Crazy Adventures in Cyber Security

My new role started in April so I’m well into my induction. The great thing about it is the scope of the role – I look after more systems & different types of systems which is great experience for me.

I’m also involved in diverse project work, from biometrics & GDPR to becoming an IT contact for our legal team. A great chance to learn new stuff & pursue my interest in data & cyber security.

My Open University studies have finished for this year – that completes my 2nd year in computing – into third year modules next – that will be user design & a system management module. This year has been focused on web technologies (HTML, CSS, Javascript, PHP etc) & project management.

So, what about this Salesforce thing.

Well, I don’t have shares in Salesforce or anything but it must be simply the best ‘industry type showy show’ thing I’ve ever been to. Firstly, it’s massive. This image isn’t mine & it’s just one of the halls.

Secondly, it’s almost like a cult….maybe a better way to describe it would be religion. There are thousands of people, literally queuing to get in. Everyone tied into this platform. Their jobs. Their careers…their futures via an online training tool. It’s amazing. But it’s not all hot air. It really is a cool system & one that has more features added every year. Can anyone stop Salesforce taking over the CRM world? Maybe MS Dynamics? I@m not sure.

A great way to celebrate my new job.  I don’t go to many shows but there’s a info security one next year that I’m not going to miss. I went last year as an excited civvie. This year hopefully, I’ll feel more part of the team!

Back in January, I did some career planning. Many things were changing at work & I wanted to get my plans tidied up.

Well, I went for a security role & that didn’t work out. I got some great feedback & ended up being offered another role in our IS&T team – a role that gives me the chance to learn in all the key areas I need to.

I’ll be the systems administrator for a number of key systems across our business & have special responsibility for some of our central teams such as Legal & Communications. I’ll be working on data projects, Saleforce projects & other stuff that I really enjoy.

So, a really positive move for me.

Much of this change is driven by a new CIO who seems to have re-invigorated the team & business.  He’s certainly given me a new opportunity.

Long-term, my ambition is still in cyber-security & I’m reviewing my long-term plans to ensure I take this into account. And this role moves me into IS&T & gives me the chance to gain skills in all the right places!

Just a short blog for this month to share this news. One final point. Get yourself a good mentor. Mine won’t read this but I’ve had a mentor within IS&T helping me every step of the way. She’s been a guide in all kinds of areas & has been central to me getting this position. I can’t say how important it is to get an insightful mentor.

What is bio-metric data?

If I had a quid for every time someone in the business proposes using bio-metric data as a solution to a verification challenge, I’d have about £17. Tech like facial recognition & retinal scans seem to have been around for ages but We’ve mostly seen them in sci-fi & spy films where, let’s be honest, it seems to do the job.

If you do your research, you’ll find that things are a bit ‘smokier’ than the movies suggest. In my studies, the metric that really seem to come out on top was the Iris scan (just in case you were wondering!)

I sat in on recent webinar where the marketing presenters talked about examples of smart loos using the data from analysed waste to make suggestions related to health & diet. If you know anything about security and data, you’d have more alarms going off then Pudding Lane on the night of the Great Fire (well, you get the point).

Anyway, back to basics – what is bio-metric data?

Bio-metric data is ‘personal data’ (important) relating to the physical, physiological or behavioral characteristics of a person that allows or confirms the unique identification of that person. Good examples include fingerprints, facial recognition but also gait or the way an individual walks.

With bio-metric data, you don’t need name, date of birth or any other piece of meta-data – the body or habits tell us everything we need to know…

Is it covered by data protection legislation?

No previous enforced data protection law addresses bio-metric data but GDPR changes all that & its definition of personal data is specific & addresses bio-metrics.

The GDPR kinda emphasizes the need for ‘caution’ around bio-metrics – the same canons apply in areas such as explicit consent, processing only as necessary, protecting the data etc. But, I think the cool catz at GDPR central command are concerned about the potential damage & the uniquely personal nature of bio-metric information – in fact data can’t get much more personal.

Many folks, particularly marketers see the GDPR as an irritation – is that fair? I think so. But if history has taught us anything, one of its lessons is to prove once & for all the law of unintended consequences.

Back in the 1930s the Dutch government made intelligent use of its census, collecting all kinds of information about citizens. By 1941, the Nazis used this information to round up any remaining Dutch Jews. My point is that information can be misused for purposes way beyond what was intended. You don’t need to be paranoid like me to imagine what uncontrolled bio-metric data could be used for.

Why would someone want to nick it?

Unless it belonged to Elvis, most would-be thieves won’t be interested in your bio-metric data just for the sake of it.

What they are really interested in is bio-metric verification.

That’s where the magic is for the super-villains. The chance to fool any verification process that uses bio-metrics – be that facial recognition to enter your secret lair or retinal scans to fool your homemade supercomputer….

What? You don’t have a lair or supercomputer?

What about planting evidence at a crime scene? Is this a real risk for most people?

I make no apology for the ‘more questions than answers’ in this post. Things are still up in the air kids. Rather than someone using carefully created plastic copies of your fingerprints, I think it’s far more likely that someone would nick the string of numbers it’s converted into once you scan into any digital system. Who needs to mess around with fake fingers when the numbers will do?

In all honesty, all we need to know is that someone could do something nasty with it AND it’s covered under GDPR data legislation.

So, if you’ve got a stack of fingerprint data sitting somewhere on a server, a left over from some event years ago then you should really take another look at this data.

Back in 2014 I spent 7 days on a desert survival adventure. I’ve collected the various clips from different YouTube accounts so they’re all together.

So,  why did I head out into the Sinai alone?

Well, firstly, I wasn’t completely alone. I had Bedouin guides although I did spend many days alone. The guides are a legal requirement in Egypt & helped me find the right locations.

They also teach you about the desert & help you notice things you’d miss. I did a few days trekking with a guide as well as surviving alone on a nearby mountain top.

