Information Security World 2018

This week I was mostly visiting this conference at the Institute of Engineering and Technology in London.


Going to cyber-security conferences can be problematic for those interested in the field.

  1. How can you get past the endpoint security booths – I’m not responsible for it so I don’t really know what to say to them…
  2. How many suppliers tell you that they are now using machine-learning & AI to boost their cyber-security software….you can stack up 10 of these before you reach the first loo…
  3. What a mix you get at these conferences, some folks talk the jargon, some wear a smart suit…you just know who really knows their stuff…
  4. Blimey, there are 20 new companies every time I go. If you are starting a company in cyber-security you have to call it something like Cy-thing or Seco-Bot. Names, it seems, are important.

Well, Info Sec World was not like that. It’s a first-class event, with a full programme of lectures & talks plus a very limited selection of approved vendors – did I sound like an advert there? I didn’t mean to – it really is a good conference…a great one-day event to stock up on the latest trends. We had a futurist looking at the next 10-20 years, we had the VP from Symantec with some great insights, then I broke into one of the tracks to focus on the challenge of cyber-cost & complexity in the digital world….

I came back with a bag of goodies & pages of notes. Goodies below – they were of high quality & will give you enough reading for months….


That’s why these events are worth going to. I chatted to a few folks around the conference – here’s what one well-known author on cyber-security told me off the record:

“Insider threats account for over 80% of breaches….”

I know it’s not the revelation of the year but for me it was one hell of a reminder that you don’t just need to learn about firewalls.

In fact, several of the talks highlighted some fundamental truths I’d kinda lost sight of. Here are a few well-known pearls:

  • Patching is important – the boring stuff makes a difference
  • Segmentation is something you need to act on – validating who has access to what
  • Data management – talked about often, done not so much
  • Identity Management – hell yeah, login credentials, compromised administrators & crappy passwords

I hope this doesn’t all sound very flippant – I know it’s basic stuff but it was a great reminder. One of the speakers told us that in his experience over 90% of breaches were avoidable by making effective use of standard controls & processes. That’s the basics – no need for AI here.

Finally, the VP from Symantec talked to us about the Law of Unintended Consequences.

He didn’t use the following example but it’s a good one. Someone in hard facilities management thinks it’s a good idea to hook up the heating system to the Internet.

Smart stuff.

We’ll be able to control the heating via a mobile….you know where this is going.

I think the point he was trying to make was to think through the headlong rush towards Smart-pants & Smart-socks…

All in all, a really valuable conference. I know I haven’t done it justice here but well worth a look next year….

Cyber Security Career Progress Check

As the new university term approaches, I’m having a mini-crisis around my career plans in cyber security.

Firstly, the negatives.

Although my upcoming university courses are around web architecture & so highly relevant, neither of them has cyber security in the title & I look enviously at other more focused courses. I sometimes wish my studies could be more focused. I’ve mentioned this before on the blog but I think the Open University syllabus is looking dated.

I’ve switched my Java course to an IT projects & change course as it’s more relevant to my current job role & I don’t think I could have handled two technical courses in one academic year. I will still be picking up Java but at a future date. A kinda negative.

I don’t know how important this next one is but I don’t yet have ‘cyber security’ or anything related in my job title or remit. And, I’m struggling to see how this transition is going to work. An agent messaged me about another role recently but it was very similar to what I’m currently doing.

In my experience, without a long-term road-map, it’s easy to lose focus, faith & motivation in a direction of travel. Exactly how am I going to get into the ‘arena’ I want to be in…how is this miracle going to occur!

That’s the negative points. Here’s the positive side.

I enjoy where I currently work. And, my work is touching aspects of cyber security in so many areas. My most recent positive contribution was calling out the outdated hashing algorithm SHA-1 in a system I’m working on.

It was set up as a configuration but I knew it was compromised so have highlighted & proposed a change. I am trying to use my growing expertise to help in my current role.

I’m planning to complete my BCS Foundation Certificate in Information Security Management Principles to provide a foundation for my further studies & blogging. I’m paying for this one myself so it’s a big investment but I’m hoping it will be a solid stepping stone. I’ve looked long & hard at the various qualifications out there – it’s a confusing market place but I trust the BCS & believe this is the right one to start with.

Finally, my role is involving more e-commerce work which is bringing me into a sphere where data theft & hacks are far more….what’s the word….prevalent? Well, you know what I mean, stealing data is one thing, stealing payment or credit card details, is the golden goose.

So, that’s where I am. Hopefully, I can add some more technical cyber security blog updates as I go along this year. I’ve read some excellent ones out there & I’ll start including some links as I get to know them.

Maybe the work world is also changing a bit. I kinda suspect that moving forward cyber security in various forms is going to be a component of every business role?

An Idiot’s Guide to Vulnerabilities

Right, just to be clear, I’m not implying that anyone is an idiot – it just seemed like a catchy title. I really mean folks without the honed technical skills to exploit some of the more hidden vulnerabilities in applications & websites…

Also, you have to realize that I’m not formally trained in any security yet. I’m kinda making it up as I go along & based on my experience.

Still – a useful survey for me as I embark on this learning journey. Read on but don’t get mad. (Also, I should emphasise that I am talking about looking for vulnerabilities to help fix stuff – not really exploit it – use your awesome powers for good, never for evil.)

What is a “vulnerability”?

Not reaching for any ITIL or security manual, for me it’s any way to exploit a system in some way, shape or form. Think making it do something it wasn’t designed for. Think tricking it into recording a transaction that was never made. Think exploiting some poor coding or a poorly configured credentials request.

So far, with my limited technical skills, I’ve helped to find some basic vulnerabilities in projects I’ve worked on including classic SQL injection attacks & API vulnerabilities. But vulnerabilities don’t always live in the technical shadows. Here are a few observations I’ve collected so far:
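The “classic SQL injection” mentioned above, as an added worked example (this is not code from the post or from any system the author worked on): a login check built by string formatting next to the same check with bound parameters. The user table, the password and the SHA-256 hashing are constructed demo data; a real system would use a slow, salted password hash such as bcrypt or Argon2.

```python
import hashlib
import sqlite3

# Constructed demo data (assumption for this example, not the post's system).
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse battery staple"


def hash_password(password: str) -> str:
    # Illustrative only: use a slow, salted KDF (bcrypt/scrypt/Argon2) in real code.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", (DEMO_USER, hash_password(DEMO_PASSWORD))
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL by string formatting: whatever the user types becomes SQL."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, hash_password(password))
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver keeps data and SQL apart."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(query, (username, hash_password(password))).fetchone()
    return row[0] > 0


# Classic payload: closes the quoted string, adds an always-true clause, and
# comments out the password check that follows ('--' is a comment in SQLite).
INJECTION = "' OR 1=1 --"


def demo() -> dict:
    """Run both login functions with a real login and with the injected username."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, DEMO_USER, DEMO_PASSWORD),
        "legit_safe": login_safe(conn, DEMO_USER, DEMO_PASSWORD),
        "injected_vulnerable": login_vulnerable(conn, INJECTION, "anything"),
        "injected_safe": login_safe(conn, INJECTION, "anything"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'login accepted' if accepted else 'login rejected'}")
```

With the injected username the formatted query reads `... WHERE username = '' OR 1=1 --' AND password_hash = '...'`, so the vulnerable version accepts the login without any password, while the parameterised version simply looks for a user literally named `' OR 1=1 --` and finds none.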

Thinking Differently – one of the things I’ve realized is that good hackers have the ability to look at systems from a different perspective. They look at the whole process (see the next point) – particularly where people get involved or physical entry points crop up. You don’t need to be a coding genius to download some malicious software. You don’t need to be 007 to follow someone through a security barrier & insert your code into the nearest slot. Internal security people tend to look at things one way. Network people are the worst. Not every vulnerability can be stopped by the firewall. It’s pointless locking the windows & doors when the villain is already inside.

Mapping the Process – related to the above, I like to map the process, even if it’s at a basic level. Like the trans-Atlantic convoys during World War Two, any process is only as strong as its weakest link. It’s pointless spending zillions on endpoint security if your IT department has not correctly configured the single sign-on software. I find visually exploring the process a useful tool – I’ve included an example – not the best one granted but I’m just at the start of the process.

[Figure: Ingenico credit card process flow]

There are no state secrets above. It’s a basic payment flow – pretty typical really. But when you start breaking it down, you notice real-time & non-real-time processes etc etc. You get the point. I actually did my own version of this, with more detail, but I didn’t want to post that!

Follow the Money, Follow the People – something an experienced hacker told me was to start by following the money – the transactions – makes sense. But also, to follow the people. The people are often the most unpredictable element in any process. They forget stuff. They take short cuts. In my experience, the core financial processes are well-protected with encryption that would give Sheldon Cooper a run for his money (in real terms, they are basically unbreakable….until they get broken). But people, yeah we all love them. My pearl of wisdom here is that a key source of vulnerabilities here is that users tend to do the same thing every time. They like it like that. If they find a short cut or password ‘recipe’, they use it.
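The password “recipe” point above, as an added example (not code from the post): a check that catches a new password which is just the old one with the year, the trailing “!” or a few letter-for-symbol swaps changed. The substitution table and the stripping rule are illustrative assumptions, and the sample passwords are constructed.

```python
import re

# Common letter-for-symbol swaps seen in password "recipes" (illustrative list, an assumption).
LEET_MAP = str.maketrans(
    {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}
)


def skeleton(password: str) -> str:
    """Reduce a password to the core word the user keeps recycling.

    Drop leading/trailing digits and punctuation (years, '!', '123'), undo the
    usual swaps, lowercase, then drop any remaining non-letters.
    'Summer2019!' and 'Summ3r2020!' both reduce to 'summer'.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    core = core.translate(LEET_MAP).lower()
    return re.sub(r"[^a-z]", "", core)


def is_recycled(old: str, new: str) -> bool:
    """True when `new` is `old` with only the decoration changed."""
    old_core, new_core = skeleton(old), skeleton(new)
    # An all-digit password has no core word, so we cannot call it a recipe.
    return bool(old_core) and old_core == new_core


def recipe_matches(history: list, candidate: str) -> list:
    """Return every previous password the candidate is a re-dressed copy of."""
    return [old for old in history if is_recycled(old, candidate)]


if __name__ == "__main__":
    # Constructed password history for the demo.
    previous = ["Winter2017!", "Summer2018!", "Tr0ub4dor&3"]
    for attempt in ["Summer2019!", "Summ3r2020!", "correct horse battery staple"]:
        hits = recipe_matches(previous, attempt)
        verdict = f"rejected, recycles {hits}" if hits else "accepted"
        print(f"{attempt!r}: {verdict}")
```

The check deliberately ignores digits and punctuation at the ends because that is exactly where people make their “change”; a policy that only compares the new password against the old one character for character never sees it.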

Fooling AI – oo-er….I’ve mentioned before that I’ve looked at brilliant companies like Darktrace & what they are doing with network traffic analysis etc. The math behind their machine-learning is smart. But, so far at least, it seems that every AI can at least be misled if not totally fooled. In my limited experience here, it’s in the parameters of the AI search – wherever the AI looks, you need to look just outside of it. As Forrest Gump used to say, that’s about all I have to say about that.

—-

Well, that was it. I warned you at the start. I plan to develop my knowledge in this area with my studies this year but hopefully that provides something of a primer.

I would like to leave you with a few pointers – if you like solving puzzles, if you are the sort of person who likes a challenge & loves finding ways to ‘break’ things, then you should learn more about vulnerabilities & threats.

I think of technical training as a kind of multiplier. Get the basics & attitude right, add the technical skills & you become one dangerous monkey.

The Shadow IT Survival Guide

Recently I’ve been thinking through my next modules, changes at work & my career development. I’ve posted before about the challenges of getting into cyber security. It’s not an easy path for a career changer.

But what about living in shadow IT?

That’s kinda where I am at the moment. My role, like many, incorporates large swathes of technology from reviewing XML files to technology planning, from managing system upgrades to assessing user experience. And, although I work closely with an excellent IS&T team, I’m on the outside. I sit within the business.

I am a shadow IT person.

Here’s a definition of Shadow IT. There are loads out there on the web but you get the idea:

Shadow IT refers to information technology projects that are managed outside of, and without the knowledge of, the IT department.

The downside to being in Shadow IT is that you never quite feel you’re in the right place.

Development & training can be a struggle as few really understand why you’re trying to get on a particular course.

You don’t get that warm fuzzy feeling of being part of a professional job family.

You rarely have the right tools or access-level to really do what you want.

For the IT team or ‘regulars’, Shadow IT can be a nightmare. Deploying cloud-based systems no one has ever heard of. Creating vulnerabilities at the click of every button. Working round agreed processes because they’re too slow.

My experience has so far revealed a few different species of Shadow IT. Here are the two I know so far:

  • The Shadow IT Natives – a bit like me really. They do have some technical skills. Should they be in IT, who knows? Most of the time they are business people who have transitioned in. We tend to be a pretty pragmatic bunch but that doesn’t stop us causing trouble. We can be troublesome for IT folks – a little knowledge is very dangerous – isn’t that what they say?
  • The Digital Peeps – ever heard anyone say they work ‘in digital’? These tend to be marketing folks who go ecstatic when anyone mentions AI or block-chain. Or, they know a bit about a CMS & are now ready to implement major machine-learning projects. Heavy on buzzwords – this group sees block-chain as a solution for everything from managing Brexit to solving the world food crisis.

I’m sure there are more. And, I don’t mean to sound critical of them – after all, I’ve already said I’m part of the zoo as well.

So, is there an upside to it?

Well, technology is everywhere nowadays, as my Mum likes to say. Maybe it’s time it came out of the closet. I’ve read a lot about the growing demand for ‘hybrid’ managers – comfortable in both technology & business. With the right mix of digital & people skills. I’ve not personally seen this demand yet but folks like Gartner say it’s there.

Having a foot in both camps can be fun and challenging. My previous line manager was a superb example. She spent years in business & finance before moving into large scale deployment projects & was very effective in her roles. She’s pragmatic, realistic & has the rare talent of being able to bring her years of experience to the table without over-ruling new folks with new ideas. She is also adept at knowing when to lean on the regular IT team.

I don’t know how she does it. If I learn the secret I’ll share it. In the meantime, I’m going to continue learning how to survive in Shadow IT & spot a few more of those different species…

Book Review: Get Coding Kids!

Right, which book is number one on Amazon in the programming category?


Some fancy Java guide the size of a small house? A Python book to make PhD computer scientists cry? Some new language you must learn but have never heard of?

No, it’s Get Coding from Walker Books. A kids’ (and everyone’s) guide to HTML, CSS & Javascript. And you know what, it’s brilliant.


Why am I reviewing a kid’s book? Long answer follows. Application security & best practice programming is vital in cyber security. I don’t know a lot about programming – I’m covering that off at university next year. Plus, I like the web & want to focus on it.

Enter this book. It’s a colourful work book, with a tonne of explanations, illustrations & exercises. It’s clear, concise & the story is very funny.

HTML, CSS & Javascript are essential skills to have. Basically, you need to know them. If you don’t – this is a great place to start. It answers all the questions you were too shy to ask. There are explanations on everything from HTML tags to how to tell your browser you’re now writing Javascript.

I was stunned by the scope of this book & how it effortlessly introduces the core skills any web developer needs.

You got all the tag stuff of course. You got the style sheet madness – in a good level of detail. And, a great introduction to javascript itself.

But, on top of that you have talk of iframes, APIs & wireframing….what more could you ask? Plus, the exercises are fun & part of a funny little story that carries on through the book.

I can’t recommend this enough. If you’re worried about picking up a kids’ book – forget it – we all learn in different ways & sometimes approaching it like a kid is perfect. For them, learning needs to be interesting & fun. This cool book is both. It’s also backed up by a snazzy website.

Check it out if you’re interested!

Get Coding Book

Five Skills for New Cyber Security People

Recently, my ambition to work in the field of cyber security has been under a bit of pressure. I’ve been struggling with just how to connect the dots and make it really happen.

Changes at work have developed my role but I’m no closer to any formal cyber security brief. Sometimes it feels like a fortress I just can’t break into.

So, I thought this skills list might be useful.

Firstly, I want to introduce you to the unsavoury reality that I’ve come across when trying to answer the question – how do I get into cyber security?

The Established Path – join an established network team as a small child and get through all your Cisco qualifications around networking. Bugger around with corporate firewalls. Have an in-depth and practical knowledge of the OSI model, packet-switching and ports.

If you know the guy below from the TV series The Office – you’ll know what I mean.


Job done.

You are now the kinda candidate everyone seems to be looking for. (Women, career-changers and anyone who didn’t follow the networking route need not apply).

Apologies if that all sounds very gloomy but that’s just sometimes how it feels – as I said when I started this blog – they don’t make it easier.

And, talk of new digital apprenticeships won’t mean much to the many career-changers I’ve spoken to. Being super-cynical, I’d say they’re just enough to enable the industry to say ‘we’re doing something’ but not enough to threaten the premier status of many in the industry establishment.

Enough of this gloom – following my career research – here are 5 key skills I’ve come across. If you are looking to get into cyber security, if you don’t know where or how, then focusing on these will give you a good start…well, that’s the plan at least. These are presented in no particular order.

  • Application Security – I remember reading somewhere, might have been on CBeebies, that 90% of vulnerabilities are within applications themselves. With that in mind, I suggest a grasp of at least one programming language is a good starting point. You need to understand the critical structures in object-oriented programming. Add to this the software development cycle and testing. Me, I’m learning Java on my course next year.

 

  • Web Stuff – Scripting languages – we all love them – HTML, CSS and Javascript. Building blocks of the world wide web. Plus, how web services are deployed and provisioned. For me, getting to grips with these areas in 2018-2019 is going to be a key challenge. Like it or not, the web is at the centre of many security challenges.

 

  • Stay Awake in Your Network Classes – you don’t need to be able to work out a subnet mask or an IP address in binary but the bit around the OSI model and that dusty MS networking book you were given are far more powerful and important than you might have realised. They underpin pretty much everything in modern computing. I’ve studied this stuff – I will be revisiting it. Virtual ports and all that jazz – a critical area in my opinion. Remember, you don’t need to be able to program in machine code but you do need to have a good understanding of what goes where in networking.

 

  • Talking Cyber Security in Business – now, I’m no expert but I kinda have the feeling that the rule of the network teams is coming to an end. The industry is going to need a broad sweep of tech-savvy business folks. Training and education are going to be challenges – us career changers can help there. We know that jungle.

 

  • Cyber Security in Your Pants – well, not literally, I’m just making the point that it is becoming part of so many jobs from access management through to vulnerabilities to new websites. Be curious in your current role. Find areas where you can put your cyber-sec hat on and start investigating. I’ve found vulnerabilities in websites, applications – all sorts of places. It might not be in your job title but make that effort to support yourself and your company by being an extra pair of eyes. Read widely so you know what to look for. I’ve also found that you don’t need to understand all of the technical details to be able to expose a vulnerability. Just think a bit differently, dig in a different area – look to prove that something could be done. For example, if you’re looking at injecting hostile code – it could just be pseudo-code – doesn’t have to be real, just proving that you can get it onto another machine will prove your point.

OK so that’s my take. I’m going to continue working on my dream now. I’m officially half-way through my computing degree, I’m building the kind of experience I need to, I just need a bit of luck to get to where I want to be…..

Cheers

Sean

Book Review: Internet Security Made Easy

I’m an experienced book reviewer but to date pretty much everything I’ve done has been related to zombies & horror(!). Well, time for a change. As I build up my own security library, I’m going to review the best books I find. Now we’re all different so maybe they won’t float your boat but I’ve found them useful on my path….

So, here we go….something in here for most people I think:


With the full title of: Internet Security Made Easy: Take Control of Your Online World, author Richard Williams dons a superman cape to try to gather together everything ‘most users’ need to know about being safe online & all that jazz….an impossible task you say?

Now, I must confess, no matter how bold the claim, I love this kind of book. I grabbed a copy of the paperback in a discount book shop – costs around £4 on amazon (links below). It’s a pretty glossy volume, good quality & well-laid out.

First things first – it says ‘straightforward’ on the cover & the book stays true to that mantra. So, even if you are a budding ‘security’ fanatic like me, there is plenty in there for everyone – be it a recap or some new stuff for you.

I knew much of the content on the history of the Internet, the web & virus types but it was great to get this refresher to make sure everything was straight in my own mind. Equally, I think this would be an ideal primer for anyone who wants to get to grips with ‘security’.

Considering it was published in 2015, it’s all dated pretty well – perhaps with the exception of the anti-virus software providers section – which to be honest, isn’t a million miles out. The mobile content probably needs a bit of an update but again, it’s pretty close to the mark.

The author is not a technical expert & I think this helps his quest. He basically takes everything floating out there & gets it into a format we can all understand. I liked his style & the pages were laid out specifically to make things easy to get a handle on.

Contents include an introduction to the Internet & web, some general bumf on online security, a section on anti-virus software, browsers & some more advanced troubleshooting content.


My only slight criticism of the book is when it addresses dealing with some of the more troublesome malware that can both hide in your system & dodge many virus-checkers. This is the kind of threat that sometimes involves delving into the registry of your operating system & the book includes some detail on what to delete once you’re in this Aladdin’s Cave. To be fair, the author does warn you to back up your system & it is perhaps advice intended for folks on the more advanced side of the user spectrum but still, I felt I should point it out. Messing around in your registry can cause you some serious headaches, that’s all I’d say. It’s one of those areas where a little knowledge is very dangerous. Just a small point really.


I’ve had this book around 6 months now. I’ve not read it from cover to cover but I’ve read chunks of it on an on-going basis & found it to be a really useful volume. By now, I reckon I’ve pored over every page at least once!

It really sets out what it plans to do. There’s something in there for everyone & it’s a good recap of what we should all know about staying safe & secure online. Thoroughly recommended & well-worth the price.

Linky to the Booky on Amazony