You cannot beat swimming with others

I don’t normally blog about swimming, but as one of the “others” mentioned, decided I would reblog!

A Master’s Swimming Blog

Due to logistical reasons I could not swim on Thursday, but I managed to book a swim tonight. It was great to swim with three others all doing the same set and working together. It made such a difference. Work was also different and so long today.

Today’s session was:

  • Warm Up 400 as 200 FC 100 BK 100 FC
  • 4 x 100 FC on 1:45
  • 8 x 50 FC on 60
  • 4 x 100 FC on 1:45 (I got cramp after 2 and a half of these and switched to pull for the rest of the session)
  • 8 x 50 FC on 60
  • 100 swim down
It appears my Apple Watch is not so good at tracking my heart rate during warm up!

I am feeling really positive after having a great swim and also swimming and meeting people from swimming. It was great to see the mighty Ben…

View original post 21 more words

Re-blog: Using Maths to Show that Automated Security Tools do not Provide Security

(Blog first appeared on nexor.com)

Automated security tools can be a very effective security tool, but there are pitfalls for the unwary. I will use a couple of well-known maths puzzles to illustrate why these pitfalls exist.

1 = 2

Most 16 year old maths students will be able to provide a convincing proof that 1 equals 2. The following variant courtesy of Wikipedia:

Before reading on, if you are home schooling due to Covid restrictions, see if your maths student can spot the “error” in the above. Each step, on its own, is mathematically correct.

You can only spot the “error” when you look at the bigger picture (or operational context): the transition from line 4 to 5 is a division by zero error, because by definition a = b, so a – b = 0.

1 + 2 + 3 + 4 … = -1/12

Things are not always that simple. It probably takes an undergraduate studying a mathematics course covering number theory to figure out what goes “wrong” here…

In other words, a proof that:

(See Wikipedia for an explanation). The issue comes between the two steps:

It is similar to the divide-by-zero “error”, but this time based on doing the scalar calculation on infinity. Four times infinity is still infinity, not something four times bigger.

As with the 1 = 2 case, to spot the problem, you need to look beyond the line by line maths and understand the bigger picture – the operational context.

Automated Tooling = Security?

To support gaining accreditation to cyber security standards like Cyber Essentials, many suppliers are bringing automated tools to market. In many cases they are really good tools.

These tools provide the equivalent of one, or multiple, lines of the above “proofs”.

As shown mathematically, this can lead to a false result – or a false sense of security. It is only when the results and operational context are analysed by a security professional can the true meaning of the tools results be understood and the company’s true security posture assessed.

So is this mathematic proof that “Automated Security Tools do not Provide Security?”

No, but it illustrates the point: to be secure you need to think about the whole system and how elements interact – a tool cannot do that for you.

ISO 27001 = Security?

ISO 27001 is an international standard that “provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS)”.

Some businesses choose to implement ISO 27001 as it is a market expectation in their chosen markets, while others choose to do so to improve the security posture of their business. The former may choose to use ISO 27001 as a checklist (Annex A) of things to show an auditor they have done everything – the challenge is this risks missing the bigger picture – the divide by zero assumption that means all the steps do not join up to a secure organisation.

So is this mathematic proof ISO 27001 that does not mean security?

No, but it illustrates the point: to be secure you need to think about the whole system and how it interacts; blindly following a line by line checklist will miss key evidence. There are plenty of ISO 27001 success stories, but these are obtained following a process of business improvement, not tick box compliance.

Avoiding errors with automated tools

My intention is not to discredit all automated security tools, but to encourage businesses to see them as part of a larger picture. The same big picture view also applies to an ISO 27001 checklist.

Automated tools and accreditations like ISO 27001 can be valuable additions to an organisation’s security setup, but they must be viewed in the context of the whole operational system. Seeing an automated tool as a complete solution in itself is likely to lead to the sort of errors that can make a maths student conclude that 1=2.

Re-blog: The King is Dead

Reblog. Original (Nexor.com)

For the last few years, the cyber security commentary has been if you focus on the basics, and do the basics well, you will prevent 90% plus of cyber security attacks. To many this has been interpreted as doing the “Cyber Essentials”.

Then the SolarWinds / Sunburst attack occurred. Doing Cyber Essentials will not have prevented this. This was one of the 10% attacks. So, is Cyber Essentials dead?

Continue reading A Day in the Life of a CISO

Re-blog: A Day in the Life of a CISO

Reblog. Original (Nexor.com)

A CISO – Chief Information Security Officer – at an SME is responsible for security operations, securing the business, its technology, and its initiatives, and leading the business’s information security strategy. A CISO must liaise with different areas of the business including IT, HR, and C-level executives to ensure that their objectives are achieved.

Image showing the tasks a ciso has to manage day to day

There is no such thing as a typical day in the life of a CISO, but some activities are more common than others. The following breakdown gives you an idea of what to expect from a CISO, though each day will look very different.

Continue reading A Day in the Life of a CISO

Phishing Irony

Cyber Security Marketing – Please read your own messages?

I just received a marketing email entitled “Your Complete Guide to Phishing”.

Interesting.

All I had to do to get the guide was…

  1. Click on a link (from the unknown source)
  2. Provide my name and email address

Oh the Irony.   “Learn how not to click links and provide details, by clicking this link and giving us your details.”

If we are to protect people from mass phishing attacks, our industries marketing needs to do better.