I know this probably sounds like hell for most but I’m some will understand. Being alone in the wilderness, lighting fires, making camps, a hostile environment, a stunning landscape – what’s not to love. I should also mention that the Bedouin are amazing people – that’s partly why I couldn’t do the adventure completely solo. In desert lore, if you see someone alone, you check on them to see if everything is OK – so I have a lot of visitors!

Anyway, I remember keeping a written blog as I have on previous adventures but I’m not sure folks read these anymore so here are the video blogs, unedited, raw, sometimes difficult to hear but I great reminder for me of a wonderful adventure in a location now pretty much closed to outsiders.

OK – some video entries from back in 2014!

Day One Desert Survival Blog

Day Two Desert Survival Blog

And so on – if you’re interested, you’ll be able to follow the 7 day adventure. At the end of it, after some rough nights, dodgy water & considerable weight-loss, I emerged & met my wife for week’s holiday…..much needed!

I’ve blogged before about how difficult it is to ‘break into’ a security job. Well, a great opportunity came up at my company & so I went for it.

It was a great opportunity & I learnt a stack. Although I didn’t get the role I went for, the good news is that there is some movement just up ahead for me so I thought it was time I re-looked at my career plan.

First days back at work after Christmas is always a killer. Thoughts such as why am I here, what do I actually do & who moved my cheese fill the mind.

But, I was actually glad to get back to work. 2019 should be a big year for me. I still don’t have quite enough time to learn the banjo but I will complete the 2^nd year of computing degree & hopefully move into a different role within our IS&T team.

I put my first real career plan together in around 2013 – up to then I’d been drifting in the wind, safe in the knowledge that ‘working hard’ would get you to where you need to be. Also, I was blissfully unaware of any link around creating your own future. I know that sounds like I’m being a smart-ass but I really didn’t think about it.

This is not a career blog & there are loads of sources of information out there but my basic cycle started when an excellent line manager of mine presented me with a career development tool. He must have seen my face – I was like ‘oh lawd…not another review type career type tick box to take up my time’ – as he quickly added – ‘look it’s your career plan, if you don’t want to do anything with this document don’t.’

It was a realization moment for me. Nothing I hadn’t heard before but it made me think. To cut a long story short, it didn’t answer everything in life or provide a guarantee of success but it did make me wake up & take some responsibility.

The career plan I work with is nothing radical. How you do it is less important that doing it. I work better with graphics & pictures so mine has plenty of pictures.

Firstly you need to determine what you want…from work….I know there’s a link in there to what you want from life but I keep mine to work….don’t laugh but I created a career vision for myself. An over-arching statement about what I want to achieve….

Career Vision: To make a positive difference to my company and society through information technology.

I’m not channeling Michael Jackson or anything but you do have to think big. It’s a vision.

I then break this down into my medium-term objectives – this statement goes along the following lines:

Career Objectives: To become a qualified & experienced technology professional by June 2019, with specialisms in web projects , data technologies, cyber-security & technology-driven business change. To complete courses T227/TT284 by the end of May 2019. To develop the profile, experience, knowledge & qualifications to achieve BCS chartered status by the end of 2021.

Now it’s taken me a while to get here. Behind this I have lists of things I enjoy, potential career opportunities, things I’m good at, training courses I’d like to do etc.

Importantly, I’ve found that you can dream big. Great. But your plan will end up as a composite of your vision, ambition, the opportunities available & of course your own skills. Now you can impact on all of these but somethings are outside your control. In my humble opinion, if you’re crap at numbers then a career in data analytics may not be the right move. If you find ISO & data compliance boring then maybe data security isn’t for you.

Anyhow, I don’t have a magic formula but that’s my approach to 2019. I hope you all had a good break & look forward to more cyber-security adventures in the year ahead!

For sure, cyber-security is a vast field these days with more terminology than you can shake a stick it. Witty banter aside – I wanted to put together a post summarising some key learnings I’ve picked up so far.

Stuff I think we should all know about….

Before we get started – here are a few books I’ve found invaluable to my own learning journey. It’s a mixed combo as I’ve found you can’t just learn the technical stuff, you need to understand process stuff too. Equally, you can’t be the world’s expert on firewall configuration if you ignore the various principle frameworks that have been create to help us out.

No pressure to buy these or anything – just some books to ask Santa for….

The bullet points below are in no particular order but overall they should provide some decent tent-poles on which to hang your knowledge of information security.

What is Information Security?

Basics right – the principle that information is not made available or disclosed to unauthorised individuals, entities or processes. It also includes integrity – the property of safeguarding the accuracy and completeness of information. And, availability – that it is accessible & usable on demand from an authorised user.

Threats, Vulnerabilities, Risks & Impacts?

Not a new superhero show. A threat is simply something that could happen & cause some unwanted consequence. Vulnerability is a weakness that could be exploited to cause some unwanted consequence. I spend a lot of time thinking about & searching for vulnerabilities. Risk is that a given threat will exploit a vulnerability – it’s a combo of threat & vulnerability.

Impact gets a section on its own – it’s all about impact baby. Where do you focus your time with limited resources – where the impact is most significant – think damage to data, people, legal requirements, business continuity…

IS027001

ISO27001 specifies the requirement standards for an information security management system – it’s a framework of policies & procedures. Your organisation can be certified against the standard. Its approach is top-down, risk-based & technology neutral. It won’t tell you how to configure your firewall.

It outlines a range of different controls that need to be in place & documented including physical controls (locked doors/secure cabinets), procedural controls (checks on references) & product or technical controls (passwords/encryption).

So, also think codes of conduct, information security policies, developing a security culture, segregation of duties, user control mechanisms & any awareness training.  The standard has a little sister called ISO27002 that contains best practice recommendations of information security controls & some further definitions.

ISO22301

Another certified standard but this time one that focuses on business continuity management. It specifies the requirements for a management system to protect against, reduce the chances of and ensure that business can recover from disruptive incidents.

Think ‘what happens if’ scenarios.

Ransom ware has kept this standard busy in the last year or so.

