and probably some expert cryptography advice;
  • the ability of users to download active content is going to defeat almost any security regime.

However, security is a balance between business functionality and risk - and, at the moment, the balance for us means that we keep the iPhones, although I will be looking out for ways to improve their protection.


Wendy's Thoughts

7th September 2009

If you use Facebook and other social networking sites you will be familiar with the adverts and downloads which are available.

These can easily draw in the unsuspecting user who might, amongst other things, be duped into downloading malware onto their machine.

I appreciate why Theo Paphitis (of Dragons' Den fame) bans access to such sites in his workplace.

http://www.dailymail.co.uk/debate/article-1210564/THEO-PAPHITIS-Why-ALL-bosses-I-did-ban-staff-Facebook.html

When I joined Facebook one of my friends greeted me with "Welcome to the best way to waste time on the internet" and he does have a point.

However, I think it is an opportunity missed if the subject of social networking is not discussed as part of a security awareness programme. After all, staff may access work data from those infected home machines and bring the problem back to work.


3rd August 2009

If the image your staff have of a person who conforms to security policy is that they are a 'towel-straightening geek', then they are not going to want to turn into one themselves.

Therefore they are more likely to resist guidelines for secure behaviour.

Managing that perception is one key to developing a culture of security.


Idrach Security Articles

Idrach Ltd will be developing the informative content on this website to include articles on identifying security risks, increasing security awareness, and other security-related matters.

Please check back to the website to find out what's new on the site.