tag:blogger.com,1999:blog-37110250278404627612024-03-13T16:01:51.235-07:00IT Security: The view from hereIT Security in Europe.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.comBlogger272125tag:blogger.com,1999:blog-3711025027840462761.post-46094408959127397982015-08-01T14:23:00.001-07:002015-08-01T14:23:12.852-07:00Security Strategy?I've worked a lot in security environments where strategy is unclear. I've worked a little in places where strategy is very clear. I've NEVER worked in a place where the <strong>security strategy</strong> is clear. <br />
<br />
"That sounds like a sweeping statement, Rob", I hear you thinking... Maybe. But someone, who has to remain nameless sadly, said to me (not the rest of the room unfortunately!) recently in a very large strategy meeting: "Why do we need a security strategy? Don't we just need to reduce the risk involved with following the corporate strategy?"<br />
<br />
This was said more as a statement than a question. The person "asking" was senior within her organisation, so I should have expected it, but it was one of those moments when someone says something SO obvious with such clarity of thought that it floors you for a response. I nodded and muttered something obvious about risk management, and that I disagreed with what we were discussing in the meeting, but my mind was already elsewhere. I am not usually lost for words, less so an opinion, but this silenced me, both verbally and mentally for some time. <br />
<br />
When I had just left University nearly 20 years ago, before phones were ubiquitously mobile in nature. I answered the landline telephone in my parents house and the caller recognising my voice said "Hi Rob, it's Simon" my friend from University, we had lived together for 2 of the 4 years of the course we were both on, so we knew each other well. We chatted for 10 minutes about meaningless things, before a reference to something in my home town made me realise I had never lived with him, but in face he was a Simon I hadn't spoken to since the previous summer, checking to see if I was back from University. A silly digression, but for a couple of minutes my mind went into freefall, trying to work out if I'd said anything that could have revealed me as a pseudo-friend, faux-talker or wrong-Simoner. Realising Simon was still cracking on as though time had never passed, I cracked on. Back in the strategy meeting, my mind was doing the same thing, but over a career spanning 15 years, inspecting strategy documents and management recommendations for evidence of my fraudulence.<br />
<br />
I have spent many days, weeks and months of my career, my life, writing long strategy documents, they all talk about process maturity, risk management, control improvement, architectural patterns, blueprints, yada yada... and whilst it's less bullshit than the "we will identify synergies with the Internet of Things and Big Data" type rubbish that consultancies tend to churn out, it always seemed to me to be more mechanical than a strategy.<br />
<br />
A strategy, after all, is an OVERALL aim, and a useful business strategy is one which differentiates your business. So whilst a departmental strategy might be to reduce risk, or improve processes, surely that is a) what every security department everywhere should be doing, and b) what the whole business should be doing? In the first instance, it's not a differentiator, in the second it's not a security strategy... <br />
<br />
So there you have it. No such thing, I was making it up all along. I'd love to be told (why) I'm wrong.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-69243084106897072602015-07-17T13:15:00.005-07:002015-07-17T13:16:48.924-07:0010 Bits of Logging and Monitoring for Architectural SuccessI've been involved in a logging and monitoring project recently, and realised how close to their chests most vendors and other companies doing this type of work tend to keep their methodologies. And although a lot of people have done L&M projects, I wonder how much of the knowledge is retained, improved upon or disseminated?<br />
<br />
With that in mind, I wanted to give a quick round-up of what I think makes a successful L&M architecture, completely generically, and without reference to tools:<br />
<br />
1. Know your assets<br />
<br />
If you don't have a CMDB, go and get one and postpone your project by a year. You will need AT LEAST your business critical assets listing, preferably with a quantifiable measure of their criticality assigned.<br />
<br />
2. Map Business Risks to Technology Use Cases<br />
<br />
You do not want to collect every log your infrastructure creates. If you know what risks your business faces, create use cases which reflect this - do they make sense? Can you collect logs that represent these use cases? This is not a quick process - I used specialists for many months to create this information. <br />
<br />
3. Implement the Use Cases as rules<br />
<br />
The Use Cases need to be implemented as rules, so you'd better be able to describe them in terms of collected and collated/correlated data...<br />
<br />
4. Log for compliance as close to the source as you can<br />
<br />
Don't waste bandwidth sending 100% of your logs over the network. Logs can be kept online in whizzy tech for a month, indexed and expensive, but when archived, you can keep them in your bog standard cheapo SAN storage.<br />
<br />
5. Reactive monitoring only tells you what's already happened...<br />
<br />
Obvious really, but for a really useful log monitoring solution, you should find something that can look for unknown signals in the noise, anomalies that might indicate attack, even if they are only minor.<br />
<br />
6. ...but you still need it.<br />
<br />
Once you've found a signal, create a rule for it, so you can see it happening!<br />
<br />
7. Incident repose and Forensics teams need the same data as Compliance<br />
<br />
Those log stores I mentioned, make sure you can get them back online, indexed and searchable pretty quickly when required. In an emergency, you don't want to wait a month whilst Johnny Forensics searches for an IP address or username....<br />
<br />
8. Threat Data<br />
<br />
Get some. There are a lot of technical feeds out there, but Threat Data and Threat Intel are not the same thing. Threat Intel needs people power and brains, not tools... as ever, the tools just help the processing of data sets.<br />
<br />
9. Workflow/Case Management/Incident Management/Ticket Handling<br />
<br />
Are all basically the same thing, just from different angles. SOC staff need to pass tickets, their management need a workflow to be followed. When an incident occurs, that ticket needs to have sensitive data added, which turns it into a case - this may involve reference to a different tool, the monitoring platform itself can often be used for this. <br />
<br />
10. Automation<br />
<br />
The nirvana... once everything runs, the tools and processes are a mass of moving parts. These inevitably suffer bottlenecks, usually waiting for humans to process data. Where this requires technological input/output, this can often be automated outside of the workflow technology itself. <br />
<br />