PCI-DSS

The Payment Card Industry Data Security Standards are like that the geeky brother to the above standards. In my opinion, they’re more widely known, very detailed and well-established in the card payments industry but not particularly outside.

Also PCI-DSS doesn’t have a girlfriend or anything…

It’s a series of principles around the storage, processing & storage of card details. Think secure network requirements, secure access controls & Cylon-like encryption.

 GPDR

If you haven’t heard of this mammoth chunk of data protection legislation then you must have been either living on the moon or at least under the sea.

The General Data Protection Regulation is now in force & is part of the data landscape in the UK alongside the new Data Protection Act 2018.

Complex? You bet but in simplistic terms it’s a series of principles designed to protect personal data & covers usage of data, breach notifications etc. The area I’ve had most experience with is ‘mailing preferences’ & opting in. If you have anything to do with prospect & customer data then the GDPR will have dominated your life this year.

Right – that’s what I’ve learnt so far….

This week I was mostly visiting this conference at the Institute of Engineering and Technology in London.

Going to cyber-security conferences can be problematic for those interested in the field.

1. How can you get past the end point security booths – I’m not responsible for it so I don’t really know what to say to them…
2. How many suppliers tell you that they are now using machine-learning & AI to boost their cyber-security software….you can stack up 10 of these before you reach the first loo…
3. What a mix you get at these conferences, some folks talk the jargon, some wear a smart suit…you just know who really knows their stuff…
4. Blimey there are 20 new companies every time I go. If you are starting a company in cyber-security you have to call it some like Cy-thing or Seco-Bot. Names, it seems are important.

Well, Info Sec World was not like that. It’s a first-class event, with a full programme of lectures & talks plus a very limited selection of approved vendors – did I sound like an advert there? I didn’t mean to – it really is a good conference…I great one day event to stock up on the latest trends. We had a futurist looking at the next 10-20 years, we the VP from Symantec with some great insights then I broke into one of the tracks to focus on the challenge of cyber-cost & complexity in the digital world….

I came back with a back of goodies & pages of notes. Goodies below – were of high quality & will give you enough reading for months….

That’s why these events are worth going to. I chatted to a few folks around the conference – here’s what one well-known author on cyber-security told me off the record:

“Insider threats account for over 80% of breaches….”

I know it’s not revelation of the year but for me it was one hell of reminder that you don’t just need to learn about firewalls.

In fact, several of the talks highlighted some fundamental truths I’d kinda lost sight of. Here are a few well-known pearls:

• Patching is important – the boring stuff makes a difference
• Segmentation is something you need to act on – validating who has access to what
• Data management – talked about often, done not so much
• Identity Management – hell yeah, login credentials, compromised administrators & crappy passwords

I hope this doesn’t all sound very flippant – I know its basic stuff but it was a great remember. One of the speakers told us that in his experience over 90% of breaches were avoidable by making effective use of standard controls & processes. That’s the basics – no need for AI here.

Finally, the VP from Symantec talked to us about the Law of Unintended Consequences.

He didn’t use the following example but it’s a good one. Something in hard facilities management think it’s a good idea to hook up the heating system to the Internet.

Smart stuff.

We’ll be able to control the heating via a mobile….you know where this is going.

I think the point he was trying to make was to think through the headlong rush towards Smart-pants & Smart-socks…

All in all, a really valuable conference. I know I haven’t done it justice here but well worth a look next year….

As the new university term approaches, I’m having a mini-crisis around my career plans in cyber security.

Firstly, the negatives.

Although my upcoming university courses are around web architecture & so highly relevant, neither of them has cyber security in the title & I look enviously at other more focused courses. I sometimes wish my studies could be more focused. I’ve mentioned this before on the blog but I think the Open University syllabus is looking dated.

I’ve switched my Java course to an IT projects & change course as it’s more relevant to my current job role & I don’t think I could have handled two technical courses in one academic year. I will still be picking up Java but at a future date. A kinda negative.

I don’t know how important this next one is but I don’t yet have ‘cyber security’ or anything related in my job title or remit. And, I’m struggling to see how this transition is going to work. An agent messaged me about another role recently but it was very similar to what I’m currently doing.

In my experience, without a long-term road-map, it’s easy to lose focus, faith & motivation in a direction of travel. Exactly how am I going to get into the ‘arena’ I want to be in…how is this miracle going to occur!

That’s the negative points. Here’s the positive side.

I enjoy where I currently work. And, my work is touching aspects of cyber security in so many areas. My most recent positive contribution was calling out the outdated hashing algorithm SHA-1 is a system I’m working on.

It was set up as a configuration but I knew it was compromised so have highlighted & proposed a change. I am trying to use my growing expertise to help in my current role.

I’m planning to complete my BCS Foundation Certificate in Information Security Management Principles to provide a foundation for my further studies & blogging. I’m paying for this one myself so it’s a big investment but I’m hoping it will be a solid stepping stone. I’ve looked long & hard at the various qualifications out there – it’s a confusing market place but I trust the BCS & believe this is the right one to start with.

Finally, my role is involving more e-commerce work which is bringing me into a sphere where data theft & hacks are far more….what’s the word….prevalent? Well, you know what I mean, stealing data is one thing, stealing payment or credit card details, is the golden goose.

So, that’s where I am. Hopefully, I can add some more technical cyber security blog updates as I go along this year. I’ve read some excellent ones out there & I’ll start including some links as I get to know them.

Maybe the work world is also changing a bit. I kinda suspect that moving forward cyber security in various forms is going to be a component of every business role?

Right, just to be clear, I’m not inferring that anyone is an idiot – it just seemed like a catchy title. I really mean folks without the honed technical skills to exploit some of the more hidden vulnerabilities in applications & websites…

Also, you have to realize that I’m not formally trained in any security yet. I’m kinda making it up as I go along & based on my experience.

Still – a useful survey for me as I embark on this learning journey. Read on but don’t get mad. (Also, I should emphasis that I am talking about looking for vulnerabilities to help fix stuff – not really exploit it – use your awesome powers for good, never for evil.)

