My band, Metaltech, supported the mighty KMFDM this week at the Classic Grand in Glasgow. Now this was by no means the biggest gig we have played, having had successful gigs at the Wickerman, Belladrum and Rock Ness festivals etc., but in terms of pure awesomeness it wins hands down.
Trauma Inc. - a local Glasgow band kicked off, despite one of their number being hospitalised earlier in the week with an extreme allergy. Their sound is becoming more polished every gig.
Our gig was the best we have ever had - the house sound and light guys did us proud, we had an amazing mix, and KMFDM's fans really got into our set. Having them crammed down the front jumping (and singing) along really took us to a new level of excitement and fun. Our dancers, the Kamikaze Girls, from Edinburgh attracted a lot of attention too - big thanks to them for spicing up the dance floor! Barry, who runs the Classic Grand, made the entire evening run well, including an excellent after party. As ever Barry - apologies for the general mess we tend to leave...
And huge thanks have to go to Sascha, Lucia, Steve, Jules and Andy and their road crew for not only being an utterly lovely bunch of people and superb musicians, but for making us feel like part of the family for an evening. They delivered the promised Ultra Heavy beats, and made time to party with their fans, the support acts and generally hang out. Despite the obvious KMFDM influences in Metaltech's beats, I had never seen them live and I was soooo impressed at the skill each individual had (including Sascha and Lucia's wee daughter who joined in with soundcheck, despite being only 4 - there's a girl who is destined to be on stage!)
Hanging out with Lucia.
Already acquired the KMFDM WTF? t-shirt, so am a happy bunny
Steve, Lucia and Sascha rocking out!
The energy KMFDM have is amazing. This gig is 5 from the end of a long tour and they still give it everything...even through technical difficulties (a mic failed halfway through)
Aside from a gig tonight at the Cabaret Voltaire, I think Metaltech's 2011 live shows are at an end (next one isn't until January) but it has been an awesome year, with our album launch, festivals, loads of headline gigs, our Acoustech sideline and now this.
Let's see what 2012 brings for Metaltech.
Friday, November 18, 2011
Monday, September 12, 2011
So Alsop Consulting is on hiatus for a bit
I have happily taken on a new role - back in Big-4 consultancy - despite really enjoying owning and running my own company, and despite proving to myself that it is more relaxing and more profitable to run my own company!
After the experience of the best part of ten years working in, and then leading Ernst & Young's security team in Scotland, I was pleasantly surprised to be offered a very similar role in PricewaterhouseCoopers - to build and lead an information security team in Scotland.
The remit is nice and wide, the market is good, and I can draw on the experience and skills of a wide UK and global team in the short term while I grow local capability and resource.
Really looking forward to the next couple of years!
Friday, July 08, 2011
Exciting Happenings in Security Stack Exchange
You are probably aware I am one of the pro-tem Moderators for the global Security expert knowledge exchange Security.StackExchange.com, which was created as a public beta in November.
Well, we are almost at the stage of graduating to full Stack Exchange membership, with over 3000 users, and around 1000 visits a day, and the growth is increasing. Like the parent Stack Exchange group (currently with 57 sites live and over 19 million unique visitors) this question and answer site provides valuable information and guidance from experts and experienced professionals to a wide range of users.
A very cool visual identity has been crafted, and is almost finalised - check it out in this post by Jin.
To support this growth and transition to a full site, we have also created the Security Stack Exchange Blog - we went live this week. Check out the About page for a list of topics we are likely to cover, or request topics, either relating to questions, through our Question of the Week posts or by asking in the DMZ, our chat room.
On twitter, follow the hashtag #stacksecurity
Tuesday, July 05, 2011
The White Hat Rally 2011
The 2011 Carry-On themed White Hat Rally was fiercely fought last weekend, with teams from all over the UK taking part and raising money for the NSPCC's Childline, with a total raised by Sunday topping £25,000.
Across the sunniest 3 days this summer we travelled from Brighton to Blackpool, following clues, competing in challenges, suffering japes, sabotage and mechanical issues, and enjoying the hospitality of towns along the way, as well as getting to know a like-minded bunch of security professionals all trying to make a difference.
I joined the NUKSG team in Leeds on Thursday, and we drove the Yellow Peril (an ancient Dodge Caravan bought for £350, bright yellow with an interior entirely covered in red velour) down to Brighton, where we met the other teams for a pleasant social...quite late on, due to starter motor issues, traffic, and the Yellow Peril's lack of a top speed (among other issues)
Day one - we met up at Brighton beach, a motley collection of classic cars, sports cars, agricultural and emergency vehicles and bangers. The day involved a lovely journey across the South Downs, following clues and ending up in Cheltenham. Each team had GPS tracking apps to allow the organisers and families to see how we were doing. At our first checkpoint stop the Pirates O' Pentest opened up the back of their ambulance to display a fully featured and functional cocktail bar - which went down very well at each stop for the next 3 days - raising extra money for charity. Lunch was hosted at Brooklands Museum, the birthplace of British motorsport and aviation, and included a speech by the Green Goddess, who also led us in some mild aerobics, despite being in her 70's. I was delighted to sit on the banking, poke around the classic cars and aircraft and play on the F1 simulator.
Due to a minor organisational hiccup, The StoryTeller restaurant in Cheltenham were not made aware of the party of 67 until a couple of hours before we arrived, but they coped amazingly well - getting us all seated and providing a lovely dinner.
The Scavenger Hunt in Cheltenham attracted a few entrants, but we didn't find out the results until Sunday night.
Saturday saw us winding through the countryside up to the oldest brewery in the UK, the Three Tuns in Shropshire, for lunch, a tour of the brewery and tasting of some new brews. I also met the lovely Clare Marie - the hostess of Dr Sketchy's London art events. The afternoon drive then led us up to Buxton and the Palace Hotel for our evening stop. Once again we were provided with an excellent dinner, this time at the Railway, and a Carry On quiz.
Sunday was a relatively short run, with some straightforward clues that got us to Blackpool, and the Big Blue hotel - which is where we were finally joined by 2 of our number we hadn't seen for the entire event...because they cycled the entire way!! Fancy dresses were out in force, and everyone had a great time on the rollercoasters and rides before dinner (can't believe I stayed on the Big One for 3 laps - I'm terrified of heights!) and prizegiving at the White Tower.
Team NUKSG did not win best dressed car, best fancy dress, or the prize for the quiz or scavenger hunt; however, we did raise the most money, so we were the overall winners and took home the star prize - a bottle of the Three Tuns' Cleric's Cure each!
We are obviously keen to keep raising money so please visit our sponsorship page.
I will edit pictures in here, but the official picture page is here at Picasa.
Many thanks again to my sponsors:
- Virgin Money - Virgin's banking department, and the providers of Virgin Money Giving - the only not-for-profit charity payments site.
- Security Stackexchange - Global security Q&A and education site
- Metaltech - my Rock band, preparing for new album launch party in August (@metltek and #burnyourplanet on Twitter)
Tuesday, June 28, 2011
Security & Cybercrime Symposium
Slides from my presentation at the Security & Cybercrime Symposium are up.
I had a bit of a hectic day, having hosted the ISACA Scotland AGM in the morning, but I made it to Napier University in time to catch the majority of the speakers, as well as to present my piece on where we need to fix the problems with IT and Information Security.
Bill Buchanan and team did a grand job of organising the day - it was an excellent networking opportunity and had some thought provoking presentations.
The list of speakers was:
Tony Mole - Head of the Scottish Drug Enforcement Agency (SCDEA)
Ian Bryant - Principal Information Security specialist at HM Government
Fred Piper - Royal Holloway
Don Smith - Dell SecureWorks
Tabassum Sharif - Flexiant
Rory Alsop - Alsop Consulting
Mike Dickson - SCDEA
Alan Moffat - Scottish Information Assurance Forum.
Russell Scott - Scottish Police
Nigel Jones - 2Centre
Martin Borrett - Director of the IBM Institute of Advanced Security in Europe
John Howie - Head of Cloud Services within Microsoft plc
- Not with educating security professionals - we know this stuff - and not with developers - in general developers want to get this right...
- It's persuading the business owners to give a **** about it, to sponsor it, to require secure code, to budget for it etc.
- And to do this we need to get much better at talking their language. No-one in business is going to learn to speak IT Security, so we need to talk business risk, operational risk, real impact to the organisation.
Sunday, May 29, 2011
White Hat Rally for Childline - 32 days to go
Many of you will know of the White Hat Ball and the White Hat Rally - professionals from the information security world raising money for Childline. I have attended the ball a couple of times, but always in the past I have missed out on the rally so I'm delighted that this year I'm taking part.
This year the theme is Carry On Driving, running from Brighton to Blackpool from the 1st to 3rd of July and I have joined team "8485 80085" the Northern UK Security Group (NUKSG) team.
I will obviously be looking for as much sponsorship as possible, and there are a couple of options open - donations through the Virgin giving site, or sponsorship to get your logo on the car, on our t-shirts etc:
- the donations page
- corporate sponsorship
All donations welcome!
Monday, May 23, 2011
Moving on from 7 Elements
So - we have come to the end of the wee project we set up last year, and I thought I should pop down some of my lessons learned and my thoughts on my next moves:
For me, the contrast between the global world of Ernst & Young, and our local 7 Elements world has shown that some things are the same at any scale. Interestingly the same people engaged me working as a small company as I would have expected from my previous role leading a team across multiple countries. The key is the people relationship - if someone likes and trusts you they will want to work with you.
I have definitely discovered what I enjoy least and most in day to day infosec work, and confirmed what is most valuable to me - my family first, then my profession. Being able to take my kids to school most days is a wonderful return to sanity.
I really enjoy meeting people who are either committed to security or those who aren't really security literate but want to understand and implement secure code or controls. It's also very rewarding to come into a 'greenfield' environment and make a distinct improvement in their security posture (I know, I used the 'P' word...)
OnStartups - part of the StackExchange family has been an incredibly good source of information. Kind of wish I'd hung out there before we founded 7 Elements!
So, not exactly sure what is happening now. Am looking at two sets of options - couple of really interesting permanent roles are being created at the moment, and a few companies have asked if I can do some consulting work over the next few months. So I guess we'll see. If it's consulting I have my Alsop Consulting company - check out www.alsop.net and if it's full time then I'll let you know:-)
Penetration Testing? A Taxonomy
Initially while I was at Ernst & Young, then through my 7 Elements time, and with the help of many others from vendors and industry, I have been putting some thought into how penetration testing is currently sold and delivered and how we can improve the process for customers and suppliers. This is a consolidation of posts from other areas, and ideally should be built into the process along with the Penetration Testing Execution Standard.
One of the key issues that we see is that there are different reasons to go broad, or deep. A wide review could aim to identify a range of areas which should be improved, whereas a targeted attack simulation could give good information on what an attacker could do with an opening in the perimeter, combined with weak access controls for example, but may not find many vulnerabilities.
The second issue is with vendors that sell you a "penetration test" but only deliver a lower level of assessment and this can lead to a false sense of security.
So the problem with the "penetration test" term is that most people associate it with this idea that you'll also get coverage of security issues, rather than a focus on specific weaknesses and how they're exploitable.
At the end of the day, an attacker only needs to find one exploitable vulnerability, so while there are certain situations where allowing security testers free rein to go for the crown jewels may be the best option, due to the prevalence of the perimeterised "hard on the outside, soft on the inside" security model, organisations may find a broader approach provides greater assurance for the same budget.
So there is almost a forked model of testing. Typically you would begin with discovery, scanning for common vulnerabilities, and then assessment of those vulnerabilities. After this, the split could be towards Security Assessment (the broad review to find as many vulnerabilities as possible and assess the risk to the business) or towards Penetration Testing (the attempt to exploit and penetrate the organisation to gain access to a particular target).
There will be occasions where these two forks could join up again, where you want a broad review with added information on the extent to which a real world attacker could penetrate.
In order to make it easier to discuss the various stages, our taxonomy is as follows. Please leave comments if you feel improvements are required, and we will develop the taxonomy accordingly:
Discovery
The purpose of this stage is to identify systems within scope and the services in use. It is not intended to discover vulnerabilities, but version detection may highlight deprecated versions of software / firmware and thus indicate potential vulnerabilities.
Vulnerability Scan
Following the discovery stage, this looks for known security issues by using automated tools to match conditions with known vulnerabilities. The reported risk level is set automatically by the tool with no manual verification or interpretation by the test vendor. This can be supplemented with credential-based scanning, which looks to remove some common false positives by using supplied credentials to authenticate with a service (such as local Windows accounts).
Vulnerability Assessment
This uses discovery and vulnerability scanning to identify security vulnerabilities and places the findings into the context of the environment under test. An example would be removing common false positives from the report and deciding risk levels that should be applied to each report finding to improve business understanding and context.
Security Assessment
Builds upon Vulnerability Assessment by adding manual verification to confirm exposure, but does not include the exploitation of vulnerabilities to gain further access. Verification could be in the form of authorised access to a system to confirm system settings and involve examining logs, system responses, error messages, codes, etc. A Security Assessment is looking to gain a broad coverage of the systems under test but not the depth of exposure that a specific vulnerability could lead to.
Penetration Test
Penetration testing simulates an attack by a malicious party. It builds on the previous stages and involves exploitation of found vulnerabilities to gain further access. Using this approach will result in an understanding of the ability of an attacker to gain access to confidential information, affect data integrity or availability of a service, and the respective impact. Each test is approached using a consistent and complete methodology in a way that allows the tester to use their problem solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would or could not be identified by automated tools. This approach looks at the depth of attack, as compared to the Security Assessment approach that looks at the broader coverage.
Security Audit
Driven by an Audit / Risk function to look at a specific control or compliance issue. Characterised by a narrow scope, this type of engagement could make use of any of the earlier approaches discussed (vulnerability assessment, security assessment, penetration test).
Security Review
Verification that industry or internal security standards have been applied to system components or a product. This is typically completed through gap analysis and utilises build / code reviews, or reviews of design documents and architecture diagrams. This activity does not utilise any of the earlier approaches (Vulnerability Assessment, Security Assessment, Penetration Test, Security Audit).
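The difference between the Vulnerability Scan and Vulnerability Assessment stages above is easy to state and easy to lose in a report, so here is a small worked example of the assessment step, added here and not part of the original post or of any tool mentioned in it. It takes raw scanner findings (the tool's own severity, no interpretation), suppresses findings that earlier work has verified as false positives, and re-rates the remainder against an asset register. The findings, hosts, asset register, false-positive record and rating rules are all constructed for illustration; in particular, the rule that context moves a rating by at most one level is an assumption of this example, chosen so that bigger changes are left to the manual verification of the Security Assessment stage rather than to a script.

```python
"""Turn raw vulnerability-scan output into a contextualised assessment.

A scanner rates a finding purely from the signature that matched. The
assessment stage adds what the scanner does not know: which findings have
already been verified as false positives, and how exposed and how important
each host is. Everything below is constructed sample data; the rating rules
are illustrative assumptions, not a standard.
"""
from dataclasses import dataclass

# Constructed scanner output: what an automated tool emits unassisted.
SCAN_FINDINGS = [
    {"host": "10.0.1.10", "check": "OpenSSH < 5.9 multiple issues",
     "tool_severity": "High", "evidence": "banner OpenSSH_5.3"},
    {"host": "10.0.1.10", "check": "SSH weak MAC algorithms",
     "tool_severity": "Low", "evidence": "hmac-md5 offered"},
    {"host": "10.0.2.20", "check": "Web server default page",
     "tool_severity": "Low", "evidence": "GET / -> 200 'It works!'"},
    {"host": "10.0.2.20", "check": "SQL injection in login form",
     "tool_severity": "High", "evidence": "database error returned for test input"},
    {"host": "10.0.3.30", "check": "SMB signing not required",
     "tool_severity": "Medium", "evidence": "SMB2 negotiate: signing optional"},
]

# Constructed asset register: the environmental context a scanner lacks.
ASSETS = {
    "10.0.1.10": {"criticality": "Low", "internet_facing": False, "owner": "build team"},
    "10.0.2.20": {"criticality": "High", "internet_facing": True, "owner": "online sales"},
    "10.0.3.30": {"criticality": "High", "internet_facing": False, "owner": "finance"},
}

# Constructed record of false positives verified in earlier assessment work,
# keyed by (host, check) and carrying the justification so it can be audited.
VERIFIED_FALSE_POSITIVES = {
    ("10.0.1.10", "OpenSSH < 5.9 multiple issues"):
        "distro backported the fixes; package changelog checked 2011-05",
}

LEVELS = ["Info", "Low", "Medium", "High", "Critical"]


@dataclass
class AssessedFinding:
    host: str
    check: str
    tool_severity: str
    assessed_risk: str
    rationale: list  # why the rating moved (or why it needs a closer look)


def shift(level, steps):
    """Move a rating up or down the LEVELS scale, clamped at both ends."""
    i = LEVELS.index(level) + steps
    return LEVELS[max(0, min(len(LEVELS) - 1, i))]


def assess(findings, assets, false_positives):
    """Apply environment context to raw scan findings.

    Returns (assessed, suppressed). `assessed` holds the remaining findings,
    highest assessed risk first, each with the reasons for its rating;
    `suppressed` holds the verified false positives with their justification.
    Context moves a rating by at most one level either way (an assumption of
    this example): anything needing a larger change is flagged for manual
    verification rather than re-rated automatically.
    """
    assessed, suppressed = [], []
    for f in findings:
        key = (f["host"], f["check"])
        if key in false_positives:
            suppressed.append((f, false_positives[key]))
            continue
        why, delta = [], 0
        asset = assets.get(f["host"])
        if asset is None:
            asset = {"criticality": "Medium", "internet_facing": False}
            why.append("host not in asset register: confirm it is in scope")
        if asset["internet_facing"]:
            delta += 1
            why.append("internet facing")
        if asset["criticality"] == "High":
            delta += 1
            why.append("high-criticality asset")
        elif asset["criticality"] == "Low":
            delta -= 1
            why.append("low-criticality asset")
        if abs(delta) > 1:
            why.append("several factors apply: verify manually before rating higher")
        delta = max(-1, min(1, delta))
        assessed.append(AssessedFinding(f["host"], f["check"], f["tool_severity"],
                                        shift(f["tool_severity"], delta), why))
    assessed.sort(key=lambda a: LEVELS.index(a.assessed_risk), reverse=True)
    return assessed, suppressed


if __name__ == "__main__":
    kept, dropped = assess(SCAN_FINDINGS, ASSETS, VERIFIED_FALSE_POSITIVES)
    for a in kept:
        print(f"{a.assessed_risk:8} (tool said {a.tool_severity:6}) {a.host} {a.check}"
              f" [{'; '.join(a.rationale)}]")
    for f, reason in dropped:
        print(f"SUPPRESSED {f['host']} {f['check']}: {reason}")
```

The point of keeping the rationale and the suppression reason on every record is that the assessment has to be defensible to the business owner reading the report: a rating that moved, or a finding that vanished, should carry the reason it did so.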
Sunday, March 06, 2011
Report: Joint IISP and ISACA event in Scotland - 17 Feb
(Copied over from my old blog post)
The Scottish branch of the IISP and ISACA Scotland hosted a joint talk on the 17th of February at the English Speaking Union with our guest speaker, Louise Behan, of the Lothian And Borders Police Specialist Fraud Unit.
Louise described the remit of the fraud unit, which includes investigation of contraventions of the Company, Insolvency and Bankruptcy laws, all public sector corruption enquiries, major or complex enquiries involving offences against the financial industry, major embezzlements, particularly those perpetrated by professional persons such as solicitors, accountants and bank officials, enquiries from government departments, the Procurator Fiscal and the Crown Office Fraud Unit, multiple account enquiries, e.g. cross-firing of cheques, collusive merchant enquiries, counterfeit credit cards, major credit/debit card enquiries as well as complex enquiries from other Forces and Agencies.
A significant amount of casework the fraud squad deals with originates in people misusing systems in place or getting round technical controls. In terms of honesty, Louise pointed out that a recent survey showed that most people (80%) are not 100% honest. When times are hard, as now, crime tends to increase, as people struggle with difficult economic circumstances. Very often, the cases dealt with by the Unit have as their main suspect someone with no criminal record. This also means that profiling fraudsters is hard – and of course the best ones are very good at hiding it.
Louise estimated around a third of the fraud she personally sees is internal – with an employee or manager of a company discovering a weak control that can be subverted, and using their position to hide the evidence of fraud. She provided a quick look at some niche frauds, where a criminal has found an area where they could make money in the short term – such as forging one pound coins. It’s unexpected, and when the fakes were good enough, it remained undiscovered for many years. Even ‘small’ frauds can evidently mount up to significant losses, and so the point is that a long term ‘small’ scheme can have just as much impact as a short term ‘big hit’.
In subverting IT controls for financial gain, the risk can be perceived by individuals as very low, whereas the reward can be very high. For example, mortgage fraud can net large sums of money. For the fraud unit investigating these crimes, the issue is that if the controls are too poor, gaining enough evidence to present a reasonable case can be a challenge – so if you don’t keep solid audit logs and implement strong access controls, this may lead to insufficiency of evidence when your systems are breached, without which the Procurator Fiscal cannot take the case forward to prosecution.
The nature of fraud means that investigations often take some time, and there are evidential requirements which can take some time to fulfil, such as obtaining and executing warrants to obtain information, which has to be appropriately authenticated, with continuity of evidence ensured during seizure. Recovery of money or loss depends entirely on the criminal - if there are recoverable assets, the police always look at the potential for compensation; however, if the fraud is remote (e.g. perpetrated from outwith the UK) the likelihood of recovery tends to be less. And if the criminal has no assets then recovery isn't possible.
The aim of the unit is to make the life of the fraudster as unattractive and uncomfortable as possible. It's not likely to be an aim with an end in sight - fraud is only limited by human ingenuity - but we continue nonetheless to try to keep up, or sometimes get ahead a little.
So what can you do to help?
- Keep an eye out for known individuals – the Fraud Squad and SCDEA do provide information to intelligence departments in banks
- Audit rigorously and log everything
- Use mystery shoppers to test in store security procedures
- Make examples of the ones who get caught – especially for internal fraud
- Understand the mind of the fraudster – how would YOU subvert your controls.
The Scottish branch of the IISP and ISACA Scotland hosted a joint talk on the 17th of February at the English Speaking Union with our guest speaker, Louise Behan, of the Lothian And Borders Police Specialist Fraud Unit.
Louise described the remit of the fraud unit, which includes investigation of contraventions of the Company, Insolvency and Bankruptcy laws, all public sector corruption enquiries, major or complex enquiries involving offences against the financial industry, major embezzlements, particularly those perpetrated by professional persons such as solicitors, accountants and bank officials, enquiries from government departments, the Procurator Fiscal and the Crown Office Fraud Unit, multiple account enquiries, e.g. cross-firing of cheques, collusive merchant enquiries, counterfeit credit cards, major credit/debit card enquiries as well as complex enquiries from other Forces and Agencies.
A significant amount of casework the fraud squad deals with originates in people misusing systems in place or getting round technical controls. In terms of honesty, Louise pointed out that a recent survey showed that most people (80%) are not 100% honest. When times are hard, as now, crime tends to increase, as people struggle with difficult economic circumstances. Very often, the cases dealt with by the Unit have as their main suspect someone with no criminal record. This also means that profiling fraudsters is hard – and of course the best ones are very good at hiding it.
Louise estimated around a third of the fraud she personally sees is internal – with an employee or manager of a company discovering a weak control that can be subverted, and using their position to hide the evidence of fraud. She provided a quick look at some niche frauds, where a criminal has found an area where they could make money in the short term – such as forging one pound coins. It’s unexpected, and when the fakes were good enough, it remained undiscovered for many years. Even ‘small’ frauds can evidently mount up to significant losses, and so the point is that a long term ‘small’ scheme can have just as much impact as a short term ‘big hit’.
In subverting IT controls for financial gain, the risk can be perceived by individuals as very low, whereas the reward can be very high. For example, mortgage fraud can net large sums of money. For the fraud unit investigating these crimes, the issue is that if the controls are too poor, gaining enough evidence to present a reasonable case can be a challenge. So if you don't keep solid audit logs and implement strong access controls, there may be insufficient evidence when your systems are breached, and without it the Procurator Fiscal cannot take the case forward to prosecution.
The nature of fraud means that investigations often take some time, and there are evidential requirements which can take some time to fulfil, such as obtaining and executing warrants to obtain information, which must be appropriately authenticated, with continuity of evidence ensured during seizure. Recovery of money or losses depends entirely on the criminal - if there are recoverable assets, the police always look at the potential for compensation; however, if the fraud is remote (e.g. perpetrated from outwith the UK) the likelihood of recovery tends to be lower. And if the criminal has no assets then recovery isn't possible.
The aim of the unit is to make the life of the fraudster as unattractive and uncomfortable as possible. It's not likely to be an aim with an end in sight - fraud is only limited by human ingenuity - but we continue nonetheless to try to keep up, or sometimes get ahead a little.
So what can you do to help?
- Keep an eye out for known individuals – the Fraud Squad and SCDEA do provide information to intelligence departments in banks
- Audit rigorously and log everything
- Use mystery shoppers to test in store security procedures
- Make examples of the ones who get caught – especially for internal fraud
- Understand the mind of the fraudster – how would YOU subvert your controls.
Friday, February 18, 2011
B Sides San Francisco
Day 1 of B-Sides San Francisco
The awesome guys at Security Stack Exchange got me 8000 miles across the world to blog B-Sides San Francisco, and it was an amazing opportunity to mix with Infosec professionals from various industries.
All my photos from this trip are on my Picasa page.
My highlights from Day 1:
Gone in 60 keystrokes: Dr Mike Lloyd: Red Seal
Sure, this was a vendor presentation, designed to point out a problem which his product solves well, but Mike didn't ram that point home. His presentation was solidly grounded in real world experience. Mike listed common errors which creep in on even the simplest firewall rulesets - incorrect netmasks, a user readable label for an IP address not matching the actual address etc.
In a small ruleset, a visual inspection - going over the printout with a highlighter - may be enough, but for an enterprise firewall, not only do you come across much larger rulesets, but the risk or impact may also be higher.
Mike's guidance - instead of trawling the ruleset manually, focus on outcomes to understand what is happening - what does the network do? Where does information flow? Where is authentication used? Where do 3rd parties connect?
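As an added example (not from the talk, and not RedSeal's product), here is a small Python linter for the two error classes Mike listed, run over a constructed ruleset: prefixes with host bits set or an impossible length, and labels that name an address the rule does not actually cover. The Rule record, the sample addresses and the output format are all assumptions.

```python
"""Lint a firewall ruleset for two common human errors: bad netmasks and
labels that do not match the address they claim to describe."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule record; a real export will carry more fields."""
    label: str    # human-readable name typed by an admin
    source: str   # network as typed: a.b.c.d/prefix or a.b.c.d/mask
    dest: str
    action: str


# Constructed sample ruleset (not from the talk), seeded with the error classes listed.
SAMPLE_RULES = [
    Rule("web01-10.0.0.5", "0.0.0.0/0", "10.0.0.5/32", "allow"),               # clean
    Rule("db-subnet", "10.0.1.0/24", "10.0.2.17/24", "allow"),                  # /24 on a host address
    Rule("mgmt-192.168.10.20", "10.0.9.0/24", "192.168.10.21/32", "allow"),    # label says .20, rule permits .21
    Rule("partner-vpn", "203.0.113.0/255.255.255.0", "10.0.3.0/24", "allow"),  # dotted mask, valid
    Rule("old-typo", "10.0.0.0/33", "10.0.0.0/8", "deny"),                     # impossible prefix length
]

IPV4_IN_LABEL = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def check_netmask(field: str, value: str) -> List[str]:
    """Flag prefixes that cannot be parsed or that have host bits set."""
    try:
        ipaddress.ip_network(value, strict=True)
        return []
    except ValueError:
        pass
    try:
        widened = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return [f"{field}: unparsable network {value!r}"]
    return [f"{field}: {value} has host bits set; did you mean {widened} or a /32?"]


def check_label(rule: Rule) -> List[str]:
    """If the label embeds an IPv4 address, it must fall inside the rule's source or dest."""
    m = IPV4_IN_LABEL.search(rule.label)
    if not m:
        return []
    try:
        labelled = ipaddress.ip_address(m.group(0))
    except ValueError:
        return [f"label: {m.group(0)!r} is not a valid address"]
    nets = []
    for value in (rule.source, rule.dest):
        try:
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            continue  # already reported by check_netmask
    if any(labelled in n for n in nets):
        return []
    return [f"label: says {labelled} but rule covers {rule.source} -> {rule.dest}"]


def lint_rule(rule: Rule) -> List[str]:
    return check_netmask("source", rule.source) + check_netmask("dest", rule.dest) + check_label(rule)


def lint_ruleset(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each rule label to its findings (an empty list means the rule is clean)."""
    return {r.label: lint_rule(r) for r in rules}


if __name__ == "__main__":
    for label, findings in lint_ruleset(SAMPLE_RULES).items():
        print(label, "->", findings or "clean")
```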
Security, Supply Chains and You: Hart Rossman: SAIC
Another good real world talk. Hart provided excellent detail on a variety of areas where supply chain errors will impact a business - nothing new, but solid examples of what goes wrong.
Screw The TSA - I'll Be Where I Want And Get Credit For It: Ray Kelly: Barracuda Networks
Location based social networking - how does it work, how can we exploit it?
Examples include 4square, MeetMoi (a seriously creepy stalking location based dating tool) and Ratio Finder (an app which uses 4square - checks where most women and men are...)
The problem with these apps is the same old one: they trust the browser to send correct data. As an example, 4square sends a variable called VID, along with location coordinates. The only check on 4square seems to be a quick validation on speed (e.g. if I check in in the UK, and then check in in the US 5 minutes later, it won't believe I am there. It will let me check in, but not credit me with really being there).
So why is this interesting?
To provide an alibi? Maybe.
To create a perception of your lifestyle? Possible.
To get free stuff? Definitely: More and more retail outlets provide freebies and giveaways to people who check in - simple win: google for a 4square giveaway, check in and collect.
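The speed validation described above, written out as a server-side check in Python as an added example (not Foursquare's code): the client-supplied coordinates are untrusted, the timestamp comes from the server clock, every check-in is recorded, and credit is withheld when the implied travel speed from the last credited location is impossible. The 1000 km/h threshold, the service class and the city coordinates are assumptions.

```python
"""Server-side plausibility check for location check-ins whose coordinates
arrive from an untrusted client."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: anything faster than a long-haul airliner is impossible travel.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class CheckIn:
    user_id: str
    lat: float         # client-supplied, so untrusted
    lon: float         # client-supplied, so untrusted
    received_at: int   # server clock, seconds since epoch; never taken from the client


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lam = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(prev: CheckIn, cur: CheckIn) -> float:
    """Speed the user would have needed to get from prev to cur (inf if no time elapsed)."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.received_at - prev.received_at) / 3600.0
    if hours <= 0:
        return math.inf if dist > 0 else 0.0
    return dist / hours


class CheckInService:
    """Records every check-in, but only credits those whose travel from the
    last credited location is physically plausible."""

    def __init__(self, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> None:
        self.max_speed_kmh = max_speed_kmh
        # user_id -> list of (check-in, credited?)
        self.history: Dict[str, List[Tuple[CheckIn, bool]]] = {}

    def submit(self, c: CheckIn) -> Tuple[bool, str]:
        entries = self.history.setdefault(c.user_id, [])
        last_credited = next((e for e, ok in reversed(entries) if ok), None)
        if last_credited is None:
            credited, reason = True, "first credited check-in"
        else:
            speed = implied_speed_kmh(last_credited, c)
            if speed > self.max_speed_kmh:
                credited, reason = False, f"implausible travel: {speed:.0f} km/h"
            else:
                credited, reason = True, f"ok: {speed:.0f} km/h"
        entries.append((c, credited))   # recorded either way, credited or not
        return credited, reason


if __name__ == "__main__":
    # Constructed walk-through: London, then New York five minutes later, then Edinburgh.
    svc = CheckInService()
    t0 = 1_300_000_000
    print(svc.submit(CheckIn("alice", 51.5074, -0.1278, t0)))
    print(svc.submit(CheckIn("alice", 40.7128, -74.0060, t0 + 5 * 60)))
    print(svc.submit(CheckIn("alice", 55.9533, -3.1883, t0 + 2 * 3600)))
```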
Letting Someone Else's Phone Ring At 3am: Building Robust Incident Management Frameworks: Andy Ellis: Akamai
As Akamai has an extremely large network, and a vast number of clients depending on uptime and performance, managing outages or loads quickly and efficiently is important. The key, according to Andy, is to minimise those things which can impact the response - human error, tiredness, lack of knowledge, lack of understanding, lack of key contacts etc.
Initial thoughts:
- Automate tools in advance
- Be prepared for things to break
- Get to the best person as quickly as possible
- Segregate response functions to avoid neural congestion
- Design to scale up and down
- Learn from your mistakes
3 'standing' conference bridges are used for incidents so the main one does not get clogged.
To get the best people on the incident, Akamai encourage self-reliance and delegated responsibilities by training throughout. All development managers are given responsibility for fixing their own area, and are provided training to support this.
During an incident, crisis managers are allowed to bypass controls in order to solve the problem quickly.
Common context has been defined, so all can understand severity (4 severity levels)
4 phases are also used:
- it's broken (minutes count)
- it's bandaged (hours count)
- it's fixed (days count)
- learn from it
Each incident has a NOC technician, who brings in a platform exec or SME. Each team has to provide a list of folks to call, and the order to call them in.
Multiple roles are avoided. Roles are handed off after 4-9 hours to allow team members to rest. Unnecessary team members are dismissed from the team.
Vulnerabilities and projects are tracked and measured.
Learning at all levels - system owner (what do I fix), directors (How do I stop this sort of thing happening again), c-level (What trends need to be dealt with)
The Afterparty was also a great success, with DualCore keeping the crowd entertained until the early hours.
After that, the hardcore crowd ended up at Denny's, talking security, politics, gun control and the early hacking scene, as well as the Security Stack Exchange concept and my band's nomination for an award (we ended up coming 2nd in the Metal category of the Scottish Alternative Music Awards)
Day 2 of B-Sides SF (pictures all up now on my Picasa page)
After very little sleep, headed over to Zeum early and as one of the volunteers was missing presumed sick I volunteered to be a Roamer for the day. Red T-shirt (would this mean I wasn't going to return to the Enterprise?), earpiece and simple duties (keep an eye out for people going where they shouldn't.)
There were so many good speakers on Day 2 I found myself dotting between them to try and pick up content, but I did enjoy Anton Chuvakin's talk on SIEM. The key point he made was that you need to plan resources for it. I quote: "If you only have an hour a month to do SIEM, stick to log management. Dedicate at least 50% of someone's time."
Andrew Hay, Richard Bejtlich and Travis Reese's talk on Cyber Security Marketecture was well received as well. Some arguments about particular points, but in a generally productive spirit. I think they focused a little too hard on APT to the exclusion of all else, but they did cover APT in a rational way, unlike the usual FUD. I like the comment about Stuxnet - not very advanced or persistent but definitely a cyber warfare threat.
I also managed to get brief interviews with Jack Daniel of Astaro and Jon Speer of Tripwire to find out what sponsors get out of BSides. They both had remarkably similar viewpoints. They see value from:
- Connecting with security professionals
- Learning from and teaching the security community
- Meeting potential employees
- Having fun
After lunch I managed to win The Manga Guide to Databases in the raffle (Excellent Prize) before the BSidesSF Carousel ride!
Dave Shackleford and Andrew Hay's "A Brief History of Hacking" was also very entertaining, including along the way the good and bad hacker films.
Robert Zigweid of IOActive then spoke about a topic quite close to our hearts here at 7 Elements - threat modelling taxonomy. He splits threats into the following types:
- spoofing
- tampering
- repudiation
- information disclosure
- denial of service
- privilege escalation
And these impact categories:
- damage potential
- reproducibility
- exploitability
- affected users
- discoverability
Damon Cortesi's talk on Developers also included Threat Modelling - it is becoming pervasive.
The EFF panel was very well received, but I only caught a small piece of it: the key role of end-to-end encryption in avoiding compromise by threat sources as well as misuse by governments, and their view that subject lines and text messages are definitely content, while email addresses and IP addresses may be in certain circumstances.
Raffael Marty spoke on log analysis and visualisation in the cloud. This is an area which is likely to become all too important as more and more services are pushed to the cloud. Loggly have the concept of logging as a service, and Raffael's talk included an important piece on the need for visibility of dynamically scaling virtualised environments and the hypervisor, as well as availability.
I then said my goodbyes to the wonderful BSidesSF folks and volunteers - Banasidhe, MikD, djbphaedrus, Duckie, CindyV etc - and headed east for the OWASP meet, where we had a very worrying discussion around the security of critical national infrastructure...
Day 3 - RSA, ISACA and IISP
After all the B-Sides fun and games, I managed to get an Expo pass for RSA (thanks to the Damballa folks) so thought I should pop in, chat to a few key folks and grab some swag to take home.
Highlights:
- I got to take apart a real Enigma machine at the NSA booth!
- Almost won a Kindle at the M86 quizshow
- Had a good chat with the Australians at the Cryptsoft booth
- Learned all about Splunk
- Had to sit through a very content free Kaspersky talk
- Gal Shpantzer gave me a good Becrypt run through
- Had far too many burgers at the Qualys bar
San Francisco trip
So - was over in San Francisco for the B-Sides SF security conference (and also managed to pop into RSA) which I have blogged about in a separate post, but as I managed to have some time to see the city and friends I thought I'd blog the non-work stuff as well.
After leaving Edinburgh in freezing temperatures, with ice on the cars, I had an excellent flight over with Virgin Atlantic, despite being in cattle class the whole way. It was a fairly empty plane, so by the time we arrived in SF I had been able to stretch out, watch 4 films and was raring to go. Was picked up from the airport by Danny - and the plan was to celebrate his birthday, so straight back to San Rafael in Marin County where the weekend commenced in 27 degree temperatures!
Marin County is beautiful, and all the restaurants visited were excellent. Definitely recommend Taqueria Bahia! Most of the evening's festivities were courtesy of Country Club Bowl, and then the Mayflower, finishing up with Soul Food on the way home.
Good to meet so many fun and interesting people.
Saturday morning, and off to Theresa and Johnny's Comfort Food in San Rafael - big breakfast saved the day.
We then took in a tour out to Point Reyes, near Inverness, and had a chilled out day, before heading off to watch the B-Side 70's kick off their tour at the Broadway Studios.
Sunday, got a lift into the city to check into the Hilton Union Square. Got a brilliant room upgrade to the 42nd floor, and then met up with Stew, a long term poster on the Empeg BBS who took me for a car tour of SF in his supercharged Honda Del Sol, starting with the corner of Haight and Ashbury :-)
Really enjoyed seeing Lombard Street, Fisherman's Wharf, the drive to Treasure Island to see the city from there, Coit Tower and then over through the Presidio to the Cliff House for dinner with more empeg guys - Hugo and Neil, as well as Neil's wife Lucia. Cheers for an excellent evening guys, and a huge thanks to Stew for driving me round everywhere.
Monday and Tuesday were all about the B-Sides conference, covered over on the 7Elements blog, and then on Wednesday before heading home I managed to take a trip on the trolley cars - in hail and snow (very briefly)
Many thanks again to Danny for the airport runs, as well as putting me up for the weekend and taking me out to some excellent places.
Definitely want to go back!
Monday, January 31, 2011
February is getting busy: The Scottish Alternative Music Awards 2011, and Acoustech
The Scottish Alternative Music Awards are here for their second year, and this year Metaltech have been nominated for best Metal act. Voting and judging will happen from the 7th of February, leading up to the awards show at the Classic Grand in Glasgow on the 25th of February.
To help us in our quest to win this prestigious award, we need YOU to visit the SAMA page from Monday the 7th of February to vote! Use Metaltech's Facebook Page to tell all your friends. Tweet about us - hashtags #metaltech and #sama11, or retweet my tweets @roryalsop - and buy tickets for the awards event so you can come and enjoy the fun with us. We will have T-shirts and merchandise on sale there. Spread the word, people!
Metaltech, the crazed brainchild of Erik Tricity, Lord Thrapston Flagellator and the Insidious Dr Mayhem, has found a common resting place in Scotland. The band have built up a loyal following in Edinburgh through regular gigs since their conception in 2009, and in 2010 stepped up their visibility through touring, a sell-out gig at Club Antichrist in London, an evening on Edinburgh radio, the release of their first two EPs (Alkomatik and Sex On The Dancefloor), and being asked to remix tracks for Japanese band Psydoll and the Edinburgh based Gin Goblins. They have also provided tracks for local venues' compilation albums to much acclaim.
Metaltech delivered staggeringly popular sets at GoNorth, Rockness, Wickerman and Belladrum Festivals and have carried on increasing their fan base playing venues such as the prestigious King Tut's Wah Wah Hut supporting Swedish band Marionette on their tour.
Metaltech were the support act on all dates of Psydoll's Scottish tour and converted many a punter during an epic gig supporting Alec Empire from Atari Teenage Riot. Return gigs on request in Inverness and Aberdeen have not only helped cement this band's place in the local psyche but have led to further requests for upcoming tours.
As a full alchemical mix of pounding techno/dance beats, grinding guitars, lyrics smeared with innuendo/tongue in cheek humour, audience participation, ridiculously infectious imagery and gifts for all who attend their live gigs, Metaltech are not only a force to be reckoned with but a force you want to be a part of!
What we need YOU to do to help us win this year's SAMA for best metal act is VOTE FOR US!
---
This year, Metaltech has spun off a weird and wonderful creation, which is playing live in Edinburgh on the 9th of February at the Royal Oak.
Acoustech - does almost the opposite of what it says on Metaltech's tin. There is no metal, there is no techno, no industrial. Instead we have slide guitar, 12-strings and a fretless acoustic bass, and Erik's dulcet tones sans Marshall stacks.
---
Reviews:
‘the Alkomatic EP IS one of those rare records which is as much at home on the dance floors of the UK’s club fraternity as it is when you’ve just got a few friends around and the alcohol is flowing freely.’
(isthismusic.com)
‘FINALLY a band that put fun into Scotland's music scene. Erik Tricity veers from the languid vocals of The Jesus and Mary Chain to Slipknot's throaty growl.’
(Daily Record)
‘...mix of electronic beats blended with distorted guitars and a voice which sometimes reminded me of Rob Zombie...Guaranteed to make you dance, drink and chant along to the choruses! … and to want to destroy this planet ! Think Orange ! Think MetalTech !’
(Dose Productions)
‘the powerful and loud sounds emanating from this charismatic threesome are theirs and theirs alone! These songs are guaranteed to get your feet moving while your head and ears pulsate uncontrollably with the electronic beats and sequences. But MetalTech have a serious side as well...This versatility in material combined with their mesmerizing stage presence and truly entertaining show makes me certain that it’s just a matter of time before MetalTech (signed to Alex Tronic Records) become mammoth.’
(Tone and Groove)
Remember - Go to Metaltech's Facebook Page and click on [Like] - and then share the link with all your friends. And their friends. And vote on SAMA11.co.uk!
Oh, and if you haven't yet bought either of the first 2 EPs, or T-shirts or badges, get on over to www.metaltech.me for merch links.
Tuesday, January 18, 2011
Improvement and Education in the Security Community
Those of you who know me will know how keen I am on helping the continued professionalisation of information security, and in providing training, guidance and steer back to the community. I get a lot of queries from individuals in IT or Information Security roles asking for more ways to get information, improve their skillset or even just to learn from others.
Many of you may be familiar with the Stack Exchange family of websites - a question and answer site using reputation weightings to help individuals find answers that they can trust.
We have been working with a new one - Security Stack Exchange - near the end of its public beta - that aims to provide security professionals with a forum to ask or answer questions around security, risk, governance etc.
Some examples to show the range of questions already on the site:
Securing the security guy's home office: what should we do?
Although Incident Response is often handled well in larger organisations, it is very relevant for smaller companies
Establishing routines on what to do if a PC gets stolen?
Security around database password hashing:
If I hash passwords before storing them in my database, is that sufficient to prevent them being retrieved by anyone?
If you deal with information or IT security, governance or risk your input could be very valuable, or if you have questions in these areas someone on the forum could help you out. Either way, have a look and see what you think.