What do you think this is?

just thoughts of a restless mind...

Bsides Hannover 2017

In March 2017 I visited Hannover in Germany for the Security BSides conference. My first BSides. I had the opportunity to present one of my favourite subjects, how security can help business grow. The venue was nice, and the presentations were very interesting and some of them eye-opening. Overall I really enjoyed the conference; the setup and organisation were very good and all the participants were friendly. That helped in having interesting discussions, which is always useful if you are eager to learn more things and see other people’s perspectives.
I strongly suggest any locals attend the next BSides Hannover conferences. I don’t think I’ll be going there again though, as the drive proved to be too much for me.

My presentation is, as always, available and I believe all the presentations are recorded.

Although the trip was long, the organisers were very kind and helped me forget about it, not only with their hospitality and friendliness, but also by giving me a nice present, the Jim Beam bottle you can see in the picture.

Daniel if you’re reading this, I opened the bottle; great spirit! If you ever visit Prague, let me know, there may still be some left to share!

Tagged in : presentations, conference, security, risk management, business

Geneva Motor Show 2017

This year I happened to be in Geneva on a business trip when the International Motor Show was on. I understand it’s a big thing in the car industry, and although I’m not much into cars, and I was quite busy not only with work but also with preparing my presentation for BSides Hannover 2017, I decided to go.

One of the reasons I went is that people I care about, like my brother and my son, would enjoy seeing pictures. The result is that not only did I go, but I even managed to take some pictures that may not be totally worthless (my photography skills are literally non-existent, in case you didn’t know that already).

So there you go, enjoy the show :)

Pictures from the show (captions only):

  • A yellow car
  • People
  • A black Abarth
  • A white Ferrari
  • A red Ferrari
  • A yellow Ferrari
  • A white Maserati (I think)
  • A black Ford (I think)
  • A racing Ford
  • A red Maserati
  • Is this an Aston Martin?
  • An orange McLaren
  • Some Rolls Royce
  • A white Rimac
  • A black Mansory
  • This is an e-bike
  • A (vintage?) Morgan
  • A grey convertible Jaguar
  • An Aston Martin
  • A view of the ground floor
  • A white car
  • An orange Lamborghini (I think)
  • A grey Lamborghini
  • A yellow Lamborghini
  • A white Quant
  • A burgundy Volkswagen
  • A Nissan
  • A racing Honda

Do you know how frustrated I was to see that there were no Lancias at the show?

Tagged in : cars, photography

Goal: meet my brother

In general I am a very efficient and organized person. Slightly OCD most probably, I want things to be organized; my pictures in the same dimensions, the folders categorized evenly. My drawers have my stuff clearly separated.
Most of the time…

Sometimes though, I’m not like that. My computer files are usually lying around. I do have the structure, because my OCD doesn’t let me not have one. But I’m in too much of a hurry when I create something, so putting it in the right place is just not a priority. And then it stays in the wrong place until I do a cleanup and move everything where it belongs.

And some, few times, I’m not like that AT ALL! These few times I’m a total disaster.

I have been blessed to have as my brother one of the best photographers I know. Obviously, since he’s my brother I’m slightly biased; but if you have a look at his pictures you will realize that I’m telling the truth.
And then, once in a while I need a pretty picture for one of my presentations or pet projects. Like the one I have in my article about management which I like very much.

Always, and I mean always, I remember or realize that I need the picture way too late, making things too complicated or even impossible…

Reminder to self:
This coming Easter, spend some time with my brother to locate some pictures for cases like this.

Tagged in : planning, photography

Physical problems in a virtual world

We live in a European Union that is highly connected. One of the benefits of being European is that you can travel and even relocate to any of the EU countries. Actually, people are migrating from one country to the other all the time, sometimes without even knowing the official language of the destination country. That happened to me when I moved from Greece to the Czech Republic. I did not (and still do not) speak Czech, but I relied on my English and I was ready to deal with any physical person not speaking English. What I was not ready to deal with, though, was finding physical world problems in a virtual world.

For many years now web browsers have had a setting that notifies the web server about the languages you prefer (the Accept-Language request header). If the site is available in more than one language, you will get the first one found in your preference list. This was obviously designed for global companies, and it works nicely.

Here is the problem though: global companies have global operations, and they do not offer the same services or products in all countries. As such, they use geolocation to identify where you connect from. I am not talking about browser-based HTML5 geolocation, which the user can control, but about IP-based geolocation, over which the user (normally) has no control.

After they find where you’re located, they direct you to their country website, which, as you can imagine, is available in the country’s official language. And while in a physical shop I can look for the next available salesperson who may speak English, when I’m visiting a website I have no real option. And if you have tried web translation from Czech, you will understand that we are talking about no real option.

I realise that it would not be cost effective to have every country’s website in two or three additional languages (English, German, French, Spanish come to mind :)) but can we please try with at least one?
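One way a country site could do this, as an added example that is not part of the original post: parse the browser’s Accept-Language header (with its q-values) and serve the first language the visitor prefers that the site actually offers, falling back to the geolocated country’s official language only when nothing matches. The site-to-language tables and the two-letter country codes are constructed for the example.

```python
"""Language negotiation that honours the browser before IP geolocation."""
import re

# Constructed sample: which languages each country site offers.
# A real deployment would load this from configuration.
SITE_LANGUAGES = {
    "CZ": ["cs", "en"],   # Czech site with English as the extra language
    "DE": ["de"],         # German site, German only
    "GR": ["el", "en"],
}
COUNTRY_DEFAULT = {"CZ": "cs", "DE": "de", "GR": "el"}

# One Accept-Language element: a language range, optionally ";q=0.x".
_LANG_RANGE = re.compile(
    r"^\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)\s*(?:;\s*q=(\d(?:\.\d{0,3})?))?\s*$"
)


def parse_accept_language(header):
    """Return [(tag, q)] sorted by descending q; q=0 entries are dropped."""
    prefs = []
    for idx, part in enumerate(header.split(",")):
        m = _LANG_RANGE.match(part)
        if not m:
            continue  # malformed element: ignore it rather than fail the request
        tag, q = m.group(1).lower(), float(m.group(2) or 1.0)
        if q > 0:
            prefs.append((tag, q, idx))
    # Sort by quality; the original header order breaks ties.
    prefs.sort(key=lambda p: (-p[1], p[2]))
    return [(tag, q) for tag, q, _ in prefs]


def choose_language(header, country, default_country="DE"):
    """Pick the language to serve: browser preference first, geo default last."""
    available = SITE_LANGUAGES.get(country, SITE_LANGUAGES[default_country])
    for tag, _q in parse_accept_language(header or ""):
        if tag == "*":
            break  # visitor accepts anything: the country default is fine
        base = tag.split("-")[0]  # "en-GB" also satisfies a site offering "en"
        for lang in available:
            if lang == tag or lang == base:
                return lang
    # Nothing the visitor asked for is offered: fall back to the geolocated default.
    return COUNTRY_DEFAULT.get(country, COUNTRY_DEFAULT[default_country])
```

An expat in Prague sending `en-GB,en;q=0.8` therefore gets the Czech site in English, while a visitor whose browser asks only for Greek still gets Czech rather than an error.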

Tagged in : expat life, language, europe, web development, globalisation

GDPR: Unintended consequences

I recently attended a very interesting event called “Deconstructing GDPR for Business Value Creation”, organized by HPE in Prague. The presentations from Duncan Brown (IDC) and David Kemp (HPE) were extremely interesting.

I had the opportunity to have a quick chat over lunch with Duncan. The discussion started from organization readiness and moved to what we, as a security industry, can do to raise visibility. As is usually the case when an open discussion develops, we found ourselves talking about things we did not initially intend to. One of which was the unintended consequences of GDPR.

It is a fact that probably nobody understands the side effects such a regulation may have, so these discussions are immensely important as they open our eyes to opportunities or threats we could not figure out earlier.

Here is one: the ransom requested in ransomware attacks will rise.

Why? Right now nobody has the obligation to report ransomware attacks; organizations have the option to say “I don’t want to pay the ransom because I don’t care about the data, I can re-generate it or re-collect it”.

Well, with GDPR in effect, this is not the case any more. According to the regulation

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

Read that again. Did you notice “…accidental destruction, loss, alteration…”? It could not be plainer English, and it means that if you’re hit by a ransomware attack that affects personal data, since the data is destroyed or altered, it is considered a data breach.

Subsequently you have to report it within 72 hours (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons). Now, truth be told, if we are talking about the majority of the ransomware variants currently available, it’s only loss or destruction of data. And it is very unlikely that the loss of data will result in a risk to the rights and freedoms of natural persons.

But there are cases when this can happen. If the altered data is used to provide access to facilities for example, or if it refers to someone’s academic achievements (e.g. a university or school). In these cases, losing the data affects the people’s rights. And I’m sure there are other cases I cannot think of, but that’s what we have the comments for.

If you recover the data though, you’re off the hook. And if you recover the data within 72 hours, you don’t have to report it. You save yourself from reputation damage, and potential sanctions such as penalties. Suddenly, paying that ransom looks like a better option, and, as markets and the economy work, that means that ransomware authors will raise the ransom requested.

Being known for my strange sense of humor, I will tag this article as “business development”.

If you can think of any other unintended consequences of GDPR, do post a comment!

Tagged in : privacy, security, business development

Invite me to an event

I have been speaking at events since 2009, and I delivered undergraduate and postgraduate classes in Computer Science, Network Application Programming and Security from 2001 to 2006.

Most of my presentations are posted in this blog, although I may have forgotten / lost some.

If you want me to talk at your event about security and risk management, feel free to drop me a note in the “comments” section below.

The message won’t be visible but I will get back to you as soon as possible.

Please add location, dates and contact details.

Tagged in : personal, presentations

Me elsewhere

Sometimes I give interviews, or publish case studies or write articles elsewhere.

Here is what I can remember, in reverse chronological order.

Tagged in : personal

About me

It is common to have an about me page, so I should make one.

First things first

My Twitter, LinkedIn and blog posts and comments are my own opinions, do not represent any of my current or past employers and are not in any way related to my current or past job for these employers.

Where do you find me?

Apart from this blog, you can also find me on LinkedIn and Twitter as well as Peerlyst. I used to be on Facebook too, but not any more.

If you want to reach out to me, you may do so through my social media presence, or by email at my name dot surname at gmail.

What is this?

In the distant past I had a page, or a blog, or something like this. I don’t even remember any more. Then I thought that my LinkedIn presence would be enough for me to express my thoughts, and I got rid of that blog. More recent (2017) changes at LinkedIn though, as well as the need to write shorter thoughts and more personal, not professional, stuff, led me to have my own blog again.

Unfortunately none of the old content - except for LinkedIn articles and some conference presentations - is here.

What do I do?

I was a Linux / Unix sysadmin for years, and my favorite language is Perl. When I was a sysadmin, security was “part of the job”. Then it changed and I changed with it. I now consider myself to be an Information Security and Risk professional.

Or, as my LinkedIn profile says:

Experienced Information Security and Risk Strategist with in-depth technical knowledge, broad managerial skills and business acumen. My experience spans several regulated industries and organizations with global presence. Skilled in building and leading multi-functional and international teams and projects. Experienced in developing the security strategy and establishing the function from scratch. Comfortable interacting with senior stakeholders and C-level executives.

I enjoy doing strategy, risk and governance, as well as team building and function structuring in multinational, multi-business organizations. Overall I like challenges.

But if you’re familiar with how CVs are structured, you expect to see numbers, and the ones above are not numbers. So, although as a security professional I cannot openly disclose dates and names, I’m happy to provide some of my measurable (i.e. not soft) achievements in some of the companies I have worked for (in random order, to maintain the anonymity of the company):

  • One company had terrible audit results. Inefficient and inadequate, both internal audit and external audit. I developed and implemented a remediation plan that bumped the audit results from Inefficient to Effective (external) and Excellent (internal) in just 2 audit cycles.
  • Once I had to lead a small existing team of engineers. Lacking leadership and guidance, the team was becoming the company’s black hole due to inefficient response in ticket handling. In just eight months after I took over, the team’s performance improved by more than 65%. Same people, same tasks (not Helpdesk, we’re talking about engineers: R&D, systems and networks setup, troubleshooting, POCs). From ~40 tickets per month to more than 70.
  • At some point I had to replace an anti-malware solution in a company. The previous deployment was ~60.000 endpoints. During the replacement project I managed to deploy to more than 75.000 endpoints, covering more than 20% more endpoints and servers.
  • I do remember when in one company we had a significant problem with stale accounts in some IT systems, mainly due to frequent turnover. Processes I set up, and close coordination with the company’s internal development department, led to rolling out a custom-built (but efficient and fully auditable) automated identity provisioning system that terminated accounts immediately upon HR’s activities.
  • At some point I had to take over a support department which was managing one (arithmetically: 1) application. When I left some years later, the department was roughly the same size and with 50% of the members being the same; it was managing seven (arithmetically: 7) applications, including the initial one.
  • I do remember when some employees of one company I worked for found the opportunity to provide company services to customers without registering them in the internal accounting systems, so that they would keep the profits all for themselves. That was roughly 5% of the specific business unit’s revenue; I identified the leak and deployed controls to stop it.

Now that I think about it, I might as well mention names; all the companies are better off after my tenure there, at least in my area of responsibility!

That’s all for the time being…

Tagged in : personal