Standing in front of PowerPoint Part 3: Hello, I’m Chris Ratcliff, and this is my talk

In the final blog post of Chris Ratcliff’s series about speaking at a security conference, it’s SteelCon 2016 and the day of the presentation itself. Read on for a presenters-eye-view of standing up and giving a talk – and why, if you haven’t already, you should give it a go.

 

So far in these blog posts I’ve gone from never having set foot in a security con, to doing my first talk to preparing my latest one. This post is the talk itself…

The day. Oh, what a day. Steelcon is a fantastic event, with great talks and a great atmosphere. Since it started I’ve been taking photos for the event. That means bouncing from hall to hall, taking photos, chatting with folk, Tweeting photos and generally keeping an eye on everything going on. The downside of this is that I never really get a chance to sit down and watch a full talk live, but on the upside I don’t have time to worry about my presentation. About half an hour before my slot I go into presentation mode. Boot the laptop, check my clicker is working, make sure the presentation is there and quickly run through the slides. I start pacing and I’ve got about 10 mins before I need to go up. I’m making idle chit chat with people, but mostly I’m thinking about the talk.

 

The talk. The easy bit. Once I’d resolved an AV issue getting my laptop hooked up to both the room and recording equipment, I could begin. This really is the easy bit, because the slides can’t be changed now, you’ve rehearsed (hopefully) the talking bit, it’s now just a case of doing it. The one piece of advice I was given very early on was “know your opening”. If you know the first thing you’re going to say when you open your mouth, then the rest will flow from there. And I fluffed the first thing I had to say.

The important thing is not to dwell on your mistakes. They’ve happened, and they can’t be changed. Just keep moving on. I knew the next bit, and off I went.

I made a few mistakes as I went through, especially getting myself horribly confused on the Fight Club reference about the cost of a safety recall vs the cost of the fines or compensation. I also knew going in I was struggling with the name of the airbag manufacturer. Takata, simply pronounced ta-cat-a. I can do it now, takatatakatatakatatakatatakatatakatatakatatakatatakatatakata, but I knew I’d struggled with it going into the talk and sure enough I saw it looming and tripped again.

I had to remember that at a friendly event, filled with likeminded people, the room is one of the most supportive you’ll ever get as a presenter. Everyone there wants to enjoy the talk, and wants you to do well. There’s also no harm in being vulnerable, being open, being honest. When I forgot one of the important researcher’s names I was citing and someone called it out, I had to say something so I was honest about why I kept forgetting. It’s humanising.

 

Chris mid-presentation
Chris mid-presentation

The review. The important bit. I was lucky this year that Steelcon had video recording running, and running reliably, across all the talks so I could watch my talk back. It’s weird, it’s a bit uncomfortable, but it’s crucial in being able to identify what went well, and what you can improve. I discovered errors I’d made and not even noticed – such as mixing up a clutch and throttle pedal – while others were not having planned out a slide properly and instead of making the point I wanted, I’d ended up making a different one.

I was pleased with the response I received both at the event straight after the talk, and subsequently on social media. If you can, however, solicit feedback and critique. While it’s nice to get praise, constructive feedback will give you a different perspective on how things went and areas to work on next time.

Thinking back to my crisis of confidence I remembered the thing I worried about most; the lack of technical depth. The truth is that I’d laid my stall out well in my CFP so it was clear that my talk was going to be high level. On top of that I only really had 45 minutes or so, and a lot of ground to cover – 60 slides in fact! Those who knew the subject took away something new, but what I came to realise was that many people came in with little or no knowledge of the subject. What’s obvious or basic to me is only that because I’ve been dabbling in car systems for three or four years. The field of computer security is so huge that no one knows everything about everything, and what’s basic for one person is enlightening for another.

If you have a desire to talk at a security con (or anywhere!) then I hope this has been useful, or at the very least shown what it’s like from behind the microphone. It can be daunting to stand up and ask people to listen to you, but it’s a thrilling challenge, and one I would recommend anyone tries at least once.

By Chris Ratcliff

Read More

Standing in front of PowerPoint Part 2: an idea, some inspiration, and a crisis

In the second of a great three-parter, Chris Ratcliff talks us through what it’s like to go from attending security conferences to speaking at them. This post is specifically about honing the idea for a CFP through to preparing the presentation in its entirety. If you’ve ever thought about speaking at a conference, these posts are full of helpful, reassuring and practical advice. If you’re already experienced in conference speaking, there will be so much you can relate to (hi, google image search!) and probably something you can learn from, too.

 

In the last post I talked about my introduction into the world of security cons and why people talk at them. With a desire to present at Steelcon 2016 here’s how I went through the process step by step.

 The subject. A tricky one. I still don’t have a technical field of research with breakthroughs I can talk about. Can I do people-y stuff again? Do I have anything to say? I keep work stuff separate from what I present about otherwise it opens a whole new can of worms.

I do have an interest in cars, and I’ve done a bit of tinkering with them. I start thinking, I start talking in my head. I start doing a presentation just to see where it leads, and I think I can bring some insight. I’m really interested and excited about the subject. This is key, as if you’re not passionate then that will come across. Most of all, I think I can add value to the event and to the community. Great, I have an idea, and I have a sense of purpose.

The CFP. This is the tricky bit. Most cons have a Call For Presentations where you submit your idea and an abstract that will become essentially your advert in the event schedule. You want to give a flavour of your talk without going through the content, to be detailed enough as to why you should present, and to attract attendees to come and see you! I’ve seen some really underplay their value, while others really go OTT to stand out.