I won't be there for a while, and some of this will need updating before I get there, but from what I've learnt so far, I hope this is useful to someone else out there embarking on an L&M project. You're welcome.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-85621708050587849072015-07-02T09:21:00.001-07:002015-07-02T09:21:29.843-07:00Kids 1 - InfoSec 0My son broke one of his brother's toys this morning - they were growing crystals on paper (yeah, it's all science and engineering fun in this house) and Number 1 son knocked Number 2's crystals off. 2 is 4 years old and cried, hard. 1 is 5, and came running to me to explain what had happened, saying he was going to break his own crystals so 2 felt better. (Number 3 is 9 months and squealed with delight whilst vomiting on his chair.)<br />
<br />
I spent a couple of minutes explaining to 2 that we could fix it by collecting up the crystals and starting again (yay, go science!) whilst 1 wailed and took himself upstairs for a self-administered beating of some sort (science may be lost on this prima donna).<br />
<br />
When 1 came down, I explained carefully to him that breaking his own stuff wouldn't fix 2's. What does help is saying sorry and helping 2 to do something positive. My kids understood this. I fear that Information Security does not. <br />
<br />
I hear criticism of other people every single day, someone isn't very good at xyz, they don't have the expertise, they are too junior. This year's InfoSec was closed to students not working in InfoSec because they are just too damn stupid to understand it (not really, made that last bit up). Dur.<br />
<br />
I've resolved to be nice about someone, or to someone directly, every day. The more junior, or more misguided I've deemed them to be from initial judgement, the better. I hope I can make it last, against my cynical nature, perhaps my kids have taught me something after all...Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-66575571771046521352015-06-29T05:12:00.001-07:002015-06-29T05:12:51.759-07:00Keeping My Own Agenda6 years have passed since my last post appeared. I've been busy. I've stayed in touch with a few of you. I've had 3 children, many employers and a whole lot more experience in Security. Some of those employers haven't liked me to blog, some have specifically disallowed it. I work largely for myself now, so I'm dabbling again. I still have 3 children, so possibly less regularly than previously.<br />
<strong><blockquote class="tr_bq">
<div style="text-align: center;">
So what's happened in 6 years? Have I grown up? Well, maybe a little. </div>
</blockquote>
</strong><br />
Last year I got asked to stand in at an event for a colleague after he let down the organiser at the last minute. The topic was IAM, which is at the periphery of Security (to me, please don't fill the comments with your opinion on this), more Operational and certainly not central to most CISOs I talk to (not in this country anyway).<br />
<br />
I was late for the first talk as I had missed a flight. The talk was not loaded onto the PC at the front. I was nervous, the presenting PC was not set up with a remote, so I had to sit down. During a talk I moderated, one speaker overran and I didn't intervene as it would have been rude to do so in my opinion. I was nervous by this stage, and not enjoying myself. I was not doing Security, and I wanted out.<br />
<br />
I was subsequently criticised for not preparing, which for someone as anal as me is quite a blow. It is also not true, unless you count 15 years of IT Security not being preparation for talking about IT Operations. OK, tongue out of cheek... I HAD prepared, but I was not talking about something I knew well, by request of the criticiser.<br />
<br />
I recognise the criticism now for what it was, an idle comment by someone who had felt out of control, but it left me feeling out of control myself. Something which doesn't happen easily.<br />
<br />
I am now mainly engaged in Security strategy and consultancy work for a (very) large communications company as subject matter expert on a very large programme. I love it, every day. When the programme started, I have to admit I was not an expert in the particular topic, again. I was the one eyed-man in the kingdom of the blind however, and I have fantastic support from competent people around me. We are making fabulous progress, and I am made to feel like a genius daily or weekly.<br />
<br />
<div>
I guess I have grown up then, not just by being a Dad to 3 insanely energetic boys, but by learning what is important to concentrate on. The most important message I can bring back from my time away is:</div>
<blockquote class="tr_bq">
<div style="text-align: center;">
<strong>Don't listen to anyone except yourself, unless they are saying nice things about you, in which case, don't get big-headed.</strong></div>
</blockquote>
<blockquote class="tr_bq">
<div style="text-align: center;">
OR </div>
</blockquote>
<strong><blockquote class="tr_bq">
<div style="text-align: center;">
Other people have their agenda, keep your own.</div>
</blockquote>
</strong><br />
If someone is criticising you negatively, it is their problem, not yours. If someone is telling you how to improve, take it on board, but if you don't WANT to do it, don't. I have been told that I am not suitable for running a business, and yet I am running 3 to one extent or another (2 of which are profitable even!) <br />
<br />
I was told that I couldn't write at the age of 27, and yet I contribute to magazines, write exam questions for Security qualifications, this blog of course, and even have a few entries in books. One day I will write my own, but when <strong>I </strong>feel like it.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-60211459211826338202009-09-09T04:55:00.000-07:002009-09-09T05:03:14.835-07:00Dressed to the ninesI'm sure it hasn't escaped the notice of the more autistic amongst us that today is 09/09/09. I was praying last week that 09:09 this morning would mark the birth of my son, due last Saturday, and yet to make an appearance. Taking his sweet time, just like his mother.<br /><br />And so it was this morning when I awoke at 8:30 after another sleepless night waiting for labour to kick in that I decided I would not get out of bed immediately, but wait for 39 minutes to mark this special occasion in the only way that a truly obsessive IT nerd can. Because although to many of you 09:09 on 09/09/09 would be the time to get dressed (as per title), to me "five nines" is very obviously "<a href="http://en.wikipedia.org/wiki/Uptime">up time</a>".<br /><br />Thank you ladies and gentlemen, I'm here all week...Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-3606075513007465142009-07-13T17:18:00.000-07:002009-07-13T17:37:29.664-07:00Big holes in codeWhen I started this blog a couple of years ago, I was living and working in Barcelona, Spain. It was a glorious place and a glorious time. I genuinely loved living there, my wife and I have some very happy memories. We're about to have our first child, a boy, in just under 2 months - we haven't got a name yet, but it could have so easily been Pedro...<br /><br />Sadly, circumstances conspired against us. Sad family circumstances which still echo through our lives on a daily basis - nothing else could have dragged me away from such a beautiful place, such amazing weather and such interesting people, architecture and culture. However, that doesn't stop me from taking the piss.<br /><br />Catalan is just one dialect of Spanish, spoken widely in Barcelona. Catalans can be quite patriotic about Catalonia, if not dogmatic. Sometimes they are fiercely anti-Castillian, i.e. the rest of Spain. When my mother visited us one week in May, there was a big Catalan rally in town, the idea being that Catalonia was for the Catalans, and the rest of Spain could sod off, or that's the essence of it at least. I'm sure there were high politics involved along the way.