Monday, 2 May 2016

Infosec? What Country Is That?

In this comparative article, Alina Stancu, Marketing Coordinator at Titania, talks about the struggles of discussing information security to outsiders and the similarities she experiences discussing her country of origin, Romania. Alina joined Titania whilst completing her final year studying; Advertising, Marketing and Public Relations at the University of Worcester. Alina has since become a valued member of the marketing team and during her time at Titania has developed an enviable amount of knowledge about the industry and the importance of cyber security.

I am familiar with the pains of discussing information security with “outsiders”, thanks to my Romanian origins. Explaining my country to non-Romanians is not much different to talking to non-technical people about security. Everyone has a vague idea of what it is, everyone knows a couple of standard stereotypes (thank you, Hollywood!), everyone has some expectations of what its inhabitants should look like.

Note: All the questions below have been posed to the author at one point or another, by various friends, acquaintances, strangers on the bus. You always start the conversation with the premise that no one will know what you are talking about, so you must accommodate the interlocutor and provide some context about the information security industry, clarify it’s a self-standing profession, and not to be confused with the more generic IT-support.

Interlocutor 1: So, is Romania a part of Russia?

Alina: No. Part of the former eastern European communist bloc of countries, but that ended in 1989, with the revolution. We’ve been aboard a merry democratic transition ever since…

Interlocutor 1: Ah… so it was part of Russia?

Alina: No

Interlocutor 1: I don’t get it. Sorry, I wasn’t very good at Geography. To be honest I don’t know much about Romania. It’s one of those places that you know they exist, but you don’t really hear much about.

Alina: That’s ok. It wasn’t ever part of Russia. We have lost Moldova (which is occupied by Romanians) to Russia, but Romania was never assimilated.

Interlocutor 1: Is it civilised? Do you have normal amenities?

Alina: What’s a normal amenity?

Interlocutor 1: Don’t know… electricity?

Alina: Mhm. We kinda need it. For, you know, essential living arrangements… like heating, lightning, Internet. Don’t get me wrong, we like living in caves heated by fire, as much as the next guy, but once in a while the iPad runs out of power.


Then, the dialogue seems to get a little more on track as people start recalling some names, or stories they may have read in the news. Hacking stories are not necessarily the most high-profile, but they do manage to draw some interest, awe or fear. Hollywood does drive some form of cyber awareness, at least. Problem is Hollywood also has a knack for exaggerating.

Interlocutor 2: Ah! Romania… I remember… Ceausescu. And that vampire… Dracula, right? He was some kind of a leader or king in your country, wasn’t he? Was he really a vampire?

Alina: Leader, yes. Vampire, not quite. Hollywood hasn’t got a great track record with sticking to facts and accuracy.


Then follow the natural confusions between the bad guys (cyber criminals) and the good guys (ethical hackers). Changing the perception that not all hacking is bad hacking and explaining that there is an actual need for ethical hackers (or penetration testers) to use their knowledge for good is always a challenge.

Interlocutor 3: I read that there are lots of Romanians begging on streets, in many European countries. Doesn’t make your people look very good. You see them in the news. I have to say it is a bit worrying.

Alina: Only a small proportion of the ones reported in media are actually Romanian. However, semantics, misleading information and lack of interest result in a wide-spread confusion outside of Romania’s borders.

Altogether, we have good and bad just like anywhere else, but when you’re an immigrant, you get scrutinised under microscope. Social issues get magnified to suit political agenda, and you find yourself in a very generic box with the label “dangerous” attached to your forehead.


Next, you explain the language. The technological lexicon can put off even the most patient, well intended ear. Most of the lack of interest towards cybersecurity stems from the intrinsically discombobulating vernacular attached to the industry. All the while, the more popular siblings such as mobile apps, web clients, social media have entered the colloquial jargon thanks to necessary integration into people’s professional and social lives. You would be hard pressed today for example, to find people not knowing what Microsoft Office is, or how to operate Skype.

Interlocutor 4: What kind of language do you speak in your country?

Alina: Romanian

Interlocutor 4: Is it like Russian, Polish? It sounds a little like it.

Alina: Haha! More like Spanish and Italian rather. Romania is part of the countries speaking
Romance (or Latin) languages

Interlocutor 4: What did you say it’s called?

Alina: Romanian

Interlocutor 4: I don’t believe you.

Alina: …


Finally, gently break the expectancies of what the information security professional should look like. These particular stereotypes are a direct result of media portrayal of “geeks” as socially awkward people, mostly men (which in turn reflects the gender imbalance the industry deals with), that have little else in their lives aside from computers and gizmos. Is there any wonder that future generations may not want to be associated with these negative portrayals?