My success ratio isn’t brilliant, so I wrote what I thought was best, and bounced it off a few people with more experience than I who helped shape it to a couple of simple sentences. I submitted it, and it was accepted!

I had an idea, and I had a slot. So now I just have to write and prepare and give my talk. Easy, right?

When it comes to presenting, I’m constantly aware of other people who do it really, really well. Great presenters tell great stories, and I’m a huge stand-up comedy fan. Dave Gorman’s Googlewhack Adventure is a fantastic story, but it’s also a good example of working with Powerpoint. Steve Jobs’ Apple keynotes are case studies in what to not include in presentations, and how to build a narrative and take the audience with you. TED talks can be great too, watching people like Mark Ronson ooze his personal calmness or Adam Savage be passionate is inspiring and informative. It’s not just about what they say, it’s how they say it.

These people are professionals at this though, how does this apply to me?

Every time you can watch anyone get up and talk, you can learn about presenting. If you attend an event with many speakers, watch each and look for things you could do too, what the speaker did well, and also where they could have improved and apply all of those to yourself. It may feel like imitation at times, but it’s a great way to identify a good trait and try it out.

I had an idea, a concept. I wrote down four major bullet points for my talk:

  • Attacks
  • Issues
  • *Things*
  • Future

I’d start slotting things into those headings, and discarding ideas that didn’t fit. I carried on presenting my talk to myself while out walking or doing the shopping or cleaning the kitchen. Letting my mind go down new paths and make new connections. I’d jot down ideas or update notes on my phone so I didn’t forget them – though ‘photo of footwell’ in isolation isn’t always very helpful. I started outlining what slides would be needed. With a couple of weeks to go before the event, I obviously had a full slide deck ready for polishing.

Or not.

The more I outlined the slides, the more research ideas turned up, which meant more Googling, which opened up yet more avenues for discovery. I had my slide ideas though, I had my bullet points, I had to move on.

The notes that make up a presentation
The notes that make up a presentation

The Slides. Or how I learned to stop worrying and love Powerpoint. It’s really easy to get distracted, and I did, with relatively trivial things. With the presentations being recorded, should by slides be 4:3 or 16:9? I tweeted the organisers and the head AV guy, I looked up how to set them differently in Powerpoint. That probably lost me a couple of hours overall. It’s the little things, the animations, the choice of fonts and colours that can take hours to choose but add little if the content isn’t there. I was in a time crunch so ploughed on, which was actually a blessing in disguise. The worst habit people have with Powerpoint is too many words. Putting up sentence after sentence which distracts the viewer, and can lead to you reading the words off the screen too. A bad habit, but very easy to do.

I didn’t have time to write words, and words which I’d have to stick to rigidly. Instead I hit Google Image search. I’m looking for images to illustrate my point – or be a punchline – and then it’s onto the next.

My way is not to write out talks long hand, but essentially make sure I know the bullet points I want to hit in a slide, and what gets me to the next slide. In some cases, too, knowing when to trigger an element within a slide.

On that note, if you’ve never used Powerpoint with a multiscreen set up then you’re missing out on Powerpoint’s great presenter view. On your screen you can see the next element to be displayed, your notes, the elapsed time and the current time. To have those available to you is a god send. You don’t have to remember every slide, or turn to face the screen the audience are watching. One tip: make notes very short and in a decent sized font!

The crisis. It will come, one day. About 10 days before Steelcon it hit. Should I really be doing a talk? Is it technical enough? Should I have more actual examples and less of my conjecture? I know I can stand up and talk, but what if people say it was too self-indulgent or, even worse, boring? The crisis is like stage fright for your Powerpoint deck. I reviewed the slides, I made sure things still fitted and were relevant. I even looked back at the stuff I’d cut out. Actually, would it be better in, or was I right to cut it? This is the moment that panic can set in and rash decisions made, but best to be methodical and stick to the course.

The Crisis Hits
The Crisis Hits

For me the worry was that the more I researched the topic of car hacking, the more I found whole reams of working groups, forums, projects and documentation outlining how things work and the standards they use. If anyone had an interest in car hacking, and they did more than 5 minutes Googling then they’d find most things I would talk about and more. Heck, I cited two PDFs in my talk that I find fascinating. They go into the greatest depth about car hacking and anyone who’d read them would realise I was barely scratching the surface. There was some original thinking though, but it was around the industry and not massively technical. I hoped I wouldn’t lose my audience.

Rehearsal, or do what I say, not as I do. You should absolutely rehearse your talk. The process of doing it and refining and iterating will help you give a more polished talk and iron out any bugs or errors. And I didn’t. Well, that’s not strictly true, but I never performed it. I went through it again and again, I drummed in the words and the ideas. I stepped through the powerpoint deck, going through the bullet points, the asides, the links and making sure it worked.

So far so good. In the final blog of this series it’s the big day of the talk itself, and then reflecting on how it went.

By Chris Ratcliff

Read More

18-24 year olds least likely age group to trust biometrics over passwords

Biometrics hit the headlines again recently with news that Barclays is rolling out voice recognition technology to its telephone banking customers as a replacement for passwords. In recent years, there has been an increased focus on biometrics, for example with many people getting used to fingerprint technology to access iPhones. It’s an interesting subject from a cybersecurity point of view, as any new technology brings with it the opportunity / threat of compromise, demonstrated, for example, by this story about exploring 3D printing to bypass fingerprint access to an iPhone.

With the news of Barclays voice recognition, I was approached by a few media outlets to comment on whether we are about to see the end of the password, and the cybersecurity implications of biometric systems, including this interview on Radio 4’s Today programme.

