The Psychology of Information Security book reviews

51enjkmw1ll-_sx322_bo1204203200_

I wrote about my book  in the previous post. Here I would like to share what others have to say about it.

So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.

Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.

No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.
David Ferbrache OBE, FBCS
Technical Director, Cyber Security
KPMG UK

This is an easy-to-read, accessible and simple introduction to information security.  The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject.  Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.
Dr David King
Visiting Fellow of Kellogg College
University of Oxford

More

Presenting on cyber security at UCL

ucldark_0.jpg

The UCLU Technology Society invited me to deliver a talk on information security to UCL students. Together with my colleague, I discussed various aspects of information security focusing on both technical and non-technical topics.

We talked about Advanced Persistent Threats and common misconceptions people have about them. When referring to protection measures, I emphasised the importance of considering human aspects of security. I described typical causes of a poor security culture in companies, along with providing some recommendations on improving it.

I concluded the evening with a discussion on managing and communicating the necessary changes within the organisation and the skills required to successfully do that.

Cyber Wargaming Workshop

ID-10071890

I was recently asked to develop a two-day tabletop cyber wargaming exercise. Here’s the agenda.
Please get in touch if you would like to know more.

Day 1
Introduction
Course Objectives
Module 1: What is Business Wargaming?
How Does Business Wargaming Work?

  •         Teams
  •         Interaction
  •         Moves

Module 2 Cyber Fundamentals

  •         Practical Risk Management
  •         Problems with risk management
  •         Human aspects of security
  •         Conversion of physical and information security
  •         Attacker types and motivations
  •         Security Incident management
  •         Security incident handling and response
  •         Crisis management and business continuity
  •         Cyber security trends to consider

Module 3: Introducing a Case Study

  •         Company and organisational structure
  •         Processes and architecture
  •         Issues

Module 4 Case study exercises

  •         Case study exercise 1: Risk Management
  •         Case study exercise 2: Infrastructure and Application Security

Day 2
Introducing a wagaming scenario
Roles and responsibilities
Simulated exercise to stress response capabilities
The scenario will be testing:

  •         How organisations responded from a business perspective
  •         How organisations responded to the attacks technically
  •         How affected organisations were by the scenario
  •         How they shared information amongst relevant parties

Feedback to the participants
Course wrap up

Image courtesy zirconicusso / FreeDigitalPhotos.net

Removing Unused Firewall Rules

ID-100234172

Implementing cutting-edge technology solutions is not the only way to combat cyber threats. Seemingly mundane administrative tasks such as network infrastructure hardening could yield greater results in terms of risk reduction.

I ran a remediation project for a major blue chip company, which successfully removed over 8,000 unused firewall rules.

Such projects can be complex and require a rigorous process to be designed to ensure that no active rules are removed. For example, a period of monitoring and subsequent hypercare ensured that only a few rules were reverted back to production after being indicated as “unused”. Proactive stakeholder engagement was key in completing the work ahead of schedule and under budget.

As a result, the project improved network security by eliminating the chance an attacker can exploit a weak unused firewall rule. Moreover, the number of rules on the firewalls was cut by half, which made it easier and cheaper to monitor and manage.

Image courtesy renjith krishnan / FreeDigitalPhotos.net

Industrial Control Systems Security: Information Exchange

There are a number of global information exchanges related to industrial control systems security. They offer useful guidelines and standards to help protect the environment.

The UK Centre for the Protection of National Infrastructure (CPNI) provides good practice and technical guidance as well as advice on securing industrial control systems.
Secure move to IP-based Networks (SCADA):

They also highlight the risks of wireless connectivity of physical security systems

Similar information exchange centres were established in Japan and Spain,

For the introduction to Industrial Control Systems Security see my previous blogs (Part I, Part II, Part II) or ICS Security Library

SC Awards, BSides London and Infosecurity Europe

It was a busy week for security professionals in London; InfoSecurity Europe, BSides London and SC Magazine Awards were happening almost simultaneously.

IMG_4721

We were provided with a booth at the InfoSecurity Europe conference & exhibition to host another NextSec event entitled “Finance and Cyber Security: How Banks Are Evolving To Combat The External Cyber Landscape”. Two global financial institutions discussed how they are reacting to the cyber threats that affect them, and how they are looking to combat that threat.

Attendees had an opportunity to gain insight into how financial institutions are dealing with cyber threats on both strategic and operational levels as well as to understand challenges and approaches to managing information security risk in large financial organisations

cyber-academy-service-478x185

I was also invited to attend the SC Magazine Awards as part of KPMG’s Cyber Academy team. I helped to develop KPMGs IT Security Concepts course and also delivered it internally. It was a great honour to know that the course’s quality was recognised beyond the firm.

BSides2015

Finally, BSides London 2015 was great as always. KPMG were running a lockpicking competition, where I managed to make it to the Top 30. It was also nice to catch up with Thom, Javvad, Lawrence, Iggi and other great professionals in the field.

Global Industrial Cyber Security Professional (GICSP)

I’ve recently passed my GICSP exam. This certification is deigned to bridge together IT, engineering and cyber security to achieve security for industrial control systems from design through retirement.

This unique vendor-neutral, practitioner focused industrial control system certification is a collaborative effort between GIAC and representatives from a global industry consortium involving organisations that design, deploy, operate and/or maintain industrial automation and control system infrastructure.

GICSP assesses a base level of knowledge and understanding across a diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments.