<br /><br />Mrs. N Senior stood and watched the hordes of squat hairy men gruffly shiffling down the main strip, understanding nothing on the signs - Catalan is unpronouncable and untranslatable at the best of times - but wanted to convey support. "Viva L'Espana!" she shouted, something she'd read on a T-shirt or something I guess... the somewhat secular crowd were not impressed. I bundled her into a taxi and we made a swift exit.<br /><br />Later in the evening, we went to a tapas restaurant, "Tapes Gaudi" on the Avinguda de Gaudi, just near the incredible Sagrada Familia - if you don't know it, look it up, book a ticket to Barcelona and go, it's amazing, and worth the trip alone. Tapes Gaudi is not. The service was poor, the food expensive, and a general let down to the area and the people. A cynical attempt to rip off tourists who could get that at the KFC just down the street. (Yes, the most beautiful cathedral in the world has a KFC and a Burger King within 20 yards).<br /><br />What Tapes Gaudi IS worth going for is the menu. No, not the taste, but the translation. It is in Castillian, Catalan and English-ish. I stole a copy, I was so impressed, and it still reduces me to tears on occasion. My favourite has to be "Boquerones en Vinagre" - nothing wrong with that in Spanish, the English "Vinegar big holes" leaves a little more to be desired, or maybe less.<br /><br />So, wondering exactly what Boquerones en Vinagre actually were, we went back to the flat and used <a href="http://babelfish.yahoo.com/translate_txt">Babelfish</a> to look it up. Babelfish dutifully replied that they were in fact "Vinegar big holes". Hmmm... I wonder how they translated that menu. I genuinely hope they never sort the problem out, I rather like it.<br /><br />[Boquerones are anchovies by the way, and no, I never did try it, I'm pleased to say.]Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-66529549478013825522009-07-10T02:48:00.000-07:002009-07-10T03:17:55.986-07:00What risk isn'tWriting blogs and having an opinion are fairly easy things to do, creating and selling a product is not. I've done both, at the same time, in fact that's why this blog exists - a marketing tool for a product I am no longer involved with, but a past-time I enjoy so I carried it on.<br /><br />Sadly my opinions are still fairly strong on many subjects, and security is one of those. I believe security should be pragmatic, but that doesn't just mean trying 'as hard as you can', making 'best efforts', but getting the best result that can possibly be achieved. A subtle difference, semantic even, but one which I strongly believe in.<br /><br />The 'bad guys' don't wait around until everyone's on a level playing field, they deliberately make it work in their favour. They are constantly on the attack. So when someone tells me that a product isn't the most secure, but the easiest to use, I want to grab them like a bad puppy and rub their nose in the mess they are leaving behind. I have heard this more times than you may think, and even fairly recently in response to a critical post.<br /><br />So, I agree that risk is a vital part of security, making the best choice possible based on the cost of available tools, to mitigate the expense of possible attacks that exist without them. What I don't agree with is that when there is an equal cost involved, you should go for the product which is easier to install, understand or operate at the cost of security. This is often dressed up as TCO or some such rubbish. That's what security administrators are for, and actually, it's not that difficult. If you DO choose to do this, you are putting your network, your applications, your users and your data at risk. This is not acceptable for most organisations.<br /><br />I've worked with some of the most complex encryption technologies out there, and all they take is a little training. Key management is only difficult when people are involved in remembering things, technology was invented for this kind of problem. The best solutions are the ones which offer a trade off where the non-intuitive decisions are made by humans and the repetitive tasks done by the technology.<br /><br />What more is there to understand?Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-78186014758510090462009-07-04T14:56:00.000-07:002009-07-04T15:35:56.639-07:00IBE and PGPIdentity-based encryption (IBE) was first proposed by Adi Shamir over 25 years ago, developed by Dan Boneh and Matt Franklin in one scheme, and Clifford Cocks in another. If these names don't mean much to you, Adi Shamir is the S in RSA (Rivest and Adleman being the R and A). Dan Boneh founded Ingrian Networks and Voltage Security, as well as advising for many other important crypto companies on the West Coast. Clifford Cocks is a Brit who invented the RSA algorithm before Rivest, Shamir and Adleman at GCHQ in the UK, but wasn't allowed to divulge anything about it because it was owned by the government. In short, they are the biggest names you can get in cryptography.<br /><br />So, you'd think that IBE was a bloody good idea then. Well, yes, it's a cracking idea... and as an idea, it will remain cracking. As a practical implementation of encryption, it's nothing short of impossible however. Trust me, I've tried. There are 2 products you can do this with currently, Voltage and Trend Micro.<br /><br />I've been assured that Voltage's approach to database encryption is a good one (by Voltage), and from what I know about IBE, I can imagine that it might work, but they don't push much on email (or didn't when we last spoke - I see they are talking about ING Canada on their website now). Trend Micro of course bought Identum, the email encryption company out of Bristol University. Basically a student project which ended up being bought by a company which thought they were getting a cutting edge, fully developed product.<br /><br />I spent a long time trying to install this product, and never got it working how I wanted it to. There are just too many mandatory requirements for it to be practical. You may think I'm saying this because I'm more interested in PGP, but actually, this is the reason WHY I'm backing PGP.<br /><br />Until I came across Trend I had kind of ignored email encryption - email is an inherently insecure method of sending information, why encrypt it? Choose another method if you want to exchange or send information. However, I've always had faith in people's ability to learn new things, and apparently that is misplaced. People in finance and law are too busy or too helpless to use anything other than email apparently. The smartest and richest people in our country are simply too stupid to learn how an FTP server works, so secure mail we must.<br /><br />That was basically how Trend presented it, and it apparently started to get some traction, so much so that I got to work on a secure email project recently in one of these places. It didn't work, and I've heard of others where it didn't. I never heard of one which did. At this point I took matters into my own hands and found PGP through some friends of mine.<br /><br />Why isn't PGP bigger? Why isn't it everywhere already? Well, simply because they haven't pushed it onto everyone, but let people pick it up as they need it. I'd love to show it to everyone in the financial industry in the UK and let them see just how good it is for encrypting mail. Many of them have it already, for Whole Disk or File Encryption, some already have a Universal Server holding their keys, and a policy server holding policies. Adding mail encryption is barely any work, or cost, in these environments.