When I’m able to, I’m always happy to give my opinion to the media on issues which relate to cybersecurity, but with something like this it’s the opinions of the general public which interest me the most. After all, it’s the attitudes and behaviours of the ‘average user’ that we’re often trying to engage with and influence, so how do they feel about biometrics?

The survey

A few days ago, I asked members of the general public in the UK the following question:

Would you use a biometric system (voice activation, fingerprinting etc.) instead of a password to access your internet accounts (e.g email and online banking)?

1,003 people completed the survey, 51.6% were male and 48.4% female. The overall findings were:

Overall Findings
Overall Findings

The most popular response was that people would consider using a biometric system, at 35.5% of the sample, closely followed by those who would not use it because they don’t trust it, at 28.7%. Behind that were those who wouldn’t use it because they don’t understand it, at 22.3%, and finally the group of people who already use it, 12.9% of the sample. There was a tiny percentage of people, 0.6%, who selected ‘other’ and their responses included ‘don’t know’, ‘too tech’, ‘maybe’, ‘not sure’ and ‘boring’*. I could dismiss the respondent who inputted ‘boring’ but this response has value in itself. The response rate for this survey was only 15.4% and this could be related to the perception that cybersecurity is boring and onerous – a challenge the industry faces when trying to encourage engagement from the ‘average user’.

Returning to the top level findings, the proportion of people that either currently use a biometric system in place of a password, or would consider doing so, is 48.4% and those who would not use it either because they don’t trust it or don’t understand it is 51%. So there are marginally more people in this sample who reject, rather than feel quite comfortable with, biometrics. However, it’s such a small margin that it’s hard to put stock in it, and so it seems pretty much 50/50 whether people in the UK are willing to embrace biometrics or not.

When we unpick the data further, the findings offer more insight.

Regional differences

People in the East of England were most likely to consider replacing their passwords with biometric systems, at 52.9%, and Londoners were least likely, at 29.3%.

The East of England was the area which displayed the most trust in biometrics (only 16.7% rejected the idea of biometrics due to distrust). The least trusting place was the North East, with 34.8% of people from that area saying they would not use biometrics due to distrust.

Gender Variations

Comparing how women and men feel about biometrics shows that men have more faith and trust in replacing their passwords with biometrics. The gap between women who would consider replacing their password with biometrics (33.2%) and those who would not trust it (30.5%) was much smaller than the gap between men who would consider it (39.7%) and those who do not trust it (27.3%).

Attitudes to Biometrics by Gender
Attitudes to Biometrics by Gender

When we breakdown the findings by gender and geography, we discover that the least trusting population is women from Wales, 43.5% of whom would not use biometrics due to distrust. This contrasts quite sharply with the most trusting population, men from the East of England, where only 10.3% reject biometrics due to trust issues.

Percentage of Respondents who Reject Biometrics due to Distrust
Percentage of Respondents who Reject Biometrics due to Distrust

Attitudes by Age

Attitudes to biometrics also varied according to age group, and probably not in the way many people would expect. It is often said that ‘millennials’ have a laissez-faire attitude to privacy and security. However, my findings here contradict the notion that 18-24 year olds are oblivious to issues of technology and security.

biometrrics_wouldconsider
Attitudes to Biometrics by Age

18-24 year olds were the age group least likely to consider replacing their passwords with biometrics, with only 25.4% of that age group saying that they would consider doing so. They were also the age group least likely to trust biometrics, with 38.1% saying they would not use biometrics in place of passwords because of distrust.

Distrust of Biometrics by Age
Distrust of Biometrics by Age

It’s interesting to speculate why attitudes to biometrics vary according to age. Perhaps the younger age group feel more comfortable with passwords, having grown up with the internet? Are the older age groups more willing to trust biometrics because they, perhaps, have more work accounts and are fed up with trying to manage so many passwords? Could it be that younger people are more privacy conscious, and more aware of the pitfalls of technology, and so more considerate of the risks of giving away their biometric data?

Sharing this article on Twitter elicited the following suggestion regarding why young people in the UK may be the age group most likely to distrust biometrics:

At least 3,500 schools in the UK use biometric security systems and as this article highlights “a data breach will mean these type of scans will be untrustworthy for the pupils – for the rest of their lives”. Perhaps the very experience of being expected to entrust their schools with their biometric data has instilled in many young people an awareness of the potential pitfalls of such systems?

Without more research, it is impossible to know exactly why people feel differently about passwords depending on where they live, their gender and their age. However, if organisations want consumers to use biometrics more, they will need to address the sections of the population which are most sceptical about how biometrics work and whether the systems can be trusted. In particular, 18-24 year olds are an important cohort they will have to engage with if they are to have any success. The password isn’t going to die anytime soon if the younger generation has little trust in the alternatives.

By Dr Jessica Barker

*The two other responses from the ‘other’ field were ‘I have no biometric qualities’ and the most inane / depressing response, ‘rape’.

Read More

Standing in front of PowerPoint Part 1: Discovering Security Cons

They say you always remember your first time. For me it was 1995 at the British Educational Training and Technology show at Olympia. The college I attended had a sponsorship deal with a company who were exhibiting and they wanted someone to talk about the use of IT in day to day education. While my contemporaries stared at their shoes I thrust my hand up and a few weeks later was being handed a full on Madonna wireless headset and presenting to an audience of bemused show visitors and stand staff who enthusiastically watched a 15 year old geek talk about using IT while a friend of mine used various trigger words to know when to change slide or quickly alt-tab to another application to make a point.

