Link to the Powerpoint file:
Dearly beloved, we are gathered here today to discuss Information Security.
Join me around the campfire and let’s start…
Mandatory "who's this guy and what's all of this about" slides.
I decided to make the presentation available to the audience beforehand to allow every participant to follow the presentation at his own pace.
Also, please note the LEGAL DISCLAIMER as I was expressing my own opinions and not the ones of my employer.
Heard in 2002: “If you’re not paying for it, you’re the product” but what does it mean?
Link to Wall Street Journal article:
https://www.wsj.com/graphics/how-pizza-night-can-cost-more-in-data-than-dollars/
It all starts it a text message “Wanna come for pizza and a movie?”
Consider the Data provided vs. Data collected.
Just some highlights:
So… what can we do about it?...
Let’s take a step back….
"Passwords are like underwear: change them often and don’t show them in public."
I have a friend that ends up losing a credit card every 3 months or less J
The downside: she has to send new credit card data for every new actions, for every product ordered, for Netflix, for Android Pay, for Parking payments.
The upside: she gets a new card every 3 months which reduces the chances of exploit
But... does this make any sense?!
It’s pretty much the same we’re asking:
"Change often, has to be complex, 12 chars, 4 symbols, a drop of blood from your firstborn child and a tear of a unicorn."
And then we blame the user when things go wrong!
And if we’re really smart, really into these SECURITY stuff, we all know we should use 2 factor authentication.
Because SAFETY!!! Yes, at its all about safety, that will keep us safe, right?
Well, no, not really…
We have been nagging users about password for the last 20 years…
But it’s never the user password to be blamed for any significant data security breaches.
We must solve this:
The consequence is personal data abuse and society being controlled by The Others (Brexit, Trump, Bolsonaro)
Lets talk about management systems
Everyone can bake a cake at home
We can handle interruptions. We can handle supply issues. Most of the time it’s a one off. We are the client, no need to meet needs or expectations.
Very small IT footprint, maybe a computer running ERP / CRM / Excel / minimal website.
You now have procedures to handle raw materials when they arrive, laws to abide, periodic maintenance on machines, financial goals.
You’re working with a context, with shareholders, suppliers, clients, employees, neighbour, authorities…
You have to meet the needs and expectations of interested parties if you want to survive.
So we make plans.
Suddenly…
Your supplier changes, Your target clientele changes, Your raw materials are no longer available, You have to abide to different regulations, You want to move into a different market, Your country foolishly decides to leave the EU, Your employees die, You die.
Allow me to introduce you to some nice friends…
Deming and a lovely lady.
The PDCA/CI cycle.
Management systems: Not the hero we call for, but the hero we need.
That means, defining processes, monitoring, keeping tabs on what went wrong and what went right.
But its pays off every time.
Risk is positive and negative that can and will happen.
Is all about figuring out what can change, its impact and whether we wish to mitigate or reap the benefits.
The future, as we can see it
Robotized Cake Factory, very few people.
Confidentiality, Integrity, Availability
Access (physical/ user access management)
Operations (backup pentest, scan, logs)
Network protection
Secure software development (lifecycle) (plug the holes NIST OWASP framework libraries)
Well, no, not really.
We’ll look into a real world scenario… but first…
The ability to wing it, sometimes referred as one of the greatest Portuguese assets only provides a short term, sub-standard solution.
It will kill you in the long run.
Up until now, fines limited to 500k
Data breaches before and after GDPR
GDPR comes with a very loooong enforcing stick. Giving people’s rights even before they realise they have them.
Huge impact on data subjects rights. Humongous!
If you lose a dead hard disk stored in a drawer for the last 3 years, that’s a data breach
If tapes go up in flames, that’s a data breach.
You have to determine a justifiable data retention policy. And then abide by it.
When the user asks for the data back you must provide it. If you lost it (and didn’t report), you’re in trouble.
If you decide on a loan, your client has the right to know your profiling algorithms.
Scope: An American company creating a user account for a Japanese guy is within the scope of GDPR (because he’s in Slovenia)
Data minimisation. Collect only the information you need. GDPR killed the big data star.