Interlocutor 5 (knowledgeable in ethnic physiognomy): I like Romanian girls. You don’t really look Romanian.

Alina: What does a Romanian look like?

Interlocutor 5: More blonde, with paler skin… I mean you obviously have a light skin, but you are not blonde, are you?

Alina: No. Neither is a large proportion of my co-nationals. But go on, what else should a Romanian look like?

Interlocutor 5: Don’t know, but they are usually very pretty. Alina leaves pondering over her national identity… and over her hair colour.


Much like a state, the information security industry has a different language, interesting people, its own pet hates, achievements, heroes and villains. That is not to say that it should remain marginalised and isolated from the rest of the society. Ignoring computer security is no longer a choice anyone can afford to make.
A country’s need for tourism, foreign policy and defence drives the national brand marketing. For an industry, bridging the communication gap means patience, cutting through the jargon and breaking stereotypes through education.

There is another problem that plagues the industry, and that is the “tired professional”. The IT professionals that after many years spent working with IT illiterates have got fed up with explaining and prefer to keep the strangers outside. Putting this in the same perspective of encountering people from all over the world, should you stop explaining to people where you come from just because they don’t know? Should they stop explaining to you about things you don’t know? Is there any point in harvesting knowledge, if it can’t be shared with others?

Credits goes to -

New England (and Connecticut in Particular) Showing PUC Leadership on Security

NARUC has been issuing cybersecurity guidance to the 50 US public utility commissions (PUCs) since 2010. And NASEO's been guiding other state government orgs.  California's PUC has been very active, showing leadership with its multiple publications on security and privacy. Until recently, PUC Texas had a true cybersecurity pro on staff.

But now I'm going to tell you about my part of the world: New England.  Last fall the organization that brings the six northeastern PUCs together, NECPUC, put out an RFP for security consulting for the six and some of their utilities. Won by EnergySec, I've heard only positive news about what that six month engagement has produced. In addition, the Massachusetts AG recently released an RFP seeking 3rd part evaluations of cybersecurity preparedness of the distribution companies serving the state.

Now comes this comprehensive, 30-page report this from Connecticut's Public Utilities Regulatory Authority (PURA): "Cybersecurity and Connecticut's Public Utilities," released earlier this week.  While giving credit to the two regulated electric utilities in its jurisdiction for doing a good job on cybersecurity so far, it also tackles head on key challenges and next steps, including:
Setting performance criteria (hmmm, sounds like measurement maybe)
Seeking concurrence regarding the role of regulators
Establishing consistent regulation
Identifying reporting goals and standards
Sharing information and best practices
Maintaining confidentiality of sensitive cyber information
Rethinking procedures for ensuring personnel security
Defining appropriate cost thresholds and cost recovery guidelines
Identifying effective training and situational exercises
Integrating public utility cyber issues into Connecticut's emergency management operations.
All good stuff.  However, the report notes that municipal utilities, while providing essential services, are not regulated by PURA. This is true across all 50 states and presents a massive power sector security regulatory blindspot.

Before the report wraps up, it presents regulators and other stakeholders with a few questions (in third person) to be asked about utility cyber preparations:
Do the leaders in the public utilities serving Connecticut and their boards pay appropriate attention to risk management in general and cyber as part of that challenge?
Do they have skilled personnel and necessary hardware and software? Are their budgets for cybersecurity adequate?
Do they train and keep up with the constantly evolving set of threats?
Do they run mock drills with outside assistance to test the strength of their deterrence?
Do they have access to outside consultants and experts to stay up to date and to fill in gaps not covered by their own personnel?
Are they active participants in trade association activities geared toward sharing best practices?
There's more to say, but you're better off reading the report in full when you have a chance.

Visit the real page here -

Seven Tips for Personal Online Security

Last year I wrote Seven Tips for Small Business Security, but recently I decided to write this new post with a different focus. I realized some small businesses are in some ways indistinguishable from individuals, such that advice for personal online security would be more appropriate for some small businesses. In other words, some businesses are scaled such that one or a few people are the entire business. In that spirit, I offer the following suggestions for individuals and these small businesses.

1. Protect your email. Email is the number one resource most of us possess, for three reasons. First, imagine that you forget your password to just about any Web site. How do you recover it? It's likely you request a password reset, and you get an email. Now, if you no longer control your email, an attacker can reset your passwords and take control of your Web accounts. How does an attacker know what accounts you own? That is answered by the second key to email: content. A quick check of your emails will reveal the organizations with which you do business. The content can also provide means to access other accounts. The third reason email is so critical is that it is essentially your online identity. An attacker can use your email to impersonate you and try to gain access to those that trust you.

