Category Archives: Planning


Security Policies IRL (Part 1)

If you have been following the news lately, you will have heard about a large real estate group in China with an even larger debt problem. In short, the Chinese government decided to reduce risk by limiting the amount of debt held by real estate companies. To accomplish this, it implemented a new policy that could play out into a major disaster.


  • Implementing a policy without consultation could lead to chaos
  • Creating policy requires lots of communication and solid knowledge of the macro and micro environment
  • Consultation with functional units and effective policy metrics serve as good inputs for current and new policy

Now here lies the problem: implementing a new policy in a short space of time meant that companies that are heavily exposed without adequate cash flow are suddenly unable to service their debts. Evergrande is one of those companies with large unserviceable debts.

You have probably seen this in the InfoSec realm: policies that are dysfunctional and out of place in the real world. We're not talking about the 'no personal floppy disks' policy, but rather policies that prevent the business from, well, doing business. If you have ever heard the phrase 'sorry, you can't do that because it's against security policy', then that is the problem right there.

Take a step back for one second and remember why you are creating the policy in the first place: it is to protect the business and enable it to operate in a secure manner (add your own seasoning to that, but generally speaking it is in the same spirit). However, if you are creating policies without business consultation, you are effectively creating policy in a vacuum, leading to distrust, policy circumvention and ultimately a failed policy.

Back to Evergrande for a second. This is not a suggestion that Beijing created its policy in a vacuum; it knew companies were in debt and had to take corrective action. But it pulled the plug on available credit expecting the problem to resolve itself or, worse still, actually implemented the policy without stakeholder consultation.

Beijing is now playing a game of chicken: either Evergrande resolves its debt issue or Beijing will step in. Why? Beijing does not want an economic meltdown, citizens losing funds, supply chains closing and so on, but at the same time it can't afford to bail Evergrande out, as other companies would then line up to request funds. Damned if you do, damned if you don't: the intent was good but the execution, not so much.

Unless you are operating within an authoritarian organisation, a democratic approach to the solution is required to enable the business. You still want the business to curtail risk, but consultation allows the policy makers to understand the current situation and devise an appropriate strategy to bring risk down, over an appropriate timeframe, to a mutually agreed, manageable level.

Well, where do I start? How does one know if a policy is causing fires within the organisation? Simple: ask the people on the ground for feedback. For existing policies, if the people on the ground have used the phrase 'it's against security policy' too many times, well, it's time for a review. Naturally, there are reasonable bounds within which the business may operate, but if the phrase is being used time and time again, it is time to change the policy or devise a solution that is capable of fulfilling the request.

Does this mean that the policy is bad? Not necessarily; it could be as simple as tweaking the wording, providing standards and guidelines to supplement the policy, or working through a test case to identify how the policy could satisfy all parties. The point is that none of these solutions can be completed in a vacuum: they all require consultation, constant and regular consultation.

Secondly, if you caught on to the fact that the phrase sounds like a policy metric, that's because it probably is. Consultation opens lines of communication for feedback, and any feedback, positive or negative, is a metric. No consultation, no feedback, no metric; simple. What about other ways of obtaining policy metrics? You may not have time to consult all the business units; communicating that there is a feedback line is a start, or better still, speak to the front-line staff and establish regular catch-up sessions.

Other metrics can be obtained through other business functions. Shadow IT is just one example: the fact that it exists suggests that a policy could be hindering the business. Assuming that you have a procurement function, significant IT purchases of assets or services that are not completed through approved procurement channels could indicate a policy failure. However, you would never know if you have not established a communication channel with Finance/Procurement.

Another way is to employ technical means to verify the effectiveness of the policy. It could be as crude as leveraging your support ticketing system and categorising the tickets. If there is trust in the establishment, expect constructive feedback. Unless there is a structural problem with your policies, you should not expect an avalanche of responses; either the policy is working, or there is no trust and your policies are being circumvented.

So what happens if my policies are circumvented? Well, aside from implementing a dictatorship, asking your IT support and security teams for ways to look for holes would be a first step. They may also suggest technical solutions such as infrastructure monitoring to provide metrics.

Now, this is by no means a comprehensive list; context is required to devise a suitable approach and an effective solution. But let it be known that, unchecked, ineffective policies lead to a divisive environment ripe for abuse. Change is possible, and it starts with one simple, constructive dialogue.

In the next blog we will discuss policy development.



Canals, Law Firms and InfoSec – Lessons learned from the Mossack Fonseca data breach

Another day, another leak.

This time the victim of the leak is Mossack Fonseca, a Panamanian law firm which has been exposed for facilitating shady tax arrangements. The size of the breach is enormous; the volume alone could displace what Panama is traditionally known for, the canal.

Naturally, findings from the breach investigation will never see the light of day, but speculation is always fun, so…what can we learn from this breach?

1. Trust is king; otherwise, use identity management and access control

The locks in the canal serve to direct water to the right places.

No one knows if this was an inside job, but one thing is certain: 'John Doe', who conducted the breach, had the motivation to carry out the leak. If this was an inside job, this person would have had a lot of access within the organisation. Identity management, separation of duties and access control limit the amount of data any one individual can access. In any organisation handling sensitive data, all of this is very important to limit the potential loss of data through a disgruntled employee.

2. Don’t forget physical access

A hole in the lock allows water to seep through where it’s not supposed to.

John Doe could have had access to backups, tapes, systems, USB ports; you get the idea.

3. Are you looking? – Egress points

If no one is inspecting the locks for leaks, how do you know if there is a problem?

Süddeutsche Zeitung, the newspaper reporting the breach, acquired about 2.6 terabytes of data. Let's assume for a second that the person doing the leak was not an insider who stole mirrored drives from Mossack Fonseca servers or copied the data to a USB hard drive: how did 2.6 terabytes of data get out?

If it was done remotely, that's 2.6 terabytes over the wire. If you run a SOC/NOC in a law firm, the things you should be keeping an eye out for are mass exfiltration, out-of-hours transfers and any other anomalous activity. Sure, John Doe could have been drip-feeding the data out, but with 2.6 TB that would take an excruciatingly long time. If your NOC is not talking to your security team, well, that too is a problem.

4. Data loss protection is not a silver bullet

Just stopping blue coloured liquid will not stop leaks.

Süddeutsche Zeitung reports that the haul consisted of e-mails, PDF files, photo files and excerpts of an internal Mossack Fonseca database. A quick review of the leaked documents shows that Mossack Fonseca was handling both structured and unstructured data. Documents derived from a predefined template, e.g. official company letterhead, form structured data. Passports, share certificates and other documents that do not adhere to MF's document management standards are classified as unstructured data. Documents can also be tagged specifically for DLP. DLP works by detecting structured or tagged documents being 'moved' to an 'unauthorised' location, at which point DLP blocks the movement or triggers an alert for further action.

To do DLP right, MF would have had to identify all critical/sensitive documents and tag them or convert them to a standard format before DLP could pick them up. This requires a lot of work, and failure to do so means that data could slip right under the watchful eye of DLP. Not to mention that there are ways to circumvent DLP, which segues nicely into our final point.

5. Security is like an onion

A failure in one lock should not cause the entire system to fail.

The hot topic of encryption makes another entrance. Encrypted data makes life hard for inspection-based systems such as DLP, and that's assuming that inspection-based systems can detect the encryption and decrypt the content in the first place. A tagged document could be placed in a password-protected ZIP/RAR/<insert favourite exfiltration format here>, and if you're lucky, inspection-based systems may only log the activity. In this scenario, you will need all of the above to reduce the risk of a data breach occurring.

There may be other lessons learnt from this breach, feel free to share below.


The ethics of vulnerability disclosure

Badlock, a newly publicised vulnerability, is making the rounds with a catch: the patch is not available for another 3 weeks. However, the marketing hype is already in full swing.

What makes this vulnerability big is the hint that it affects SMB, as used in Samba/Windows file sharing, and as Samba is open source, vulnerability researchers good and bad will be scrambling through the code.

However, given the widespread reach of the vulnerability, the hype is not called for. Three weeks in information security land is a lot of time, and the widespread use of SMB means organisations could be sitting ducks.

People that wield power must act sensibly. If you know something that could affect a lot of people, use that power with discretion: report vulnerabilities to vendors and ensure that a working fix is applied by customers before causing mass mayhem. Defenders already have a hard time keeping people out; we shouldn't be fighting amongst ourselves.

As always, opinions welcome. Thanks to Steve Ragan (@SteveD3) for exposing this.


Cross published on Peerlyst:


edit: 24/3: typo

Project Management Fundamentals

One of the tools a consultant requires is the ability to project manage. The entire engagement may have sub-projects and involve a lot of staff and stakeholders, all of which increases complexity. Complexity increases the risk profile of an engagement, hence any reduction in complexity is always welcome.

Having said that, the core items relating to basic project management are often overlooked. There are legitimate reasons behind this, but the truth remains that there is no excuse for not getting things right in the first place. Yes, I've been here, but hopefully I have learnt something from the experience and will not do it again.

This is a short list of common mistakes that some PMs make, and tips which I have learnt or gained from working with some brilliant PMs.

You might ask: What does this have to do with Security?

Security is a rapidly changing area. All security professionals work to very short delivery dates. Mistakes, rework and delays are extremely costly, especially in a recovery situation. 'Getting it right' the first time is critical!

Define and enforce Scope

Scope creep is a project killer. It happens, and its causes include (not an exhaustive list): poor planning, inadequate requirements analysis and lack of funding.

Define the boundaries and stick to the scope at all costs; enforce it. Don't allow scope creep to set in. It is a matter of pride, both yours and the project sponsor's.

Going the extra mile: if the scope changes, get the person requesting the change to justify it. Discuss alternatives and embed a 'penalty option' for the requester. The penalty provides a contrast to the alternatives, as you will need more resources to get the job done, and gives a balanced view of the scope change.

Metrics for everything

How do you know if you hit a milestone if you have no way of measuring it?

Anything that impacts the project (time, resources, funding, etc.) must have a metric.

It provides tangible evidence for a lot of things: due diligence, coverage, costs, elapsed time, you name it.

Going the extra mile: if there is no metric, think about what the goal of the metric would be, think of a suitable one, keep it simple and create it. Sometimes you can't retrospectively create a metric. There is no such thing as a task too small to be measured. Finally, repeatable, automated metrics gathering is a lifesaver!

Do not underestimate the power of the Subject Matter Expert (SME)

Assumptions are risks!

Unless you are the SME, the SME is your friend. More often than not, they will have a better idea of what is possible (or impossible).

Iterate through each assumption and ask for their input. Where possible and if appropriate, go through the entire plan and show them the bigger picture.

They may also have a better way of doing the task, which may improve delivery. Win-win.

Going the extra mile: engaging SMEs as early as possible will make them feel valued, and their input will be valuable. Keep in mind that they are SMEs and may not have a PM mindset, so get them to think like a PM: take them to an area free of distractions and ask them, 'What is required to get the task done? What do you need to get the job done?' and so on.

Dreaded Deadlines

Like scope, stick to it. Enforce a deadline for your subordinates. Deadlines make people accountable. Deadlines are more important when tasks are on the critical path. As mentioned, slippage is expensive.

Don't treat the deadline as the end of the task; try to get the task done before the deadline, even if you have included contingency time.

Going the extra mile: be people-friendly when defining deadlines; don't call it a deadline. Importantly, to get people to be part of 'the team', you have to understand their deadlines and constraints! When you relate to their world, it builds rapport and they are more likely to be proactive. They may also go the extra mile by getting extra resources, re-prioritising your task as a high priority, etc.

Importance of communications

Communication is core to getting everyone working in unison.

Is a phone call necessary? Is an e-mail? Consider the criticality of the message you are trying to get across. Scheduling a meeting can be done via e-mail and chased by phone if an urgent response is required.

Think closely about the aim of the communication, articulate that clearly.

Everyone is time-poor; unless they really need to know, avoid paragraphs full of information.

Mass communication should be structured so that a primary school kid could understand it and, importantly, acknowledge and follow it.

Going the extra mile: important points first (including actions), what the goal is, what is involved, keep it positive, be short and succinct.

While there are many other areas of improvement and each point can be explained in much more detail, consider this the start of a well-oiled consulting/project management experience.

Integrating Security with Asset Management Part 2


  • Aligning security projects with the business will help persuade decision makers to approve and endorse them
  • Being creative helps to obtain business alignment

As mentioned, when looking at frameworks, e.g. ISO 27001, the SANS Top 20, etc., several of them list asset management as an action, and it is a task quite high on the list.

Several things will need to be done:

  • Out of scope for this blog, but a procurement structure must be in place so that staff know who to go to when acquiring equipment
  • Procurement and security policies, standards and guidelines are in place, covering everything from acquisition to securing devices
  • Policies are communicated to staff

All good so far, but how does this benefit the business?

Well, this is where metrics come in.

The decision makers will want to know how successful your project will be, and they will be interested in how the project has saved the business money, increased productivity, etc. Metrics are a way to provide this information.

The ability to measure opens up opportunities to be 'creative' with business goals.

Let’s look at business strategies:

  • Saving costs
  • Reducing downtime
  • etc.

Taking the two examples:

  • Saving costs: asset discovery, licence management, lease management, whole-of-life costs, power consumption, etc.
  • Reducing downtime: hardware failure, software failure, system performance, etc.

There should be enough information in the Asset Management database to establish metrics to determine the basics:

  • Number of systems
  • Where they are located
  • When systems go out of warranty

Now, with some cross-matching against other systems, you can do things like:

  • Find out which systems have not been on the network for a while and where they are (are they in a cupboard? If so, can they be redeployed, saving the cost of purchasing and configuring a new system?).
  • Find out which systems are nearing the end of their warranty (if they are going to be out of support, a new system can be proactively ordered, reducing downtime, and for asset management purposes you won't need to upgrade the old ones, saving time and resources).
  • etc.

All of these are strategies that can be translated to security wins:

  • If you know a system is in storage, you know it requires updates to be compliant, and if it is to be deployed to new staff, the status of the device must be updated.
  • If a system is old, there is a good chance it has legacy software, which may be a security risk.

With this intelligence, asset management provides a return on investment and helps achieve security goals.

Integrating Security with Asset Management Part 1


  • First in a sequence of blogs which will outline how to implement security measures with business support.
  • Know what you know and investigate what you don’t know
  • Leverage existing systems but apply some intelligence to achieve security goals
  • Refine by identifying the weaknesses, fix the weaknesses and monitor for improvements.

Simple question: can you tell me, right now, who has disabled their AV?

It's amazing how many organisations would not be able to answer that.

‘You cannot protect what you can’t see’

Consider these scenarios:

  • Decentralised procurement/budgets lead to authorised or unauthorised purchases such as a computer; for one reason or another the asset is not tracked in the asset register; the computer is compromised, leading to a security issue.
  • Staff connect a custom-built system to the network; the system gets infected and causes issues on the network, leading to a security issue.

I've been an advocate of having asset management as part of the security function for quite some time; it may not be managed by the security team, but the security team could and should have some input and exposure. The reasoning behind this stems from the implementation of the SANS 20 Critical Security Controls.

The first control is to create an Inventory of Authorised and Unauthorised Devices.

The win is that you know what to protect within your organisation, and you have statistics available. As mentioned, statistics can then be used for a lot of things: metrics, milestones, forecasting, planning, KPIs, etc.
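The cross-matching described in Part 2 (stale systems, warranty expiry) and the two questions from this post (which devices on the network are not in the register, and who has disabled their AV), as one added example that is not the posts' own code. The asset register rows, the network/AV feed, the field names and the 30-day and 90-day thresholds are all constructed assumptions:

```python
"""Cross-match the asset register against a network/AV feed.
Added example, not from the original posts. The register rows, the feed
(hostname -> last seen, AV enabled) and the thresholds are constructed."""
from datetime import date, timedelta

TODAY = date(2016, 4, 1)                # fixed date so the output is reproducible
STALE_AFTER = timedelta(days=30)        # assumed: not seen for 30 days = stale
WARRANTY_WINDOW = timedelta(days=90)    # assumed: warn 90 days before expiry

# Constructed asset register (what procurement/CMDB knows about).
ASSET_REGISTER = [
    {"host": "fin-lt-01", "location": "Finance L3", "warranty_end": date(2016, 5, 15)},
    {"host": "fin-lt-02", "location": "Store cupboard", "warranty_end": date(2018, 1, 10)},
    {"host": "hr-dt-07", "location": "HR L2", "warranty_end": date(2015, 12, 1)},
    {"host": "it-srv-03", "location": "Server room", "warranty_end": date(2017, 6, 30)},
]

# Constructed DHCP/NAC/AV-console feed: hostname -> (last seen, AV enabled?).
NETWORK_FEED = {
    "fin-lt-01": (date(2016, 3, 31), True),
    "hr-dt-07": (date(2016, 3, 30), False),
    "it-srv-03": (date(2016, 3, 31), True),
    "dev-custom-01": (date(2016, 3, 29), False),   # never went through procurement
}

def cross_match(register, feed, today=TODAY):
    """Return the four lists the posts ask for: devices on the network but not
    in the register (SANS CSC 1, unauthorised devices), stale registered assets
    (cupboard candidates), assets inside the warranty window (<=0 days means
    already out of support), and hosts reporting AV disabled."""
    known = {a["host"] for a in register}
    report = {"unknown": [], "stale": [], "warranty": [], "av_disabled": []}

    for host, (last_seen, av_on) in sorted(feed.items()):
        if host not in known:
            report["unknown"].append(host)
        if not av_on:
            report["av_disabled"].append(host)

    for a in register:
        seen = feed.get(a["host"])
        if seen is None or today - seen[0] > STALE_AFTER:
            report["stale"].append((a["host"], a["location"]))
        days_left = (a["warranty_end"] - today).days
        if days_left <= WARRANTY_WINDOW.days:
            report["warranty"].append((a["host"], days_left))
    return report

if __name__ == "__main__":
    for key, items in cross_match(ASSET_REGISTER, NETWORK_FEED).items():
        print(key, items)
```

Each list maps to a follow-up action from the posts: track down unknown devices, redeploy or patch stale ones, order replacements before warranty runs out, and chase the AV-disabled hosts.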

Remember, before any system is implemented, business support and approval must be obtained; otherwise the project is doomed to failure.

No matter how good your asset management is, you will get rogue purchases and staff circumventing the system. This is where planning, policy and processes are required to stop the leaks.

Not everything has a technological solution; in fact, planning/strategy, policies, procedures and guidelines help drive the technology selection process for an organisation.

  • Planning/strategy allows the right decisions to be made so that the company infrastructure can be designed to support the organisation. It also gives all staff uniformity towards a common goal.
  • Policies are required to steer procurement decisions for the organisation and are also used to curb deviations from the corporate norm (for procurement and delinquent departments).
  • Standards are defined to ensure alignment with the policies for procurement, IT and all staff. As mentioned, standards are also there for system identification.
  • Guidelines assist planners by outlining what could be used within an environment.

With this in place, the law of the land is set out and referred to by all.

A good resource for policy creation is the SANS Security Policy Project:

The primer is a good read.

Having these in place will help reduce the number of ‘rogue’ devices within the organisation as well as set the framework for a solid asset management system.

Defining Security Scope: Another way of saying ‘know thy enemy’

You cannot protect what you can’t see


  • Know your assets and threats based on industry, size, image, political, social factors, etc.
  • Conduct high level identification and assessment of the threats
  • Produce suitable mitigation strategies/countermeasures for the threats until the risk is at a level agreed by the business

Without knowing your assets and understanding the threats against them, it is extremely difficult, if not impossible, to protect your environment.

Identifying your assets will be discussed in a later blog. Let’s quickly discuss threats.

Each industry has its own specific threats, and they range from amateur attackers to well-funded nation states.

There are models available to help map out what threats your organisation could potentially face.

The areas to consider are:

  • Industry: is it a highly competitive industry?
  • Size: how large is the organisation?
  • Image: does the company depend heavily on its image/brand, and what would happen if it were compromised?
  • Political: do political events affect the organisation?
  • Social: is the organisation operating in an environment where social tensions work against it?


Each area has specific threats, and depending on the threat, a suitable risk mitigation strategy should/must be considered, reviewed and implemented.

To put it into perspective, your corner store is probably not going to be targeted by a nation state.

However, a large or vocal pro-Western company may be a target for an anti-Western organisation, political affiliation, etc.

For each threat there is a countermeasure: mitigate, accept, insure, delegate, etc.

Once all of this has been considered, a scope can be defined for the security team and affiliates to adhere to and follow.

Understanding the scope allows any organisation to formulate an appropriate strategy to counter the threats.

Naturally, this will need to be reassessed on a regular basis (think diversification, acquisitions, etc.) to ensure that the organisation stays protected.