Inside out: managing the insider threat

News of a data breach at the UK software company Sage is a reminder of the potential damage an insider can do. Sage is a FTSE 100 company providing business management software to companies in 23 countries. It has reported the breach to the City of London Police and has informed the customers it believes may have been affected: the personal information of employees at 280 firms may have been compromised by someone using an internal computer login.

The insider threat takes both malicious and non-malicious forms: from an attacker (or attackers) with inside access who consciously steal or use internal information for their own gain and/or to harm the organisation, to an individual who accidentally emails information to the wrong recipient or leaves documents on a train. Research suggests that the malicious insider is the most costly threat facing organisations.

What can your company do to mitigate the insider threat?

  1. Access to information should be based on the principle of ‘need to know’. Ensure this is in place with an access rights review, and set up procedures so that IT is informed, and amends access accordingly, when employees move jobs or leave the organisation. Data should be segregated, with network segmentation at least by department.
  2. Train employees in cybersecurity, instilling them with an understanding of the threats and of the impact that their behaviours can have on keeping information safe.
  3. Situational awareness is important on an organisational, as well as individual, level. Participate in threat sharing communities if at all possible. Communicate with peers to develop and maintain awareness of the threats which they are managing and consider what this means for you. Remain aware of current cybersecurity threats hitting the headlines.
  4. Look at your password policy, and practices of employees. Do people leave passwords on post-it notes on their desks, or share them with colleagues? If so, this increases the potential for unauthorised insider access and could be an indication that you should simplify your approach to passwords.
  5. Consider your other cybersecurity policies. Have you clearly and concisely communicated how you expect employees (and anyone else with access) to handle information? How are the policies communicated and enforced? It’s really important to understand where people find workarounds to the policies and procedures – what they routinely don’t comply with in order to get their job done. These workarounds show where policies and procedures are hindering the business and inducing risk. Work with the business to address them in a proportionate way – how can you find a balance that enables people to get their job done whilst maintaining the security of information?
  6. Review how employees and contractors access your network. Remote working and Bring Your Own Device (BYOD) open up new risks and so you may need to consider how you can support flexible working whilst minimising those risks.
  7. Encrypt data at rest and in transit. Don’t make it easy for unauthorised people to access and view data.
  8. Look at your personnel and physical security. How easy would it be for an attacker to take advantage of an internal weakness, such as tailgating, poor CCTV or a lax approach to wearing name badges? A social engineering test is a good way of getting an ‘attacker’s eye view’ of your organisation.
  9. Keep logs. Many organisations don’t make this a priority and, whilst logs will of course not protect you from the insider threat, they provide an audit trail to help you unpick what has happened and supporting evidence in a criminal trial, should it come to that.
  10. Have an incident response plan, which outlines roles, responsibilities and avenues of communication – and test it. Again, an incident response plan will not protect you from the insider threat, but it will enable you to respond as quickly and effectively as possible. However, it will only do this if you test it to ensure that when you really need it, the theory works in practice.
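Tips 1 and 9 are the two where a reviewer usually wants something concrete: reconciling who holds a login against who HR says still works here and in which department, and reading the audit trail for a login that is touching more than its owner needs to (the Sage report describes exactly that pattern: an internal login reaching the records of many customer firms). The script below is an added example and not code from the original post. Everything in it is constructed for illustration: the HR roster, the directory export (login, owner, enabled flag, groups), the application audit log in the form `timestamp login action firm`, and the thresholds; a real review would pull these from the HR system, the directory service and the application's own logs.

```python
"""Joiner/mover/leaver reconciliation plus an audit-trail check.

Added example, not from the original post. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed HR roster: employee id -> (department, status)
HR_ROSTER = {
    "e100": ("payroll", "active"),
    "e101": ("payroll", "active"),
    "e102": ("sales", "active"),
    "e103": ("payroll", "left"),   # leaver: should have no enabled login
    "e104": ("sales", "active"),   # mover: came from payroll last quarter
}

# Constructed directory export: login -> (employee id, enabled, groups)
ACCOUNTS = {
    "alice":   ("e100", True, {"payroll-data"}),
    "bob":     ("e101", True, {"payroll-data"}),
    "carol":   ("e102", True, {"sales-crm"}),
    "dave":    ("e103", True, {"payroll-data"}),               # leaver still enabled
    "erin":    ("e104", True, {"payroll-data", "sales-crm"}),  # mover kept old group
    "svc-old": (None,   True, {"payroll-data"}),               # no owner in HR
}

# Need to know: the group each department legitimately requires, and the
# group each logged action depends on (both constructed).
DEPARTMENT_GROUPS = {"payroll": {"payroll-data"}, "sales": {"sales-crm"}}
ACTION_GROUP = {"view_payroll": "payroll-data",
                "export_payroll": "payroll-data",
                "view_crm": "sales-crm"}

# Constructed application audit log: "timestamp login action customer-firm"
AUDIT_LOG = """\
2016-08-10T09:12:01 alice view_payroll firm-0012
2016-08-10T10:02:13 bob view_payroll firm-0031
2016-08-10T10:40:55 carol view_crm firm-0044
2016-08-10T11:03:27 erin view_payroll firm-0031
2016-08-10T22:41:09 dave view_payroll firm-0007
2016-08-10T22:41:30 dave view_payroll firm-0008
2016-08-10T22:41:52 dave view_payroll firm-0009
2016-08-10T22:42:15 dave view_payroll firm-0010
2016-08-10T22:42:40 dave export_payroll firm-0011
"""


def review_accounts(roster, accounts, department_groups):
    """Reconcile directory logins against the HR roster (tip 1).

    Returns: leavers_enabled (enabled login, owner has left), orphaned
    (no owner in HR), excess_groups (groups the owner's department
    does not need, i.e. a mover who kept old access).
    """
    leavers, orphaned, excess = [], [], {}
    for login, (emp, enabled, groups) in accounts.items():
        if emp is None or emp not in roster:
            orphaned.append(login)
            continue
        dept, status = roster[emp]
        if status != "active" and enabled:
            leavers.append(login)
            continue
        extra = groups - department_groups.get(dept, set())
        if extra:
            excess[login] = sorted(extra)
    return {"leavers_enabled": sorted(leavers),
            "orphaned": sorted(orphaned),
            "excess_groups": excess}


def parse_log(text):
    """Parse the constructed log format into (datetime, login, action, firm)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, login, action, firm = line.split()
            records.append((datetime.fromisoformat(ts), login, action, firm))
    return records


def audit_findings(records, roster, accounts, department_groups, action_group,
                   review, max_firms_per_day=3, office_hours=(8, 19)):
    """Flag audit-trail activity a reviewer should look at (tip 9).

    Returns login -> sorted reasons: should-be-disabled (leaver/orphan
    still active), outside-department (action needs a group the owner's
    department lacks), out-of-hours, bulk-access (more distinct firms in
    one day than max_firms_per_day; threshold is a constructed baseline).
    """
    suspect = set(review["leavers_enabled"]) | set(review["orphaned"])
    reasons, firms_per_day = defaultdict(set), defaultdict(set)
    for ts, login, action, firm in records:
        if login in suspect:
            reasons[login].add("should-be-disabled")
        emp = accounts.get(login, (None,))[0]
        dept = roster.get(emp, (None, None))[0]
        needed = action_group.get(action)
        if needed and needed not in department_groups.get(dept, set()):
            reasons[login].add("outside-department")
        if not office_hours[0] <= ts.hour < office_hours[1]:
            reasons[login].add("out-of-hours")
        firms_per_day[(login, ts.date())].add(firm)
    for (login, _day), firms in firms_per_day.items():
        if len(firms) > max_firms_per_day:
            reasons[login].add("bulk-access")
    return {login: sorted(r) for login, r in reasons.items()}


def run_review():
    """Run both checks on the constructed data and return the findings."""
    review = review_accounts(HR_ROSTER, ACCOUNTS, DEPARTMENT_GROUPS)
    findings = audit_findings(parse_log(AUDIT_LOG), HR_ROSTER, ACCOUNTS,
                              DEPARTMENT_GROUPS, ACTION_GROUP, review)
    return review, findings


if __name__ == "__main__":
    review, findings = run_review()
    print("access review:", review)
    for login, why in sorted(findings.items()):
        print(f"{login}: {', '.join(why)}")
```

On the constructed data the review surfaces the leaver whose login is still enabled, the service account nobody in HR owns, and the mover who kept payroll access after moving to sales; the audit check then shows that same leaver reading five firms' payroll records late at night and the mover using the access their department no longer needs. The point of pairing the two is that neither the directory nor the log alone tells you this: the log shows behaviour, the roster tells you whether that behaviour had any business justification.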

Some of these tips are aimed at minimising the insider threat, whilst others are about managing an incident should one occur. Ponemon’s latest data breach report highlighted that having an incident response team, extensive use of encryption, employee training, participation in threat sharing or business continuity management decreased the per capita cost of a data breach.

Finally, remember that the definition of an insider threat is not limited to employees, but rather relates to anyone (employees, contractors, third-party suppliers) who accesses your information or networks.

By Dr Jessica Barker


Cyber by any other name would smell as insecure: the language of security at Bsides London 2016

Photo by Sir Jester

At Bsides London 2016, I gave a presentation on a topic I’ve been thinking about for a long time: why we should embrace the term ‘cyber’.

There’s a tendency for the industry to roll its collective eyes at the term cyber. There’s an unwritten rule that it’s not credible, that it’s a buzzword which means nothing and is used by people who don’t really belong in the field. Actually, it’s not an unwritten rule at all: you see references to it in memes and tweets all the time. Obviously, as someone who describes herself as a ‘cyber security consultant’ and publishes on this domain name, I don’t subscribe to that view. I wanted to speak at BSides about why, and why I would like more people in the industry to consider embracing cyber, too.

We have many terms for what we do. Information security, cyber security, information assurance, data security, IT security; the list goes on. While they all technically have their own definitions, as consulting NIST will confirm, we often use them interchangeably. In different contexts and speaking to different people, the terms get muddied and even contradict themselves. Only one of the terms is in the dictionary:

[Image: dictionary definition of ‘cyber security’]

Words go in the dictionary when they’re used a lot. Only one of the different terms that we use to describe what we do has gained enough traction outside of our industry to go in the dictionary.

The history of cyber

Cyber is perceived to be a pretty new word, and is often accused of being a word which means nothing. In fact, it actually has quite a long heritage:

  • In Ancient Greece, the term kubernao was used to mean “steer a ship”
  • The Greek kubernetes (‘steersman’) is the direct ancestor of “cybernetics”
  • The Romans turned kubernao into guberno, from which we get “govern”
  • Plato used “kubernetika” to mean skill in steering
  • In the 1940s the American mathematician Norbert Wiener used “cybernetics” to mean “control and communication theory, whether in the machine or in the animal”
  • In the 1980s, William Gibson coined the phrase ‘cyberspace’ in his short story Burning Chrome; it became popular after he used it again in Neuromancer

The association of these terms with cyber and cyber security is obvious to me: cyber security is about governing information, it is about where humans and machines meet.

Survey findings

For the presentation I didn’t want to simply rely on my own assumptions and biases, so I did a couple of surveys to explore the terms which resonate most with people.

To elicit the opinions of my peers, I did a twitter poll. I was relying on the fact that most of my followers work in the industry, and most of their followers – if they retweeted it – probably do, too (according to my twitter analytics, 89% of my followers are interested in tech news, 76% in technology and 67% in network security).

The poll got a good response: over 8,000 impressions, 403 votes and a fair bit of discussion. Thanks to everyone who voted in it, commented on it and shared it. The wording of the question is of course open to criticism (it could have been more precise / it could have been more general) and I’m relying on the assumption that most of the people who responded to the poll are involved in, or identify with, the industry. I’m happy with those caveats and feel pretty confident that the poll is a good reflection of the industry, in which most people identify with the term ‘information security’ (over twice as many as ‘cyber security’).

As much as I was interested in the poll results, I was also keen to hear people’s opinions. Some which stood out to me, and summed up what others had to say, were:


I also did a survey with the UK general public. I asked the same question and got over 700 responses:

[Image: public survey results, ‘Cyber smells sweet’]


So, based on 737 responses, cybersecurity* was the top response. Information security, in contrast to the twitter poll, was the least favourite response. Most tellingly, it was less popular than e-security, which I put in on a bit of a whim (it was omitted from the twitter poll because you can only give four answer options on twitter). I have never heard anyone use the term e-security, so to discover that it was ever-so-slightly more popular with the general public than information security was pretty surprising.

Why does it matter?

If research tells us that the industry and the general public use different terms to refer to the protection of information, does that matter?

I think so.

Language has existed for perhaps 150,000 years, at least 80,000 years – it is mainly used as speech, evolving as we talk. Language changes a lot, from Ye Olde English to textspeak. There are many words we use now which used to mean something completely different. So, for people who resist the use of ‘cyber’ because it meant something altogether different 20 years ago, I would say: that’s the nature of language, it changes. When we say something it is always ambiguous and when people speak, they do so with the intention of being understood by the listener, or perhaps to intimidate and impress. Language relies on mutual understanding and cooperative communicators consider the listener’s assumptions, knowledge and prior experience.

In our industry, we are trying to engage with, and change the behaviours of, individuals, organisations and society. At the micro, meso and macro levels, we want people to listen to us more. We want individuals to better protect themselves, for example with password managers, two factor authentication and taking care of what they post online. We want organisations to be more responsible with the data they are entrusted with, we want them to build security into their products and give us the resources we need to do our jobs. We want the media to understand what we do so that the most important messages are represented, which helps us communicate more effectively with individuals and organisations. We want the law to reflect the realities of our jobs and the challenges we face, and the justice system to punish people intelligently and appropriately (i.e. criminals not researchers). If we truly want those things, then we can’t afford to reinforce silos of communication where everyone speaks a different language and fails to understand one another.

In psychology, heuristics are simple rules of thumb that explain how people make decisions and why they act in a certain way. The fluency heuristic explains that the more clearly, skilfully and elegantly an idea is communicated, the more people will engage with it. The media have embraced cyber. The board has embraced cyber. The public have embraced cyber. Far from being meaningless, it resonates far more effectively than ‘information’ or ‘data’. So, for me, the use of cyber comes down to one question: what is our goal? If our goal is to engage with and educate as broad a range of people as possible, using ‘cyber’ will help us do that. A bridge has been built, and I suggest we use it.

William Gibson has spoken about the process he went through in coining the term cyberspace:

“Data space didn’t work and infospace didn’t work but cyberspace! It sounded like it meant something or it might mean something… My whole delight was that I knew it meant absolutely nothing so I would then be able to specify the rules for the arena”

Cyber is here to stay. We have a choice as an industry whether to keep trying to resist and undermine it, or whether to embrace it, engage with it and start shaping the rules of the arena ourselves. Otherwise, we can continue allowing businesses, governments and the media define it for themselves.

By Dr Jessica Barker

*Notes: I haven’t tackled the fact that sometimes we use ‘cyber security’ as two words and sometimes (and in the dictionary) ‘cybersecurity’ as one word. As a habit, I have always used the term as two words and in the public survey it was a typo / auto-correct error that I compounded them. An interesting thought made by someone at the end of my presentation: ‘information’ and ‘security’ have many meanings and can be applied to many contexts. ‘Cybersecurity’ has one meaning. This seems like a very valid point to me and combined with the fact it’s the term used in the dictionary, is making me think I should compound the words in future.


How to Hack a Human: my infosec 16 keynote

Photo by Soraya Iggy

At Infosecurity 2016, I gave a keynote talk on the elements of human nature and social norms which make us so susceptible to social engineering attacks. Infosecurity invited me to give the keynote drawing on my background in sociology and experience helping organisations mitigate against social engineering.

What is social engineering?

Social engineering is about using psychological tools such as charm, manipulation and deceit to elicit information or access to places and systems from people who should be keeping it safe. We associate social engineering with cyber security, because the way we use technology – the way we share, store and use information on the internet – has increased the attack space. This is why phishing attacks are at a 12 year high.

However, social engineering has undoubtedly been around for as long as mankind. History is littered with examples of it, some of which have been pivotal in social, economic and global development. For example, when the American industrialist Francis Cabot Lowell visited England in the early 1800s, he feigned ill health to win the sympathy of Lancashire mill owners and, using this sympathy combined with flattery, he was given tours of the cotton mills. In doing so he took the opportunity to memorise the mill blueprints. He used this information to build the mill towns of Massachusetts, enabling the United States to become the global leader in the cotton industry.

Why is social engineering so successful?

Whether online or not, we fall for social engineering attacks because they take advantage of human nature, fundamental parts of how we all tend to think and act, and social norms, the cultural and social pressures to do what is generally expected of us. For example, some argue that reciprocity is part of human nature. Our ancestors survived by sharing goods and services before we had currency and governments and so, it is argued, reciprocity is ingrained in our survival instincts. Even when a favour is uninvited, people feel obliged to repay someone who gives them something. This explains why 47.9% of people gave away their password when they were given chocolate immediately before being asked for it.

Much like reciprocity, humanity is innately curious, which brings many benefits. It underpins education, innovation and social interaction. But, when it comes to cyber security, curiosity can be a huge obstacle. Phishing emails thrive on the irresistibility of curiosity, enticing the reader to open the email and click a link or download an attachment. Curiosity may have killed the cat, but it makes a phish live.

People have a tendency to believe stories, whilst being sceptical of facts. Even the most senior and successful people can be taken advantage of by a well-crafted story and their success makes them more likely to both be targeted with social engineering attacks and, arguably, more likely to fall for them, too. This was the case in the recent example of the Austrian aerospace CEO who fell for a spear-phishing attack that cost the organisation £40 million, and cost him his job.

Use of social media has risen phenomenally in the last decade or so, with 20% of the world’s population now on Facebook. At the same time, narcissistic personality traits have risen sharply. While causation has not been proven, research does suggest narcissism is related to the way young people use social media: the desire to have as many friends as possible, and to want those friends to know what they are doing, is higher among young people with narcissistic traits. This provides the perfect breeding ground for social engineering attacks.

We have a tendency to assume that people are rational, and always make rational decisions. But when you’re running between meetings, hurriedly checking emails across devices, and you receive a phishing email that plays to base emotions like those outlined above, taking time to make a rational, security-conscious decision is not the priority. Getting through the backlog of emails and progressing business issues is the priority. Mindlessness reigns and, as Dr Ellen Langer commented on a recent Security Through Education podcast, “when you’re not there, you’re not there to know you’re not there”. As Thaler and Sunstein outline so eloquently in Nudge, our brains are a battleground between Homer Simpson and Mr Spock – a rational, long-term planner trying to rein in a short-termist, impulsive thrill-seeker. Our challenge in battling social engineering attacks is encouraging people to engage more with the Spock in their brain and less with the Homer.

So, what can organisations do to mitigate social engineering threats? Having a robust cyber security culture, in which staff are empowered to challenge and prioritise security appropriately is the key. This culture provides the framework on which policies and procedures are designed and adhered to with security in mind. To achieve this, consider the following:

  • Awareness-raising training should be focused on changing behaviours and making people conscious of the most prevalent threats and how they relate to them. So, for example, senior executives and finance staff should be made particularly aware of ‘CEO Fraud’ phishing emails.
  • Procedures should be in place to ensure that financial transactions have to be signed off by more than one person. Pressure points in the process, such as a particular member of staff being overworked, need to be identified and managed so that people have more time to follow security procedures whilst meeting business requirements.
  • Receptionists should be trained to stick to security procedures regardless of the apparent seniority of the visitor. Senior staff should be trained to know that this is a good thing for the organisation and everyone’s security, not an affront to their status.
  • Wearing security passes in a company premises should be mandatory – as should taking the passes off when outside the premises (so that copies cannot be easily made).
  • The organisation should have a social media policy which takes account of social engineering attacks.

Developing a strong cyber security culture is not straightforward and it takes time, but it is worth it.

If you’d like to discuss your cyber security needs and how I might be able to help, or you would be interested in having me speak at your organisation or event, please email me at mail@drjessicabarker.co.uk.

By Dr Jessica Barker


Would the real imposter please stand up?

Having had a number of separate conversations recently with people in this industry, some very experienced and incredibly well-respected, I was struck by how prevalent it is to feel like a fraud. This prompted me to do a quick twitter poll on so-called ‘Imposter Syndrome’.

Update: after doing the poll and writing this blog post, I gave a talk on this subject at Steelcon

Imposter syndrome describes individuals who are successful by external standards but have the illusion of personal incompetence: they attribute their success to luck and interpersonal skills rather than to hard work, talent and experience. The ways it manifests have been very well described by Scott Roberts in this blog post.


Findings


I set a twitter poll for 24 hours asking ‘infosec people’ how often they feel imposter syndrome and gave the options of:

  • All the time / daily
  • Often / weekly
  • Sometimes / monthly
  • Never

The poll got a large response and generated a lot of discussion: 37,976 impressions, 2,212 engagements, 813 votes and 79 replies. I feel pretty safe in assuming that’s the biggest response I’ve had to a tweet, which implies that my question struck a nerve.



As you can see above, 84% of respondents feel imposter syndrome at some point. The majority of respondents, 64%, feel it either on a weekly or daily basis. The largest response was ‘all the time’, at 34%.

Twitter polls don’t facilitate demographic analysis and so there is no way of knowing whether age, experience, seniority, gender, sector etc. influence feelings of imposter syndrome. Some argue that it exists more in women than men (and so it would be surprising that it was prevalent in a male dominated industry), but research suggests that it is experienced by men just as much as women (Chrisman et al., 1995).


Causes


The replies and discussion which followed were, for me, the most valuable and insightful part of the poll. Many very successful and well-known leaders in the field replied to share their feelings, and it seemed from the replies that the feeling was not dependent, as many would assume, on experience and standing in the industry. In fact, for some, the more senior they became, the more they experienced the feeling – as Ben Hughes describes in an excellent, eloquent and thought-provoking blog post which he wrote after responding to the poll. I’m not even joking when I say this: I felt nervous about writing this blog post after reading what Ben had shared, as his article is so good.

And, isn’t that part of the problem? Having conducted this poll, had lots of great responses to the tweet and thought about imposter syndrome a lot over the last two weeks, some of the causes, or exacerbating factors, seem to be:

  • Insecurity (Alanis Morissette could write a fitting lyric about the insecurity felt by a bunch of people working in security). The feeling that we have to be as good as one another surely contributes to imposter syndrome, especially given that we work in a hugely diverse industry built on distinct specialisms that vary enormously. As many commented, we meet someone or watch them talk at a conference and feel intimidated and concerned when we don’t know what they know. We worry that we can’t possibly truly understand the field, and belong in it, in the way that this person does. We often forget that we actually don’t need to know what this amazing person does, that our job is not the same as theirs and that we probably have a bunch of knowledge and experience that they don’t. We don’t acknowledge that the most vocal people in this field are the minority; they are the 2% of this industry, as research by both Adrian Sanabria and Lawrence Hecht shows. If we all knew the same stuff, this industry would be a lot worse off. In fact, aren’t we always saying we need more diversity?
  • Bravado. There’s the notion that all hackers are egotistical. Of course, there are the loud mouths who like nothing better than to point and laugh when someone messes up or doesn’t display a perfect level of knowledge. As far as I’m concerned, these people are probably the most insecure – tearing someone else down is usually a sure sign that you’re not very happy with yourself and you’re desperately trying to convince yourself, and everyone else, otherwise. This kind of person is everywhere, in every industry. However, we do seem to tolerate them more in information security than I’ve seen in other industries. Let’s not let them define our culture. As Ben Hughes argues, we need the space to be vulnerable. The outpouring of responses to my poll implies that many people feel vulnerable and want the opportunity to share that. The comfort many took from reading that other people feel like they do, and in fact people that they look up to, demonstrates the value of having such a space.
  • Introversion. We spend a lot of time on our own working on laptops and computers. Most people spend a lot of time online, undoubtedly more than in a lot of other industries. The danger with this is that your world can narrow and you can lose perspective. You forget that you are more than your job and that your worth is a lot more than your professional output.
  • Technology over people. The industry has tended to neglect the human dimensions of our interactions. From my point of view, this limits our success, as we fail to adequately address the human elements of cyber security, but it also negatively impacts the culture within the industry. It is hardly surprising that issues like imposter syndrome, depression and anxiety are a problem in an industry more comfortable and concerned with the black and white of 1s and 0s than the ambiguities of people and their emotions.
  • The pace of change. It is pretty impossible to keep up with the pace of change in this industry and yet, we feel that we should. In many ways, that’s a good thing, as it drives us to learn more and keep our knowledge up-to-date. Our employers and clients certainly benefit, but the cost can be a feeling of being always on and never knowing enough, which drives anxiety and the feeling that we aren’t good enough.
  • Burnout. Considering the work done by Jack Daniel and Chris Sumner on burnout, there seems to be a cyclical relationship between burnout and imposter syndrome. Jack Daniel suggests that feeling a lack of self-efficacy (your belief in your ability to succeed) is an indicator of burnout. I found this blog article helpful in describing the way burnout and imposter syndrome can take hold.
  • Criticism. Criticism dominates this industry. By nature, we tend to be a cynical bunch who look for the flaws in everything. This is inevitable and of course valuable, but it can have a damaging effect on individuals. As a few people commented in the twitter thread, this industry can build people up and then tear them down very quickly, which ultimately undermines us all. It damages not only the person being targeted, but those who see it happening and hold themselves back for fear they will be next.
  • Bullying. For some people, feelings of imposter syndrome stem from bullying in previous jobs or at school. If someone has been in your ear, undermining your confidence and constantly telling you that you’re not good enough, it can really damage your self-esteem and cloud your vision: you can lose sight of the fact that it is the bully with the problem, not you. We all have a tendency to hold on to the negative things said about us and not attach the same significance to positive comments. When the negative comments have been repeated over a period of time, this can be very hard to shake off.


What to do about it?


Some suggested that they find the feelings helpful, as a way of motivating them to keep learning and working hard. Robin Wood’s discussion of worrying about making a mistake on a penetration test ties into this, as he discusses the way it helps to make sure that he does his best on every job. This is how I approach it, too: when I worry that I’m not up to the task or don’t know as much as others in the industry, it drives me to work harder and learn more. However, for some it seems the feelings are more self-destructive and can lead to procrastination. It can limit the extent to which they make their voices heard or put themselves forward, which is a loss for them and for the industry as a whole.

If that’s the case for you, many people shared approaches that they find useful to overcome the feeling of being a fraud:

  • Surrounding yourself with positive, supportive people that you can talk to. Many people commented that it helped to see, via the twitter thread, that they are not alone in feeling like this.
  • Don’t stop working – procrastination feeds the feelings, and you can end up beating yourself up for a lack of productivity, too.
  • At the same time as I say don’t stop working, I’m also going to say take a break. Schedule something where you take time – and most importantly, your brain, off work. Hang out with friends, visit family, have fun, go offline and spend some time in nature. See the bigger picture.
  • ‘Fake it (confidence) til you make it’ (but don’t fake skills or knowledge – that will not help with feeling like a fraud). This really helps me when I’m giving a talk, for example to a technical audience who I know are experts in a lot of things I am not. As one person commented in the thread, there is no difference to the viewer between confidence and fake confidence. Sometimes behaviour drives feelings, so if you can change your behaviour and appear more confident, that confidence eventually becomes embedded.
  • Remind yourself what you do know and where you have proven successes. For me, this takes the form of keeping track of what I’ve done, as well as what I’ve got to do. I use a simple form of agile working to keep track of my to do and done lists, and I also keep a list of conference presentations and media appearances.
  • Feel the fear and do it anyway. For me, it’s helpful to do something outside of work that I find scary or have not done before – I find that pushing myself out of my comfort zone in one sphere helps build confidence all-round.
  • Don’t be defined by any failures. Everyone makes mistakes and no-one is perfect. Of course, no-one likes to fail but, when it happens, resist beating yourself up and instead focus on what you have learnt and how you can use it to do better next time.
  • If you’re in a junior position, acknowledge that you do still have a lot to learn and that’s fine. No-one expects you to know everything. If you feel like you’re learning things which everyone else already knows and you’ll never find your own path or have your own expertise, just stay on the bus.
  • Recognise that you don’t have to hold on to imposter syndrome to stay humble and be a nice person. Some respondents seemed to feel that if they overcame feeling like a fraud, they would automatically go to the other end of the spectrum and become egotistical. Others, who didn’t have imposter syndrome, replied or sent me DMs to say they wondered what it said about them that they’re not plagued by self-doubt. There’s a big difference being comfortable and confident with what you know, and thinking you know everything and are better than everyone else. There is nothing wrong with healthy self-confidence and self-belief. In fact, isn’t that the aim?
  • Look after yourself. Eating well, sleeping well and exercise are all proven to be positive contributors to good mental health, and I’m sure play a role in keeping imposter syndrome at bay. But, more than anything, I think the key to looking after yourself is not beating yourself up for negative thoughts. If you start to doubt yourself and your abilities, don’t compound it by kicking yourself for having those thoughts.


Thank you to everyone who voted in or commented on the Twitter poll – the discussion here is a reflection of your contribution. Feel free to contact me if you have any comments on imposter syndrome or this article. If you’ve found other ways to overcome the feeling of being a fraud, I’d love to hear from you.

By Dr Jessica Barker


Smartphone Security


This afternoon I appeared on Sky News to discuss smartphone security. The news item was based on reports that cyber criminals are increasingly targeting mobile phones.

My key points:

  1. Smartphones are computers and as such are just as vulnerable to cyber insecurity as our PCs. In fact, probably more so: we carry them with us everywhere we go, there are more of them in the world than PCs and they contain a great deal of personal, sensitive and valuable data. With geographic tracking, internet browsing, email, photos, messaging, third-party applications, mobile banking and the rise of mobile payments, it’s no surprise they are increasingly being targeted. Criminals go where the money is so the more we use our phones for money transfers, the more they will be targeted.
  2. Smartphone providers are working on security. For example, Nokia have signed deals with F-Secure and Symantec to provide anti-virus subscriptions to their consumers. At the hardware level, work is being done to develop a separate and protected portion of memory in which applications can be verified and then run securely. And, at the enterprise level, operators are finding ways to monitor and filter malicious downloads and spam.
  3. So, there are lots of things operators can do and are doing to make mobile phones more secure. However, as with a lot of security, the key to being as secure as you can be lies in how you interact with your device. To better protect yourself, it is recommended that you:
  • Be wary of links you click and apps you download
  • Consider adblocking to prevent malvertising
  • Have Wi-Fi turned off by default and only connect to known, trusted networks. Do not trust public networks, for example in coffee shops, as these can be easily spoofed by criminals who can then exfiltrate your data.
  • Keep your phone updated, as this updates the security to fix any vulnerabilities which have become known since the last update.

By Dr Jessica Barker


Talking passwords on BBC 5 Live

I was interviewed on BBC 5 Live this morning about whether we have reached ‘peak password’. I gave some advice on how people can better manage their passwords and, having been asked by 5 Live to write five top tips for password management, wanted to expand on my thoughts here:
1. Don’t use something personal for the basis of your passwords as we often share personal information online, for example referring to our family members, pets and favourite sports teams on social media.
2. Your password should be something memorable but not personal. For example, on your desk you may keep a stapler next to a blue mouse mat, in which case a password could be ‘staplerbluemouse’. To make it more complicated, swap some of the letters for numbers and special characters, and use uppercase as well as lowercase letters. So the password could become ‘St@p1erbluem0usE’.
3. Another good approach is to base passwords on sentences, for example from your favourite books, poems or songs. For example, ‘I see a black door’ could be ‘Iseeablackdoor’ which becomes ‘Is33@bl@ckd00R’ when we add in numbers and special characters.
4. Your passwords should be long and use a mixture of upper and lower case letters, as well as numbers and special characters. This is because attackers use password-cracking tools that contain large dictionaries of normal words. It can be hard to remember a lot of complicated passwords, so you may want to consider a password manager.
5. Where it’s available, enable two-factor authentication. It sounds complicated but it’s actually very simple – and effective. It basically means that if you use a device that you don’t usually use to log into an account, you’ll be texted a short number which you have to input to get access. This means that if your password is compromised by an attacker, they can’t get into the account. It also means that if an attacker tries to get into your account, you’ll receive a text with the code. You’ll know that you didn’t prompt it, so it acts as a warning that someone is trying to access your account and you may want to strengthen your security. Unfortunately, a lot of people are not aware of two-factor authentication; if you want more information, check out https://twofactorauth.org/.
For more about managing your passwords, read what Per Thorsheim has to say here.


Cyber Security Skills: part one

Unknown unknowns are a fundamental part of cyber security. Attribution of attacks, the scale of the problem, the amount of data and money lost and stolen: the list of things we don’t know is long and unlikely to shorten anytime soon. However, we can be certain of the demand our industry faces, the vacancies we need to fill and the variety of skills we need to better meet our challenges.

In 2004, the global cyber security market was worth $3.5 billion; by 2017 it will be worth $120 billion. By 2019, the industry is set to offer over 4.5 million more jobs worldwide. Pretty much every company I know is recruiting. We need to hire more people. We also need to get better at attracting more women. Only 11% of the industry are women and so we are largely neglecting to hire 50% of the population. Over the last few years, the industry has also woken up to the fact that this is not a wholly technical subject and we need to hire people with more diverse backgrounds and experience.

Amidst all of this, awareness of cyber security has never been higher. Data breaches and cyber attacks are in the news on a seemingly daily basis. Thanks to shows like Mr Robot, CSI Cyber and even dramas such as The Good Wife, cyber security is increasingly in our living rooms as entertainment as well as news.

One of the biggest issues facing the skills gap is the lack of clear pathways into the industry. There are a variety of certifications, training courses and an ‘alphabet soup’ (to quote George Osborne) of agencies and organisations involved. This is a confusing situation if you’re within the industry, but if you’re just starting out it must be pretty overwhelming. One of the best ways to move ahead is to get talking with people who are more established and seek their advice. Another is to determine which aspects of cyber security interest you the most.

It is for these reasons that initiatives such as TeenTech and the Cyber Security Challenge are so valuable. By taking part in a TeenTech Cyber day or a Cyber Security Challenge event, you’ll meet leaders in the industry, listen to how their careers have developed and seek their advice. You’ll be able to test existing skills and be guided in developing new ones. Importantly, you’ll also have fun and meet like-minded people.

If the thought of putting yourself forward freaks you out, that’s normal. If you don’t believe me, take a look at how many people in this industry (probably many that you admire) suffer from ‘imposter syndrome’. Please don’t let it hold you back. If you want, contact me and I’ll answer any questions I can, or will find people who can answer your questions if I can’t. I’ll also do my best to convince you to feel the fear and do it anyway. Trust me, it’s worth it.

Take a look at this video to find out more about TeenTech. And, don’t miss the opportunity to take part in the Cyber Security Challenge European Competition.

By Dr Jessica Barker


2016 Cyber Security Conferences – update

This week has seen some important changes in news about UK cyber security conferences:

  • I’m sorry to see that 44CON Cyber Security won’t be running this year, although I have no doubt the main 44CON event in September will be as excellent as always
  • Great to see that DC44141 launched in Glasgow and was a very popular night – follow @ZephrFish for news of the next meet-up
  • Impressed to read the submissions for BSides London this year – there’s some tough competition! I hope my talk gets through but, regardless, I’m really looking forward to the day. Voting has now opened so check out the submissions and vote here
  • Tickets for EMF Camp have now closed, but with the promise that more may be available nearer the date
  • Don’t forget that more tickets for Steelcon go on sale next week. This conference is unmissable in my book – an absolute favourite.

Here’s an updated summary of my pick of the best UK Cyber Security conferences and events for spring and summer this year:

Spring Summer Cyber Security Cons 2016 v3

By Dr Jessica Barker


Do you think an information security conference of only women speakers is a good idea?

On International Women’s Day, earlier this week, I did a small poll on Twitter about women’s profile at information security conferences:

I usually do research on larger and more random samples, but for this question I specifically wanted people in the information security industry to respond, so Twitter seemed like the perfect place. The tweet got 231 votes and nearly 9,000 impressions. 52% of people voted against the idea of an infosec conference featuring only female speakers, and 48% voted yes.

As much as I wanted to do the poll, I also wanted to generate discussion and hear people’s opinions. The idea of a conference with female-only participants occurs to me pretty much every time I attend or speak at a conference, as the representation of women is always very low. But, I’ve never been fully convinced that it’s the right thing to do.

Shared opinions, in response to the poll, can probably be categorised into:

  • No, it’s sexist
  • Gender does not matter, only that the speaker is good at what they do
  • It’s the content which is important, not who is delivering it
  • Do blind submission instead
  • Conference organisers need to try harder
  • Yes

“It’s sexist”

I completely understand and support the argument that women and men should share the stage. That is the ultimate goal. We do not have that at all right now. Quite a few people argued that ‘you wouldn’t have a men-only conference’ which honestly surprised me as we often have conferences and panels which feature only men speaking. Not all conferences, but, at best, there will always be far more men speaking than women. There are more men working in this industry than women, so you would expect more male speakers than female ones, but I feel the disparity in speakers is greater than the disparity in those working in the industry. There is also the concern that we only reinforce the issue of wider gender disparity if women in the industry aren’t seen and heard.

“Gender does not matter, only that the speaker is good at what they do”

Again, in principle, I completely agree. If only society was structured like that. Do people honestly think that only 29% of our MPs are women because they’re the only ones good enough to do it? That less than 10% of UK FTSE100 CEOs are female because the rest of us aren’t up to the task? Or, for that matter, that conferences which feature only male, or overwhelmingly male, line-ups do so because there aren’t any women who are equally as good at what they do?

“It’s the content which is important, not who is delivering it”

See above – do you think that mainly men speak at conferences because the women working in this industry don’t have valuable content? If so, it seems a conference of female-only speakers is not just a good idea, but imperative to challenge such a misconception.

I have sat through countless presentations where the content should be interesting but the presenter does not have great speaking skills. Content is of course very important, but a good speaker can make anything interesting (see Morgan Freeman reading Justin Bieber’s lyrics if you don’t believe me). Of course, I don’t mean to imply that women are better presenters than men, but I wanted to make the point that the person delivering the content does matter.

“Do blind submission instead”

See above. The issue with blind submissions is that some presentations sound great on paper, but delivery matters. This argument also assumes that conference boards are to blame, selecting largely male speakers. However, having spoken at lots of conferences for the last few years, and often being the only woman or one of only a couple of women speaking, I’ve always asked the conference organisers why this is. I’ve lost track of how many times conference boards have told me I’m the only woman to have submitted. Most say that they are very keen to have more female speakers.

“Conference organisers need to try harder”

I agree that this would be very helpful and is possibly the best solution. The support of conference organisers for IRISSCON, Steelcon, Manchester Bsides and EMFCamp has been really encouraging to me over the last few years. However, the flip-side of this is that conference organisers want people who are very keen to speak to submit to their call for papers (cfp). They don’t want to have to convince you, because then the experience will most likely not be particularly enjoyable for you or for the audience. I don’t think this should stop organisers from reaching out to women and suggesting that they submit to the cfp, but it does mean that they are justified in not ‘twisting your arm’.

“Yes”

It would be great to hear more women in information security speaking about their work. It would showcase how many intelligent and inspiring women work in, study and support this industry. It may encourage younger women to consider information security as a career, it could encourage more women to speak at existing ‘mainstream’ events and it would highlight to conference organisers the women who are willing and able to speak at those existing events.

However, despite all of my arguments above, I’m still not convinced that this is the best solution to the issue of a lack of women presenting at infosec conferences. As some people commented, when seeking equality is it beneficial to create a divide? Would focusing on gender mean that the focus is on being a woman in security rather than a professional in security?

I’m inclined to think, as I always have, that this issue is a symptom of a complicated problem which is inter-related with women’s role in society in general, and the lack of women in this industry. What do I mean by that? I mean the man who ‘joked’ about a pre-teenage girl being ‘sexy’ on Twitter. The woman who told me she loves working in such a male-dominated industry because there’s less ‘competition’. The man who drunkenly shouted at me, after one of my talks, that I only get work because I’m ‘pretty’ (dude, you could be too: it’s called mascara).

I’m impatient. I want solutions to problems that are taking too long to progress. I know you all relate to that; it’s information security in a nutshell. But, as with information security, there is no quick fix. One respondent replied ‘in unity is strength’, which I very much agree with. Let’s keep working on being unified.

PS – shout out to Bsides London where 33% of talk submissions are currently by women. Bigger shout out to all the women thinking of submitting – do it! The deadline for the Bsides London cfp is March 28th. For information on other conferences which you may want to attend or – better yet – speak at, take a look at my post on the top infosec conferences of 2016.

By Dr Jessica Barker
