Apr 12, 2020

COVID-19: Making sense of cybersecurity for home workers

(Photo by Ali Yahya on Unsplash)

Countermeasures against COVID-19 infection have changed the way we work and communicate. Everyone who can work from home is advised or forced to do so. Some are experienced remote workers, but many are working out of the office for weeks or months in a row for the first time.

Many (if not all) cybersecurity companies and authorities are publishing remote working security guidelines. Despite good advice and intentions, in my opinion many miss the point, at least from the point of view of a large organization where employees use company-managed devices.

The advice I've seen typically mixes several target audiences: IT departments, remote workers in general, remote workers stuck at home and even individuals using personal devices. It may be difficult to figure out what is the home worker's responsibility.

Here's what is special about remote working currently:
  • People are working at home - not at cafes, libraries or other public spaces.
  • The whole family is working at home, kids included.
  • Everyone is worried about bigger issues than cybersecurity: the health of their family, job security, money, etc.
  • Everyone is extra stressed because of social distancing and lockdowns.

The following advice is given from a typical large organization's point of view, where remote workers use company-provided devices and software and have a professional IT team supporting them.

Do NOT worry about:
  • The security of your company-provided devices. It's the responsibility of the IT team to make sure that devices, network connections and access to applications are secure: encrypted hard disk, VPN access to the company network, strong authentication, anti-malware software in place and all software up to date.
  • How the security of your home network may affect remote work. It's good to change the default password of your home Wi-Fi access point and check the device configuration in order to protect your home. However, your company devices should be protected regardless of your home network; after all, they are configured to allow access from random cafes too.
  • Absolute confidentiality of work-related matters. In reality there may be several family members at home working around the same kitchen table. Do your best and try to find a private corner for the most confidential discussions, but don't stress too much about it.

What you CAN do to protect work-related confidential information and the company network:
  • Follow the company guidelines. Each company may have some special requirements depending on the work and the selected tools. Make sure to follow internal communications and act accordingly.
  • Use and protect the company device. Keep your company device to yourself and lock the screen when not in use. Sorry, but you need to get personal devices for your own and your family's leisure use.
  • Keep the data on the company network or device. Use only your company-provided device and file/document storage to store data. If you must handle printed material, make sure to destroy it later in accordance with your company guidelines.
  • Keep your passwords to yourself. Nobody - and I mean nobody - should ask for or get your password. Not even your trusted IT team or service desk. Do not reuse your company password in services which are not work-related.
  • Think (extra carefully) before you click. Use your common sense when receiving surprising or suspicious emails or other messages. Do not open attachments or links without checking their authenticity. Criminals are busy trying to profit from fear and uncertainty. Phishing and scams are now more common.
  • Ask for help. If you are unsure what to do, see something suspicious or accidentally click a phishing link, contact your organization's service desk or IT support. Better safe than sorry.

In these extraordinary times organizations should take as much of the cybersecurity burden off employees as they can. Following the simple advice above, the users are the strong link of security, while the other strong link must be your IT team, which takes care of technical protection.

Note that if employees' own devices are allowed to access the company network and confidential data, then a totally new can of worms is opened. I don't want to go there now. Good luck.

Take care and stay safe!


Jul 19, 2019

Book recommendations for CSOs and CISOs

I read 20-30 books per year. I've been keeping track of my reading on my website since I started experimenting with HTML (I needed some reason to update the content regularly). Lately I've been using Goodreads as well. I read to keep myself up to date professionally. That means topics from security, risk management, business and leadership. When I need something more relaxing, I turn mostly to sci-fi, fantasy or crime.

I went through my list and decided to give some book recommendations for Chief Security Officers and Chief Information Security Officers. We all need more to read, right? I first tried to keep the list short at 10 books, but quickly realized that was too hard and settled on 15 recommendations.

So, here you are, 15 great books I recommend.

🌟Security Engineering by Ross Anderson 

Probably the best security book ever; it should be found on every security professional's bookshelf. The book covers security broadly, including not only technical security but also topics like psychology and economics. The first and second editions are available online and Anderson is currently writing the third edition.

🌟Thinking, Fast and Slow by Daniel Kahneman 

Nowadays it's more and more understood that good security solutions must take human behavior into account. Unusable security guidelines are disregarded and bad solutions are circumvented. Kahneman's book thoroughly explains human biases and behavior. It also helps a CSO/CISO to understand what may affect their own decision making and how to better influence others. If Kahneman feels a bit too heavy, try first Dan Ariely's Predictably Irrational, The Upside of Irrationality and The (Honest) Truth About Dishonesty.

🌟Unsecurity by Evan Francen 

After working a couple of decades as a security professional, one starts to wonder why the same problems exist year after year and the general information security level seems to decrease instead of improving. The increasing complexity of the digital world is of course one reason, but the security industry and profession have also failed in many areas. Francen's book nicely summarizes what's wrong with information security.


We are choking on information, data, statistics and infographics. All of this can be presented - accidentally or on purpose - in a misleading way. Skills to navigate through all the figures, tables and graphics are critical, as is the ability to evaluate their trustworthiness. As Levitin says in his book: there are not two sides to a story when one side is a lie.

🌟Geekonomics, The Real Cost of Insecure Software by David Rice 

Software is running the world and code is law, as Lawrence Lessig has famously said. We tend to concentrate too much on devices and networks when protecting the digital world. We must focus more on software, applications and code. Rice's book is about the software industry and the reasons why we have so much bad software. It's also good to check out Gary McGraw's classic Software Security: Building Security In.


An excellent and rare inside look at how the board of a large, global company works. Useful for CSOs and CISOs who are working with executive teams and boards, and interesting to everyone. Siilasmaa coined the term paranoid optimism, which means combining vigilance and a healthy dose of realistic fear with a positive, forward-looking outlook, expressed via scenario-based thinking.

🌟Team of Teams: New Rules of Engagement for a Complex World by Stanley McChrystal

Organizations want to be agile and move from hierarchical structures to networked models where employees and teams get more autonomy. Modern communication tools, networks and data enable that, but not without leaders' deliberate efforts to allow and nurture decision making at all levels. McChrystal writes about his experience of how a traditional, hierarchical military organization was changed into a network of empowered individuals and teams.

🌟Factfulness: Ten Reasons We're Wrong About The World - And Why Things Are Better Than You Think by Hans Rosling

Rosling explains why our world view is mostly wrong and how to avoid common misconceptions. When thinking of poverty, education, population growth, income, life expectancy, etc., the world is a much better place than generally thought. Even highly educated people, business leaders and decision makers often don't understand what the world is like today - neither did I.


A startup can be defined as a human institution designed to create a new product or service under conditions of extreme uncertainty. A startup can also be part of a large organization, not only a new, small company. The book explains the Build → Measure → Learn loop and how to minimize the total time through this feedback loop. Today almost everything imaginable can be built (with enough time, money and other resources), so the question today is not whether it can be done, but whether it should be done. There's also a bestseller, This Is Lean by Modig & Åhlström.

🌟Homo Deus: A Brief History of Tomorrow by Yuval Noah Harari

Homo Deus is an amazing look at human history and at predictions of the future of human evolution with algorithms, robotics and artificial intelligence. I would also recommend reading Harari's Sapiens to put the current state of the world in perspective and 21 Lessons for the 21st Century for today's challenges.

Most of Schneier's books are good. For here I picked Outliers, since it gives a thorough look at trust and what makes us trustworthy. The role of trust is increasingly important in our digital environment - organizations, products, applications and services can't succeed without employees, customers and citizens trusting them. An interesting claim in the book was that some level of rule-breaking is needed in society; without it, innovation and social progress become impossible. Schneier's latest, Click Here to Kill Everybody, is a good read about Internet of Things challenges.

🌟How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen

It's a common argument that security cannot be measured properly, hence we have lots of qualitative metrics instead of quantitative ones. Hubbard argues that anything can be measured, security and cybersecurity included. Good reading to understand how statistical models can help measure security status from raw data. The Failure of Risk Management is another of Hubbard's books worth reading.



So much is written about US NSA surveillance methods that it's refreshing to have a look at what Russia is doing. The book documents the history of Russia's surveillance system development. It starts from the pre-Internet era, explains how the SORM system was developed, describes Russia's attempts to change Internet governance via ITU and ICANN, documents the Sochi Olympics surveillance efforts and doesn't forget the story of Snowden getting asylum in Russia.


If you have been in the business long enough, you may remember CarderPlanet and the Russian Business Network. It's useful to read a bit about criminals and the law officers trying to catch them, especially because Menn tells the story from the perspective of the good guys.

🌟The Adventures of an IT Leader by Robert D. Austin, Shannon O'Donnell and Richard L. Nolan

This is a fictional story where a business manager is appointed as the new CIO of the company. Since he doesn't have any ICT background, he needs to learn how everything works and how he can keep track of ICT functionality and business requirements. Useful from a security management point of view to read how a new CIO gradually finds ways to better communication and metrics. Also, the biggest challenge the fresh CIO faces is a serious security incident.

Many great books were left out, so you'd better check my site or Goodreads, where I have more books with ratings. My ratings are of course time-bound: how I've rated a book depended on my knowledge, skills and interest at the time of reading. Goodreads also creates nice yearly statistics.

Happy reading and let me know what I should read (or nowadays also listen) next.

Feb 3, 2018

What, me hacker?

I spent week 4 of 2018 on EC-Council Certified Ethical Hacker (CEH) training. After over 13 years in a CSO position, looking at corporate security mostly from a governance and risk management perspective, this may not be the most obvious choice. Let me explain.

Last spring the Finnish Information Security Association awarded me CISO of the Year 2017. As if the honor weren't enough, I also got a free place on a CEH course (sponsored by Arrow ECS). I postponed the opportunity for nine months, but decided to attend the training now before the offer expired. The course's normal price is 3,500€ after all.

I haven't been on a full week's training in ages. I think the previous time was in 2011, when I attended SABSA security architecture training. By the way, I got my first security certification, CISSP, 20 years ago: I attended the first ever CISSP training held in Finland in 1998.

It certainly was an interesting (and tiring) week. A huge amount of information and loads of hacking/auditing/pentesting tools, not to mention hands-on labs. The courseware had about 1800 slides and 20 hours' worth of labs. The instructor presented maybe one third of the slides at a quick pace, pointing out the most important stuff. The material was from 2015 and therefore a bit outdated, but the instructor filled in the gaps. The expectation was that after a nine-to-five day in the classroom, students would continue studying and doing labs at home in the evening. I spent an hour or two every evening browsing through the day's material and did some labs.

The following topics were covered:

  • Introduction to Ethical Hacking
  • Footprinting and Reconnaissance
  • Scanning Networks
  • Enumeration
  • System Hacking
  • Malware Threats
  • Sniffing
  • Social Engineering
  • Session Hijacking
  • Hacking Webservers
  • Hacking Web Applications
  • SQL Injection
  • Hacking Wireless Networks
  • Hacking Mobile Platforms
  • Evading IDS, Firewalls, and Honeypots
  • Cryptography

I was surprised at how well I still remembered network protocols, attack methods and basic auditing tools. It's after all over 15 years since my consultancy days and more than 20 since I knew Unix security inside out. Of course, I follow information security threats, trends and technology closely all the time. Security expertise requires lifelong learning.


I expected the course to emphasize ethical questions more. It's CEH, not CH, right? The ethics of hacking were discussed briefly a few times, but not as thoroughly as one would have expected. The CEH code of ethics can be found here.

At the end of the week we had an opportunity to take the certification test. You have 4 hours to answer 125 multiple-choice questions and have to get 75% correct in order to pass. Here's a site where you can test your skills, if you will. Whatever certification test you are taking, I've found that practice tests are a very useful way to prepare yourself. You need to set your brain into the right mode and understand how you are expected to answer.

I finished the certification test in 1.5 hours and passed with a score of 93.6%. So, I'm a Certified Ethical Hacker now :-)

Don't worry. I'm not going after bug bounties. I'm leaving that to those with real hands-on skills. I had a fun week, though, and have even more respect for white-hat hackers who help organizations via bug bounty programs or responsible vulnerability disclosure.

However, next time I'm hiring a security auditor, a CEH certificate is not enough to impress me :-)


Dec 30, 2017

Information security state of the play

It's that time of the year again when information security predictions start pouring in. Many, if not most, of them are pretty uninteresting, since the world doesn't magically change with the new year. Predictions are also all over the place, depending on who made them and what they are selling.

My favorite is the Information Security Forum's Threat Report, which is updated yearly and looks two years ahead. The report is mostly intended for business leaders and information security leaders (CSO, CRO, CISO - depending on your organization). I especially like that it's created by studying available research, interviewing experts and running several member workshops to discuss changes seen and expected in member organizations. The Executive Summary is available for download; the whole 50+ page report is for members only. (Full disclosure: I'm a member of the ISF Executive Board.)

Instead of making my own predictions - as if my 2010 predictions would need an update - I'm presenting how I see the current status of information security. By the way, in my vocabulary information security covers IT security, cyber security and digital security, if you fancy those terms.

User is not the weakest link

We humans are not rational decision makers who analyze pros and cons thoroughly. We mostly try to manage through the day (and IT challenges) with minimum effort, have lots of biases and are clever enough to get around (security) obstacles. It seems that IT systems and applications are often not built for humans. Since artificial intelligence is not here quite yet, we still need to consider users as part of the solution and build people-friendly systems. Hence, I like the design thinking and service design approaches - if only information security were considered in those workshops.

Regular information security awareness training is required in order to promote secure behavior and build a good security culture. We don't want our users to be clueless either. Also, I would recommend that security practitioners study behavioral economics and psychology.

Most of the information security is a byproduct of good IT governance

When you know and manage your IT assets properly and have basic information security tools and processes in place, you are in pretty good shape already. Have a good architecture, know your assets, make proper installations, have a rigorous change management process, make (and test) backups, patch your systems and keep user accounts up to date. You certainly need some security tools and processes: antivirus, firewalls, and log collection and analysis for starters.

On top of that there is no end of additional security tools and services which you may consider based on your threat and risk estimate. You have to know what you are protecting and against whom, right?

Most organizations still have lots to do with these basics. It's hard to protect something you don't know about.

Information security is too important to be left just to information security experts

You may have started wondering where information security specialists are needed. Indeed, the basics shouldn't need any infosec experts. Architects, sysadmins and network admins worth their salt can manage most of it. Firewalls and VPNs are just network components; antivirus and log management are something any sysadmin can handle.

Information security specialists could be hired to promote security, evaluate risks, help with the trickiest cases, tackle the challenges of new technology and keep management aware of the information security status. Remember, however, that it's not the CISO or information security experts who secure the organization. Information security is part of everyone's daily work.

Many organizations have hired just one information security expert, called them CISO, and expect them to understand all of information security. That's impossible. Information security covers everything from cryptography to secure architecture to enterprise risk management. You can't expect one poor person to handle all of it. Think about the categories: manage - design - implement - evaluate. Different roles and skills are needed.

Evaluate your service providers' information security promise and capabilities

More and more ICT is acquired from different service or cloud providers. From an information security perspective this is usually a good thing, since good security is the lifeblood of most service providers. You need to verify, though. Ask service providers to prove their capabilities. Security certifications, audit reports and a documented security promise for the service are a good start for evaluation.

Don't forget to have information security in the contracts as well. I recommend having your own security contract template ready and starting negotiations with it. Be flexible, though. Usually it's better to allow the service provider to follow its own standards and processes - just check that those are good enough for you. It's difficult to change a service provider's processes - exceptions tend to be forgotten.

Go ahead with new technology, but understand your risks

There's a lot of technology innovation going on and of course business wants to follow, trying out innovative ways to make use of new, often immature technology. However, the sad truth is that innovation in information security tools and products has been, and is, falling behind.

Business may and should innovate, but at the same time we need to understand the possibility of increased risk. New business models and plans making use of new technology, cloud and apps simply have to consider information security risks. Crash test dummies have a very limited use in organizations.

An old infosec dog is learning new tricks - constantly

I regularly see articles and posts demanding that information security experts stop being naysayers. I wonder where they have found those old-school security guys who deny everything. In my (fairly wide) circles all my colleagues have been business-oriented and forward-looking for years. Maybe it's time for some business people to see the light and be more open-minded about security-enhancing suggestions? Information security is about enabling business and managing risk.

Business buzzwords like agile, cloud, devops, experimentation, big data, design thinking, API-driven business and machine learning mean that there's no rest for information security experts either. We information security professionals must adapt to agility, insecurity, risk tolerance, openness, a user-oriented approach and continuous change.

In fact, information security practitioners should embrace new technology and trends. Think about how to use them for better security instead of trying to delay the inevitable.

It's software, stupid

Everything is running on software, from critical infrastructure to cars and mobile phones. I'm amazed at how weak the understanding of secure software development still is. It seems that many organizations are still relying on external audits after their software has been developed. Fixing bugs in production is 100x more expensive than in the planning phase. This is an age-old software development truth, but apparently not much cared about. If you don't think about security requirements already when sketching your software, you may burn your fingers sooner or later.

Don't forget to demand secure software from your vendors too - ask for evidence.

CISO on the board - not just yet

There is more and more noise about bringing information security expertise onto the company board or management team. Most of the noise is coming from the infosec people, of course. In my experience there are very few - shall I say forerunner - organizations which have raised the information security leader to top management.

In my mind, being on the board is not mandatory in order to succeed as an information security leader. But it is mandatory to have regular dialogue with top management and the business. Being at most one hop away from the CEO in the organizational structure is ideal.

Organizational hierarchy is not the key issue. It's critical that top management shows its commitment to information security and that the information security leader has regular access to top management. I believe that the information security leader's most important job is to keep the board and management team aware of the information security status, risks and risk mitigation possibilities.

Good luck with 2018 and beyond

The current environment is very complex, with new technology, massive amounts of software and global connections. It's difficult - if not impossible - to understand and therefore also extremely hard to protect. Information security standards help, and regulation forces us to implement the security baseline. Let's make information security great again with good IT management, risk assessments, user focus, vendor evaluations, secure software development, constant learning and real commitment from top management.

Jan 6, 2016

Threat Cloud 2016

It's time to check again what a word cloud would reveal from different security predictions without reading the actual predictions. There are tons of (cyber) security predictions available from different organizations. I'm using the predictions from the same organizations I used for the 2014 and 2015 word clouds in order to see the changes better: FireEye, Fortinet, Information Security Forum, Kaspersky, Microsoft, Sophos, Symantec, Trend Micro, WatchGuard and Websense.

The first word cloud is from the combined text of all predictions.



What's the conclusion from that? Mostly attacks against devices and data? It doesn't seem to differ much from last year. One change at least is that the word mobile is not visible as it was last year, but Apple is.

The second was created using only the headlines from each prediction paper.



Not much change. It's a bit clearer that the predictions included ransomware.

Some companies use "funny" headlines for their predictions (even a Star Wars theme) which didn't make sense without reading the full text. Some predictions were even positive (!), but since most were about threats I didn't bother to distinguish between them.

So, in summary, 2016 is predicted to bring us attacks against devices (IoT) and more malware taking victims' data hostage, and Apple is expected to be a target.

Of course a word cloud brings out only the common themes, and lots of interesting threats are missed unless you actually read the papers. The problem is that I find many predictions biased, and threats are all over the place depending on who is making the predictions (and what solutions they are selling). I really would like to see a study analyzing different prediction papers and the connections between threats and the companies predicting them. Maybe even a study analyzing past predictions and their accuracy.
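The counting step behind the clouds above, as an added example that is not part of the original post: it tokenizes a set of prediction texts, drops common stopwords, counts the remaining theme words and compares two years, so that words which appeared or disappeared (the mobile-versus-Apple observation above) come out as a list instead of having to be eyeballed from two images. The prediction lines are constructed samples, not quotes from any of the vendor papers named above, and the stopword list is a minimal one chosen for this example.

```python
import re
from collections import Counter

# Constructed sample texts standing in for two years of prediction papers.
# These are NOT quotes from any vendor's report; they exist only so the
# script runs offline and shows the method.
PREDICTIONS_2015 = [
    "Mobile malware will target banking apps on Android devices.",
    "Attackers will steal data from mobile devices and cloud services.",
    "Ransomware will encrypt data on home and business devices.",
]
PREDICTIONS_2016 = [
    "Ransomware will hold data hostage on connected devices (IoT).",
    "Apple devices will become a more attractive target for malware.",
    "Attackers will target data stored on IoT devices and Apple products.",
]

# Common English words that carry no theme; a word cloud drops these too.
# Minimal list chosen for this example, not a standard stopword set.
STOPWORDS = {
    "a", "an", "and", "are", "as", "at", "be", "become", "for", "from", "in",
    "is", "it", "more", "of", "on", "or", "that", "the", "to", "will", "with",
}


def tokenize(text):
    """Lower-case the text and return alphabetic tokens, dropping stopwords."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS]


def term_frequencies(texts):
    """Count theme words across a list of texts (one paper or headline each)."""
    counts = Counter()
    for text in texts:
        counts.update(tokenize(text))
    return counts


def top_terms(freqs, n=5):
    """Return the n most frequent terms as (term, count) pairs; ties sorted by term."""
    return sorted(freqs.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def term_changes(previous, current, min_count=2):
    """Terms prominent this year but absent last year, and the reverse.

    min_count plays the role of the size cut-off a word cloud applies when it
    decides which words are big enough to show at all.
    """
    prev_prominent = {t for t, c in previous.items() if c >= min_count}
    curr_prominent = {t for t, c in current.items() if c >= min_count}
    new_terms = sorted(curr_prominent - prev_prominent)
    gone_terms = sorted(prev_prominent - curr_prominent)
    return new_terms, gone_terms


if __name__ == "__main__":
    f2015 = term_frequencies(PREDICTIONS_2015)
    f2016 = term_frequencies(PREDICTIONS_2016)
    print("2015 top terms:", top_terms(f2015))
    print("2016 top terms:", top_terms(f2016))
    new, gone = term_changes(f2015, f2016)
    print("new in 2016:", new)
    print("gone since 2015:", gone)
```

The same functions work on headlines only or on full text; feeding them one list per year is enough to reproduce both clouds as frequency tables, and the year-over-year difference is what the post reads off the images by eye.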

My favorite threat predictions come from the ISF; they are gathered from its members and analyzed by the ISF team. I must say that I'm biased here, since I'm sitting on the ISF Executive Board. I favored ISF predictions even before that, though.

The ISF Threat Horizon 2017 executive summary is available for download; the full paper is free for members only. Here are the headlines for your convenience.



I advise you not to focus too much on threats and media headlines. Threat info just adds some spice to your daily security work.