Here are some useful links for those of you who are interested in sitting the exam:

Exam FAQ

Flashcards

Certification Handbook

Application Security Project

ID-1008705.jpg

Web applications are a common attack vector and many companies are keen to address this threat. Due to their nature, web applications are located in the extranet and can be exploited by malicious attackers from outside of your corporate network.  I managed a project which reduced the risk of the company’s systems being compromised through application level flaws. It improved the security of internet facing applications by:

  • Fixed over 30,000 application level flaws (e.g. cross-site scripting, SQL injection, etc) across 100+ applications.
  • Introduced a new testing approach to build secure coding practices into the software development life cycle and to use static and dynamic scanning tools.
  • Embedded continuous application testing capabilities.
  • Helped raise awareness of application security issues within internal development teams and third parties.
  • Prompted the decommissioning of legacy applications.

Image courtesy Danilo Rizzuti / FreeDigitalPhotos.net

Database Security Project

ID-100187848

A company experienced a significant data breach from a malicious source which led to the loss of strategically sensitive information. I was called in to manage a security remediation project. Given that data at rest is a critical asset, remediating and hardening the company’s business critical databases was a key component of this program.

The client designed a solution for database security but was struggling to implement it and gain the required stakeholder buy-in. Furthermore, the client’s business critical landscape was highly dispersed – with application management spread across multiple business units based out of a number of countries and database management was overseen by third-party IT vendor.

I was a part of the project management team, which was established to coordinate multiple stakeholders in order to implement the end-to-end solution for database security consisting of monitoring, reporting and remediation of business critical databases.

I identified that the most significant obstacle was business application owner understanding of the system, the processes, and the benefits of implementation. I initially engaged in extensive stakeholder communication and business change management to ensure the required buy-in.

I drove the progress of system implementation through stakeholder management, delivery management, information gathering and providing technical expertise and management reporting. I worked within the client’s project management methodology whilst leveraging my experience and expertise in project management to ensure timely delivery.

As a result, the business critical databases in scope were brought into the known state of compliance, drastically reducing the attack surface. Moreover, awareness of the importance of application security and secure behaviours to support databases was raised significantly.

I embedded the processes to implement the system into the client’s run and maintain activities, ensuring that future changes to their business critical landscape do not introduce new database vulnerabilities. I also developed an asset inventory for business critical databases which improved upon any previous client efforts.

Image courtesy ddpavumba / FreeDigitalPhotos.net

Managing the Cyber Threat: Insights from Senior Leaders

I’m happy to announce that the registration for the NextSec June 2014 Conference is still open.

Location: Investec Bank plc, 2 Gresham Street, London, EC2V 7QP, United Kingdom
Date: 5th June, 2014

Agenda:

18:00 – The role of a CISO in a cloud, mobile and social world

Speaker: David Cripps, Investec CISO

David is the Information Security Officer for the Investec Group and is responsible for the Group’s information security programme; ensuring that the risks to their information assets are identified and appropriately managed. He has a strong technical and networking back- ground in the finance and telecommunications industry. David has also worked as an elec- tronics instructor in Sri Lanka.

David has been awarded a master’s degree in Internet and Telecommunications Law (LLM). He is a Certified Information Security Manager (CISM), Information Systems Auditor (CISA) and Information System Security Professional (CISSP). David has also been awarded an Ad- vanced Professional Certificate in Investigative Practices (APCIP).

18:25 – The rule of three: cyber resilience in a fast-changing world

The rule of three: cyber resilience in a fast-changing world

  • Three walls to structure controls and contingencies against cyber attack
  • Three principles to drive the design of practical and focused cyber defences
  • Three strategies to maintaining agile, adaptive and sustainable counter-measures to meet the cyber challenge

Speaker: Daniel Barriuso, BP CISO

Daniel Barriuso is the Chief Information Security Officer (CISO) at BP. He is responsible for cyber security across the Group, including strategy, governance, architecture, education, counter threat operations and incident response. Daniel is a frequent speaker and contribu- tor at security forums and events. Prior to joining BP, Daniel was CISO at Credit Suisse and coordinated a number of security initiatives across the financial services sector including the ‘Waking Shark’ response exercise. Daniel also dedicates his time as a Professor at the ‘Universidad Politecnica de Madrid’, where he lectures and researches in the areas of IT governance and information security investment.

18:50 – From Graduate to VP: My journey in the realm of Network Security

Speaker: Raghu Nandakumara , Citi Network Security Manager

Following completion of his MSc, Raghu joined Citi in 2004 as part of the UK Technology Graduate Programme and was placed in the EMEA Information Security Services team. Initially working in Operational Support he was part of a team that were responsible for the maintenance and stability of all perimeter security infrastructure in EMEA, including firewalls, proxies and remote access. He moved into the Network Security Engineering organisation in 2008 and was initially responsible for security service delivery on business projects (including handling large scale divestitures and acquisitions) as well as build out of security infrastructure in Citi’s new strategic data centre in the region. Having spent the last few years being the SME for a few Network Security products he now runs the Net- work Security Engineering Tools and Automation team.

19:10 – ISACA’s Cyber security Nexus (CSX) Program

Overview of ISACA including Cybersecurity Nexus (CSX), ISACA’s recently launched pro- gram that provides insights and resources for cybersecurity professionals.

Speaker: Allan Boardman, ISACA International Vice President

Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, is a risk officer at Morgan Stanley and International Vice President at ISACA. He began his career with Deloitte in Cape Town and has over 30 years experience in IT assurance, risk, security and consultan- cy roles at organizations including JPMorgan, Goldman Sachs, KPMG, PwC, Marks and Spencer, and the London Stock Exchange. He is a past president of ISACA London Chapter and has served on the BCS’ Information Risk Management and Audit Committee. He is a member of ISACA’s International Board of Directors, currently chairing its Credentialing and Career Management Board, and is a member of ISACA’s Strategic Advisory Coun- cil. He has served on ISACA’s Leadership Development Committee and chaired ISACA’s CISM Certification Committee. He was a volunteer at the Paralympics in London 2012 and Sochi 2014, and is a school governor where he chairs the Finance Committee.