21 years later, that’s the only time I’ve ever had a voice activated slide deck.

Since then I MC’d mountain bike events for Future Publishing and Red Bull, appeared on the Extreme Channel and even had a few goes doing car videos on Youtube. I’m not an extrovert but public speaking isn’t something I shy away from, it’s fair to say.

Chris on the mic for a mountain bike show
Chris on the mic for a mountain bike show

Then my first con. BSides London 2014. It was overwhelming and exhilarating. I’d never even watched a hacking talk online, but now I was surrounded by people sharing the results of their research, sharing their secrets, doing things I understood but could never actually do. On the train ride home, I started preparing my ideas for a talk of my own.

There are often discussed points as to why you should do a talk at a con; it may be for personal development, commercial reasons, to try and raise your professional profile to help your career, or simply because you have a cool thing you want to share with people. There’s no requirement to, though. I think it’s a great thing to give back to the security community, but there are many, many ways to do that. For me, I think a lot of presenters don’t do it because they think they should, but rather because they are driven to.

It’s also worth remembering that organisers choose talks, and that’s your first round of validation. If your talk is not selected then they think it wouldn’t be a good fit. It stings to be rejected, but if you are accepted then it’s a sign that other people believe in your idea.

My ideas weren’t technical, they didn’t unveil a new attack or highlight vulnerabilities in a thing, they talked about people. They were both offensive and defensive, they brought some experience I’d gained through work and hoped to fill in some of the gaps I saw at different BSides events. And no-one would accept them. Eventually I got a slot at the second Steelcon event in 2015 and I found the talk on the other track was about the myths of plane hacking. In hindsight this was A Good Thing, as it meant my first security talk was for a modest audience, and it was definitely a learning experience.

To build on that first experience I decided to do a presentation for Steelcon 2016. In my next guest post I’ll take you through the process; the highs, the lows and how Google image search is your friend.

By Chris Ratcliff

Read More

Inside out: managing the insider threat

News of a data breach at the UK software company Sage is a reminder of the potential damage which can be done by an insider. Sage is a FTSE 100 company and provides business management software for companies in 23 countries. It has reported the breach to the City of London police and has informed customers who they believe may have been affected that the personal informaton of employees at 280 firms may have been compromised by someone using an internal computer login.

The insider threat can take the form of malicious and non-malicious activity. From an attacker (or attackers) with inside access who are consciously stealing or using internal information for their own gain and / or to harm the organisation, to an individual accidentally emailing information to the wrong recipient or leaving documents on a train. Research suggests that the malicious insider is the most costly threat facing organisations.

What can your company do the mitigate the insider threat?

  1. Access to information should be based on the principle of ‘need to know‘. Ensure that this is in place with an access rights review and set up procedures to make sure that IT is informed, and amends access accordingly, when employees move jobs or leave the organisation. Data should be segregated, with network segregation at least according to department.
  2. Train employees in cybersecurity, instilling them with an understanding of the threats and of the impact that their behaviours can have on keeping information safe.
  3. Situational awareness is important on an organisational, as well as individual, level. Participate in threat sharing communities if at all possible. Communicate with peers to develop and maintain awareness of the threats which they are managing and consider what this means for you. Remain aware of current cybersecurity threats hitting the headlines.
  4. Look at your password policy, and practices of employees. Do people leave passwords on post-it notes on their desks, or share them with colleagues? If so, this increases the potential for unauthorised insider access and could be an indication that you should simplify your approach to passwords.
  5. Consider your other cybersecurity policies. Have you clearly and concisely communicated how you expect employees (and anyone else with access) to handle information? How are the policies communicated and enforced? It’s really important to understand where people find workarounds in the policies and procedures – what they routinely don’t comply with as a means of getting their job done. These workarounds shows where policies and procedures are hindering the business and inducing risk. Work with the business to address these in a proportionate way – how can you find a balance that enables people to get their job done whilst maintaining security of information?
  6. Review how employees and contractors access your network. Remote working and Bring Your Own Device (BYOD) open up new risks and so you may need to consider how you can support flexible working whilst minimising those risks.
  7. Encrypt data at rest and in transit. Don’t make it easy for unauthorised people to access and view data.
  8. Look at your personnel and physical security. How easy would it be for an attacker to take advantage of an internal weakness, such as tailgating, poor CCTV or a lax approach to wearing name badges? A social engineering test is a good way of attaining an ‘attacker’s eye view’ of your organisation.
  9. Keep logs. Many organisations don’t make this a priority, and whilst logs of course will not protect you from the insider threat, they will provide an audit trail to help you unpick what has happened and provide supportng evidence in a criminal trail, should it come to that.
  10. Have an incident response plan, which outlines roles, responsibilities and avenues of communication – and test it. Again, an incident response plan will not protect you from the insider threat, but it will enable you to respond as quickly and effectively as possible. However, it will only do this if you test it to ensure that when you really need it, the theory works in practice.

Some of these tips are aimed at minimising the insider threat, whilst others are about managing an incident should one occur. Ponemon’s latest data breach report highlighted that having an incident response team, extensive use of encryption, employee training, participation in threat sharing or business continuity management decreased the per capita cost of a data breach.

Finally, remember that the definition of an insider threat is not limited to employees, but rather relates to anyone (employees, contractors, third-part suppliers) who accesses your information or networks.

By Dr Jessica Barker

Read More

Cyber by any other name would smell as insecure: the language of security at Bsides London 2016

Photo by Sir Jester

At Bsides London 2016, I gave a presentation on a topic I’ve been thinking about for a long time: why we should embrace the term ‘cyber’.

