Gidley's Gossipings

A blog about not much really

manifesto for cybersecurity

2017-05-22 Tech

The recent ransomware attacks have focused lots of minds on cyber security; however, many of the solutions being proposed are little more than sticking plasters over the larger underlying issue, namely that systems are not secure by default. The ‘trend’ in software has been to launch it, then fix it. This is a very attractive proposition for business, as it lets them discover which ideas work and which don’t, and then iteratively improve them. Most of the gadgets we use in our lives today would not exist without this mentality. However, the dark side of this approach is that almost all software is not secure: the evidence is that pretty much every system deployed has security flaws, and the only question is who finds them first, bad people or good people.

Continue reading

WannaCrypt was it good for the security industry?

2017-05-15 Tech

This weekend we saw ‘the biggest cyber attack ever’, and a few people (who don’t work in IT) have asked me: will it be good for you (as I work for Irdeto, a Digital Platform Security company)? It’s an interesting question to consider: these big attacks make a lot of noise, so you’d expect that on Monday morning the business of cyber security would get easier! However, I think the reality is a bit more nuanced.

Continue reading

wanntcryptor 2.0 ransomware and negligence

2017-05-13 Tech

Yesterday the news rapidly filled up with reports of a ‘massive cyberattack’. As I’m in the UK, the press coverage was focused on the NHS and was initially full of comments about ‘smart’ hackers. This reporting is, in my opinion, giving these organizations an excuse for their negligence. The reporting often implies the attack is some kind of ‘act of god’ that they could not avoid; in this case it was trivial to avoid: simply don’t connect out-of-date systems to the internet.

Continue reading

Are you feeling lucky?

2017-04-08 Tech

How lucky do you feel today? It’s an important question as your IT security is probably mostly down to luck.

If we examine most ‘hacks’ we usually see the organisation hit issuing statements about ‘sophisticated hackers’, and the public image of hackers as lone geniuses wearing hoodies in darkened rooms is reinforced. In fact most attacks are perpetrated by far less skilled people and succeed by luck. That’s not to say there aren’t some super-skilled experts out there, but they are few and far between.

Continue reading

CV

2017-03-09

Ben Gidley – Product & Technology Leader

Dynamic and highly skilled Product & Technology Leader with over 15 years of experience in driving product innovation and business growth in the Internet and Broadcast TV industry. Adept at navigating complex technical landscapes to deliver cutting-edge solutions that meet customer needs and fuel market expansion. Proven track record in transforming traditional business models into scalable SaaS platforms, achieving revenue growth, and building high-performing teams. Looking to leverage deep technical expertise and leadership skills in a challenging new role.

Continue reading

Computers are complex, so is protecting them

2017-01-28 Tech

Computer systems are complex, and for quite a few years now the complexity has been at the point where it’s impossible for any one person to understand ‘everything’ about any given system. There will often be people with a good understanding of the ‘building blocks’, but it’s pretty much impossible to understand all the detail of the code, libraries and platforms it depends on.

Complexity has massive implications for the security of computer systems. If no one understands a system, how can you have any surety that it’s secure? The developers of the system will have tried to design for ‘known’ security issues, and tried to assemble the ‘building blocks’ in such a way that they are secure, but as the blocks aren’t fully understood it’s highly likely there will be some issues. This is not just an academic claim: simply look at the ‘security patches’ for major building-block components like Java, .NET, Windows and Linux, all of which have regular security issues that could compromise any systems built on them. On top of the building blocks, even in a mid-size dev team you will have a mixture of skills and abilities, and even with ‘2 person reviews’ security bugs do get through. Add in that many systems depend on services supplied by other companies, things like SaaS, hosting, ISPs, Certificate Authorities and DNS, any or all of which are critical for security.

Continue reading

Certs again

2017-01-21 Tech

Once again a major CA (Symantec) has been ‘caught’ issuing certificates improperly. There is a great write-up on Ars Technica. This is really significant, as falsely issued CA certificates are one (of many) ways to MITM SSL.

This underlines the extreme difficulty of securing anything in IT. There are simply too many ‘moving parts’ and people involved in securing anything. Your computer’s security depends on thousands of people and companies all doing everything correctly all of the time, and the simple law of averages suggests this is unlikely to ever happen!