What is a “vulnerability”?

Not reaching for any ITIL or security manual, for me it’s anyway to exploit a system in some way, shape or form. Think making it do something it wasn’t designed for. Think tricking it into recording a transaction that was never made. Think exploiting some poor coding or poorly configured credentials request.

So far, with my limited technical skills, I’ve helped to find some basic vulnerabilities in projects I’ve worked on including classic SQL injection attacks & API vulnerabilities. But vulnerabilities don’t always live in the technical shadows. Here are a few collected observations I’ve collected so far:

Thinking Differently – one of the things I’ve realized is that good hackers have the ability to look at systems from a different perspective. They look at the whole process (see the next point) – particularly where people get involved or physical entry points crop up. You don’t need to be a coding genius to download some malicious software. You don’t need to be 007 to follow someone through a security barrier & insert your code into the nearest slot. Internal security people tend to look at things one way. Network people are the worst. Not every vulnerability can be stopped by the firewall. It’s pointless locking the windows & doors when the villain is already inside.

Mapping the Process – related to the above, I like to map the process, even if it’s at a basic level. Like the trans-Atlantic convoys during World War Two, any process is only as strong as its weakest link. It’s pointless spending zillions on endpoint security if your IT department has not correctly configured the single-sign on software. I find visually exploring the process a useful tool – I’ve included an example – not the best one granted but I’m just at the start of the process.

There are not state secrets above. It’s a basic payment flow – pretty typical really. But when you start breaking it down, you notice real time & non-real time processes etc etc. You get the point. I actually did my own version of this, with more detail but I didn’t want to post that!

Follow the Money, Follow the People – something an experienced hacker told me was to start by following the money – the transactions – makes sense. But also, to follow the people. The people are often the most unpredictable element in any process. They forget stuff. They take short cuts. In my experience, the core financial processes are well-protected with encryption that would give Sheldon Cooper a run for his money (in real terms, they are basically unbreakable….until they get broken). But people, yeah we all love them. My pearl of wisdom here is that a key source of vulnerabilities here is that users tend to do the same thing every time. They like it like that. If they find a short cut or password ‘recipe’, they use it.

Fooling AI – oo-er….I’ve mentioned before that I’ve looked at brilliant companies like Darktrace & what they are doing with network traffic analysis etc. The math behind their machine-learning is smart. But, so far at least, it seems that every AI can at least be misled if not totally fooled. In my limited experience here, it’s in the parameters of the AI search – wherever the AI looks, you need to look just outside of it. As Forrest Gump used to say, that’s about all I have to say about that.

—-

Well, that was it. I warned you at the start. I plan to develop my knowledge in this area with my studies this year but hopefully that provides something of a primer.

I would like to leave you with a few pointers – if you like solving puzzles, if you are sort of person who likes a challenge & loves finding ways to ‘break’ things, then you should learn more about vulnerabilities & threats.

I think of technical training as a kind of multiplier. Get the basics & attitude right, add the technical skills & you become one dangerous monkey.

Recently I’ve been thinking through my next modules, changes at work & my career development. I’ve posted before about the challenges of getting into cyber security. It’s not an easy path for a career changer.

But what about living in shadow IT?

That’s kinda where I am at the moment. My role, like many, incorporates large swathes of technology from reviewing XML files to technology planning, from managing system upgrades to assessing user experience. And, although I work closely with an excellent IS&T team, I’m on the outside. I sit within the business.

I am a shadow IT person.

Here’s a definition of Shadow IT. There are loads out there on the web but you get the idea:

Shadow IT refers to information technology projects that are managed outside of, and without the knowledge of, the IT department.

The downside to being in Shadow IT is that you never quite feel you’re in the right place.

Development & training can be a struggle as few really understand why you’re trying to get on a particular course.

You don’t get that warm fuzzy feeling of being part of a professional job family.

You rarely have the right tools or access-level to really do what you want.

For the IT team or ‘regulars’, Shadow IT can be a nightmare. Deploying cloud-based systems no one has ever heard off. Creating vulnerabilities at the click of every button. Working round agreed processes because they’re too slow.

My experience has so far revealed a few different species of Shadow IT. Here are the two I know so far:

• The Shadow IT Natives – a bit like me really. They do have some technical skills. Should they be in IT, who knows? Most of the time they are business people who have transitioned in. We tend to be a pretty pragmatic bunch but that doesn’t stop us causing trouble. We can be a troublesome for IT folks – a little knowledge is very dangerous – isn’t that what they say.
• The Digital Peeps – ever heard anyone say they work ‘in digital’? These tend to be marketing folks who go ecstatic when anyone mentions AI or block-chain. Or, they know about a bit about a CMS & are now ready to implement major machine-learning projects. Heavy on buzzwords – this group sees block-chain as a solution for everything from managing Brexit to solving the work food crisis.

I’m sure there are more. And, I don’t mean to sound critical of them – after all, I’ve already said I’m part of the zoo as well.

So, is there an upside to it?

Well, technology is everywhere nowadays as my Mum likes to say. Maybe it’s time it came out of the closet. I’ve read a lot of the growing demands for ‘hybrid’ managers – comfortable in both technology & business. With the right mix of digital & people skills. I’ve not personally seen this demand yet but folks like Gartner say it’s there.

Having a foot in both camps can be fun and challenging. My previous line manager was a superb example. She spent years in business & finance before moving into large scale deployment projects & was very effective in her roles. She’s pragmatic, realistic & has the rare talent of being able to bring her years of experience to the table without over-ruling new folks with new ideas. She is also adept at knowing when to lean on the regular IT team.

I don’t know how she does it. If I learn the secret I’ll share it. In the meantime, I’m going to continue learning how to survive in Shadow IT & spot of few more of those different species…

Recently, my ambition to work in the field of cyber security has been under a bit of pressure. I’ve been struggling as just how to connect the dots and make it really happen.

