This Week's Gurus

As pen testers, we often test the same system every year. In an ideal world, the security of the system would get better every year as the issues we find are fixed and lessons learnt, and in theory you should end up with an ever smaller list of issues. Unfortunately this isn’t usually the case. In fact it is a particular problem for large companies. In the larger companies we typically find an...

Today sees a change at the top of the Cyber Security Challenge, with founder Judy Baker stepping down to be replaced by Bob Nowill as chairman. Announced this week, Nowill is a former security leader within GCHQ and BT and has served on the board of the Challenge since early 2014. I asked him why he felt it was time to step up to the plate, and he said it was not a time...

The domain name system is incredibly vulnerable, but at the same time it can be your biggest ally in detecting threats. Talking to Cricket Liu, chief DNS architect at Infoblox, he pointed out that the major flaws that hit the DNS, most notably the Kaminsky flaw of 2008, were often just cache poisoning and the “plumbing” of the internet does not get the attention of security that it deserves. With other flaws,...

It’s a common belief that security training is one of the largest bugbears for CISOs. Why do you think this is, and how can it be resolved? I must step back a couple of decades to argue who needs IT security training and why. I’ve been involved in information security throughout that time, which includes the time before IT was a staple of office life. In those days, before the internet and office networked...

If communications are monitored and encryption is still Pretty Good, is the bigger challenge not only maintaining control of keys, but ensuring that those who deem the websites to be safe are trusted at all? In FireEye's 2015 M-Trends report, authentication-based attacks were identified as the third threat for the abuse of VPN certificates. Kevin Bocek, VP of security strategy and threat intelligence at Venafi, said that the problem is the bad guys are using encryption...

Recent announcements that GCHQ will host summer camps to boost interest in cyber and improve skills, as well as the ongoing Cyber Security Challenge, show that there is a need to draw people from outside of IT to fill the skills gap. One idea that could be better exploited, following a model used in Israel, is utilising skills learned in the armed forces. I recently met with Tracy Andrew, head of information security and...

I recently attended an event hosted by the Charity Security Forum (CSF), where one of the speakers spoke on the difficulties of people with disabilities using technology. Maybe this is something that you have not thought of before, but for the delegates, the experiences of Robin Christopherson, head of digital inclusion at Ability Net, proved to be very interesting and at the same time, shone a difficult light on the reality of technologies. In the talk,...

Yesterday we featured people hacker and social engineer Jenny Radcliffe on typical signs of an attacker who is trying to get at you from outside of the business. That person has a considerable disadvantage though – they are not able to access the systems and network that a person inside the business can. The insider threat has never gone away, and Jenny said that in many cases of inside attacks, watching the human behaviour...

Anyone who has had the pleasure of seeing social engineer and people hacker Jenny Radcliffe speak will know what I mean when I say that she can see beyond the conventional eye. Sitting with her at a recent conference where she spoke in front of the charity security community, I wanted to get her thoughts on what the modern IT professional can do to better spot that attacker both inside and outside of the...

The various breaches and attacks of 2014 have led to more interest in “whodunnit”. This in turn has led to more interest and development in the concept of threat intelligence. Last year Proofpoint completed the acquisition of NetCitadel to add threat intelligence to its portfolio, whilst I recently met with another new firm offering services, iSIGHT Partners. Rather than offering products, it offers threat intelligence that its global team of analysts collect and delivers to...