There’s a tendency for the industry to roll its collective eyes at the term cyber. There’s an unwritten rule that it’s not credible, that it’s a buzzword which means nothing and is used by people who don’t really belong in the field. Actually, it’s not an unwritten rule at all: you see references to it in memes and tweets all the time. Obviously as someone who describes herself as a ‘cyber security consultant’ and publishes on this domain name, I don’t prescribe to that view. I wanted to speak at bsides about why, and why I would like more people in the industry to consider embracing cyber, too.

We have many terms for what we do. Information security, cyber security, information assurance, data security, IT security; the list goes on. While they all technically have their own definitions, as consulting NIST will confirm, we often use them interchangeably. In different contexts and speaking to different people, the terms get muddied and even contradict themselves. Only one of the terms is in the dictionary:

cyber security definition

Words go in the dictionary when they’re used a lot. Only one of the different terms that we use to describe what we do has gained enough traction outside of our industry to go in the dictionary.

The history of cyber

Cyber is perceived to be a pretty new word, and is often accused of being a word which means nothing. In fact, it actually has quite a long heritage:

  • In Ancient Greece, the term kubernao was used to mean “steer a ship”
  • The Latin kubernetes gives us “cybernetes“
  • The Romans turned kubernao into guberno, from which we get “govern”
  • Plato used “kubernetika” to mean skill in steering
  • In the 1940s the American mathematician Norbert Wiener used “cybernetics” to mean “control and communication theory, whether in the machine or in the animal”
  • In the 1980s, William Gibson coined the phrase ‘cyberspace’ in his short story Burning Chrome; it became popular after he used it again in Neuromancer

The association of these terms with cyber and cyber security is obvious to me: cyber security is about governing information, it is about where humans and machines meet.

Survey findings

For the presentation I didn’t want to simply rely on my own assumptions and biases, so I did a couple of surveys to explore the terms which resonate most with people.

To elicit the opinions of my peers, I did a twitter poll. I was relying on the fact that most of my followers work in the industry, and most of their followers – if they retweeted it – probably do, too (according to my twitter analytics, 89% of my followers are interested in tech news, 76% in technology and 67% in network security).

The poll got a good response: over 8,000 impressions, 403 votes and a fair bit of discussion. Thanks to everyone who voted in it, commented on it and shared it. The wording of the question is of course open to criticism (it could have been more precise / it could have been more general) and I’m relying on the assumption that most of the people who responded to the poll are involved in, or identify with, the industry. I’m happy with those caveats and feel pretty confident that the poll is a good reflection of the industry, in which most people identify with the term ‘information security’ (over twice as many as ‘cyber security’).

As much as I was interested in the poll results, I was also keen to hear people’s opinions. Some which stood out to me, and summed up what others had to say, were:

 

I also did a survey with the UK general public. I asked the same question and got over 700 responses:

cyber smells sweet survey

 

So, based on 737 responses, cybersecurity* was the top response. Information security, in contrast to the twitter poll, was the least favourite response. Most tellingly, it was less popular than e-security, which I put in on a bit of a whim (it was omitted from the twitter poll because you can only give four answer options on twitter). I have never heard anyone use the term e-security, so to discover that it was ever-so-slightly more popular with the general public than information security was pretty surprising.

Why does it matter?

If research tells us that the industry and the general public use different terms to refer to the protection of information, does that matter?

I think so.

Language has existed for perhaps 150,000 years, at least 80,000 years – it is mainly used as speech, evolving as we talk. Language changes a lot, from Ye Olde English to textspeak. There are many words we use now which used to mean something completely different. So, for people who resist the use of ‘cyber’ because it meant something altogether different 20 years ago, I would say: that’s the nature of language, it changes. When we say something it is always ambiguous and when people speak, they do so with the intention of being understood by the listener, or perhaps to intimidate and impress. Language relies on mutual understanding and cooperative communicators consider the listener’s assumptions, knowledge and prior experience.

In our industry, we are trying to engage with, and change the behaviours of, individuals, organisations and society. At the micro, meso and macro levels, we want people to listen to us more. We want individuals to better protect themselves, for example with password managers, two factor authentication and taking care of what they post online. We want organisations to be more responsible with the data they are entrusted with, we want them to build security into their products and give us the resources we need to do our jobs. We want the media to understand what we do so that the most important messages are represented, which helps us communicate more effectively with individuals and organisations. We want the law to reflect the realities of our jobs and the challenges we face, and the justice system to punish people intelligently and appropriately (i.e. criminals not researchers). If we truly want those things, then we can’t afford to reinforce silos of communication where everyone speaks a different language and fails to understand one another.

In psychology, heuristics are simple rules of thumb that explain how people make decisions and why they act in a certain way. The fluency heuristic explains that the more clearly, skilfully and elegantly an idea is communicated, the more people will engage with it. The media have embraced cyber. The board has embraced cyber. The public have embraced cyber. Far from being meaningless, it resonates far more effectively than ‘information’ or ‘data’. So, for me, the use of cyber comes down to one question: what is our goal? If our goal is to engage with and educate as broad a range of people as possible, using ‘cyber’ will help us do that. A bridge has been built, and I suggest we use it.

William Gibson has spoken about the process he went through in coining the term cyberspace:

“Data space didn’t work and infospace didn’t work but cyberspace! It sounded like it meant something or it might mean something… My whole delight was that I knew it meant absolutely nothing so I would then be able to specify the rules for the arena”

Cyber is here to stay. We have a choice as an industry whether to keep trying to resist and undermine it, or whether to embrace it, engage with it and start shaping the rules of the arena ourselves. Otherwise, we can continue allowing businesses, governments and the media define it for themselves.