So, how should you protect your email? I offer four recommendations. First, select a provider who gives you plenty of insight into how your account is used. Would you get an alert when someone logs into your account from a foreign country, for example? Second, select a provider who offers two-factor authentication. This means you can choose to log in with more than just a username and password. Third, select a provider who has experience with confronting and defeating intruders, and who takes actions to continuously improve their security. For consumers, I prefer Gmail. Of course, I am not of fan of being monetized by Alphabet and Google, but the trade-off is worth it for most of us.

My last recommendation is to limit what you store in email. Don't transmit or store sensitive information, like your personally identifiable information (Social Security number, etc.), in your email. As a thought experiment, imagine what it would look like to have your email published online. What would be the consequences? Try to address those concerns by removing such content from your email.

2. If you don't need it, delete it. This general rule applies to applications and data. If you don't need Java or Flash or other applications on your PC, phone, or tablet, remove them. The less software on your device, the better. For data, be judicious about what you store in digital form. Anything stored on a device or in the cloud can be read, copied, changed, or deleted by an attacker. My post “If you can’t protect it, don’t collect it” offers more on this topic.

3. Patch the software you keep. If you use Windows, run a modern version such as Windows 7 or newer, and install patches regularly, for the operating system and applications. On Windows it can be tough to identify just what needs to be updated. A free tool that can help is SUMo, the Software Update Monitor. Download the "lite" version and run it to see what needs to be updated. Pay attention to applications from Adobe, like Flash, Reader, and such. Remember tip 2!

4. Run a modern Web browser. For general consumers, the best Web browser in my opinion is Google Chrome. Make sure it is set to auto-update so you are running the latest version. Install an ad-blocker like Adblock Plus.

5. Back up your data. Research and implement a way to back up the data on your devices. This can be a complicated issue. For example, you may keep sensitive data on your laptop or PC, and you fear putting it in the cloud. One way to address that concern is to store that data in encrypted form on your laptop or PC, such that when it is stored in the cloud it is also encrypted.

Some may argue that certain cloud providers will encrypt your data for you, so why encrypt it locally first? My answer: if an attacker gains access to your cloud backup username and password, he can access your cloud backup provider and download your data, regardless of whether the cloud provider encrypts it or not. If the attacker finds your most sensitive data encrypted within the cloud backup, that means he needs to beat the encryption you applied on your own. Like all the measures in this post, nothing is foolproof. However, introducing challenges to the adversary is the key to security.

Furthermore, don't confuse cloud storage with backup. If you store data in Google Drive, or other locations, don't consider that a backup. I recommend adding a real backup provider to your configuration.

On a related note, enable full-device encryption on devices you are likely to lose. This applies most likely to your phone and tablet. The danger you are trying to mitigate here is physical loss or theft of your device. Be sure you enable a numeric pin such that a thief can't simply log into your lost or stolen device. I am also a fan of services that let you remotely locate your lost or stolen device, such that you can either find them or wipe them at a distance.

6. Buy Apple phones and tablets and keep them up-to-date. This looks like a blatant advertisement for Apple, but I promise you I am not an Apple fan boy. The fact of the matter is that Apple iPhones and iPads, when running the latest versions of the iOS software, provide the best combination of features and security available to the general consumer. They are easiest to operate and to update. Updating iOS and the installed apps is exceptionally easy. Furthermore, the best metric we have regarding software security shows that exploits for iOS devices cost far more than other software or platforms. This means it is tougher for intruders to break into devices running iOS.

7. Consider a password manager, but not for every Web site. Nothing is (or should be) absolute in security. Password managers are applications that assist users with storing, supplying, and even generating usernames and passwords for Web sites and other applications. They are an improvement over using the same username and password at multiple Web sites. However, when using a password manager, you run the risk of a flaw in that manager being used by an attacker to access your username and passwords! It sounds like a tough situation, but in general the benefits of the password manager outweigh the risks. If you choose a password manager, select one that offers two factor authentication, such that accessing your usernames and passwords requires you to enter a numeric code. Also, don't put your most sensitive accounts in the manager. For example, in deference to point 1, don't store your email username and password in the manager.

Bonus: Be vigilant. Wherever you can introduce alerts about how your accounts and data are being used, enable them. For example, does your credit card offer the option to email you when a purchase is made? Perhaps you only care about overseas purchases, or purchases above a certain amount, or at gas stations. The point is to put your service providers to work for you, such that they give you information that informs your security posture. If you learn of a suspicious event and react in time, you can potentially limit or eliminate the damage through swift personal response.

There are many other considerations for individuals, especially with respect to resisting targeted attacks. I didn't address resisting social engineering, phishing, and the like, but I believe that is well-covered elsewhere. To counter the general opportunistic attacker, these are the steps I would recommend to individuals and small businesses.

Go here -