Paul Appleton

Paul is an information security dude and, in his spare time, a master of Spinjitsu. He likes eating red and blue pills, reading about Paris Hilton's Sidekick and listening to Captain Crunch.

Security, Pedantry and Parking Tickets

“There’s another name for traffic wardens. Revenue Protection Inspectors is one.”

Some crevices of civilisation attract the traffic warden personality. We see them lurking in children’s sporting competitions, in business communities, in our social lives where they slip just under the anti-bullying-bar. In popular culture we know them as Jobsworths, popularised by television (That’s Life) and in film (Beatles’ Help).

One particular organisational Petri-dish for this is the Business Risk discipline. Particularly when dealing with regulated systems security.

The information systems security advisor, ossified, reacts to having to make a business decision by reducing personal risk, without regard for the contingent business implications. Imagine that there is a business imperative to post a letter. The post box is on the street corner; the street corner has double yellow lines.

The security advisor’s solution: “The Road Traffic Act says one can’t park on double yellow lines. You must park in the town-centre car park and catch a bus to the post box. I’m not making a decision, but I can document the risks and ask someone else to break the law”.

The risk opinion goes up the tree, no one wants to challenge perfectly reasonable logic until the business unit who wants to post the letter realises the additional costs and then does their own analysis:

The pragmatic business: “We could be purists, at huge cost, or we could park up and take a chance. But what I think we’ll do is drive with a colleague, park up, I’ll jump out while my colleague keeps watch and drives round the block if anyone comes.”

The answer to this behaviour lies in the interstices of security and risk. The security purist says “no”, the risk manager says “no but”. Unlearning behaviour is hard: the information security trade tends to attract a certain personality type who is personally risk averse, prone to pedantry and tends to think in the language of protection, defence, doing less and stopping things happening. Turning our security teams into business teams is a start, followed by extracting security from IT and reporting into the business, or at least the business risk function.

Making a decision is scary, but extracting value from the risk teams means empowering and enforcing decision-making behaviour, viewing security as a tool to enable business imperatives, changing the language we use to reflect that security can help an organisation grow as well as defend. There are many examples of this: from the trivial of bringing your own iPad through to enabling secure financial transactions and using security as a selling point.

If we don’t do this, we risk the security trade being relegated to the organisational cul-de-sacs where their deontological minds will ensure they are perceived as an Immanuel Kant and called Traffic Warden behind their backs.

Password Book Of Death

I don’t know which demonic spirit invented passwords, but if the intent was to burden us with a hopeless cause I think that the demons are still batting and we need to retire from the game.

How many passwords do you have to manage? By passwords, include your card PINs, your on-line banking details, the proliferation of “secret questions” and your mother’s maiden name(s). I have more than sixty. If I count only those that I really care about, that is those that can do me financial harm, there are at least forty. And I’m a simple soul: I have a handful of cards, bank accounts, mortgages and deal online mainly with Amazon.

The curse gets bigger when I include the mandatory sign-up screens for temporary web sites and spreads again when I include my work passwords.

I even need a password to open the door to my office! Four more digits (I use 1234).

Why do we put up with this? How do we manage it? In part, we put up with it because we have to. If one wants an account, one needs to play by their rules. One solution is to avoid the accounts. One solution is a digital password safe. One solution is to write your passwords down.

I have a password book and I have a File of Death. The File of Death is the file to go to when I die, where all my credentials are located. Given how easy it is to check in to the digital world, but how hard it is to check out (even when one checks out of the real world), it’s imperative to have a mechanism to close down FaceTwit in lieu of those organisations actually taking their users’ privacy seriously enough. Before I die, there’s my password book. The only way to effectively manage all my passwords is to write them down and to have a sensible pattern. Possibly obfuscated, certainly re-used.

I like bananas. I used to like apples but about five years ago web sites started imposing password lengths and apple was just too short. Now I’m up to banana216% which seems to satisfy all the current complexity requirements.

Of course, I’m not completely stupid. I don’t use banana for all my accounts, only the ones that don’t personally do me harm (like work and those peculiar themed websites we all deny using). I have “fishcake” for the really high risk systems.

So, what’s the solution?

Reducing the proliferation of passwords can make our online life more secure. There’s no reason why forums and other social sites can’t just rely on OAuth and accept FaceTwitOogle credentials: indeed some are doing this already, but not enough. I can’t say I like the idea of authenticating to my bank account through Twitter, but I’d accept it for those sites that can’t directly do me harm.

Incorporating a FaceTwitOogle credential reduces complexity for the site (no access control lists to manage), it improves the user experience (simple sign on), it’s socially-webby (so it must be good in a 2.0 way) and it’s an amulet against the password proliferation. If the site absolutely must have an email address, then they can ask for it: and we can use Mailinator if we wish.

But in the absence of common sense and the system owners thinking through why they want a password, what risk the password mitigates and the unintended consequences, I’ll continue to use the only useable alternative.

My password book of death.

There’s no business in snow business

Snow. Don’tcha just love it? A licence to slack, for sport, for making snow angels and snow men. It’s what, ahem, “working from home” is all about.

You can’t trust your employees. They are basically children with money. You can’t trust ‘em if you can’t see ‘em. If you can see ‘em then they must be working. Hard.

The recent and ongoing debacle with the white stuff shows that organisations need to take a consistent line on remote working: either provide the tin or don’t come to the party. Either trust or judge by presenteeism. If you trust, then it is essential that the necessary support services are in place, but that’s more than merely the technology. Any organisation can invest in collaboration tools, laptops with video, remote meetings, agile telephony and virtual teams. Indeed, any organisation that does not have these tools is rightly judged to be a laggard with skewed priorities. If you don’t trust, then make it clear: your staff’s value is the warmth they give to their chair.