Sunday, October 31, 2010

Discussion re the Penetration Testing Industry

Chris over at Catch22 just posted up this excellent blog article.

A huge amount of commonality in thinking - Some extra thoughts on this:

Communication - over the last 12 or so years I have tried various training for testers along business lines etc., and there are very few who I would say are at the top of their game in both testing and reporting in business language. The few around are worth their weight in gold, but very rare, so my fallback solution was always to have a member of the team responsible for business QA and reporting. They'd still need to be at a high level of technical expertise, but the focus is different. (I do like Chris's idea of a tech reporting course though!)

Relevance - understanding the customer's needs is definitely key. As we've discussed, working with the customer so they understand what their options are, the value in different services etc., should be a part of every engagement.

Accountability - two thoughts on this. One is the name and shame as Chris mentions, but there are bound to be legal challenges, so the alternative is to use certifications (eg CREST, SANS etc) to be able to demonstrate to board level that you chose the right testers for the job, as the certification is effectively the entry qualification to the industry. In addition, you could go down the route of extensive logging (also would help for the repeatability section below) so you can prove every step.

Standards - absolutely! See our earlier posts on taxonomy and nomenclature to understand an element of where we see standards going, and we are planning to continue to work with a good range of experienced security individuals to define a set of industry standards.

Repeatability - I think where possible a number of organisations already do this. On a recent project, my customer wanted at least a minimum (including the parameters used and screenshots) to allow them to replicate the issue. That is only applicable for certain types of tests, but it goes a long way to help, and it is relatively light on resource so shouldn't price you out of the market.

The great thing is that more and more people are aiming the same direction. This has been a long time coming, but with passionate individuals, organisations and bodies, I think moving from the end of 2010 into 2011 will see a step change in the professionalisation of the industry.

Networking in Scotland

I mentioned the networking I have been doing, as any new start-up must, and I have realised the extraordinary variety in how these things work. Last week David and I went to the Banter in Edinburgh and were very impressed at the way Martin has it organised. Free to take part, hosted in a local coffee shop, Very fluid, come and go as you please, grab a coffee before moving into the group, but he watches for new entrants, and for us after a quick chat to ascertain what 7 Elements Ltd does, pointed us at the most likely useful contacts and carried out introductions.

Similarly the New Media Breakfasts hosted by FatBuzz in Glasgow and Edinburgh is a well laid out affair. Small cover charge, but the one I went to was at the Tower Restaurant, so the bacon butties were superb! The hosts (from FatBuzz and Winning Entrepeneurs) facilitated well, and carried out relevant introductions.

That facilitation role is the key - without it, you can wander aimlessly, fail to make the right contacts, and could leave the event very disheartened.

Saturday, October 30, 2010

IISP event on 4th November 2010

The next Scottish branch of the Institute of Information Security Professionals (IISP) event on the 4th will be kindly hosted by Napier University in Edinburgh (room F.29 at the Merchiston campus) and will have 2 speakers:

IISP Member - Matthew Pemble: "Preparing for the End - Data Destruction". Matthew is a popular speaker at many conferences and events and from two aspects of his day job has a pretty unique take on this topic. Find out more at Idrach's website.
IISP Programmes Manager and Chief Operations Officer - Triona Tierney: "The IISP Graduate Development and University Outreach Programmes" - if seriously considering information security as a career this talk could be invaluable.

Kickoff is from 6 for 6.30. Please do come along and support your local branch, join in the lively discussion, and meet fellow IISP members in your area. For more information and to register for this meeting, please email

The best source for joining instructions/maps etc is the Napier Merchiston page - it includes a link to Google Maps.

Friday, October 29, 2010

Scottish Financial Crime Group Conference Highlights 2010

This year's SFCG Conference was held at the Corn Exchange in Edinburgh yesterday and was a great success, with a wide range of delegates from Financial Services, Consultants, Vendors, Academia, Public Sector and Law Enforcement (Scottish and Welsh police, and the FBI)

For me the key highlights included:

A presentation by Robert Hartman of KPMG on Bribery and Corruption in the Financial Sector. Some very worrying statistics, but also a down to earth approach to the problem. Robert also highlighted to useful sources of information: Transparency International and Trace Compendium.

A presentation on the risks around Social Media by DI Keith McDevitt of the SCDEA, a topic which is close to my heart and one which I still hope to present on to one of the winter New Media Breakfast Briefings. Lots of interest in this area, and I had a good discussion with a number of delegates afterwards.

The launch of the e-crime Scotland website - with a huge amount of support from the Welsh Assembly Government, who launched theirs some time ago, Scotland now has it's own portal for information on e-crime, a reporting mechanism, and a gateway into the topic.

There was also a surprise talk by Professor Martin Gill, of the University of Leicester, who stepped in when one speaker was held up in transit. He spends a lot of his time interviewing criminals in prison and taking them to the crime scene to demonstrate how and why they commit their crimes. Some of his findings seem very non-intuitive, for example when confronted with the automatic lights homeowners may have fitted to the outside of the house, most burglars use them to scope out the property, identifying tools, escape routes, entry points etc. Not one stated it would put them off, as no-one ever checks when an automatic light comes on! Similarly CCTV was not seen as an issue.

Another useful point which came up was that when asked what they thought the likelihood of getting caught was (when given the options high, medium, low, none) they laughed at the question and said "zero likelihood" otherwise they wouldn't commit the crime, so the corollary to this is if we can persuade offenders that they will get caught at the time they are about to commit the crime then they are very unlikely to do it.

Although his talk was mostly about burglars, shoplifters and murderers, the same concepts hold true for white collar crime, so can we find ways to make criminals less certain they will get away with it at the time?

A member of the local fraud squad did tell me his solution was to push for removal of property under the Proceeds of Crime act, as going in to prison without the reward of a couple of million pounds at the end of the term can suddenly be a less enjoyable prospect, and letting criminals know that 'getting away' with a small stretch is no longer profitable can be a valuable deterrent.

Caught up with Lindsay Hamilton of Cervello - his company carries out database auditing (in fact he has joined forces with The Pete Finnegan to offer an awesome tool for Oracle auditing)

Some interesting exhibitors this year - M86 Security (the guys who incorporated Finjan into their product line) had some good chat around secure web gateways.

It was as ever a great networking opportunity - I always meet a lot of old friends and colleagues, as well as clients old and new, and these events give a good chance to catch up. One individual surprised me, as out of context I did not recognise her - a detective constable with the Specialist Fraud Unit. Turns out she sings with the Lothian and Borders Police Choir (who I play session guitar for on an occasional basis)

Wednesday, October 27, 2010

Been having an interesting time over the last couple of weeks meeting people at networking events. It is very reassuring to me that the basic business model underpinning 7 Elements Ltd appears to fit the needs of so many organisations.

We are providing services that are practical and effective for small or large organisations - and that work even in the current economic environment.

I presented for 45 minutes last night on behalf of ISACA Scotland to an audience, mostly from IT audit, from a range of organisations with a strong Scottish presence, and I have never seen so many people take notes throughout an entire talk! Usually a particular segment may interest one person, and another will want something else, but I think we got the right balance. The topic was "key security risks, and practical remediation steps" and drew on examples from the OWASP Top Ten, the Verizon data breach survey and the WHID white paper as well as my own experiences to indicate the highest risk areas which can be easily remediated.

The presentation will be up shortly on ISACA Scotland's web site as well as on 7 Elements.