Photo: Shooting yourself in the foot
Image Source: https://www.pinterest.co.uk/pin/374854368982582019/

I won’t buy your product if it implements “military grade security”.

When looking at commercial or consumer products how often do you seen the phrase “military grade security”, very often as the only nod to the security of the product?

The phase tells me two things.

  1. You do not understand security;
  2. You do not understand military grade security.

So I won’t buy your product.

Why?

By saying “military grade security” you probably mean you have implemented an algorithm such as AES.   This is not knocking AES, it’s a great algorithm, designed to protect routine confidential information.   Yes, it may be used by the military to protect routine stuff, but it is not used for anything they consider particularly sensitive – in today’s climate they will, also certainly be using high-grade, quantum safe algorithms.

Algorithms such as AES are perfectly suitable for commercial grade products – but I don’t care.   Rarely do security attackers break the encryption.   They break the passwords or keys used by the encryption – it’s much easier to do!  Alternatively they find a weakness in the software to gain access to the unencrypted data.

So please don’t tell me you use military grade encryption.   Instead, please tell me how you protect the keys used, and the quality controls mechanisms you use to verify the software.

Re-blog: Zero-Trust – IT’s an Architectural State of Mind

Reblog. Original (Nexor.com)

What Is Zero Trust?

The term ‘Zero Trust’ was first coined by John Kindervag in 2010, building off a concept put forward by David Lacey at the Jericho Forum, an international group founded in 2004 that worked to promote deperimeterization.

Deperimeterization means to “protect an organisation’s systems and data on multiple levels, by using a mixture of encryption, secure computer protocols, secure computer systems and data-level authentication” (Wikipedia). Our Managing Security Consultant, Colin Robbins, has been discussing deperimeterization for over 5 years.

Over the past few years, the world has seen a period of digital transformation. The increasingly popular use of Cloud-based solutions and remote working are eroding traditional security boundaries. Network architecture is changing, as static work environments are being phased out in favour of letting employees work from any location at any time.

In this new world, the role of local networks and Intranet changes, it no longer poses a significant security boundary, as business data is now outside of that network on cloud services. Thus, the priorities of the local network have shifted to providing access, not security. The need for security has not been diminished and a replacement solution must be found – this is where Zero Trust fits in – it helps provide confidence that your users and devices are appropriately trusted to be able to access your (on premise and cloud-based) services.

Zero Trust Architecture – NCSC

Zero Trust is a term being (mis)used by some product vendors, to push their unique angle on it. To cut through this, the NCSC, along with techUK, are working toward a non-partisan view of the base principles.

As part of this, the NCSC has developed a series of principles that will help people understand and migrate to a zero trust architecture. These principles are still in development and they have recently reduced the 10 alpha principles down to 8 beta principles.

More…

Continue reading Zero-Trust – IT’s an Architectural State of Mind

New Identity – Old Problem

Like many, during lockdown I’ve been catching up on a number of Webinars.   It’s given me the opportunity to do some catch up in the Identity Management field.

During the EEMA annual conference, a distinguished speaker observed “We are in danger of re-inventing the wheel, without learning from the past”, which caused me to reflect on the identity lessons from my identity management past.  (Apologies to the speaker, I forgot exactly who made the comment).

My first reflection is:

  • Identity Management technology is easy
  • Scalable Identity Management technology is hard
  • Securely deploying Identity Management technology is hard

Which is where the conundrum lies – the “next generation” see the current solutions as hard to deploy, and think there must be an easier way, and sure enough come up with an idea for “easier technology” – get momentum, then stall because scaling and deploying it is hard!

My second reflection is there are three domains of identity:

  • Citizen identity
  • Consumer identity
  • Business identity

These are fundamentally different things, with different requirements and challenges.   Don’t let your “solution” confuse them – you will fail.  Yes, there are common technologies that will play a part, but the scalability and deployment challenges are fundamentally different.

My third reflection, I’ve probably been in the game too long to offer new solutions, it is time for the next generation – but please do study history, the challenges are not new.

Covid-19 Clearout: Business Cards

The continuing Covid-19 house clearout led to me finding a pile of business cards…

The first card, from 1990.
An X.400 email address, did anyone every think that would really catch on? Looks like we ran our own PRMD, unusual for a small business.
I wonder why our current meeting room is called the Enterprise?
Steve joined the company and we started to bring a bit more colour into the re-designed logo.
Interestingly (for me anyway) is the ‘A= ‘
(yes that is a single space character after the = sign, if you didn’t put the space it would not work.)
Whoops, time to change the name from X-Tel to Nexor (another company with a very similar name and logo noticed us, and the lawyers had a friendly chat!)… but we kept the same “look and feel”
Who were Mark400?
Growing up in the World – a change of address as we moved off the university campus.
As well as turning sideways, looked like we changed X.400 ADMD service providers.
No Web address?
By the time we moved to Rutherford house, looks like we had removed the graphics from the logo, and straightened the italics.
Looks like X.400 died, as did Nexor.co.uk, and we became a .com.
In a word, ‘the pink era’…
Gosh, the scanner really can’t cope with the grey header.
LinkedIn made an appearance
Initially available as black on white, but quickly changed.
Twitter makes an appearance.
If you have a black on white one it has rarity value – please send me an image!
Bringing it right up to date.
Seem’s someone didn’t like the icons.
Twitter has taken a backseat too.

How many of these do you have in your collection?