Archived news and comment from 2013.

Please note: Because this is an archive of articles published on the BladeSec IA website in 2013, not all links may work.

Comment: 2013/12/31 - Worst security film in the world - ever.
Here at Birnie Towers, we generally watch a horror film in the lead-up to the bells. (After this, it has to be the ceilidh on BBC Alba - but that's not the point.) My son had wanted to see The Purge when it was in the cinema.

Despite the fact that it was set slightly in the future, (and indeed ignoring the fact that it wasn't real), it really was a step too far. It showed a number of fundamental security flaws that designers of computer server rooms, datacenters and other sensitive areas wouldn't make. (A single security layer? No sacrificial protection? No option for retaliation? [Sorry - that one's for network designers]). It also didn't help that they broke so many of the rules for surviving horror films.

Happy New Year!

Comment: 2013/12/25 - Merry Christmas!
From everybody at BladeSec IA.

Comment: 2013/11/06 - Hallowe'en Security.
This is scary. But I can't help thinking that it's just a Hallowe'en joke.

News: 2013/10/11 - The Scottish Local Authority Security Group.
Yesterday, BladeSec IA (along with colleagues from The Sopra Group and Pen Test Partners) attended a meeting of The Scottish Local Authority Security Group.

Ten years ago, BladeSec IA director, Owen Birnie, took over the inaugural chair of the group from Tony McNair, at CoSLA. The group was in its infancy, but despite the bumpy ride, it went to show that there was strength in numbers and benefits in collaboration. The fact that the group has gone from strength to strength is a testament to the way it has been run, and to the on-going usefulness of the forum.

Following his defection to CLAS, Owen always wanted to go back to present to the group, so being given the opportunity to field questions about politics, network design, the Public Sector Network, Windows Mobile, security in Apple products, Government Security Classifications and a whole myriad of other topics made it better than a day in the office. It was even better to catch up with old friends and colleagues - some of whom had not been seen for a number of years. In truth, Owen cannot help thinking that the consultants got away very, very lightly!

It was a thoroughly enjoyable day, and BladeSec IA would like to express their thanks to the current Chair, Paul Dick of Perth & Kinross Council, Andy Lawson of Aberdeenshire Council for hosting it, Steph Dawson of The Sopra Group, Neil Boyd and Tom Roberts of Pen Test Partners.

Comment: 2013/09/24 - Mobile worlds.
Google knows the password to your wireless network. This is scary when combined with the large-scale data vacuum that the Google cars undertook.

Apple TouchID has been broken within nine days. It's been ten years since I did a talk on biometrics. Back then, under perfect conditions fingerprint biometrics worked 98% of the time. In less than ideal conditions, it quickly dropped to 60% or even less. Seems things may not have improved.

News: 2013/09/09 - BladeSec IA Specialised Risk Briefing.
BladeSec IA are pleased to announce that they will shortly be undertaking a series of specialised risk briefings - with a difference. E-mail events@BladeSecIA.com to be kept up to date.

News: 2013/09/07 - Egress Switch.
I became a fan of Egress Switch rather unexpectedly. I had never heard of it, but my accountant used it to send my approved accounts back to me last year. At first, I was a bit reluctant to register to use it, but as I picked over the website, there were a number of things that were familiar to me in my day job, that gave me reassurance in my personal life.

As things have moved on, I've deployed Egress Switch in a couple of places. I like the assurance that the company gives me regarding the product. Things such as the fact that it was certified under the legacy CCTM and is currently under evaluation with the CPA go a long way in government circles.

I keep encountering Egress in the most unexpected places. Indeed, one of my colleagues has suggested that as government moves more and more on-line, products like Egress Switch will be the best delivery mechanism to get secure material to the citizen.

Egress are hosting an event. Go along. Ask them difficult questions. I think you'll be impressed. See you there!

(Other than the fact that I've used Egress Switch personally and professionally, there is no relationship between Egress and BladeSec IA. They haven't paid anything to be recommended.)

Comment: 2013/07/31 - Professionalism
I predict that the number of CLAS Consultants is going to be severely diminished this year. It was not rocket science to apply, and if anything, it was less onerous than in other years. The fact that there was another "time bound" stage in the application process meant that some CLAS Consultants will wake up on the 1st of October and have to change their CV to read, "Security Consultant with significant HMG experience". That said, I daresay that there were a number of consultants that failed to see any benefit in maintaining CLAS and will have made a conscious decision to opt out.

