Wednesday, October 07, 2009

House of Lords

Last Tuesday I was asked to attend a meeting at the House of Lords in Westminster. The host was Lord Erroll, an advocate of improving Governmental security. The purpose was to act as a 'thinktank' to gather opinion on the challenges of measuring and proving compliance.

I was privileged to speak in front of many of my colleagues who work in a cross section of the industry.

Some very interesting views came across. I was particularly interested in the challenge of making sure we are measuring the real items that prove compliance and contribute to a secure architecture, along with the difficulties experienced in accurately measuring the impact and likelihood of incidents.
For example, of what real use is the fully qualitative High/Medium/Low rating, how much effort should we put into using quantitative methods, and is that effort time well spent?

In some ways it was reassuring to hear similar issues cross industry, from another viewpoint it shows how much work we have to do in order to develop robust, accurate information risk metrics and frameworks.

I'm looking forward to future events of this calibre.

-- Posted from my iPhone

Tuesday, October 06, 2009

Security visit to Phoenix

Last week I travelled to hot and sunny Phoenix, AZ to check out a vendor's security.
I don't normally perform these visits now that I specialise in architecture. It's always good to get involved in security areas slightly outside of your immediate role (audit, risk, policy writing etc) as it builds your appreciation for the 'bigger picture'. I hate that phrase sometimes but you know what I mean.
I found this sign amusing, like in Robin of Sherwood, "no arrows, no bows, leave your weapons here"



I left my firearm in the hotel ;)

I also got some time to enjoy the rather awesome scenery.







Monday, October 05, 2009

How Secure is Windows?

Windows is very insecure by default. Windows allows people to access data without even identifying or authenticating a person.
Yes, having computer screens clearly visible to the public by positioning them near windows erodes the technical controls we design into our systems.

Of course Microsoft Windows is far more secure by default!

Tips for this office in the centre of London:

Place privacy film on the window of this busy street

Place screen filters on the PCs

Challenge people with cameras taking photos :)





Friday, April 17, 2009

Virtualisation Executive Summit

Last month I was asked to present at the Virtualisation Executive Summit in Birmingham.
I'd like to thank Tech:Touchstone events for this opportunity.

The presentation on Virtualisation Security is available from their website: http://www.virtualisationsummit.com/page.cfm/link=67

Thursday, August 30, 2007

Industry Insiders from Microsoft

Recently I have been asked if I wanted to join the Microsoft Industry Insiders community. Here is the security article I wrote.

There are some very interesting articles here, check them out and feel free to comment

Wednesday, April 04, 2007

User Account Protection.. Introduction


User Account Control (aka UAP/LUA): how does it work?

2 years ago I was partaking in an annual geekfest referred to as Microsoft IT Forum which was hosted in Barcelona.
As Vista's proposed features were being demo'd, a shocked gasp resounded through the auditorium. Yes, Flip 3D was here (hey, I did say it was a geekfest!)

I thought it was interesting that there was an hour-long seminar on how to run all your enterprise users as non-admins (standard users, to borrow Vista parlance) on Windows XP without breaking all the apps.

Shortly afterward a seminar showing how Vista accomplishes the same thing automatically was presented.

Love it or hate it, User Account Control is the offspring of the Limited User Account/User Account Protection concept.

We have all seen this coming, and much like the days when we all knew we should wear seatbelts, now that it is being enforced some are naturally finding it a little inconvenient at first.

In the next few articles I will explore a little about UAC and how it works.

What is token filtering and how does it work?
How is Vista similar to a military operating system?
What does this mean for you?
Why you shouldn't disable UAC or enable the built-in Admin account (it's disabled by default, as you probably noticed!)

...are just some of the topics I will be covering.

One last thing...If there was a crime of Mobile phone abuse, Steve Lamb would be guilty for the repeated merciless remote wipes of his device @ the TechEd roadshow. Well done for getting through the demo in a professional manner despite the PA conspiring against you!

Thursday, February 15, 2007

Is your laptop worth 1 million pounds?


Is your laptop worth £1 million?

Laptops are getting a lot cheaper to buy. Of course if you buy a nice Sony Vaio, you could pay up to £2,000. At the other end of the scale I have seen budget laptops from £299.00.

Portable computer security has long been a big concern to security solution advisors such as myself. The hardware is normally the cheapest thing to replace.

Many people back up their personal data on portable computers, but not everyone.

The loss of business-critical data could be disastrous with no adequate backups. Perhaps more of an issue would be the value of your customer relationships, their contact details and their credit details in the hands of your direct competitors.

People involved with risk know how to calculate predicted annual loss from certain unforeseen events. This is normally done by calculating the likelihood of an event occurring (Annual Rate of Occurrence) and then multiplying this by the Single Loss Event (SLE) dollar amount.

After this has been calculated, you can establish how much money you can afford to spend to prevent these events from occurring.

To take this a step further, once controls are in place, their effectiveness can be measured and Return on Investment calculated.
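The calculation described above, worked through in code as an added example (this is not from the original post). It models a laptop-theft scenario for an estate of portable computers, splitting the SLE into the hardware component and the data-exposure component as the post distinguishes them, computes ALE = SLE × ARO, and then evaluates two candidate controls by how much of the ALE they remove against what they cost per year. It also maps the pound figures into a High/Medium/Low band, which illustrates the question raised in the October 2009 House of Lords post: a purely qualitative rating cannot tell a £5 million exposure from a £2.5 million one. All estate sizes, costs, theft rates and band thresholds are constructed for illustration; the only figure taken from the post is the £1,000,000 fine, used here as a stand-in for the data-exposure cost of one event. The post's "Single Loss Event" is the quantity conventionally called Single Loss Expectancy.

```python
"""Quantitative laptop-loss risk: ALE, control ROI and the qualitative band.

Added example, not from the original post. All figures are constructed
for illustration; only the GBP 1,000,000 fine comes from the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss event type across an estate of portable computers."""
    name: str
    hardware_sle: float  # replacement cost of the hardware per event, GBP
    data_sle: float      # exposure cost of the data per event (fines, lost customers), GBP
    aro: float           # annual rate of occurrence: expected events per year

    def sle(self) -> float:
        """Single loss expectancy (the post's 'Single Loss Event'): cost of one event."""
        return self.hardware_sle + self.data_sle

    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A countermeasure modelled by what it does to the data exposure and the ARO."""
    name: str
    annual_cost: float
    data_factor: float = 1.0  # fraction of the data exposure that remains (0 = fully mitigated)
    aro_factor: float = 1.0   # fraction of the event rate that remains

    def apply(self, s: Scenario) -> Scenario:
        """The scenario as it looks once this control is in place."""
        return Scenario(f"{s.name} with {self.name}", s.hardware_sle,
                        s.data_sle * self.data_factor, s.aro * self.aro_factor)


def evaluate(s: Scenario, c: Control) -> dict:
    """ALE before/after the control, the net annual benefit and the ROI ratio.

    The ALE reduction is the most you could afford to spend on the control;
    net_benefit is that reduction minus what the control actually costs per year.
    """
    before, after = s.ale(), c.apply(s).ale()
    net = (before - after) - c.annual_cost
    return {"ale_before": before, "ale_after": after,
            "net_benefit": net, "roi": net / c.annual_cost}


def rank_controls(s: Scenario, controls: list) -> list:
    """Controls ordered by net annual benefit, best first."""
    return sorted(controls, key=lambda c: evaluate(s, c)["net_benefit"], reverse=True)


def qualitative_band(ale: float, high: float = 1_000_000, medium: float = 100_000) -> str:
    """Collapse a pound figure into High/Medium/Low (thresholds are constructed)."""
    if ale >= high:
        return "High"
    return "Medium" if ale >= medium else "Low"


# Constructed estate: 100 laptops, 5 expected thefts a year, GBP 1,500 hardware
# each, and a data-exposure cost per event set to the post's GBP 1,000,000 fine.
LAPTOP_THEFT = Scenario("laptop theft", hardware_sle=1_500, data_sle=1_000_000, aro=5)

CONTROLS = [
    Control("full-disk encryption", annual_cost=5_000, data_factor=0.0),  # data unreadable if stolen
    Control("cable locks", annual_cost=1_000, aro_factor=0.5),             # fewer thefts, same data loss
]

if __name__ == "__main__":
    base = LAPTOP_THEFT.ale()
    print(f"ALE without controls: GBP {base:,.0f} ({qualitative_band(base)})")
    for c in rank_controls(LAPTOP_THEFT, CONTROLS):
        r = evaluate(LAPTOP_THEFT, c)
        print(f"{c.name:22} ALE after GBP {r['ale_after']:>12,.0f}  "
              f"net benefit GBP {r['net_benefit']:>12,.0f}  ROI {r['roi']:.0f}x  "
              f"band {qualitative_band(r['ale_after'])}")
```

With these constructed inputs the cable locks show the higher ROI ratio because they are cheap, but encryption removes far more loss in absolute terms, which is why the ranking uses net benefit rather than the ratio; and the untreated scenario and the locks-only scenario both land in the same "High" band even though one carries twice the annual loss of the other.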

One of the key costs that Risk Analysts consider is the cost of financial sanctions or penalties.
Nationwide Anglia discovered this the hard way this week after being fined a record 1 million pounds. A member of Nationwide Anglia staff had a laptop stolen, but didn't report it promptly.
After the fact came to light, the FSA found NA to be negligent in its disclosure of exactly what the value of the data on this computer was.

Most interesting of all, Nationwide Anglia was criticised for not having a clear and understandable policy for the protection of critical, highly confidential data.

In summary, the value of a clear, understandable and enforceable security policy cannot be over-emphasised.
Data is our most valuable resource, and we should protect our customers from potential harm by placing appropriate controls on their information.
When considering the cost of security and technology, we must remember the 'hidden' costs. £1,000,000 seems a lot for a single laptop, but this just goes to prove how seriously the FSA and other regulatory bodies take negligence when it comes to the protection of customers' data.

Back to Vista tomorrow!