By Dr Jessica Barker

*Notes: I haven’t tackled the fact that sometimes we use ‘cyber security’ as two words and sometimes (and in the dictionary) ‘cybersecurity’ as one word. As a habit, I have always used the term as two words and in the public survey it was a typo / auto-correct error that I compounded them. An interesting thought made by someone at the end of my presentation: ‘information’ and ‘security’ have many meanings and can be applied to many contexts. ‘Cybersecurity’ has one meaning. This seems like a very valid point to me and combined with the fact it’s the term used in the dictionary, is making me think I should compound the words in future.

Read More

How to Hack a Human: my infosec 16 keynote

Photo by Soraya Iggy

At Infosecurity 2016, I gave a keynote talk on the elements of human nature and social norms which make us so susceptible to social engineering attacks. Infosecurity invited me to give the keynote drawing on my background in sociology and experience helping organisations mitigate against social engineering.

What is social engineering?

Social engineering is about using psychological tools such as charm, manipulation and deceit to elicit information or access to places and systems from people who should be keeping it safe. We associate social engineering with cyber security, because the way we use technology – the way we share, store and use information on the internet – has increased the attack space. This is why phishing attacks are at a 12 year high.

However, social engineering has undoubtedly been around for as long as mankind. History is littered with examples of it, some of which have been pivotal in social, economic and global development. For example, when the American industrialist Francis Cabot Lowell visited England in the early 1800s, he feigned ill health to win the sympathy of Lancashire mill owners and, using this sympathy combined with flattery, he was given tours of the cotton mills. In doing so he took the opportunity to memorise the mill blueprints. He used this information to build the mill towns of Massachusetts, enabling the United States to become the global leader in the cotton industry.

Why is social engineering so successful?

Whether online or not, we fall for social engineering attacks because they take advantage of human nature, fundamental parts of how we all tend to think and act, and social norms, the cultural and social pressures to do what is generally expected of us. For example, some argue that reciprocity is part of human nature. Our ancestors survived by sharing goods and services before we had currency and governments and so, it is argued, reciprocity is ingrained in our survival instincts. Even when a favour is uninvited, people feel obliged to repay someone who gives them something. This explains why 47.9% of people gave away their password when they were given chocolate immediately before being asked for it.

Much like reciprocity, humanity is innately curious, which brings many benefits. It underpins education, innovation and social interaction. But, when it comes to cyber security, curiosity can be a huge obstacle. Phishing emails thrive on the irresistibility of curiosity, enticing the reader to open the email and click a link or download an attachment. Curiosity may have killed the cat, but it makes a phish live.

People have a tendency to believe stories, whilst being sceptical of facts. Even the most senior and successful people can be taken advantage of by a well-crafted story and their success makes them more likely to both be targeted with social engineering attacks and, arguably, more likely to fall for them, too. This was the case in the recent example of the Austrian aerospace CEO who fell for a spear-phishing attack that cost the organisation £40 million, and cost him his job.

Use of social media has risen phenomenally in the last decade or so, with 20% of the world’s population now on facebook. At the same time, narcissistic personality traits have risen sharply. While a correlation has not been proven, research does suggest narcissism is related to the way young people use social media. Research suggests that the desire to have as many friends as possible, and to want those friends to know what they are doing, is higher among young people with narcissistic traits. This provides perfect breeding ground for social engineering attacks.

We have a tendency to assume that people are rational, and always make rational decisions. But when you’re running between meetings, hurriedly checking emails across devices and you receive a phishing email that plays to base emotions like those outlined above, taking time to make a rational, security-conscious decision is not the priority. Getting through the backlog of emails and progressing business issues is the priority. Mindlessness reigns and, as Dr Helen Langer commented a recent Security Through Education podcast, “when you’re not there, you’re not there to know you’re not there”. As Sunstein and Thaler outline so eloquently in Nudge, our brains are a battleground between Homer Simpson and Dr Spock – a rational, long-term planner trying to reign in a short-termist, impulsive thrill-seeker. Our challenge in battling social engineering attacks is encouraging people to engage more with the Spock in their brain and less with the Homer.

So, what can organisations do to mitigate social engineering threats? Having a robust cyber security culture, in which staff are empowered to challenge and prioritise security appropriately is the key. This culture provides the framework on which policies and procedures are designed and adhered to with security in mind. To achieve this, consider the following:

  • Awareness-raising training should be focused on changing behaviours and making people conscious of the most prevalent threats and how they relate to them. So, for example, senior executives and finance staff should be made particularly aware of ‘CEO Fraud’ phishing emails.
  • Procedures should be in place to ensure that financial transactions have to be signed off by more than one person. Pressure points in the process, such as a particular member of staff being overworked, need to be identified and managed so that people have more time to follow security procedures whilst meeting business requirements.
  • Receptionists should be trained to stick to security procedures regardless of the apparent seniority of the visitor. Senior staff should be trained to know that this is a good thing for the organisation and everyone’s security, not an affront to their status.
  • Wearing security passes in a company premises should be mandatory – as should taking the passes off when outside the premises (so that copies cannot be easily made).
  • The organisation should have a social media policy which takes account of social engineering attacks.

Developing a strong cyber security culture is not straight-forward and it takes time, but it is worth it.

If you’d like to discuss your cyber security needs and how I might be able to help, or you would be interested in having me speak at your organisation or event, please email me at mail@drjessicabarker.co.uk.

By Dr Jessica Barker

Read More

Would the real imposter please stand up?