In effect, there are going to be three different questions that customers have:-

  1. Is it okay to engage with someone who says they have significant HMG experience? (Ignoring word of mouth.)
  2. Is it sufficient to be a CESG Certified Professional?
  3. What does engaging with a CLAS Consultant give you over and above the previous two points?
I support professionalism in all industries and I believe that customers do too. It is wrong to use staff that do not have relevant experience, knowledge and access to up-to-date information. For answers to the questions above, e-mail us for the BladeSec IA view.

Comment: 2013/07/30 - Interesting snippets
Courier Fraud has been around a while now, but at least one UK newspaper is highlighting that the fraudsters are generating a fake dial tone so that even people who listen for it after hanging up are likely to get fooled. Bottom line: Do not use the same phone to call your bank when returning a call that has apparently come from your bank.

(As an aside, I have a reputation for being brutal when it comes to cold calls. I had one such call a week or so back. In this case, the caller was overly familiar. When challenged, they then went on to be vague about who they worked for and what they wanted to achieve from the call. I can only conclude that openness, honesty and integrity means nothing to them and I do not deal with such individuals. That's three strikes - you're out!)

The question of assurance and integrity of foreign firms providing technology for government departments and agencies (and the UK CNI) is again in question. Rumour control would have us add Lenovo to the list of foreign suppliers. The list already, justifiably, contains Huawei. Who's next? Kaspersky? McAfee? QinetiQ? (I say "justifiably", as there clearly has been a cock-up in allowing Huawei to audit themselves. There is no assurance in a scheme that is not independent.)

Comment: 2013/06/24 - Real World Security
As a security professional, I'm always intrigued by the real world application of security. In the current climate, there is always a drive for cost effectiveness. That's why I was interested in two particular aspects of security at a recent music festival that I attended with my son.

The first element was the ineffectiveness of the physical pat-downs and bag inspection on entry to the arena. It was never entirely clear what purpose they served, but I assumed that it was to enforce the admission policy. It was fairly clear that there was a failure on that front as several "banned" items made it into the arena over the three days.

On the other hand, with a three-day pass, admission is granted by means of a wristband. The particular design employed by this festival had a large plastic bead with a mechanism inside to prevent the wristband being taken off easily. Whilst I resisted the urge for all of the three days, by the time Monday morning came, I was keen to get my parasitic attachment off. Cutting the wristband was one option, but I confess that curiosity got the better of me. It took exactly three minutes of close examination before I was able to remove the wristband - undamaged. Just to prove it wasn't a fluke, I showed my son how to do it, and he repeated the exercise.

Whilst the terms and conditions prohibited the transfer of the wristband, I doubt that it was sufficiently tamper evident for this purpose. It was, however, perfectly adequate to ensure that it could not accidentally slip off as well as providing an elementary resistance to casual removal. As far as I can see, the wristband was a reasonable security countermeasure, but the physical security was less effective unless....

Could it be that the countermeasure is not the physical security, but the security theatre generated by it? Is it feasible that it's designed to dissuade exactly the same level of casual disobedience that the wristband is, rather than enforce the admission policy?

And I hasten to add that whilst I am critical of the purpose of the security staff, they carried out their duties with incredibly good humour....

Comment: 2013/06/11 - PRISM and Privacy
The press has been devoting rather a lot of attention to PRISM of late. I am not going to perform an analysis of whether the scheme is legal in America. I am not going to produce any meaningful insight on whether GCHQ have made use of PRISM sourced intelligence to monitor UK based subjects. (These particular topics are currently being done to death.)

Instead, I would like to highlight a different facet - and this one is controversial.

I suspect that my generation was the first to grow up with computers that were easily recognisable as computers. In order to get them to do things, you had to write code. In a home environment, they were never networked. Photographs were sent away on film in envelopes and returned a week later on paper. Music may have been starting to get digital (on the Compact Disc), but it was still bought in shops, next to vinyl and tape. Mobile phones eventually began to appear, but their battery life and functionality limited their impact. The only loyalty scheme was Green Shield Stamps.

The next generation had computers that were cleverer and were starting to get networked. It may have been dial up internet access, but information began to be easily exchanged including open source software and illegal pirated software. Digital cameras were beginning to appear, but the image quality was not great. Music had migrated almost completely to Compact Disc - occasionally bought from on-line retailers. Smart phones had begun to appear, but largely the "Short Message Service" delivered from a numeric keyboard had yet to give way to "texting" from a reduced sized QWERTY one. The supermarket loyalty card appeared and the shopping faithful got rewarded with vouchers for groceries they had been buying in competitors' shops.

