Salesforce World & a New Job

My new role started in April so I’m well into my induction. The great thing about it is the scope of the role – I look after more systems & different types of systems which is great experience for me.

I’m also involved in diverse project work, from biometrics & GDPR to becoming an IT contact for our legal team. A great chance to learn new stuff & pursue my interest in data & cyber security.

My Open University studies have finished for this year – that completes my 2nd year in computing – into third year modules next – that will be user design & a system management module. This year has been focused on web technologies (HTML, CSS, Javascript, PHP etc) & project management.

So, what about this Salesforce thing.

Well, I don’t have shares in Salesforce or anything but it must be simply the best ‘industry type showy show’ thing I’ve ever been to. Firstly, it’s massive. This image isn’t mine & it’s just one of the halls.

Secondly, it’s almost like a cult….maybe a better way to describe it would be religion. There are thousands of people, literally queuing to get in. Everyone tied into this platform. Their jobs. Their careers…their futures via an online training tool. It’s amazing. But it’s not all hot air. It really is a cool system & one that has more features added every year. Can anyone stop Salesforce taking over the CRM world? Maybe MS Dynamics? I’m not sure.

A great way to celebrate my new job. I don’t go to many shows but there’s an info security one next year that I’m not going to miss. I went last year as an excited civvie. This year hopefully, I’ll feel more part of the team!

Career Planning Part 2

Back in January, I did some career planning. Many things were changing at work & I wanted to get my plans tidied up.

Well, I went for a security role & that didn’t work out. I got some great feedback & ended up being offered another role in our IS&T team – a role that gives me the chance to learn in all the key areas I need to.

I’ll be the systems administrator for a number of key systems across our business & have special responsibility for some of our central teams such as Legal & Communications. I’ll be working on data projects, Salesforce projects & other stuff that I really enjoy.

So, a really positive move for me.

Much of this change is driven by a new CIO who seems to have re-invigorated the team & business. He’s certainly given me a new opportunity.

Long-term, my ambition is still in cyber-security & I’m reviewing my long-term plans to ensure I take this into account. And this role moves me into IS&T & gives me the chance to gain skills in all the right places!

Just a short blog for this month to share this news. One final point. Get yourself a good mentor. Mine won’t read this but I’ve had a mentor within IS&T helping me every step of the way. She’s been a guide in all kinds of areas & has been central to me getting this position. I can’t say how important it is to get an insightful mentor.

Learning the Basics: Bio-metric Data

What is bio-metric data?

If I had a quid for every time someone in the business proposes using bio-metric data as a solution to a verification challenge, I’d have about £17. Tech like facial recognition & retinal scans seem to have been around for ages but we’ve mostly seen them in sci-fi & spy films where, let’s be honest, it seems to do the job.

If you do your research, you’ll find that things are a bit ‘smokier’ than the movies suggest. In my studies, the metric that really seemed to come out on top was the iris scan (just in case you were wondering!)

I sat in on a recent webinar where the marketing presenters talked about examples of smart loos using the data from analysed waste to make suggestions related to health & diet. If you know anything about security and data, you’d have more alarms going off than Pudding Lane on the night of the Great Fire (well, you get the point).

Anyway, back to basics – what is bio-metric data?

Bio-metric data is ‘personal data’ (important) relating to the physical, physiological or behavioural characteristics of a person that allows or confirms the unique identification of that person. Good examples include fingerprints & facial recognition, but also gait, the way an individual walks.

With bio-metric data, you don’t need name, date of birth or any other piece of meta-data – the body or habits tell us everything we need to know…

Is it covered by data protection legislation?

No previously enforced data protection law addresses bio-metric data, but GDPR changes all that: its definition of personal data is specific & explicitly addresses bio-metrics.

The GDPR kinda emphasizes the need for ‘caution’ around bio-metrics – the same canons apply in areas such as explicit consent, processing only as necessary, protecting the data etc. But, I think the cool catz at GDPR central command are concerned about the potential damage & the uniquely personal nature of bio-metric information – in fact data can’t get much more personal.