Changes at work have developed my role but I’m no closer to any formal cyber security brief. Sometimes it feels like a fortress I just can’t break into.

So, I thought this skills list might be useful.

Firstly, I want to introduce you to the unsavoury reality that I’ve come across when trying to answer the question – how do I get into cyber security?

The Established Path – join an established network team as a small child and get through all your Cisco qualifications around networking. Bugger around with corporate firewalls. Have an in-depth and practical knowledge of the OSI model, packet-switching and ports.

If you know the guy below from the TV series The Office – you ‘ll know what I mean.

Job done.

You are now the kinda candidate everyone seems to be looking for. (Women, career-changers and anyone who didn’t follow the networking route need not apply).

Apologies if that all sounds very gloomy but that’s just sometimes how it feels – as I said when I started this blog – they don’t make it easier.

And, talk of new digital apprenticeships won’t mean much to the many career-changers I’ve spoken to. Being super-cynical, I’d say they’re just enough to enable the industry to say ‘we’re doing something’ but not enough to threaten the premier status of many in the industry establishment.

Enough of this gloom – following my career research – here are 5 key skills I’ve come across. If you are looking to get into cyber security, if you don’t where or how, then focusing on these will give you a good start…well, that’s the plan at least. These are presented in no order

• Application Security – I remember reading somewhere, might have been on CBeebies, that 90% of vulnerabilities are within applications themselves. With that in mind, I suggest a grasp of a least one programming language a good starting point. You need to understand the critical structures in object orientated programming. Add to this the software development cycle and testing. Me, I’m learning Java on my course next year.

• Web Stuff – Scripting languages – we all love them – HTML, CSS and Javascript. Building blocks of the world wide web. Plus, how web services are deployed and provisioned. For me, getting to grips with these areas in 2018-2019 is going to be a key challenge. Like it or not, the web is at the centre of many security challenges.

• Stay Awake in Your Network Classes – you don’t need to be able to work out a subnet mask or an IP address in binary but the bit around the OSI model and that dusty MS networking book you were given are far more powerful and important that you might have realised. They underpin pretty much everything in modern computing. I’ve studied this stuff – I will be revisiting it. Virtual ports and all that jazz – a critical area in my opinion. Remember, you don’t need to be able to program in machine code but you do need to have a good understanding of what goes where in networking.

• Talking Cyber Security in Business – now, I’m not expert but I kinda the feeling that the rule of the network teams is coming to end. The industry is going to need a broad sweep of tech-savvy business folks. Training and education are going to be challenges – us career changers can help there. We know that jungle.

• Cyber Security in Your Pants – well, not literally, I’m just making the point that it is becoming part of so many jobs from access management through to vulnerabilities to new websites. Be curious in your current role. Find areas where you can put your cyber-sec hat on and start investigating. I’ve found vulnerabilities in websites, applications – all sorts of places. It might not be in your job title but make that effort to support yourself and your company by being an extra pair of eyes. Read widely so you know what to look for you. I’ve also found that you don’t need to understand all of the technical details to be able to expose vulnerability. Just think a bit differently, dig in a different area – look to prove that something could be done. For example, if you’re looking at injecting hostile code – it could just be pseudo-code – doesn’t have to be real, just proving that you can get it onto another machine will prove your point.

OK so that’s my take. I’m going to continue working on my dream now. I’m officially half-way through my computing degree, I’m building the kind of experience I need to, I just need a bit a luck to get to where I want to be…..

Cheers

Sean

I’m an experienced book reviewer but to date pretty much everything I’ve done has been related to zombies & horror(!). Well, time for a change. As I build up my own security library, I’m going to review the best books I find. Now we’re all different so maybe they won’t float your boat but I’ve found them useful on my path….

So, here we go….something in here for most people I think:

With the full title of: Internet Security Made Easy: Take Control of Your Online World, author Richard Williams dons a superman cape to try to gather together everything ‘most users’ need to know about being safe online & all that jazz….an impossible task you say?

Now, I must confess, no matter how bold the claim, I love this kind of book. I grabbed a copy of the paperback in a discount book shop – costs around £4 on amazon (links below). It’s a pretty glossy volume, good quality & well-laid out.

First things first – it says ‘straightforward’ on the cover & the book stays true to that mantra. So, even if you are a budding ‘security’ fanatic like me, there is plenty in there for everyone – be it a recap or some new stuff for you.

I knew much of the content on the history of the Internet, the web & virus types but it was great to get this refresher to make sure everything was straight in my own mind. Equally, I think this would be an ideal primer for anyone who wants to get to grips with ‘security’.

Considering it was published in 2015, it’s all dated pretty well – perhaps with the exception of the anti-virus software providers section – which to be honest, isn’t a million miles out. The mobile content probably needs a bit of an update but again, it’s pretty close to the mark.

The author is not a technical expert & I think this helps his quest. He basically takes everything floating out there & gets it into a format we can all understand. I liked his style & the pages were laid out specifically to make things easy to get a handle on.

Contents include an introduction to the Internet & web, some general bumpf on online security, a section on anti-virus software, browsers & some more advanced trouble shooting content.

My only slight criticism of the book is when it addresses dealing with some of the more troublesome malware that can both hide in your system & dodge many virus-checkers. This is the kind of threat that sometimes involves delving in the registry of your operating system & the book includes some detail on what to delete once you’re in this Aladdin’s Cave. To be fair, the author does warn you to back up your system & it is perhaps advice intended folks on the more advanced side of the user spectrum but still, I felt I should point it out. Messing around in your registry can cause you some serious headaches, that’s all I’d say. It’s one of those areas where a little knowledge is very dangerous. Just a small point really.

I’ve had this book around 6 months now. I’ve not read it from cover to cover but I’ve read chunks of it on an on-going basis & found it to be a really useful volume. By now, I reckon I’ve pawed over every page at least once!