The current generation must now be on-line whether it is by always on internet connection or by 3G/4G signal. The smart phone has developed a variety of non-communicative functions including a camera and a satellite navigation system. Photos taken with them are geotagged with their exact location and uploaded to photo sharing sites for family, friends and indeed, the rest of the world to view. Music would seemingly be rarely paid for, and even more rarely delivered on any form of physical media. Music is licensed to the purchaser for their life and no longer. Even the High-Definition Personal Video Recorder under your television has the facility to change adverts to ones that the "parent corporate" thinks you're more likely to watch. Huge corporations crunch all the data that they can get about you in order to better separate you from your money.

What's the point of this?

I'm pointing out that personal technology has moved on so quickly, with new features at every release. Every generation has given up a little piece of their privacy in return for some short-term perceived benefit. These things are largely cumulative, and are being exercised by the general population who once upon a time accused people like me of being nerds for "being into" computers. These are the same people that think I am some sort of Luddite for not being on Facebook, iTunes, Twitter or LinkedIn. How perspective changes?

So. What's all this about?

Here's the rub. I would suggest that in general, the population have no interest in maintaining their own privacy. It's not cool to read the Terms & Conditions of web services. They think it's okay to illegally copy anything that has no substance. They don't understand that the data they willingly hand over is being mined by commercial organisations who only wish to exploit that data. They think nothing of the value of the data they leave behind as they switch credit cards, banks, energy suppliers or mobile phone provider. They don't understand the risks of their lives lived permanently on-line. They don't get that the photo they posted to Facebook whilst drunk may well come back to haunt them - regardless of their security settings. They don't understand that as features on technology creep onwards, that it may have an impact on how they should use that technology. Frankly, it's difficult for even an expert to make this judgement call. How can the privacy illiterate(*) be expected to manage?

PRISM shows one set of problems - but what about the millions of people who have sleepwalked into their technical, always-on lives? At some point, possibly like Neo in The Matrix, will they wake up and become horrified at what they have got themselves into? That will make PRISM look like a storm in a teacup.

(*) The privacy illiterate - I predict that this group will be given a name. Suggestions can be mailed to the usual address.

This narrative represents the personal opinion of Owen Birnie.

Comment: 2013/05/27 - Social Responsibility (Was Corporate Ethics, Part 2)
Over the weekend, I watched, "The Social Network". I confess that I enjoyed it more than I expected to. It was fascinating watching the corruption, greed and exploitation that surrounded the creation of the world's foremost social network (my words). It was equally thought-provoking when set against the very recent backdrop of a number of large, international technology firms being accused of not paying enough tax in the UK jurisdiction.

I have said for many, many years that companies have a responsibility. And that responsibility exceeds being ethical, or being green, being charitable, being socially responsible or being a caring employer. Sometimes it's about doing the morally right thing.

Here is a link to the current Code of Conduct for CESG Certified Professionals. You can be sure that BladeSec IA adopt not only the letter of this, but also the semantic meaning - even if it costs us work. Don't just judge us by our words, judge us by our actions. There's a reason that BladeSec IA uses trust@BladeSecIA.com.

News: 2013/05/24 - Corporate Ethics.
It has come to BladeSec IA's attention that an organisation has been falsely representing the availability and potential supply of Director, Owen Birnie to third parties.

There is a watermark-type feature in all BladeSec IA proposals that delivery partners follow. Customers who have seen Mr. Birnie's name, qualifications or experience listed on a proposal and wish to confirm his involvement are invited to e-mail for confirmation.

BladeSec IA Services will not fulfil through organisations who undertake such unethical, underhand activity.

Comment: 2013/04/08 - Autism Rocks - Perthshire Battle of the Bands.
(This is not a BladeSec IA news item, just a statement from a very proud Father.)

On Saturday night, my son, Jack, and his three friends, Blair, Cameron and Teague won the Perthshire Autism, Autism Rocks Battle of the Bands at The Corinna in Perth. Performing as "Paradise Found", they were the youngest participants and saw off five other bands.

As a Dad, you always hope they manage to hold their own, but this was their third ever gig - and they absolutely nailed it.

A video of them playing Seven Nation Army on the night is available from YouTube here.

News: 2013/03/28 - CESG Certified Professional.
Many within the security field know that the CLAS scheme is changing. BladeSec IA are proud of the role that they play in supporting professionalism in the industry and are therefore delighted to announce that Owen Birnie has been awarded a certificate for Security and Information Risk Advisor (SIRA) as an existing IISP Member with up-to-date ITPC.

More information on the CESG Certified Professional scheme is available, here.

Comment: 2013/03/19 - Cloud E-mail Upgrade
This evening, we're migrating our e-mail to a public cloud service. Any e-mail sent between 18:00 and 23:00 may be delayed.