Having had a number of separate conversations recently with people in this industry, some very experienced and incredibly well-respected, I was struck by how prevalent it is to feel like a fraud. This prompted me to do a quick twitter poll on so-called ‘Imposter Syndrome’.

Imposter syndrome is defined as individuals who are successful by external standards but have the illusion of personal incompetence; they attribute their success to luck and interpersonal skills, rather than hard work, talent and experience. The ways it manifests has been very well described by Scott Roberts in this blog post.

 

Findings

 

I set a twitter poll for 24 hours asking ‘infosec people’ how often they feel imposter syndrome and gave the options of:

  • All the time / daily
  • Often / weekly
  • Sometimes / monthly
  • Never

The poll got a large response and generated a lot of discussion: 37,976 impressions, 2,212 engagements, 813 votes and 79 replies. I feel pretty safe in assuming that’s the biggest response I’ve had to a tweet, which implies that my question struck a nerve.

 

 

As you can see above, 84% of respondents feel imposter syndrome at some point. The majority of respondents, 64%, feel it either on a weekly or daily basis. The largest response was ‘all the time’, at 34%.

Twitter polls don’t facilitate demographic analysis and so there is no way of knowing whether age, experience, seniority, gender, sector etc. influence feelings of imposter syndrome. Some argue that it exists more in women than men (and so it would be surprising that it was prevalent in a male dominated industry), but research suggests that it is experienced by men just as much as women (Chrisman et al., 1995).

 

Causes

 

The replies and discussion which followed was, for me, the most valuable and insightful part of the poll. Many very successful and well-known leaders in the field replied to share their feelings and it seemed from the replies that the feeling was not dependent, as many would assume, on experience and standing in the industry. In fact, for some, the more senior they became, the more they experienced the feeling – as Ben Hughes describes in an excellent, eloquent and thought-provoking blog post which he wrote after responding to the poll. I’m not even joking when I say this: I felt nervous about writing this blog post after reading what Ben had shared as his article is so good.

And, isn’t that part of the problem? Having conducted this poll, had lots of great responses to the tweet and thought about imposter syndrome a lot over the last two weeks, some of the causes, or exacerbating factors, seem to be:

  • Insecurity (Alanis Morisette could write a fitting lyric about the insecurity felt by a bunch of people working in security). The feeling we have to be as good as one another surely contributes to imposter syndrome, especially given the fact we work in a hugely diverse industry which is based on distinct specialisms that vary hugely. As many commented, we meet someone or watch them talk at a conference and feel intimidated and concerned when we don’t know what they know. We worry that we can’t possibly truly understand the field, and belong in it, in the way that this person does. We often forget that we actually don’t need to know what this amazing person does, that our job is not the same as theirs and that we probably have a bunch of knowledge and experiences that they don’t. We don’t acknowledge that the most vocal people in this field are the minority, they are the 2% of this industry as research by both Adrian Sanabria and Lawrence Hecht shows. If we all knew the same stuff, this industry would be a lot worse off. In fact, aren’t we always saying we need more diversity?
  • Bravado. There’s the notion that all hackers are egotistical. Of course, there are the loud mouths who like nothing better than to point and laugh when someone messes up or doesn’t display a perfect level of knowledge. As far as I’m concerned, these people are probably the most insecure – tearing someone else down is usually a sure sign that you’re not very happy with yourself and you’re desperately trying to convince yourself, and everyone else, otherwise.  This kind of person is everywhere, in every industry. However, we do seem to tolerate them more in information security than I’ve seen in other industries.  Let’s not let them define our culture. As Ben Hughes argues, we need the space to be vulnerable. The outpouring of responses to my poll implies that many people feel vulnerable and want the opportunity to share that. The comfort many took from reading that other people feel like they do, and in fact people that they look up to, demonstrates the value of having such a space.
  • Introversion. We spend a lot of time on our own working on laptops and computers. Most people spend a lot of time online, undoubtedly more than in a lot of other industries. The danger with this is that your world can narrow and you can lose perspective. You forget that you are more than your job and that your worth is a lot more than your professional output.
  • Technology over people. The industry has tended to neglect the human dimensions of our interactions. From my point of view, this limits our success, as we fail to adequately address the human elements of cyber security, but it also negatively impacts the culture within the industry.  It is hardly surprising that issues like imposter syndrome, depression and anxiety are a problem, in an industry more comfortable and concerned with the black and white of 1s and 0s than the ambiguities of people and their emotions.
  • The pace of change. It is pretty impossible to keep up with the pace of change in this industry and yet, we feel that we should. In many ways, that’s a good thing, as it drives us to learn more and keep our knowledge up-to-date. Our employers and clients certainly benefit, but the cost can be a feeling of being always on and never knowing enough, which drives anxiety and the feeling that we aren’t good enough.
  • Burnout. Considering the work done by Jack Daniel and Chris Sumner on burnout, there seems to be a cyclical relationship between burnout and imposter syndrome. Jack Daniel suggests that feeling a lack of self-efficacy (your belief in your ability to succeed) is an indicator of burnout. I found this blog article helpful in describing the way burnout and imposter syndrome can take hold.
  • Criticism. Criticism dominates this industry. By nature, we tend to be a cynical bunch who look for the flaws in everything. This is inevitable and of course valuable, but it can have a damaging effect on individuals. As a few people commented in the twitter thread, this industry can build people up and then tear them down very quickly, which ultimately undermines us all. It damages not only the person being targeted, but those who see it happening and hold themselves back for fear they will be next.
  • Bullying. For some people, feelings of imposter syndrome stem from bullying in previous jobs or at school. If someone has been in your ear, undermining your confidence and constantly telling you that you’re not good enough, it can really damage your self-esteem and cloud your vision: you can lose sight of the fact that it is the bully with the problem, not you. We all have a tendency to hold on to the negative things said about us and not attach the same significance to positive comments. When the negative comments have been repeated over a period of time, this can be very hard to shake off.