It really sets out what it plans to do. There’s something in there for everyone & it’s a good recap of what we should all know about staying safe & secure online. Thoroughly recommended & well-worth the price.

Linky to the Booky on Amazony

Back in the summer of 2015, I started to study for my BSc in computing. The Open University was my choice – the decision seemed pretty obvious at the time – I was planning to study remotely, I was doing it part-time & working at the same time…

I’m nowalmost half-way through – that’s right – it takes around 6 years if you’re doing it part-time – it’s no quick fix.

My motivation is clear – I wanted to work in & have a much better grasp of technology.

Simples as the meerkats would say.

I started with some basic introductory modules & mathematics in my first year, I’m now on to specialise in digital technologies & the web. Next year brings me face to face with more web, Java & my final modules are around cloud computing & all that jazz.

Anyway, here are my 5 top tips, moans, whinges & useful pointers about studying computing with the OU in no priority order:

Number 1# Me + Degree = Success

You do not need to do mathematics to realise that the above it not necessarily true. See your degree as a foundation. If you are working, you need to get as much as experience in related projects as you can. Getting experience & developing a portfolio is essential. You’re in it for the long-haul so develop as you go along – link in your studies where you can. Above all, remember that a degree doesn’t guarantee anything – it’s not a Willy Wonka Golden ticket….

Number 2# Modules Madness

I’m 50/50 on the OU’s module mix. In several cases, the material is out of date or at least dated. The fundamentals are fine but after all you are paying for this – or at least someone is. There are some solid enough courses but it does all feel a bit old-fashioned. I suspect the OU are slow at updating content & a number of those I’ve done are ‘being replaced’. My advice – choose carefully. There are a number of streams including a general one but I suspect other providers offer more ‘modern’ selections’. For example, there is no cyber security module – when I asked, they answered that it was ‘part of every module’. Fair enough a few years ago but times have changed & how can I go through my entire degree & not do a module called ‘Cyber Security for Idiots’ – seriously, I would do that course….

Number 3# Skimming Students

The students – you get a mix. You get some trying to do 90 units (in other words a full-time course) whilst working & with kids. These folks tend to be pre-occupied with getting through it – they just want to get the qualification & to pass. Fair enough. My advice is don’t follow this path. Take your time & make best use of the materials. Many of the obvious things like the TCP/IP model will come back time & time again in your career & studies. Don’t be a skimmer! Be more Zen about the whole experience…

Number 4# Cliché about Marathons

Six years right? When people ask me how long it will take, I just don’t say anything. Many won’t understand this kinda planning. See it as a journey & build your experience along the road. Manage your workload carefully & my advice is don’t take on too much, stay ahead of the study schedule & try not to listen too much to moaning fellow students on Facebook. I haven’t got the figures but I suspect many drop out – they like the idea of the degree but it’s a long road (more cliches at no extra charge).

Number 5# Studying Alone

OK – they say there’s nothing remote about the OU – for example, there are some day schools & tutorials but on the whole, it is about studying alone. I don’t think many students get a social life out of the OU – might be obvious but I thought I’d mention it. You get books, websites, DVD’s & there is ‘support’ out there from various student support type people but for the most part, you’re on your own. Does that sound a bit gloomy? Maybe but I reckon at least 90% of your effort will be a solo affair. If you don’t like that then check out some other options – there are plenty out there….

Here’s an interesting graph from a really interesting blog. There could be loads of reasons why the trend is there such as funding but I also suspect the OU has fallen behind other providers because of it’s dated content & module mix:

Source: Coolio Intelligent Guy’s Blog

—

That’s quite enough of that. I hope this has given a flavour of studying at the OU. It’s not an easy path. There are some alternatives that maybe if I had my time again, I’d look at.

I do think the OU is changing but not fast enough & I suspect there will be far more slicker new options out there for remote & part-timers like us in the next few years.

I did mention when I started this blog that I’d be learning on the job. Well, here are a few bits I’ve recently learnt. Things that I think every computer should now. Things most of us have heard of but few really know what they are.

What is a Cookie?

Not the chocolate variety – I mean the cryptic collection of information that is placed on your hard drive without you really knowing. What’s worse is that they are not actually that easy to find. Below is cookie picture:

(I know – the power of graphics makes the blog come alive. Shit, it’s just a crappy text file with a load of code & perhaps a sneaky clue as to what the hell it is…)

How about that? Back in 2014 I had a thing for Fort Boyard. I watched loads of episodes; I also used to watch it in France. So, I checked it out online. Brilliant show but I had no idea the website had stored information on my hard drive. Here’s a picture of the real castle – good isn’t it.

Luckily, we now all get that lovely warning which pops up warning you that the website use cookies. Also, of course, they can be useful for making browsing your favourite sites quicker.

So, where’s the problem? Well, some people think they’re intrusive. For me, it was just the surprise of not knowing they were there. It was simply learning that others had stored information on my computer without my knowledge (or least without my educated knowledge).

What’s in the Cookie Jar?

A quick search on your Windows 10 PC will not yield instant results when searching for your cookie jar. You can google how to find them – here’s how I did it:

• Type ‘run in the ‘Type here to search box’
• Into the pop up run box type ‘shell:cookies’
• Hey presto, the cookies will appear in Windows Explorer – to be reviewing

Sure, there are easier ways to delete or clear your cookie history but it’s interesting to have a look through these mysterious text files. Your octane-fuelled browser will have some cunning options to help you manage cookies including blocking them completely.

What is a Firewall?

OK we pretty much all know that one right? For most of us, it’s software that examines communication traffic, blocking or permitting according to a set of user-defined rules. In most cases, our crafty anti-virus software helps us decide on these rules.

But what’s it actually protecting us from? Well, just have a look at this:

Hang on wrong picture. That’s my good pal Adam Pulman shooting himself rather than being converted into a zombie. That’s the kind of guy he is. Anyway, back to the picture I wanted to post:

That’s ‘much more better’ as my young daughter likes to say.