Many folks, particularly marketers see the GDPR as an irritation – is that fair? I think so. But if history has taught us anything, one of its lessons is to prove once & for all the law of unintended consequences.

Back in the 1930s the Dutch government made intelligent use of its census, collecting all kinds of information about citizens. By 1941, the Nazis used this information to round up any remaining Dutch Jews. My point is that information can be misused for purposes way beyond what was intended. You don’t need to be paranoid like me to imagine what uncontrolled bio-metric data could be used for.

Why would someone want to nick it?

Unless it belonged to Elvis, most would-be thieves won’t be interested in your bio-metric data just for the sake of it.

What they are really interested in is bio-metric verification.

That’s where the magic is for the super-villains. The chance to fool any verification process that uses bio-metrics – be that facial recognition to enter your secret lair or retinal scans to fool your homemade supercomputer….

What? You don’t have a lair or supercomputer?

What about planting evidence at a crime scene? Is this a real risk for most people?

I make no apology for the ‘more questions than answers’ in this post. Things are still up in the air kids. Rather than someone using carefully created plastic copies of your fingerprints, I think it’s far more likely that someone would nick the string of numbers it’s converted into once you scan into any digital system. Who needs to mess around with fake fingers when the numbers will do?

In all honesty, all we need to know is that someone could do something nasty with it AND it’s covered under GDPR data legislation.

So, if you’ve got a stack of fingerprint data sitting somewhere on a server, a left over from some event years ago then you should really take another look at this data.

Desert Survival Blog

Back in 2014 I spent 7 days on a desert survival adventure. I’ve collected the various clips from different YouTube accounts so they’re all together.

So,  why did I head out into the Sinai alone?

Well, firstly, I wasn’t completely alone. I had Bedouin guides although I did spend many days alone. The guides are a legal requirement in Egypt & helped me find the right locations.

They also teach you about the desert & help you notice things you’d miss. I did a few days trekking with a guide as well as surviving alone on a nearby mountain top.

I know this probably sounds like hell for most but I’m sure some will understand. Being alone in the wilderness, lighting fires, making camps, a hostile environment, a stunning landscape – what’s not to love. I should also mention that the Bedouin are amazing people – that’s partly why I couldn’t do the adventure completely solo. In desert lore, if you see someone alone, you check on them to see if everything is OK – so I had a lot of visitors!

Anyway, I remember keeping a written blog as I have on previous adventures but I’m not sure folks read these anymore so here are the video blogs, unedited, raw, sometimes difficult to hear but a great reminder for me of a wonderful adventure in a location now pretty much closed to outsiders.

OK – some video entries from back in 2014!

Day One Desert Survival Blog

Day Two Desert Survival Blog

And so on – if you’re interested, you’ll be able to follow the 7 day adventure. At the end of it, after some rough nights, dodgy water & considerable weight-loss, I emerged & met my wife for a week’s holiday…..much needed!

Career Planning 2019-Style

I’ve blogged before about how difficult it is to ‘break into’ a security job. Well, a great opportunity came up at my company & so I went for it.

It was a great opportunity & I learnt a stack. Although I didn’t get the role I went for, the good news is that there is some movement just up ahead for me so I thought it was time I re-looked at my career plan.

The first days back at work after Christmas are always a killer. Thoughts such as why am I here, what do I actually do & who moved my cheese fill the mind.

But, I was actually glad to get back to work. 2019 should be a big year for me. I still don’t have quite enough time to learn the banjo but I will complete the 2nd year of my computing degree & hopefully move into a different role within our IS&T team.

I put my first real career plan together in around 2013 – up to then I’d been drifting in the wind, safe in the knowledge that ‘working hard’ would get you to where you need to be. Also, I was blissfully unaware of any link around creating your own future. I know that sounds like I’m being a smart-ass but I really didn’t think about it.