Privacy by design. Look at your software development lifecycle and include GDPR compliancy on the earliest of stages.
When things go wrong you’re in trouble. YOU MUST ABIDE BY THESE RULES!
I’m just the messenger. You don’t have to agree we me. You can even say it’s just #ProjectFear…
But in the end, “Talk to the hand, because the judge is not listening.”
January 2019
"You can not say Information Security and Android in the same sentence with a straight face."
Who agrees with this? … It’s OK if you don’t agree with me.
The real world example with an iOS app:
Can you spot "Informed consent" on this picture?
Let’s look at the same app, developed in Xamarin, a cross platform environment...
HOUSE RULE: If you have the latest version you can shut up now and the reason is twofold: You’re still irrelevant (belong to the 3%) and that didn’t addressed the root cause.
This was a company very conscious on data privacy, they handle personal identifiable information and personal health information and have been managing for the last decades and have a quite impressive system.
What went wrong?
Requesting consent while installing, not when required.
Either you accept all of these or you don’t use the app.
Even Microsoft Office apps on Android ask for access to your phone call log, SMS content, information on machines on your corporate network. And these are high profile apps. What about low-grade, dodgy looking junk apps. Everyone’s guess.
Access to data without even hacking is the Android de facto standard.
Low visibility on what it really means
Low granularity. Fixed on the latest version? Yeah right…
Average age of operating system version is… 3.5 years and that includes 80% of devices.
By 2022 you’ll still have +30% of devices built upon a GDPR non-complaint philoshopy.
Explanation on “CONSENT” was buried on the Terms & Conditions….
.... on the Terms & Conditions….
.... on the Terms & Conditions….
.... on the Terms & Conditions….
We must fix this...
… "with a great power comes a great responsibility."
This is one of the most important blogs home security
ReplyDeletethat I have seen, keep it up!
When i benefit your existing document. It might be top notch to examine everyone reveal with text throughout the coronary heart in conjunction with lucidity due to this vital difficulty may very well be easily viewed. idm crack
ReplyDeleteGreat slideshow, data backup solutions for small business are one of the major applications for information security policies.
ReplyDeleteThe accumulated onto your blog site despite the fact paying off acceptance just many tid little submits. Gratifying strategy for honest, I will be bookmarking before you start acquire merchandise realization spgs right in place. windows 8.1 activator
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteIm no expert, but I believe you just made an excellent point. You certainly fully understand what youre speaking about, and I can truly get behind that. keyword: idm crack
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteThis is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here keep up the good work idm crack
ReplyDeleteYes i am totally agreed with this article and i just want say that this article is very nice and very informative article.I will make sure to be reading your blog more. You made a good point but I can't help but wonder, what about the other side? !!!!!!Thanks latest pakistani news
ReplyDeleteHello! I simply would like to give you a huge thumbs up for your great information you have got here on this post. If you are facing cash app down problems then visit our website cash app customer service
ReplyDeleteHello My self fernando Halstead and i am from United states. If you have any problem with Garmin express visit our website and solve your problem. call us at - +1 844-902-0609
ReplyDeleteGarmin login
ReplyDeleteThanks for such a great post and the review, I am totally impressed! Keep stuff like this coming. Security Consulting
ReplyDeleteHey there! I simply would like to give you a big thumbs up for your great info you've got right here on this post. I'll be coming back to your web site for more soon.
ReplyDeleteLyrics of all the Hindi songs from movies and albums. In addition, we have the translations for these songs.
List are Here:
Song Lyrics
bollywood song lyrics
bhojpuri song lyrics
hindi song lyrics
haryanvi song lyrics
punjabi song lyrics
english song lyrics
ReplyDeleteI’m impressed, I have to admit. Rarely do I encounter a blog that’s both equally educative and amusing, and without a doubt, you have hit the nail on the head. Garmin express not working mac
The tone is so powerful and conceivable.
ReplyDeletenuclear explosion
Your style is very unique in comparison to other folks I've read stuff from. Thanks for posting when you've got the opportunity, Guess I will just book mark this blog. Roadrunner Email Settings
ReplyDelete