Extending the Perimeter



Posted in Uncategorized | Leave a comment

FireEye Technical Briefing 19th March 2015 part 2


Posted in Uncategorized | Leave a comment

FireEye Technical Briefing 19th March 2015 part 1



Posted in Uncategorized | Leave a comment

SC magazine best security team finalists



Posted in Uncategorized | Leave a comment

I’m moving

I’ve finally got round to setting this blog up at my actual URL –


All historical posts have been moved there, and that will be the home of all future posts.

I have been looking at ways of separating out sport and IT / security posts into two separate blogs on the same site, however despite UK2 assuring me this was possible with their normal hosting package, it transpires that I would need to invest about three times as much per month to have their business package in order to be able to host two personal blogs.. The search continues, but I will be setting up clearer tagging and some links at the top of the home page to take you directly to content of interest.

The site is still a bit of a work in progress so the appearance and links may change a bit over the next few weeks.

Looking forward to seeing you there!


Posted in Uncategorized | Leave a comment

Training update 1..

Well I’ll obviously have to think of some more catchy titles for training related posts than 1..2..3.. but that will do for now. (ideas welcome!)

So I said I’d be posting these under the training page, however it seems WordPress doesn’t really like that idea and wants to just dump everything on the home page so we’ll just use category tags for now. There does appear to be come ways to change this by adding code to the pages / posts so I will probably look into this at some point, although it’s not exactly high on my agenda of interesting things to be getting on with!

Recent progress includes completing the foundation course at Crossfit Antaeus (http://crossfitantaeus.com/) and beginning to work more on cleans and false grip. False grip is a gymnastics inspired way of holding rings / the bar that makes the transition from chin up to dip more feasible in order to do muscle ups – they will be next on the list once I have mastered the grip.

Double unders continue to elude me in any real form – I can do one, then a few singles, then one and so on. I’ll no doubt get there soon.

Motivation is currently very high, and progress is in reality good although it is easy to get frustrated as I know where I want to get to and want to get there now. I have to keep reminding myself I have an 18 month to 2 year plan, not a 3 month plan!

In terms of gym, I can’t speak highly enough of Antaeus and Matt the head coach – he is an excellent coach and annoyingly good at all the technical movements.

This week has included, power and squat cleans, thrusters, skipping, rowing, kettle bells, push press, false grip chins, ring dips and squats amongst other things. In terms of strength I have dropped in a lot more low rep work so much of my squatting is 5 rep sets, and we also tend to do one or two 1 rep max sessions a week as well. This is great and a real departure from the approximately 10 reps per set for everything rut I was in before.

Tonights WOD was Elizabeth, first time I have done that one, and second set of cleans this week.. Took 11.32 which is pretty poor, but lots of room to improve once I get my clean act together. Luckily dips are easy so provided some respite! (Elizabeth = 21, 15, 9 reps of 60kg squat clean and ring dips. Shredded hands are an added bonus!)

I want to cover of diet in some detail as well, but I’m at the gym again in the morning so it’s time for bed!

Read this today which amused me;
Basically work hard and don’t be lazy :)


Posted in Crossfit | Tagged , , , | Leave a comment

Security Awareness Training – Worthwhile?

One of the topics that I sometimes think about is the value of security awareness training.

This tends to be a topic that many people in the security industry seem fairly passionate about, either for or against the value of it.
Vendors of software / programs such as Wombat, PhishMe, SANS etc. are all very pro user awareness training and regular programs to raise security awareness.
Conversely companies who sell products and not training are likely to strongly advise security budget is spent on tools rather than awareness training. To renforce this point at RSA Europe last year I actually asked a couple of senior RSA guys about the value of awareness training when they did a presentation around improving security and where to spend, and was told somewhat strongly that awareness training was basically a waste of time.

So the question is who is right, or do both sides have a fair point?

On the for side – how can users be expected to act securely and know how to act securely without some training? People need to learn and understand how to spot phishing emails, why it is bad to send anything non public externally without it being encrypted, why stronga and unique passwords should be used, how to spot social engineering etc. Security awareness training and campaigns can serve a dual purpose –
– Ensure users learn more about security for both their work and home IT / online lives
– Raise general awareness – a continual program of advice and varied messages keep general security and secure methods of working on peoples minds – this should not be a once a year process.
Any increase in security awareness and reduction in the attack surface that is the human user must be a good thing right?

On the against side – what is the most effective way to spend a limited security budget? Does spending budget on training offer the sam improvement in overall security as say adding a further layer to the defence in depth strategy or hiring extra dedicated IT security personel? Even with training a significant number of users will stil click the link in a phishing email or give out details they shouldn’t to a social engineer, so you still need all the other defences, both technical and personel even if an extensive security awareness program is undertaken.
– Users will always be a large security risk, so it’s best to treat them and their actions as untrusted and create a security posture accordingly.

So which side is right? I think to a large extent they both are. Depending on which report you read, something like 60-80% of all APT (Advanced Persistent Threat) attacks are initiated via social engineering – e.g. getting a user to do something for the attacker. So the most insidious attacks that are very difficult to detect and currently being used by the security industry as the driver for selling new security tools tend to start with the user. Then surely reducing the chances someone will succumb to social engineering much be a good thing? Yes you’ll never get to 100%, but then no actual security device ever detects or prevents 100% of attacks. So why do security tool vendors not like awareness training? Likely money and profits.

A balanced approach is key, understand the environment and threat landscape your company operates in and create a holistic security program encompassing the necessary tools, skilled security personal and user awareness training.

So, how can awareness training be made as effective as possible? Along with mixed and continuous messages and taking the time to make security part of the culture, the key thing is to get the message to people and make them want to take it on board. I think there are two components to make this successful;
– Fear – not with lies or exaggeration, but highlight real stories, as especially stories that people will relate to so think Playstation and Bank / online shopping hacks.
– Make it relevant – Link the secure ways of working to peoples home lives so highlight how they can be secure online, not fall for scams, use social sites as safely as possible, shop safely etc.

To conclude my opinion is that security awareness training does add real value and should be part of any security program. It does not however replace in anyway the need for a strong defence in depth strategy aligned to your business and threat landscape. What do you think?


Posted in Security | Tagged , , , , , , | Leave a comment