This is not a career blog & there are loads of sources of information out there but my basic cycle started when an excellent line manager of mine presented me with a career development tool. He must have seen my face – I was like ‘oh lawd…not another review type career type tick box to take up my time’ – as he quickly added – ‘look it’s your career plan, if you don’t want to do anything with this document don’t.’

It was a realization moment for me. Nothing I hadn’t heard before but it made me think. To cut a long story short, it didn’t answer everything in life or provide a guarantee of success but it did make me wake up & take some responsibility.

The career plan I work with is nothing radical. How you do it is less important than doing it. I work better with graphics & pictures so mine has plenty of pictures.

Firstly you need to determine what you want…from work….I know there’s a link in there to what you want from life but I keep mine to work….don’t laugh but I created a career vision for myself. An over-arching statement about what I want to achieve….

Career Vision: To make a positive difference to my company and society through information technology.

I’m not channeling Michael Jackson or anything but you do have to think big. It’s a vision.

I then break this down into my medium-term objectives – this statement goes along the following lines:

Career Objectives: To become a qualified & experienced technology professional by June 2019, with specialisms in web projects, data technologies, cyber-security & technology-driven business change. To complete courses T227/TT284 by the end of May 2019. To develop the profile, experience, knowledge & qualifications to achieve BCS chartered status by the end of 2021.

Now it’s taken me a while to get here. Behind this I have lists of things I enjoy, potential career opportunities, things I’m good at, training courses I’d like to do etc.

Importantly, I’ve found that you can dream big. Great. But your plan will end up as a composite of your vision, ambition, the opportunities available & of course your own skills. Now you can impact on all of these but some things are outside your control. In my humble opinion, if you’re crap at numbers then a career in data analytics may not be the right move. If you find ISO & data compliance boring then maybe data security isn’t for you.

Anyhow, I don’t have a magic formula but that’s my approach to 2019. I hope you all had a good break & look forward to more cyber-security adventures in the year ahead!

A Rough Guide to (some) Information Security Standards

For sure, cyber-security is a vast field these days with more terminology than you can shake a stick at. Witty banter aside – I wanted to put together a post summarising some key learnings I’ve picked up so far.

Stuff I think we should all know about….

Before we get started – here are a few books I’ve found invaluable to my own learning journey. It’s a mixed combo as I’ve found you can’t just learn the technical stuff, you need to understand process stuff too. Equally, you can’t be the world’s expert on firewall configuration if you ignore the various principle frameworks that have been created to help us out.

No pressure to buy these or anything – just some books to ask Santa for….

The bullet points below are in no particular order but overall they should provide some decent tent-poles on which to hang your knowledge of information security.

What is Information Security?

Basics right – confidentiality: the principle that information is not made available or disclosed to unauthorised individuals, entities or processes. It also includes integrity – the property of safeguarding the accuracy and completeness of information. And, availability – that it is accessible & usable on demand by an authorised user.

Threats, Vulnerabilities, Risks & Impacts?

Not a new superhero show. A threat is simply something that could happen & cause some unwanted consequence. A vulnerability is a weakness that could be exploited to cause some unwanted consequence. I spend a lot of time thinking about & searching for vulnerabilities. Risk is the likelihood that a given threat will exploit a vulnerability – it’s a combo of threat & vulnerability.

Impact gets a section on its own – it’s all about impact baby. Where do you focus your time with limited resources – where the impact is most significant – think damage to data, people, legal requirements, business continuity…

ISO27001

ISO27001 specifies the requirement standards for an information security management system – it’s a framework of policies & procedures. Your organisation can be certified against the standard. Its approach is top-down, risk-based & technology neutral. It won’t tell you how to configure your firewall.

It outlines a range of different controls that need to be in place & documented including physical controls (locked doors/secure cabinets), procedural controls (checks on references) & product or technical controls (passwords/encryption).