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-82824558877109770632009-07-03T04:32:00.000-07:002009-07-03T04:48:44.517-07:00Cheap as chips, safe as... chips.I'm constantly amazed at how little strategy there is in most organisations. It doesn't matter how big or how small, I have rarely come across an organisation that has a fully joined up security strategy, which makes sense.<br /><br />If you think you are one of these people, please set me straight, invite me in. I might stay.<br /><br />I have been speaking to some people recently who have a large say in standards throughout financial services. I'm not going to name them as it would be embarrassing for them. They have created products in the past which are poor to say the least. Now they are backing an even poorer choice. I wonder how much of this is based on a friendship between directors, or a financial reward already spent.<br /><br />Sadly there is still far too much of this going on in security. When will people learn that the cheapest solution WILL LET YOU DOWN. There are project processes like Prince, RUP, etc. for a reason. You NEED to know requirements before you install a product. Just because you get the licenses for a pound, doesn't mean it's the best solution to your problem.<br /><br />I'm shaking my head whilst I write this, because that looks even more ridiculous when I write it down, and yet that's exactly what Safeboot did to the NHS. The NHS was using PGP for Whole Disk, now they are using Safeboot because it was £1 a license. Of course the support budget next year will make up for the massive losses they made, when they jack the prices back up again + the extra for license costs.<br /><br />The sad thing - the NHS now needs secure email, which would have cost them just another £10 per seat with PGP, and they're stuck having to go back through the whole process again, back to tender, and will come out with another product, probably one which is the cheapest, and it won't do exactly what they want.<br /><br />OK, I know it's easy to point out mistakes after the event, but is there really any excuse for this sort of behaviour from so-called security companies? Is this really the way to encourage "strategy"? Wake up people... the government of this country is already a laughing stock, don't feed them ammunition.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-75978092295113038252009-06-15T12:03:00.000-07:002009-06-15T12:21:28.046-07:00Not on crackNo sooner do I start up on the old blog again than <a href="http://securityincite.com/blog/mike-rothman">Mike pitches in</a> and pushes me off my training wheels. Thanks Uncle Mike. No, I'm not really being a whining limey/pom bastard or whatever you call us these days. But Mike, you aren't in the UK, and, with respect, you are the one on crack.<br /><br />The only people doing any projects at all at the moment are government departments. They have all been handed down mandates to encrypt their data. Every financial institution in the country has suddenly realised that they are incredibly vulnerable. The world is a different place. The UK doesn't always follow the US, not when the drivers are different.<br /><br />[By the way, the reason I've been 'away' for 9 months is because I was on a top secret assignment inside one of these institutions. You think everyone's got data security sewn up already? Not by a long chalk.]<br /><br />Oh, and as to your "it's too damn hard and costs too much money" - maybe if you're still in 1995. I've been in the encryption game for coming up to 10 years now, and the market is more buoyant than ever, despite the fact that money is being cut elsewhere.<br /><br />Come forward to the 21st century, and we don't have to use PKI any more. We don't even have to know much about keys unless we're installing. PGP didn't become the standard for encrypting email by accident my old mate. Cheap, usable and really so simple that even a Senior Vice President could install it. :)Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-84759889469524851702009-06-12T02:54:00.000-07:002009-06-12T03:10:38.765-07:00Is encryption finally going to have its day?I think so, for a number of reasons:<br /><br /><strong>The Government is handing down mandates.</strong><br />After a number of high profile incidents, including an MoD laptop left on a train, the rules are being tightened across government departments. Despite the NHS being told that they have to strip budgets back to the bare minimum, they are still being told that encryption of sensitive information is a priority. This is nothing short of amazing for encryption.<br /><br /><strong>Networks are maturing to the point where encryption really makes a difference. </strong><br />5 years ago encryption didn't really make any difference. If you encrypted information, you felt safe, but anyone gaining access to your systems (normally an insider with a legitimate user account anyway) could take the information along with the keys. So all you were encrypting was the infiltrator's route to your valuable data. These days networks have intrusion detection, application firewalls, database protection, security policies that actually make sense (OK, not ALL networks!). In this situation, encryption really is valuable and not just a feel-good factor.<br /><br /><strong>Regulatory bodies are catching up with the meaning of encryption.</strong><br />Leading on from the previous point, where the networks are catching up, possibly due to the regulations they have to comply with in many cases, the regulatory bodies are also understanding the ramifications of what they have previously mandated. Where PCI made sure that people were securing their networks, many people have also noted that to encrypt huge databases of information is often impractical. OK for the big retailers, but for level 4 merchants to use the same kit is frankly preposterous. A more pragmatic approach has allowed people to follow compliance without meaningless application of rules, allowing the security to catch up first before the compliance drowned it out.<br /><br />So all things are converging towards encryption being a) required by law, b) required for compliance, and c) actually very useful. Maybe later I'll explain the choice of product I'm backing.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-49981327766074372482009-06-11T15:15:00.000-07:002009-06-11T15:28:07.691-07:00De factoAlways good to pad out a post with a bit of Wikipedia:<br /><blockquote><strong>De facto </strong>is a Latin expression that means 'concerning fact'. In<br />law, it is meant to mean 'in practice but not necessarily ordained by law' or 'in practice or actuality, but without being officially established'.</blockquote><br />Basically, it's stuff which happens because people want it to happen like that, and they vote by doing. It is often said that RSA SecurID is the 'de facto' standard for two-factor authentication, and I would concur that there is really very little competition. Cisco is the de facto standard for switches and routers, Microsoft for Operating Systems, Google for search engines and so on.<br /><br />I've worked with encryption for a loooong time now (yep, 4 'o's worth), and whereas RSA BSafe is de facto for browsers, there hasn't really been anything you would call widely accepted as 'the way forwards in encryption'. I should know, I've worked for most of them at one time or another, and none of them has been able to gain the market share or trust they want.