Most anti-virus software comes packaged up with a neat firewall – something better than the basic supplied with your operating system. Just have a look at the blocked intrusions from my firewall history. There are pages & pages of content. Tracing the IP addresses, I can see these are from all over the world. It kinda feels like everyone wants to get on my PC. In reality, it’s pretty typical. It’s why you need a firewall.

Now, not all blocked attempts are sneaky villains. Some were blocked accidentally but it does prove a point I hope.

There you go. Two simple things – cookies & firewalls. No great point to make. No test for readers. Just a note to myself not to forget these tiny but super-powered features in computing.

Here’s another needless picture – it’s me & a girl I met when I was down in the bunker……

Right, this is about the time in most blogs when you realise that you have only a few readers & you begin to wonder whether the whole thing is a pointless exercise…

(Incidentally, that piccie is me during my time in the bunker, see previous blogs but I thought the piccie summed it all up pretty well!)

Well, I’m using this point to checkpoint where I’m up to in my career plans, with particularly reference to technology & cyber security. Here are a couple of things I’ve learnt so far:

They don’t make it easy. You will read loads of articles reporting on massive gaps in the sector & from experts saying that it needs x thousand people by 2020. But, transitioning is very difficult. Routes are not clear. It typically comes down to that old adage; if you’re not already doing to the role then it’s hard to break into the area…

Cyber security does not just mean network security & firewalls. There’s a lot more to it but it sometimes feels like not everyone got the memo. I have a feeling the software development cycle & human factor will become increasing important. What route should I take? Should I just have swallowed the pill & done the CISCO networking qualifications?

You can find cyber security in your current role (probably). Unless you’re a goat-herder in Sinai, there are aspects of IT security in most roles. As I’ve done a lot of software testing I’ve had great fun with the following:

1. Finding a web form which leaves the organisation open to an SQL injection attack (success)
2. Discovering that a display screen for orders could be viewed by any user over the web with no credentials (great success)
3. Checking whether IP addresses can be faked as discovered that communications from a server to our mail server did not have any credentials other than the IP address. Turns out it’s very hard (impossible for me) to fake an IP address to get through the firewall (kinda success)

I think I’ve got the mustard for penetration testing. I’m irritating & I think that helps. I just need to develop my technical skills on par with my ‘gitness’ skills.

So, where does that leave me?

Well, I’m half-way through my computing degree with the OU. I’m not happy with my current module as it reads like it was written in 2006. The book on nuclear war wasn’t on the reading list.

Next year I move onto Java & web technologies. Believe it or not, there is no cyber security track. I did ask & was told ‘it’s part of every module’. Kinda true but also not that helpful.

Hence my remarks about flaky. I’ve learnt stacks so far but there’s still so far to go…that should be a song…My mind is awash with courses, certifications, entry level jobs, challenges & virtual ports….

I’m going to be revisiting my career plans in the next few weeks but am facing a few changes at work. I’m not really sure where this is going to end up so stay tuned. Let’s just hope I don’t go totally crazy with all this adventure…

As buzzwords go they don’t come much buzzier than blockchain. It’s used in every other article about digital business or cyber-security.

But, my own straw poll tells me that most people don’t know what the blazes it’s all about.  My ad-hoc survey work also tells me that people like The Muppets but are surprisingly ill-informed about the character Fozzie Bear. So, I thought I’d combine the two.

Blockchain is complicated enough to need explaining more than once. So, even if you’ve read an article or seen a presentation on it, the central concepts can still be vague and nebulous. You know it’s something to do with Bitcoins. Something to do with managing currencies or payments online….that’s about where most of us check out.

Fozzie Bear from the Muppets never gives up. He keeps coming back no matter how bad the joke so using that tenuous link I’ve created facts about both blockchain and Fozzie Bear.

(Please note in the real world, Fozzie Bear had no involvement with the creation or development of blockchain technology. If you’re interested check out Satoshi Nakamoto – he’s certainly no muppet.)

Random Facts About Blockchain and Fozzie Bear

• A blockchain is a digital & decentralised or distributed database. Importantly, data is added in blocks and that each block is linked to the previous one. As well as data, each block contains a hash pointer (or secret code) which to verifies that nothing has been changed. Soooo, it’s a super thing for keeping track of digital currency transactions.
• Fozzie Bear was created by Frank Oz & is a key member of the Muppet team. He’s best known for his naff joke-telling skills. He is no use as a distributed database with no central authority. But, he’s a skilful light entertainer.
• It was back in 2008 that Japanese uber-geek Satoshi Nakamoto published his paper on blockchain technology & introduced the world to a newly proposed crypto-currency. It went on to be a vital technology behind the success of Bitcoin.
• According to Muppet legend, Fozzie Bear grew up right next door to his best friend Kermit. Fozzie always wanted to be a comedian. Also, for years I thought it was ‘Fuzzy Bear’.
• Each block is a permanent part of the blockchain & records transactions. The chain is designed so that transactions cannot be tampered with or removed. As a distributed database system, it’s an open digital ledger which needs no central authority & keeps an open record of transactions.
• In later Muppet Shows, Fozzie teamed up with some chickens to create routines of every increasingly hilarity. However, by the 1990s the laughs were drying up & he had to resort to wearing a wig to get a giggle. He made a cameo appearance in The Muppet Christmas Carol as Scrooge’s kind employer Fozziwig. Rumours of onsite arguments with Kermit & the Chickens abounded. Fozzie was seen as a washed up diva with a honey drinking problem.