So, also think codes of conduct, information security policies, developing a security culture, segregation of duties, user control mechanisms & any awareness training. The standard has a little sister called ISO27002 that contains best practice recommendations of information security controls & some further definitions.

ISO22301

Another certified standard but this time one that focuses on business continuity management. It specifies the requirements for a management system to protect against disruptive incidents, reduce the chances of them occurring & ensure that the business can recover from them.

Think ‘what happens if’ scenarios.

Ransomware has kept this standard busy in the last year or so.

PCI-DSS

The Payment Card Industry Data Security Standards are like the geeky brother to the above standards. In my opinion, they’re more widely known, very detailed and well-established in the card payments industry but not particularly outside.

Also PCI-DSS doesn’t have a girlfriend or anything…

It’s a series of principles around the storage, processing & transmission of card details. Think secure network requirements, secure access controls & Cylon-like encryption.

GDPR

If you haven’t heard of this mammoth chunk of data protection legislation then you must have been either living on the moon or at least under the sea.

The General Data Protection Regulation is now in force & is part of the data landscape in the UK alongside the new Data Protection Act 2018.

Complex? You bet but in simplistic terms it’s a series of principles designed to protect personal data & covers usage of data, breach notifications etc. The area I’ve had most experience with is ‘mailing preferences’ & opting in. If you have anything to do with prospect & customer data then the GDPR will have dominated your life this year.

Right – that’s what I’ve learnt so far….

Information Security World 2018

This week I was mostly visiting this conference at the Institution of Engineering and Technology in London.

Going to cyber-security conferences can be problematic for those interested in the field.

  1. How can you get past the end point security booths – I’m not responsible for it so I don’t really know what to say to them…
  2. How many suppliers tell you that they are now using machine-learning & AI to boost their cyber-security software….you can stack up 10 of these before you reach the first loo…
  3. What a mix you get at these conferences, some folks talk the jargon, some wear a smart suit…you just know who really knows their stuff…
  4. Blimey there are 20 new companies every time I go. If you are starting a company in cyber-security you have to call it something like Cy-thing or Seco-Bot. Names, it seems, are important.

Well, Info Sec World was not like that. It’s a first-class event, with a full programme of lectures & talks plus a very limited selection of approved vendors – did I sound like an advert there? I didn’t mean to – it really is a good conference…a great one-day event to stock up on the latest trends. We had a futurist looking at the next 10-20 years, we had the VP from Symantec with some great insights, then I broke into one of the tracks to focus on the challenge of cyber-cost & complexity in the digital world….

I came back with a bag of goodies & pages of notes. The goodies were of high quality & will give you enough reading for months….

That’s why these events are worth going to. I chatted to a few folks around the conference – here’s what one well-known author on cyber-security told me off the record:

“Insider threats account for over 80% of breaches….”

I know it’s not the revelation of the year but for me it was one hell of a reminder that you don’t just need to learn about firewalls.

In fact, several of the talks highlighted some fundamental truths I’d kinda lost sight of. Here are a few well-known pearls:

  • Patching is important – the boring stuff makes a difference
  • Segmentation is something you need to act on – validating who has access to what
  • Data management – talked about often, done not so much
  • Identity Management – hell yeah, login credentials, compromised administrators & crappy passwords

I hope this doesn’t all sound very flippant – I know it’s basic stuff but it was a great reminder. One of the speakers told us that in his experience over 90% of breaches were avoidable by making effective use of standard controls & processes. That’s the basics – no need for AI here.

Finally, the VP from Symantec talked to us about the Law of Unintended Consequences.

He didn’t use the following example but it’s a good one. Someone in hard facilities management thinks it’s a good idea to hook up the heating system to the Internet.

Smart stuff.

We’ll be able to control the heating via a mobile….you know where this is going.

I think the point he was trying to make was to think through the headlong rush towards Smart-pants & Smart-socks…

All in all, a really valuable conference. I know I haven’t done it justice here but well worth a look next year….