<br /><br />But, without me noticing, and that's often the way, there was always someone there in the shadows, waiting quietly, lurking in my emails, and on bulletin boards, in forums and in applications. Using exactly the same principles of key exchange as SSL - the only other real 'standard' in encryption (ok, "key exchange", you pedant) techniques - PGP have actually been there for years.<br /><br />So much so that the UK government have just announced that they are using PGP for their whole disk encryption, and email. That's a pretty big deal when pretty much every government department has been told to encrypt everything from now on, or else. More on this later... for now I have more reading to do on PGP. As the bandwagon rolls into town, I'm jumping on to see if I can't ride it through.<br /><br />Surely THIS TIME encryption's going to be the next big thing??Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-29511465514409794542009-01-31T07:18:00.001-08:002009-01-31T07:29:06.654-08:00Epic Google fail<strong>[This post is in honour of Walt Conway, who prodded me last night to ask why I haven't blogged since October. Has it really been that long? Thanks for noticing! Well, I'm still here, but have been asked ever so politely by my current employer to refrain from posting whilst under contract as their security is paramount, and I'd only end up giving something away...]</strong><br /><br />Today, as I search for my usual Saturday afternoon information, I note every site has been marked as unsafe for human consumption:<br /><br /><blockquote><p>"This site may harm your computer."</p></blockquote><br />...appears for every page which comes up in your search results. Following the link takes you to an interstitial page. I know this because it's prefixed in my address bar with: <br /><br /><blockquote>http://www.google.com/interstitial?url=</blockquote><br /><br />I can't follow any link on this page to get to the page I want to (an IT distributor's website, run by friends of mine). Google are costing people business, although the people they usually cost business are possibly profiting from this major fubar.<br /><br />Yup - today, for one day only, I'm going to check out Yahoo!Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-75974983846261941112008-10-31T11:45:00.000-07:002008-10-31T12:02:35.834-07:00Pitchforks in shedsI once heard someone describe network tools as 'pitchforks in sheds' - the basic premise being that although the tools themselves were all incredibly useful, without someone to use them, they are essentially useless.<br /><br />I've looked at a lot of security tools in my time, and have seen some great ones. HP recently showed me WebInspect, which looks like a great hacking tool on its own, and an awesome development and QA tool in conjunction with other pieces of software in the family. They obviously know this, because they invited me to a dinner which I sadly couldn't make. I always think that when a company is confident enough to invite critics for a dinner, the tool is probably a market leader which wants to stay in that position. If it's just a presentation, then it's probably a start up. Just a thing I've noticed over the years... anyway, back to the point.<br /><br />There are a great many tools out there which are very useful for networks, security focused or otherwise. However, without someone to roll-out, manage, and insert into processes - i.e. to get them used now and in the future - you may as well make a big pile of company cash in the car park and have bonfire night early.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-17522962599027682492008-10-29T11:48:00.000-07:002008-10-29T12:06:54.690-07:00Build your own networkI had an interesting security conversation today, about network architecture. Hmm... don't run away just yet.<br /><br />I think we'd all be agreed that it is safest to put your production networks away from your testing networks, and to make sure the data in your test areas is not live sensitive data - I'm not going to go over well trodden ground.<br /><br />I also think most would agree that splitting web servers from applications and both from data is the way forwards, and using firewalls to split them out is only sensible. We may also split out external and internal DMZs on the internal and external firewalls, and of course our internal LAN. This is all stuff that can be found in books and on websites, of course.<br /><br />But what of the relatively new worlds of web services and 'cloud computing'? I chuckled recently when these were referred to as Marketecture. In reality, these don't change anything about the way we build systems, in fact sometimes they are just making it unnecessarily complicated for the poor souls designing and building it.<br /><br />Back to my interesting conversation though. Picture if you will a 3 tier network, external firewall with external DMZ hanging off it, and an internal firewall with the LAN and data tiers hanging off it. Where do you put the application tier?<br /><br />My companion pointed to a case where it was also hanging off the internal firewall, and asked whether it shouldn't be attached to the external firewall as well. I argued the point that it didn't really matter as you could just punch a hole through the internal firewall anyway, but is that really such a good idea? No, not really, so I capitulated, and realised that that was in fact how I have always done it in practical terms, I'd just never really thought about it too hard until faced with the direct question.<br /><br />The fact of the matter is, the diagrams we draw of these things are really only ever representative. I don't think I've ever seen a network diagram which could be used to trace a real physical network - to make the important decisions, yes - to dismantle and rebuild, no.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-9560791414968447452008-10-15T11:26:00.000-07:002008-10-15T11:46:01.666-07:00In my opinion...It's funny, I keep getting invited to dinners, phone calls, webinars, etc... by people who have done surveys, created documents, got an expert in, etc... and I keep on politely turning things down. Not because I don't want to speak to people, far from it, I'd love to talk all day, but because I have more pressing engagements, and my life, to get on with.<br /><br />I received a missive from Compuware earlier in the week, who have actually done a really good job of surveying IT professionals and printing out some relevant statistics. It makes a refreshing change from previous surveys I've had to rip apart here. Having said that, I'm not really 100% sure what they are trying to achieve with it, and fully expect them to explain by return of mail tomorrow...<br /><br />HP have also come knocking, with an invitation for dinner up in London in a couple of weeks. On a Monday night. I don't know about you guys, but I have busy weekends, stay up late, watch "Poker After Dark" (Hellmuth is a dick isn't he?), occasionally even play poker and even less frequently win, but I'm always up past my bedtime. Monday morning, I get up at 6am, drive to the gym, churn out a couple of k's, and by the time I go home I'm ready for anything except getting on a train to London. I'm normally asleep on the sofa by 6:30pm.<br /><br />I know exactly why they approached me though, and I AM interested in what they have to say, just not in London on a Monday night. Southampton on a Wednesday lunchtime, when they're paying, different matter entirely. And I think that's really my point here.