Salesforce World & a New Job

My new role started in April so I’m well into my induction. The great thing about it is the scope of the role – I look after more systems & different types of systems which is great experience for me.

I’m also involved in diverse project work, from biometrics & GDPR to becoming an IT contact for our legal team. A great chance to learn new stuff & pursue my interest in data & cyber security.

My Open University studies have finished for this year – that completes my 2nd year in computing – into third year modules next – that will be user design & a system management module. This year has been focused on web technologies (HTML, CSS, Javascript, PHP etc) & project management.

So, what about this Salesforce thing.

[Image: Salesforce London World Tour, one of the exhibition halls]

Well, I don’t have shares in Salesforce or anything but it must be simply the best ‘industry type showy show’ thing I’ve ever been to. Firstly, it’s massive. This image isn’t mine & it’s just one of the halls.

Secondly, it’s almost like a cult….maybe a better way to describe it would be religion. There are thousands of people, literally queuing to get in. Everyone tied into this platform. Their jobs. Their careers…their futures via an online training tool. It’s amazing. But it’s not all hot air. It really is a cool system & one that has more features added every year. Can anyone stop Salesforce taking over the CRM world? Maybe MS Dynamics? I’m not sure.

A great way to celebrate my new job. I don’t go to many shows but there’s an info security one next year that I’m not going to miss. I went last year as an excited civvie. This year hopefully, I’ll feel more part of the team!

Career Planning Part 2

Back in January, I did some career planning. Many things were changing at work & I wanted to get my plans tidied up.

Well, I went for a security role & that didn’t work out. I got some great feedback & ended up being offered another role in our IS&T team – a role that gives me the chance to learn in all the key areas I need to.

I’ll be the systems administrator for a number of key systems across our business & have special responsibility for some of our central teams such as Legal & Communications. I’ll be working on data projects, Salesforce projects & other stuff that I really enjoy.

So, a really positive move for me.

Much of this change is driven by a new CIO who seems to have re-invigorated the team & business.  He’s certainly given me a new opportunity.

Long-term, my ambition is still in cyber-security & I’m reviewing my long-term plans to ensure I take this into account. And this role moves me into IS&T & gives me the chance to gain skills in all the right places!

Just a short blog for this month to share this news. One final point. Get yourself a good mentor. Mine won’t read this but I’ve had a mentor within IS&T helping me every step of the way. She’s been a guide in all kinds of areas & has been central to me getting this position. I can’t say how important it is to get an insightful mentor.


Learning the Basics: Bio-metric Data

[Image: biometrics fingerprint scanning]

What is bio-metric data?

If I had a quid for every time someone in the business proposes using bio-metric data as a solution to a verification challenge, I’d have about £17. Tech like facial recognition & retinal scans seems to have been around for ages but we’ve mostly seen it in sci-fi & spy films where, let’s be honest, it seems to do the job.

If you do your research, you’ll find that things are a bit ‘smokier’ than the movies suggest. In my studies, the metric that really seems to come out on top was the iris scan (just in case you were wondering!)

I sat in on a recent webinar where the marketing presenters talked about examples of smart loos using the data from analysed waste to make suggestions related to health & diet. If you know anything about security and data, you’d have more alarms going off than Pudding Lane on the night of the Great Fire (well, you get the point).

Anyway, back to basics – what is bio-metric data?

Bio-metric data is ‘personal data’ (important) relating to the physical, physiological or behavioral characteristics of a person that allows or confirms the unique identification of that person. Good examples include fingerprints, facial recognition but also gait or the way an individual walks.

With bio-metric data, you don’t need name, date of birth or any other piece of meta-data – the body or habits tell us everything we need to know…


Is it covered by data protection legislation?

No previous enforced data protection law addresses bio-metric data but GDPR changes all that & its definition of personal data is specific & addresses bio-metrics.

The GDPR kinda emphasizes the need for ‘caution’ around bio-metrics – the same canons apply in areas such as explicit consent, processing only as necessary, protecting the data etc. But, I think the cool catz at GDPR central command are concerned about the potential damage & the uniquely personal nature of bio-metric information – in fact data can’t get much more personal.

Many folks, particularly marketers see the GDPR as an irritation – is that fair? I think so. But if history has taught us anything, one of its lessons is to prove once & for all the law of unintended consequences.

Back in the 1930s the Dutch government made intelligent use of its census, collecting all kinds of information about citizens. By 1941, the Nazis used this information to round up any remaining Dutch Jews. My point is that information can be misused for purposes way beyond what was intended. You don’t need to be paranoid like me to imagine what uncontrolled bio-metric data could be used for.


Why would someone want to nick it?

Unless it belonged to Elvis, most would-be thieves won’t be interested in your bio-metric data just for the sake of it.

What they are really interested in is bio-metric verification.

That’s where the magic is for the super-villains. The chance to fool any verification process that uses bio-metrics – be that facial recognition to enter your secret lair or retinal scans to fool your homemade supercomputer….

What? You don’t have a lair or supercomputer?

What about planting evidence at a crime scene? Is this a real risk for most people?

I make no apology for the ‘more questions than answers’ in this post. Things are still up in the air kids. Rather than someone using carefully created plastic copies of your fingerprints, I think it’s far more likely that someone would nick the string of numbers it’s converted into once you scan into any digital system. Who needs to mess around with fake fingers when the numbers will do?

In all honesty, all we need to know is that someone could do something nasty with it AND it’s covered under GDPR data legislation.

So, if you’ve got a stack of fingerprint data sitting somewhere on a server, a leftover from some event years ago, then you should really take another look at this data.

Desert Survival Blog

Back in 2014 I spent 7 days on a desert survival adventure. I’ve collected the various clips from different YouTube accounts so they’re all together.

So,  why did I head out into the Sinai alone?


Well, firstly, I wasn’t completely alone. I had Bedouin guides although I did spend many days alone. The guides are a legal requirement in Egypt & helped me find the right locations.

They also teach you about the desert & help you notice things you’d miss. I did a few days trekking with a guide as well as surviving alone on a nearby mountain top.


I know this probably sounds like hell for most but I’m sure some will understand. Being alone in the wilderness, lighting fires, making camps, a hostile environment, a stunning landscape – what’s not to love. I should also mention that the Bedouin are amazing people – that’s partly why I couldn’t do the adventure completely solo. In desert lore, if you see someone alone, you check on them to see if everything is OK – so I had a lot of visitors!


Anyway, I remember keeping a written blog as I have on previous adventures but I’m not sure folks read these anymore so here are the video blogs, unedited, raw, sometimes difficult to hear but a great reminder for me of a wonderful adventure in a location now pretty much closed to outsiders.

OK – some video entries from back in 2014!

Day One Desert Survival Blog

Day Two Desert Survival Blog

And so on – if you’re interested, you’ll be able to follow the 7 day adventure. At the end of it, after some rough nights, dodgy water & considerable weight-loss, I emerged & met my wife for a week’s holiday…..much needed!


Career Planning 2019-Style

I’ve blogged before about how difficult it is to ‘break into’ a security job. Well, a great opportunity came up at my company & so I went for it.

It was a great opportunity & I learnt a stack. Although I didn’t get the role I went for, the good news is that there is some movement just up ahead for me so I thought it was time I re-looked at my career plan.

The first days back at work after Christmas are always a killer. Thoughts such as why am I here, what do I actually do & who moved my cheese fill the mind.

But, I was actually glad to get back to work. 2019 should be a big year for me. I still don’t have quite enough time to learn the banjo but I will complete the 2nd year of my computing degree & hopefully move into a different role within our IS&T team.

I put my first real career plan together in around 2013 – up to then I’d been drifting in the wind, safe in the knowledge that ‘working hard’ would get you to where you need to be. Also, I was blissfully unaware of any link around creating your own future. I know that sounds like I’m being a smart-ass but I really didn’t think about it.

This is not a career blog & there are loads of sources of information out there but my basic cycle started when an excellent line manager of mine presented me with a career development tool. He must have seen my face – I was like ‘oh lawd…not another review type career type tick box to take up my time’ – as he quickly added – ‘look it’s your career plan, if you don’t want to do anything with this document don’t.’

It was a realization moment for me. Nothing I hadn’t heard before but it made me think. To cut a long story short, it didn’t answer everything in life or provide a guarantee of success but it did make me wake up & take some responsibility.

The career plan I work with is nothing radical. How you do it is less important than doing it. I work better with graphics & pictures so mine has plenty of pictures.

Firstly you need to determine what you want…from work….I know there’s a link in there to what you want from life but I keep mine to work….don’t laugh but I created a career vision for myself. An over-arching statement about what I want to achieve….

Career Vision: To make a positive difference to my company and society through information technology.

I’m not channeling Michael Jackson or anything but you do have to think big. It’s a vision.

I then break this down into my medium-term objectives – this statement goes along the following lines:

Career Objectives: To become a qualified & experienced technology professional by June 2019, with specialisms in web projects, data technologies, cyber-security & technology-driven business change. To complete courses T227/TT284 by the end of May 2019. To develop the profile, experience, knowledge & qualifications to achieve BCS chartered status by the end of 2021.

Now it’s taken me a while to get here. Behind this I have lists of things I enjoy, potential career opportunities, things I’m good at, training courses I’d like to do etc.

Importantly, I’ve found that you can dream big. Great. But your plan will end up as a composite of your vision, ambition, the opportunities available & of course your own skills. Now you can impact on all of these but some things are outside your control. In my humble opinion, if you’re crap at numbers then a career in data analytics may not be the right move. If you find ISO & data compliance boring then maybe data security isn’t for you.

Anyhow, I don’t have a magic formula but that’s my approach to 2019. I hope you all had a good break & look forward to more cyber-security adventures in the year ahead!

A Rough Guide to (some) Information Security Standards

For sure, cyber-security is a vast field these days with more terminology than you can shake a stick at. Witty banter aside – I wanted to put together a post summarising some key learnings I’ve picked up so far.

Stuff I think we should all know about….

Before we get started – here are a few books I’ve found invaluable to my own learning journey. It’s a mixed combo as I’ve found you can’t just learn the technical stuff, you need to understand process stuff too. Equally, you can’t be the world’s expert on firewall configuration if you ignore the various principle frameworks that have been created to help us out.


No pressure to buy these or anything – just some books to ask Santa for….

The bullet points below are in no particular order but overall they should provide some decent tent-poles on which to hang your knowledge of information security.

What is Information Security?

Basics first – confidentiality: the principle that information is not made available or disclosed to unauthorised individuals, entities or processes. It also includes integrity – the property of safeguarding the accuracy and completeness of information. And availability – that it is accessible & usable on demand by an authorised user.

Threats, Vulnerabilities, Risks & Impacts?

Not a new superhero show. A threat is simply something that could happen & cause some unwanted consequence. A vulnerability is a weakness that could be exploited to cause some unwanted consequence. I spend a lot of time thinking about & searching for vulnerabilities. Risk is the chance that a given threat will exploit a vulnerability – it’s a combo of threat & vulnerability.

Impact gets a section on its own – it’s all about impact baby. Where do you focus your time with limited resources – where the impact is most significant – think damage to data, people, legal requirements, business continuity…

ISO27001

ISO27001 specifies the requirement standards for an information security management system – it’s a framework of policies & procedures. Your organisation can be certified against the standard. Its approach is top-down, risk-based & technology neutral. It won’t tell you how to configure your firewall.

It outlines a range of different controls that need to be in place & documented including physical controls (locked doors/secure cabinets), procedural controls (checks on references) & product or technical controls (passwords/encryption).

So, also think codes of conduct, information security policies, developing a security culture, segregation of duties, user control mechanisms & any awareness training. The standard has a little sister called ISO27002 that contains best practice recommendations of information security controls & some further definitions.

ISO22301

Another certified standard but this time one that focuses on business continuity management. It specifies the requirements for a management system to protect against, reduce the chances of and ensure that business can recover from disruptive incidents.

Think ‘what happens if’ scenarios.

Ransomware has kept this standard busy in the last year or so.

PCI-DSS

The Payment Card Industry Data Security Standards are like the geeky brother to the above standards. In my opinion, they’re more widely known, very detailed and well-established in the card payments industry but not particularly outside.

Also PCI-DSS doesn’t have a girlfriend or anything…

It’s a series of principles around the storage, processing & transmission of card details. Think secure network requirements, secure access controls & Cylon-like encryption.

GDPR

If you haven’t heard of this mammoth chunk of data protection legislation then you must have been either living on the moon or at least under the sea.

The General Data Protection Regulation is now in force & is part of the data landscape in the UK alongside the new Data Protection Act 2018.

Complex? You bet but in simplistic terms it’s a series of principles designed to protect personal data & covers usage of data, breach notifications etc. The area I’ve had most experience with is ‘mailing preferences’ & opting in. If you have anything to do with prospect & customer data then the GDPR will have dominated your life this year.

Right – that’s what I’ve learnt so far….

Information Security World 2018

This week I was mostly visiting this conference at the Institute of Engineering and Technology in London.


Going to cyber-security conferences can be problematic for those interested in the field.

  1. How can you get past the end point security booths – I’m not responsible for it so I don’t really know what to say to them…
  2. How many suppliers tell you that they are now using machine-learning & AI to boost their cyber-security software….you can stack up 10 of these before you reach the first loo…
  3. What a mix you get at these conferences, some folks talk the jargon, some wear a smart suit…you just know who really knows their stuff…
  4. Blimey there are 20 new companies every time I go. If you are starting a company in cyber-security you have to call it some like Cy-thing or Seco-Bot. Names, it seems are important.

Well, Info Sec World was not like that. It’s a first-class event, with a full programme of lectures & talks plus a very limited selection of approved vendors – did I sound like an advert there? I didn’t mean to – it really is a good conference…a great one-day event to stock up on the latest trends. We had a futurist looking at the next 10-20 years, we had the VP from Symantec with some great insights, then I broke into one of the tracks to focus on the challenge of cyber-cost & complexity in the digital world….

I came back with a bag of goodies & pages of notes. Goodies below – they were of high quality & will give you enough reading for months….

[Image: the bag of goodies from the conference]

That’s why these events are worth going to. I chatted to a few folks around the conference – here’s what one well-known author on cyber-security told me off the record:

“Insider threats account for over 80% of breaches….”

I know it’s not revelation of the year but for me it was one hell of a reminder that you don’t just need to learn about firewalls.

In fact, several of the talks highlighted some fundamental truths I’d kinda lost sight of. Here are a few well-known pearls:

  • Patching is important – the boring stuff makes a difference
  • Segmentation is something you need to act on – validating who has access to what
  • Data management – talked about often, done not so much
  • Identity Management – hell yeah, login credentials, compromised administrators & crappy passwords

I hope this doesn’t all sound very flippant – I know it’s basic stuff but it was a great reminder. One of the speakers told us that in his experience over 90% of breaches were avoidable by making effective use of standard controls & processes. That’s the basics – no need for AI here.

Finally, the VP from Symantec talked to us about the Law of Unintended Consequences.

He didn’t use the following example but it’s a good one. Someone in hard facilities management thinks it’s a good idea to hook up the heating system to the Internet.

Smart stuff.

We’ll be able to control the heating via a mobile….you know where this is going.

I think the point he was trying to make was to think through the headlong rush towards Smart-pants & Smart-socks…

All in all, a really valuable conference. I know I haven’t done it justice here but well worth a look next year….

Cyber Security Career Progress Check

As the new university term approaches, I’m having a mini-crisis around my career plans in cyber security.

Firstly, the negatives.

Although my upcoming university courses are around web architecture & so highly relevant, neither of them has cyber security in the title & I look enviously at other more focused courses. I sometimes wish my studies could be more focused. I’ve mentioned this before on the blog but I think the Open University syllabus is looking dated.

I’ve switched my Java course to an IT projects & change course as it’s more relevant to my current job role & I don’t think I could have handled two technical courses in one academic year. I will still be picking up Java but at a future date. A kinda negative.

I don’t know how important this next one is but I don’t yet have ‘cyber security’ or anything related in my job title or remit. And, I’m struggling to see how this transition is going to work. An agent messaged me about another role recently but it was very similar to what I’m currently doing.

In my experience, without a long-term road-map, it’s easy to lose focus, faith & motivation in a direction of travel. Exactly how am I going to get into the ‘arena’ I want to be in…how is this miracle going to occur!

That’s the negative points. Here’s the positive side.

I enjoy where I currently work. And, my work is touching aspects of cyber security in so many areas. My most recent positive contribution was calling out the outdated hashing algorithm SHA-1 in a system I’m working on.

It was set up as a configuration but I knew it was compromised so have highlighted & proposed a change. I am trying to use my growing expertise to help in my current role.
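The kind of check described above, as an added example that is not the author’s code or the real system’s configuration: it audits an INI-style config for a `hash_algorithm` setting (the layout and key name are assumptions constructed for illustration), flags SHA-1 or MD5, and suggests a SHA-2 replacement, showing the weak configuration beside the corrected one.

```python
"""Audit a configuration for weak hash algorithm settings.

Added example, not the author's own code or the real system's config:
the INI layout and the `hash_algorithm` key are assumptions constructed
for illustration.
"""
import configparser
import hashlib

# Digests that should not be selected for signatures, certificates or
# integrity checks: MD5 and SHA-1 have practical collision attacks.
WEAK_DIGESTS = {"md5", "sha1", "sha"}

# Replacements in order of preference; all are guaranteed by hashlib.
PREFERRED_DIGESTS = ("sha256", "sha384", "sha512")

# Constructed sample: the "before" configuration, SHA-1 still selected.
WEAK_CONFIG = """
[signing]
hash_algorithm = SHA-1
key_size = 2048

[integrity]
hash_algorithm = md5
"""

# Constructed sample: the same settings after the proposed change.
FIXED_CONFIG = """
[signing]
hash_algorithm = SHA-256
key_size = 2048

[integrity]
hash_algorithm = sha256
"""


def normalise(name):
    """Map spellings such as 'SHA-1', 'sha1' or 'Sha-256' onto hashlib names."""
    return name.strip().lower().replace("-", "").replace("_", "")


def recommended_digest():
    """First preferred digest this Python build can actually compute."""
    for name in PREFERRED_DIGESTS:
        if name in hashlib.algorithms_available:
            return name
    raise RuntimeError("no preferred digest available")


def digest_bits(name):
    """Output size in bits, a quick way to see why 160-bit SHA-1 is outclassed."""
    return hashlib.new(normalise(name)).digest_size * 8


def audit_hash_settings(config_text):
    """Return (section, configured value, suggested replacement) for each
    weak `hash_algorithm` setting found; an empty list means nothing to fix."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        configured = parser.get(section, "hash_algorithm", fallback=None)
        if configured is not None and normalise(configured) in WEAK_DIGESTS:
            findings.append((section, configured, recommended_digest()))
    return findings


if __name__ == "__main__":
    for section, algo, fix in audit_hash_settings(WEAK_CONFIG):
        print(f"[{section}] uses {algo} ({digest_bits(algo)} bits); "
              f"change to {fix} ({digest_bits(fix)} bits)")
    print("fixed config findings:", audit_hash_settings(FIXED_CONFIG))
```

Running it reports both weak sections of the sample and an empty finding list for the corrected config. If the setting governs password storage rather than signatures or integrity checks, a plain SHA-2 digest is still the wrong tool; a purpose-built password hashing function should be used there instead.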

I’m planning to complete my BCS Foundation Certificate in Information Security Management Principles to provide a foundation for my further studies & blogging. I’m paying for this one myself so it’s a big investment but I’m hoping it will be a solid stepping stone. I’ve looked long & hard at the various qualifications out there – it’s a confusing market place but I trust the BCS & believe this is the right one to start with.

Finally, my role is involving more e-commerce work which is bringing me into a sphere where data theft & hacks are far more….what’s the word….prevalent? Well, you know what I mean, stealing data is one thing, stealing payment or credit card details, is the golden goose.

So, that’s where I am. Hopefully, I can add some more technical cyber security blog updates as I go along this year. I’ve read some excellent ones out there & I’ll start including some links as I get to know them.

Maybe the work world is also changing a bit. I kinda suspect that moving forward cyber security in various forms is going to be a component of every business role?

An Idiot’s Guide to Vulnerabilities

Right, just to be clear, I’m not implying that anyone is an idiot – it just seemed like a catchy title. I really mean folks without the honed technical skills to exploit some of the more hidden vulnerabilities in applications & websites…

Also, you have to realize that I’m not formally trained in any security yet. I’m kinda making it up as I go along & based on my experience.

Still – a useful survey for me as I embark on this learning journey. Read on but don’t get mad. (Also, I should emphasise that I am talking about looking for vulnerabilities to help fix stuff – not really exploit it – use your awesome powers for good, never for evil.)

What is a “vulnerability”?

Not reaching for any ITIL or security manual, for me it’s any way to exploit a system in some way, shape or form. Think making it do something it wasn’t designed for. Think tricking it into recording a transaction that was never made. Think exploiting some poor coding or a poorly configured credentials request.

So far, with my limited technical skills, I’ve helped to find some basic vulnerabilities in projects I’ve worked on including classic SQL injection attacks & API vulnerabilities. But vulnerabilities don’t always live in the technical shadows. Here are a few observations I’ve collected so far:
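The ‘classic SQL injection’ mentioned above, as an added example that is not from the original post: a lookup built by string concatenation beside the parameterised version that fixes it. The `users` table and its rows are constructed for the demonstration; the probe string is the textbook one, included only to show that the fixed version treats it as plain data.

```python
"""SQL injection: a vulnerable lookup beside its parameterised fix.

Added example, not from the original post. The `users` table and the
sample rows are constructed for the demonstration.
"""
import sqlite3


def make_db():
    """In-memory database holding a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The 'poor coding' case: user input is pasted into the SQL text,
    so a quote in the input changes the structure of the query."""
    query = ("SELECT username FROM users WHERE username = '"
             + username + "' ORDER BY username")
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """The fix: a placeholder. The driver passes the value separately from
    the SQL, so quotes in the input are just characters inside a string."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


# Textbook probe: the quote closes the literal and the OR widens the WHERE.
PROBE = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("normal input, vulnerable:", find_user_vulnerable(db, "alice"))
    print("normal input, safe:      ", find_user_safe(db, "alice"))
    print("probe input, vulnerable: ", find_user_vulnerable(db, PROBE))
    print("probe input, safe:       ", find_user_safe(db, PROBE))
```

For an ordinary username both functions return the same single row; for the probe the concatenated query returns every user while the parameterised one returns nothing, because no username literally equals the probe string. When reviewing code, the thing to grep for is SQL text assembled with `+`, `%` or f-strings from anything a user controls.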

Thinking Differently – one of the things I’ve realized is that good hackers have the ability to look at systems from a different perspective. They look at the whole process (see the next point) – particularly where people get involved or physical entry points crop up. You don’t need to be a coding genius to download some malicious software. You don’t need to be 007 to follow someone through a security barrier & insert your code into the nearest slot. Internal security people tend to look at things one way. Network people are the worst. Not every vulnerability can be stopped by the firewall. It’s pointless locking the windows & doors when the villain is already inside.

Mapping the Process – related to the above, I like to map the process, even if it’s at a basic level. Like the trans-Atlantic convoys during World War Two, any process is only as strong as its weakest link. It’s pointless spending zillions on endpoint security if your IT department has not correctly configured the single-sign on software. I find visually exploring the process a useful tool – I’ve included an example – not the best one granted but I’m just at the start of the process.

[Image: Ingenico credit card process flow]

There are no state secrets above. It’s a basic payment flow – pretty typical really. But when you start breaking it down, you notice real time & non-real time processes etc etc. You get the point. I actually did my own version of this, with more detail but I didn’t want to post that!

Follow the Money, Follow the People – something an experienced hacker told me was to start by following the money – the transactions – makes sense. But also, to follow the people. The people are often the most unpredictable element in any process. They forget stuff. They take short cuts. In my experience, the core financial processes are well-protected with encryption that would give Sheldon Cooper a run for his money (in real terms, they are basically unbreakable….until they get broken). But people, yeah we all love them. My pearl of wisdom here is that a key source of vulnerabilities here is that users tend to do the same thing every time. They like it like that. If they find a short cut or password ‘recipe’, they use it.

Fooling AI – oo-er….I’ve mentioned before that I’ve looked at brilliant companies like Darktrace & what they are doing with network traffic analysis etc. The math behind their machine-learning is smart. But, so far at least, it seems that every AI can at least be misled if not totally fooled. In my limited experience here, it’s in the parameters of the AI search – wherever the AI looks, you need to look just outside of it. As Forrest Gump used to say, that’s about all I have to say about that.

—-

Well, that was it. I warned you at the start. I plan to develop my knowledge in this area with my studies this year but hopefully that provides something of a primer.

I would like to leave you with a few pointers – if you like solving puzzles, if you are sort of person who likes a challenge & loves finding ways to ‘break’ things, then you should learn more about vulnerabilities & threats.

I think of technical training as a kind of multiplier. Get the basics & attitude right, add the technical skills & you become one dangerous monkey.

The Shadow IT Survival Guide

Recently I’ve been thinking through my next modules, changes at work & my career development. I’ve posted before about the challenges of getting into cyber security. It’s not an easy path for a career changer.

But what about living in shadow IT?

That’s kinda where I am at the moment. My role, like many, incorporates large swathes of technology from reviewing XML files to technology planning, from managing system upgrades to assessing user experience. And, although I work closely with an excellent IS&T team, I’m on the outside. I sit within the business.

I am a shadow IT person.


Here’s a definition of Shadow IT. There are loads out there on the web but you get the idea:

Shadow IT refers to information technology projects that are managed outside of, and without the knowledge of, the IT department.

The downside to being in Shadow IT is that you never quite feel you’re in the right place.

Development & training can be a struggle as few really understand why you’re trying to get on a particular course.

You don’t get that warm fuzzy feeling of being part of a professional job family.

You rarely have the right tools or access-level to really do what you want.

For the IT team or ‘regulars’, Shadow IT can be a nightmare. Deploying cloud-based systems no one has ever heard of. Creating vulnerabilities at the click of every button. Working round agreed processes because they’re too slow.

My experience has so far revealed a few different species of Shadow IT. Here are the two I know so far:

  • The Shadow IT Natives – a bit like me really. They do have some technical skills. Should they be in IT, who knows? Most of the time they are business people who have transitioned in. We tend to be a pretty pragmatic bunch but that doesn’t stop us causing trouble. We can be troublesome for IT folks – a little knowledge is very dangerous – isn’t that what they say.
  • The Digital Peeps – ever heard anyone say they work ‘in digital’? These tend to be marketing folks who go ecstatic when anyone mentions AI or block-chain. Or, they know a bit about a CMS & are now ready to implement major machine-learning projects. Heavy on buzzwords – this group sees block-chain as a solution for everything from managing Brexit to solving the world food crisis.

I’m sure there are more. And, I don’t mean to sound critical of them – after all, I’ve already said I’m part of the zoo as well.

So, is there an upside to it?

Well, technology is everywhere nowadays as my Mum likes to say. Maybe it’s time it came out of the closet. I’ve read a lot of the growing demands for ‘hybrid’ managers – comfortable in both technology & business. With the right mix of digital & people skills. I’ve not personally seen this demand yet but folks like Gartner say it’s there.

Having a foot in both camps can be fun and challenging. My previous line manager was a superb example. She spent years in business & finance before moving into large scale deployment projects & was very effective in her roles. She’s pragmatic, realistic & has the rare talent of being able to bring her years of experience to the table without over-ruling new folks with new ideas. She is also adept at knowing when to lean on the regular IT team.

I don’t know how she does it. If I learn the secret I’ll share it. In the meantime, I’m going to continue learning how to survive in Shadow IT & spot a few more of those different species…