 

What to do about it?

 

Some suggested that they find the feelings helpful, as a way of motivating them to keep learning and working hard. Robin Wood‘s discussion of worrying about not making a mistake on a penetration test ties into this, as he discusses the way it helps to make sure that he does his best on every job. This is how I approach it, too: when I worry that I’m not up to the task or don’t know as much as others in the industry, it drives me to work harder and learn more. However, for some it seems the feelings are more self-destructive and can lead to procrastination. It can limit the extent to which they make their voices heard or put themselves forward, which is a loss for them and for the industry as a whole.

If that’s the case for you, many people shared approaches that they find useful to overcome the feeling of being a fraud:

  • Surrounding yourself with positive, supportive people that you can talk to. Many people commented that it helped to see, via the twitter thread, that they are not alone in feeling like this.
  • Don’t stop working – procrastination feeds the feelings, and you can end up beating yourself up for a lack of productivity, too.
  • At the same time as I say don’t stop working, I’m also going to say take a break. Schedule something where you take time – and most importantly, your brain, off work. Hang out with friends, visit family, have fun, go offline and spend some time in nature. See the bigger picture.
  • Fake it (confidence) til you make it‘ (but don’t fake skills or knowledge – that will not help with feeling like a fraud). This really helps me when I’m giving a talk, for example to a technical audience who I know are experts in a lot of things I am not. As commented by one person in the thread – there is no difference to the viewer between confidence, and fake confidence. Sometimes behaviour drives feelings, so if you can change your behaviour and appear more confident, that confidence eventually becomes embedded.
  • Remind yourself what you do know and where you have proven successes. For me, this takes the form of keeping track of what I’ve done, as well as what I’ve got to do. I use a simple form of agile working to keep track of my to do and done lists, and I also keep a list of conference presentations and media appearances.
  • Feel the fear and do it anyway. For me, it’s helpful to do something outside of work that I find scary or have not done before – I find that pushing myself out of my comfort zone in one sphere helps build confidence all-round.
  • Don’t be defined by any failures. Everyone makes mistakes and no-one is perfect. Of course, no-one likes to fail but, when it happens, resist beating yourself up and instead focus on what you have learnt and how you can use it to do better next time.
  • If you’re in a junior position, acknowledge that you do still have a lot to learn and that’s fine. No-one expects you to know everything. If you feel like you’re learning things which everyone else already knows and you’ll never find your own path or have your own expertise, just stay on the bus.
  • Recognise that you don’t have to hold on to imposter syndrome to stay humble and be a nice person. Some respondents seemed to feel that if they overcame feeling like a fraud, they would automatically go to the other end of the spectrum and become egotistical. Others, who didn’t have imposter syndrome, replied or sent me DMs to say they wondered what it said about them that they’re not plagued by self-doubt. There’s a big difference being comfortable and confident with what you know, and thinking you know everything and are better than everyone else. There is nothing wrong with healthy self-confidence and self-belief. In fact, isn’t that the aim?
  • Look after yourself. Eating well, sleeping well and exercise are all proven to be positive contributors to good mental health, and I’m sure play a role in keeping imposter syndrome at bay. But, more than anything, I think the key to looking after yourself is not beating yourself up for negative thoughts. If you start to doubt yourself and your abilities, don’t compound it by kicking yourself for having those thoughts.

 

Thank you to everyone who voted in or commented on the Twitter poll – the discussion here is a reflection of your contribution. Feel free to contact me if you have any comments on imposter syndrome or this article. If you’ve found other ways to overcome the feeling of being a fraud, I’d love to hear from you.

By Dr Jessica Barker

Read More

Smartphone Security

sky news smartphones

This afternoon I appeared on Sky News to discuss smartphone security. The news item was based on reports that cyber criminals are increasingly targeting mobile phones.

My key points:

  1. Smartphones are computers and as such are just as vulnerable to cyber insecurity as our PCs. In fact, probably more so: we carry them with us everywhere we go, there are more of them in the world than PCs and they contain a great deal of personal, sensitive and valuable data. With geographic tracking, internet browsing, email, photos, messaging, third-party applications, mobile banking and the rise of mobile payments, it’s no surprise they are increasingly being targeted. Criminals go where the money is so the more we use our phones for money transfers, the more they will be targeted.
  2. Smartphone providers are working on security. For example, Nokia have signed deals with F-Secure and Symantec to provide anti-virus subscriptions to their consumers. At the hardware level, work is being done to develop a separate and protected portion of memory in which applications can be verified and then run securely. And, at the enterprise level, operators are finding ways to monitor and filter malicious downloads and spam.
  3. So, there are lots of things operators can and are doing to make mobile phones more secure. However, as with a lot of security, the key to being as secure as you can be lies in how you interact with your device. To better protect yourself, it is recommended that you:
  • Be wary of links you click and apps you download
  • Consider adblocking to prevent malvertising
  • Have wifi turned off by default and only connect to known, trusted networks. Do not trust public networks, for example in coffee shops, as these can be easily spoofed by criminals who can then exfiltrate your data.
  • Keep your phone updated, as this updates the security to fix any vulnerabilities which have become known since the last update.

By Dr Jessica Barker

Read More