<br /><br />Neither of these companies is wrong, bad, or even out of line. They have both done good things, reached out to me in a polite and positive way. However, I can't help thinking that something isn't working. How much research gets done in the name of security, only to find that 70% of attacks/breaches/losses are accidental/internal/external/laptops? How much of it do you read?<br /><br />How many solicitations do you receive on a daily basis for your opinion/answers/blog space/ or just to plain sell to you? How do you like it?<br /><br />I like the personal approach, and don't even mind when it comes through a third party, although I'd prefer it was direct from the companies themselves - shows more respect somehow. Just a perception maybe?<br /><br />I like the offer of something for my time/blog space/amazing company - it doesn't have to be much, but I kind of value my time, and it doesn't normally come that cheap.<br /><br />I hate being sold to. I've worked for vendors all my working life in one way or another, and know what every sales cue sounds like a mile away. I will most likely lead you down a very inviting path and slam the door in your face rather than buy anything, sorry, but I just don't own the budget, I'm a contractor. By the way, you can hire me... :)Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-506517536731457932008-10-13T09:50:00.000-07:002008-10-13T10:09:17.130-07:00Dog eat dogI had lunch a couple of months back with David Lacey, one of the thought leaders of the Jericho Forum, (who I STILL think have the right idea, in case anyone was wondering). We talked about literally hundreds of different topics, but one which has stuck in my mind was about how good companies often lose out to not-as-good companies.<br /><br />Hands up who remembers Dr. Solomon? Arguably the best anti-virus of its day, 10 years ago, this neat little tool was as cool as digital watches had been 10 years previously, and on the way up. Today, type Dr. Solomon into Google, and you get McAfee. They used to fight like cats and dogs, but McAfee continues on - did they maybe acquire them?<br /><br />And who is the biggest of them all? Well, it's Symantec, the fourth largest software company in the world, who just spent a whopping $785m on MessageLabs in the middle of the biggest economic downturn in 80 years. Symantec, who previously bought Vontu, Veritas, Norton, etc... deep pockets, but I'm not 100% convinced it has bought all the best toys, just the shiniest.<br /><br />And in this game, that seems to be what counts. I commented last week about the RSA and InfoSec shows not being what they used to be. I like nurses' uniforms as much as the next man, but it isn't security. The big stands go for 10s of thousands of pounds, and I can't help feeling we're losing out on some great ideas, more so as we hit recession head on.<br /><br />It's time to batten down the hatches for everyone, so I wonder how this will affect further acquisitions? Sadly I think we will see some good little companies being snapped up for less than they're worth. Happily I think we'll see more development taken in-house, and more of these developers looking for safer permanent jobs. Maybe Symantec will come up with some ideas of their own instead of buying up all the other good ones?Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-90775343168887410072008-10-08T08:56:00.000-07:002008-10-08T09:09:31.121-07:00All the showsI've been ignoring the usual slew of mails I get telling me that RSA Europe is just around the corner, not because I don't care about the shows any longer, but because I can't see myself going this year due to work commitments. Not that I don't want to go either, it's always interesting to see what's up and coming, and who has made enough money to get there this year as the prices escalate still further.<br /><br />I have a couple of issues with the RSA show, the most off-putting being that it is miles out in Docklands, and takes me 2 hours to get to by train, and longer by car. There is ample parking of course, but at a crazy cost which ensures I will only be able to afford to stay for an hour or so.<br /><br />And maybe that's enough for shows these days. To be clear, I'm not anti-RSA, I enjoy their shows, they flew me out to San Francisco earlier this year (with disastrous results sadly) and gave me a free conference pass, just for writing something about encryption, so in fact I probably owe them. Without SecurID I wouldn't have started in security in the first place, so maybe they owe me. :)<br /><br />The problem with the RSA show, and InfoSec is that they have become the victims of their own success, and IT Security companies are no longer the one or two-man band start-ups from a garage, but multi-national corporations with oodles of cash to spend on flashy marketing and shiny suits.<br /><br />The first RSA shows were a group of like-minded guys in sandals with long hair showing each other what cool stuff they could do. I wish it was more like that now. I fear however, that we have lost those days forever. In their place, I suppose the 21st century marches on, but that doesn't mean I don't miss the BBC model B, ZX81 and the Amstrad 464 either.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-81283229858550796772008-10-05T06:09:00.000-07:002008-10-08T08:49:19.181-07:00Rewriting the Code"Can you take a quick look at this please, Rob?"<br /><br />The 'Group' of which our company is the shining star (i.e. highest returns) has been trying to put together what they refer to as a 'Code of Connection' such that everyone who attaches to our Global WAN comes under the same set of rules. Sounds like a reasonably simple task you might think, unless of course you had ever had to write one yourself... I, however, did not have to write one, merely cast a critical eye over the work in progress before me, and comment on it.<br /><br />Half an hour later I emerged from my task, confused and rubbing my eyes. I had a thought which I am positive anyone practicing security today will have experienced - "there's a lot of words there, but I'm not certain that everything's been covered, I have no proof..."<br /><br />Basically, I had no idea what was required from the Code, because I didn't know what it was trying to be. So, a quick Google search revealed to me what I was looking for, the difference between <a href="http://consultina.com/mambo/index.php?option=com_content&task=view&id=17&Itemid=33">Policy, Standard and Procedures</a>.<br /><br />This is when the trouble started. I went back with a handful of notes which I'd put together in PowerPoint and printed off. Having explained the differences, I was asked to pull everything out of the Code of Connection that wasn't Policy, and send it back to the IT Security team.<br /><br />I then spent 3 days putting things into tables, deleting headlines and putting them back in, writing bits, deleting them again, and generally getting in a mess.<br /><br />Realising that I needed a better reference, I went back to basics, and pulled out the IT Policy. To my surprise, I noticed that the Policy was actually called "IT Standards", a collection of Standards from across the group, all in one place.<br /><br />I think I may have just created a monster. I'll let you know how it goes...Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-74170307898393592652008-09-16T10:56:00.000-07:002008-09-16T11:09:33.016-07:00Testing,testing,1,2,1,24 or 5 years ago a friend of mine approached me with the idea of going into the penetration testing business: "Let's go into the penetration testing business", he said, and we did some market research. We could buy the required tools, a server, a shed, and a reasonably large internet connection, install a free copy of Nessus and be up and running by the end of the week.<br /><br />Of course we looked a little further than that, and realised that everyone and his dog was already doing it, and like every other business, it was just a case of whoever was shouting the loudest would make the biggest bucks. Steve and I were total techheads and neither particularly interested in making noise at the time, so we went back to the day jobs...<br /><br />A couple of years later, a new friend at a new company asked me about my background. We got around to talking about my close call with pen testing and he said: "yep, I thought about that for a while, no money in it."<br /><br />All of us remain firmly under the employ of other entrepreneurs, some large, some small, but none of them us.<br /><br />Today I saw a quote from a pen testing company, not one for dropping names, let's just say they do secure tests. My jaw dropped when I saw the price for 4 days work. An amazing return for them, but just like Starbucks charge more for a coffee I could make at home because of their ability to make it in bulk and present it better than I can, so they can do a much better job than we can, make a pretty report, tailored to our needs, and there's probably negligible real cost difference to us anyway. Not that we could do our own tests, but it did strike me that the only reason we have to do them anyway is because our security team (now disbanded) had identified the need in the first place...<br /><br />The MD of this testing company often writes for a magazine that I have written for in the past. He shouts louder than I do, and makes his presence known. He's also very good, knows the market and knows what makes a good product. I'm not sure I could have built a business out of it in such a cutthroat market.<br /><br />Still, it would have been nice, wouldn't it?Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-66174931898811339672008-09-14T15:40:00.000-07:002008-09-14T15:51:56.121-07:00Bad security awardsI wrote recently of how it could be excused for me to complain a little whilst I'm writing here. Of course I'd like to be constructive in everything I write, but the job of security is so often finding holes that it is a rut that we get stuck in, and maybe not a bad one at that.<br /><br />I recently received an e-book from a provider of security solutions. Their name shall remain private to me at this stage, as shall their niche. What I am going to reveal to the world however, is their utter crapness. The e-book was sent to me, I presume, for approval. I sat and read it for 10 minutes, tutting as I went, and then went to reply. The first draft took half an hour. Then I realised it was slightly offensive and saved it in my Outlook Drafts folder for later adjustment.<br /><br />I picked up where I'd left off 2 days later, re-reading my draft, adjusting the text to be less rude, and then cutting out whole paragraphs. Eventually I deleted the whole thing and started again. The problem was manifold, and the amount of time I had already spent trying to pick the bones out of it was worthy of being paid. So thus I replied: "I did write up a full retort to everything in this article, but I realised that I would normally charge for the amount of work I've done on it. My main issue with the article is that it seems to have had headings written by someone who knows about security, but the paragraphs underneath were filled in by a marketing department with access only to Google."<br /><br />"We've passed it back to our client" was the rather mute reply. I never did hear back, I guess my services aren't required on that one. The thing that really got to me was the laziness, no backing up of wild assumptions, repetition of useless statistics (did you know that 70% of attacks are internal! No way!), etc... the kind of crass indescribable blah that we read on a daily basis, and yet means entirely nothing.<br /><br />Still, that isn't the worst piece of security I've seen this week. No, that goes to an internal project that wants to use digital certificates to REPLACE passwords. No way is that one getting through. If there is anyone out there who doesn't understand why this is a bad thing, please ask, I will gladly explain, again...Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-10468872142126092332008-09-10T13:25:00.000-07:002008-09-10T13:40:07.415-07:00Projects march onFollowing on from my last post, I've had a lot of comments suggesting various technologies for firewall monitoring and application scanning, but absolutely nothing on endpoint security.<br /><br />Funny that, but I'm wondering exactly why. Is it maybe because you all assume I know enough about endpoint security to make my own decision? I think not. Is it because endpoint security is totally irrelevant to our current situation? Again, not very likely.<br /><br />What I think is more likely is that it's still just too early for anyone to really have the requisite experience of these technologies to have a real opinion yet. Certainly my conclusion on the project is that we should wait. Although the action to get something to protect our endpoints came from an audit, I believe we can mitigate the risk sufficiently to pass the next audit until the endpoint/DLP market has settled down, and therefore 'sweat the assets' a bit more. I hope the business would appreciate that thought.<br /><br />Therefore it follows that the project I got most feedback on - web app scanning - should be the one I concluded was the most important. Incredibly, it was. My suggestion is to make it into a real project, but try to get our outsourcer to swallow some of the cost as they do our solution design. I like the idea of getting something that checks sourcecode too, so that will form the next part of my project.<br /><br />Which leaves us with the firewall monitoring. One comment, which predicted the technology which has already been suggested to solve the issues we are facing. The problem and the solution were suggested by the operational security guys, so I've suggested we pass ownership of the whole project back to them... seems simple enough.<br /><br />What's really pleasing is to get my ideas out and validated by the great and the good. Glad to be back and blogging...Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-31698937253176678452008-09-06T04:12:00.000-07:002008-09-06T04:25:23.294-07:00More e-projectsI'll come back to secure email at a later date, I'm interested to see if our business processes will come up with the same conclusions as I have. I'm prepared to admit that this is a two-sided argument, there may be a requirement for secure email, or it may be that email was never meant to be secure, so no-one will ever use it as such. Comparing it to terrestrial mail services doesn't really help, because to a large extent, email has replaced snail mail, and even phone calls. The 'more secure' version of land mail was email, so the more secure version of email is...?<br />Personally I think it will be as the banks are finding - directing people to portals to download (NOT giving links in the mail, but asking them to log into their account - beware of phishing attacks).<br /><br />So I now have 3 new Security Projects (note the capital letters) to get on with:<br /><br />1. Endpoint Security - not DLP, we don't have any data classification on our network, and it was identified specifically to stop CD burners being used on our network, so DLP is deemed too much.