Some may be shocked that a security firm are adopting a public cloud service. BladeSec IA believe that e-mail is a good candidate for migration on the basis that since SMTP was invented, it's never been secure. What is unique is that BladeSec IA have designed a technical overlay that allows it to be accredited for Restricted e-mail. This overlay should be in place - following testing - by 23:00 on 2013/03/21.

Update: Normal e-mail services were resumed by 22:30.

Update#2: The encrypted overlay was enabled at 15:00 on 2013/03/20. Some testing remains, but things have gone exceptionally well.

Comment: 2013/02/11 - The Public Services Network.
As an acknowledged expert on the various GSI Codes of Connection, I have been asked - more than once - for my thoughts on the PSN Code.

Many organisations are now at the stage of having to submit a PSN Code rather than a GSI, GCSX or GSX Code of Connection. There is a huge amount of misinformation being spread around about the PSN Code and so, to try and cut through the smoke and mirrors, I offer the following. Hopefully, it will be useful and I hasten to add that this is my understanding based on the work that I've been involved in. I also wish to point out that none of the material linked here is protectively marked, it is all publicly available from the Cabinet Office website and none of this has been approved by either PSNA, the Cabinet Office or CESG....

Contrary to many rumours, the PSN Code is, in my opinion, less onerous. There is a far greater emphasis placed on informed risk-based decisions. This in itself can be a problem if an organisation does not already have an established mechanism for managing and owning risk. This deficit is far more serious than filling in a PSN Code and therefore, I'm going to leave that particular predicament....

The official PSN page is here.

I personally dislike this page, as it's too fluffy and doesn't tell you what you need to know. About halfway down, there is a link that refers to the recent documentation from August last year. If you know what you're looking for, that link is the place to start.

The latest, official documentation is available here.

I know that I should tell you to read everything (and you should), but in reality, very few folk actually seem to. I'd suggest that you start with the FAQ.

I strongly advise you to make notes from this document as it contains very useful material about BPSS, what sections to complete, etc.

Next up, the PSN Code. Remember, not all sections need to be completed. It depends on what role your client is undertaking.

Next, you're going to have to wade through the unfathomable English that is the PSN Code Annex B. You'll see that Annex B highlights and cross references different documents. These are all available from the PSN website.

The most important for PSN Customers are:-

The IA Conditions Supporting Guidance is potentially the most useful resource for a PSN Customer.

When ill informed people say that "[the] PSN CoCo is just like the GSI CoCo", in reality, they're referring to the IA Conditions sheet in the PSN Code Annex B spreadsheet. The bad news is that every sheet in the PSN Code Annex B has to be completed to some degree or another. That said, there is more than a passing similarity between the IA Conditions sheet and the Controls sheet on an old GSI Code of Connection. This is reflected in the useful information contained in Annex C of the IA Conditions guidance.

Your client will also need to complete the annex from Contact Details.

Finally, there is a sample PSN Annex B Code. I have to say that I think it causes as many problems as it solves. It's passed off as a Customer PSN Code, but I suspect it's been made to look that way. I would urge you not just to copy the stock answers as I personally believe that there are errors in it.

I have my own sample PSN Code as well as a formatted, partially completed one for PSN Customers.

Comments and more information are available from trust@BladeSecIA.com.

Comment: 2013/01/01 - First Year
It's been a year since BladeSec IA Services was established with some very specific goals in mind. I have thoroughly enjoyed my time. I always knew that I could do government consultancy, but it was the unknowns about running a company that scared me and I confess that I am still learning there. The thing is, BladeSec IA is still here and attracting more and more customers who are drawn to the level of trust and service that the company was built on. It never ceases to amaze me the people that have come out of my past and made a difference. Equally, it surprises me as to the generosity of strangers who are all attracted to my "old fashioned ways".

It's a shame that I can't disclose details of everything that BladeSec IA have had a finger in, or have planned, but there are things that I am immensely proud of. That said, here are some upcoming highlights:-

  • BladeSec IA Services have partnered with a very well known training provider and will shortly be offering former National School for Government courses. Initially, "Fundamentals of Information Assurance in HMG" and "Information Risk Management for HMG IA Practitioners - IS 1 & 2" will be available exclusively in Scotland featuring staff from BladeSec IA. Each course uses material licensed from CESG, is quality assured using experts and awards an externally recognised certification with compulsory personal development points.
  • It is highly likely that we'll be moving to a cloud-based IL3 e-mail solution. The design and implementation is being undertaken by BladeSec IA to ensure that it can be formally accredited with negligible risk acceptance. The clever bit is in the design to ensure that the question of IL3 in the cloud never arises.
  • The services offered by BladeSec IA are currently available through a variety of government frameworks. These are likely to expand within 2013.
For more information on any of these, please contact trust@BladeSecIA.com. Here's to 2013.....