• Blockchain works. Bitcoin is the best example but how to you change your virtual bitcoins into ‘real cash’. Simple. Look for a Bitcoin exchange that is offering a reasonable price. Check the currency you want. You’ll need an account but beyond that it’s like cashing in chips at a casino. They may be virtual but they have real value.
• Fozzie Bear has many catchphrases but his most famous is ‘Wocka wocka wocka’ – which he often employs after one of his disastrous gags.
• Blockchain technology is perfect for the digital space & cross-border activity due to the lack of human involvement,  it’s speed & efficiency. There is no single blockchain & there are various blockchain technologies which look at various aspect of the solution.
• There is not that much information on Fozzie Bear on the web. When selecting a Muppet to brighten up a serious blog, it would be far easier to go for Kermit. Also, select the right Muppet at the start or things such drying up when you get half-way through.
• Blockchain technology will be a buzzword for years to come. The potential is significant. Some banks & institutions are cautious. The anonymity & state-less nature of blockchains is perfect for the dark forces of this world to use to move their money around. Blockchains will become everyday in the next few years so just as well you got to the end of this article. Seriously, there is a stack of information out there online, just check your sources as always.

Right, that’s it. I’m sure mixing up Muppet facts help to confuse things further but if you picked up only a snippet about blockchain technology then my work here is done (poorly).

Very smart people at organisations like the ISF (Information Security Forum) & Gartner consulting produce some excellent predictions of terror for everyone to be scared of.

They help by projecting forward to look at the kind of threats we’re going to face in cyber security in the next 5 years.

My diagram provides a good overview of the ones I suspect will cause a few sleepless nights (No I haven’t employed a professional graphic designer – it’s all my own work, scanned in.):

Automated Misinformation

Pretty much every point on this list is underpinned by smarter AI capability. Think deliberate, automated & targeted false information – targeting organizations & corporates. This could be anything from a sea of misinformation to false profit warnings, artificially created scandals & fake board level announcements. We can do much of this at the moment but think how powerful it would be with evolving AI personas driving it at a relentless pace. Are the PR & Comms team ready for this?

Unexpected Outcomes

No knows the future – not even Mystic Meg but the experts see a headlong rush into AI projects leading to new vulnerabilities. In science terms, ‘unexpected outcomes’ is a terrifying phrase which could mean anything from a button you didn’t know about to thermonuclear war & the eradication of life on Earth. Realistically, cyber criminals will quickly exploit any gaps or vulnerabilities in AI decision-making. This we can be sure of.

Opaque Algorithms

Mmm….I was going to put legacy systems collapsing, as few people realize how much institutions like the Stock Exchange rely on old code. Still, imagine you’re turned down for some form of insurance – you query it – who knows how the algorithm works – the business probably won’t. Who knows what could happen? My point is they are getting ever more complex mathematically & the pool of those who understand them is already small. People on Facebook are already blaming the algorithm for things going wrong. Will we see forms of discrimination we don’t even know about? How important is that that we understand how important decisions about us are made?

Robot Takeover

We all know it’s coming but maybe not in the way we imagine. People get excited about robot waiters but the real challenge will come as AI replaces thousands of ‘middle’ jobs. We’re not the first generation to face disruption but if we fail to plan for this, I’m convincved we’ll face serious civil unrest. One option is to offer everyone a basic universal income – regardless of whether they work or not. If you want to earn more, you can apply for one of the few jobs open to humans. (I’ll cover this in more detail later.)

I’ve read a lot about cyber security on my journey so far & I think I’ve already mentioned that many debates are dominated by the on-going theme that the industry needs more people….fair enough……

However, I have to say, they don’t make it easy.

I’d be classified as a career changer – a general business/IT project managery type of person, shifting some of his focus to cyber & data security. But, trying to find your way through the jungle is just so confusing.

I present here what I call the ‘Diamond of Unwelcomeness’ which shows just how unwelcoming the profession really is to newcomers & career changers….

(To help us (& this is only from a selfish point of view!) there are regular ‘women in cyber’ sessions to which I can’t really go.)

Qualifications, Training & Standards – don’t get me started here. Never have I come across such a confusing nexus of industry standards, associations & qualifications. I’m a member of BCS but there are about 4 other industry groups you could join – it would cost you a fortune to join all of them…

Barriers to First Jobs – Accountants have it good don’t they – CIMA/ACCA – a recognised path…everything I think we are missing. My solution is to look for the cyber security elements in my current role & that is working really well.

Apologies if this all sounds a bit grim…if you’re new like me you also find conventions full of these folks:

Type As – glossy sales people on stands who know all the lingo but have a surprisingly shallow knowledge of the industry & technology.

Type Bs – industry old-hands who have been in it for years. There’s not much you can tell these guys & most of them used to code.

Type Cs – network & helpdesk folks – they’re big on the technical side – they know how to configure a firewall. This is their domain & they don’t want it de-mystified too much..

I say this all slightly tongue in cheek – you kinda get this with every professional. But, I hope there are also some serious points in here.

I’ll keep on chipping away & keep you posted on how I get on.

If I disappear, you’ll know I’ve probably been taken out by one of the industry associations in a revenge attack…

Let’s start with four. More are available. There are more sub-divisions than there are branded coffee outlets in London.

Personally, I’d never heard of malvertising but it’s a big problem in India at the moment. Identify theft we are all aware of but how many of us really take this seriously. I always imagine someone coming up to you in the street & talking about your most personal information – all stuff you’ve shared online.

Cyberstalking – a nasty, very personal attack which can be motivated by money or something even worse.

Spam & Phishing – team this one up with a bit of social engineering & it’s like finding an irritated scorpion in your sleeping bag that was in a real bad mood even before you sat on him. Just one click, that’s all it took. So convincing. Click on the mysterious link, go on, we’re friends now – Clickie Click Here

(Note to my few readers – yeah things are a bit simple at the moment on my blog. Yeah there are lines in the drawings. That’s just how it is. I’ll keep updating the site as I learn stuff but if you’re an MSc student from somewhere or a 20 year security veteran who knows what a container is, hey you’re not gonna learnt a lot here.)

Here’s a graphic to summarise what’s in my brain:

Here’s what we know so far.

The Daily Mail (as ever) is a great source of information crazy news link.

Seriously, it’s all over the news. Cyber attacks are the new thing. I even heard the DarkTrace guys on Radio 4 so it must be big news.

I have summed up my current technical knowledge in diagram form:

The Cyber-war begins…