<br /><br />2. Firewall Monitoring - thrilling stuff, we need to know if our firewall rules are sensible.<br /><br />3. Web Application Scanning - Third party web app provider, variable quality of code, our problem.<br /><br />I keep going backwards and forwards, depending on who I talk to about these. The higher up the chain I go, the less I want 1 and the more I want 3. When I come back to the security team, I want 2 to help them, and 1 to protect them.<br /><br />I'm not sure there is a good way to justify endpoint security, not until the market has settled down a bit anyway. Maybe then we'll be ready for DLP?<br /><br />Firewall monitoring seems to be something that's been put in to make someone's job easier, so again, hard to justify.<br /><br />Web Application Scanning on the other hand seems to be vitally important. As I've been brought in to secure the e-commerce rollout, I think this is the one I will be most behind.<br /><br />WebInspect seems to be the best (only) option at present. I'll talk more about how I get on with it once I've found the best way to justify it.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-69803789141719627392008-09-03T10:30:00.000-07:002008-09-03T10:59:00.033-07:00My first issue.I read a post somewhere last week (it may have been one of Rich Mogull's?) where a simple question was asked about what people liked about IT Security blogs. The (rather ironic) answer from one commenter was that they didn't like all the complaining that went on - and preferred it when people explained answers to security problems.<br /><br />Having written a post just beforehand having a good old moan about things that people do stupidly, I thought I'd try and redress the balance in the force by starting to discuss a few issues, and how I would solve them. I hope to get some input as to why I'm wrong, and as many complaints about my stupidity as my comments can hold.<br /><br />Issue of the day for me is secure email. Without discussing any more politics, let us assume that we have a business requirement for secure email. I can't tell you what we are sending out, because then I'd have to kill you, just rest assured that we need to. We need to send out to lots of different domains, and we want to initiate that exchange every time. Users of the system must be registered with us.<br /><br />The solution that was proferred to me was one of the IBEs (Identity Based Encryption). There are 2 that I know of, Trend and Voltage. I'm not going to say which one has been picked, because they are much of a muchness as far as I can see, and neither is right for me.<br /><blockquote>Requirement - must be standards based.<br /></blockquote>IBE isn't a standard as yet. It's a great technology, lots of fun, and has some great applications, but it isn't something that's tried and tested. I'm worried by it.<br /><blockquote>Requirement - must not add complexity of management.<br />plus Requirement - zero download option.<br /></blockquote>IBE isn't as simple as you might think. Key management is still the major issue, especially when you are dealing with external clients coming into your network to pick up decryption keys.<br /><blockquote>Requirement - Blackberry compatible.</blockquote>Those people who have a requirement for Blackberries probably have a requirement for secure email. It's bad planning not to be addressing this immediately.<br /><blockquote>Requirement - must integrate with current architecture.</blockquote>As with the 'standards based' requirement, this is going to be hard work. Anything so new is going to be crowbarred in. The only thing it integrates with is Exchange and Outlook, but then all email solutions do... how about working with certificates, protecting attachments end to end, and being able to vary the levels of security via policy.<br /><br />Which reminds me - who's writing the policies on this thing. I don't really understand who needs to be encrypted to, or in fact... why?<br /><blockquote>Requirement - fully audit when this data is sent out of the network.<br /></blockquote>You just can't do that with the system which created it. If it's being emailed, an internal user can email it out, but there is no reliable automated process to log this. It's either a manual process by the user - so more policy writing, more holes for errors to slip into - or it's nothing. That's scary, especially when the next step is emailing data out of the network.<br /><br />Which brings me back to the politics I'm afraid. Why does anyone need secure email? Email is NOT secure. The only reason you need secure email is because another process is broken, it is a sticking plaster option to my mind.<br /><br />Better to create a secure extranet, register your users there, use a third party PKI if you need to use keys at all, and use the certificates to authenticate your users too whilst you're at it. Use a CMS type too to publish pages to individual users as and when they require to download data from your network. That way you have a full audit trail too...<br /><br />In short, no matter how hard a security person tries to be helpful, they will always end up moaning. It's kind of <strike>my</strike> their job.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0tag:blogger.com,1999:blog-3711025027840462761.post-21504530009701762732008-08-26T14:42:00.001-07:002008-08-26T15:15:52.624-07:00Electing to receiveI've been off the air again for a short while, changing positions again as a contract came up locally without quite so much travel. I'm not going to reveal my new whereabouts, largely because I'm not sure they'd be too happy about me talking about them, but also because it wouldn't add much to the mix.<br /><br />I've been there a week now, and things are changing fast. The security department is being split up and pushed into every area of the company so that 'security is part of everything we do', which is admirable, if not lofty. I've ended up in the architecture team, which suits me fine, if not what I'd expected. What it does do is allow me to get on the receiving end of some vendors for a change, instead of delivering.<br /><br />Last week I had a Webex about WebInspect from HP. Now I'm sure this is a great piece of kit, but it's really tough to sell over Webex. Fortunately for them, we've already bought it. I'm sure another sale would warrant a site visit, at which point the SE could shine, but over the phone it didn't really work for me.<br /><br />I don't miss being an SE, it did serve as a great way to increase my salary quickly over a short period of time, and latterly to help me move from permanent roles into contracting because I found myself moving around so much and didn't want to appear like a job hopper. It also half killed me with travel and working from home is more stressful than you might imagine.<br /><br />I was lucky to find a contract with work which suits me well and is practically on my doorstep. I don't think I'd ever go back to being an SE now, maybe I'm over critical because I've been one, but it's a thankless task, and I don't think you could pay me enough to do it again now.<br /><br />I look forward to writing a bit more about the various technologies that I look at in the next few months. In the meantime I obviously can't talk about projects or politics in the workplace, but maybe I'll thrill you all with policies and general security blather.Robhttp://www.blogger.com/profile/09719635361996746834noreply@blogger.com0