Wednesday, 2 November 2016

BruCON 2016 (0x08) - Speaking about POS, POI & VT (the undisclosed talk)

It was a great honour for me to present this year at a hacking conference like BruCON (brucon.org).
As many of you already know, I started this because I wanted to know how the payment process works behind the scenes (Payment Card Industry - PCI) and how secure these systems are, which we take for granted on a daily basis. 

After researching Point-of-Sale (POS), Point-of-Interaction (POI) devices and Virtual Terminals (VT) for almost 4 years, it was about time to do a presentation that wouldn't be behind closed doors, as I usually do. I talked with a number of acquirers, issuers, payment processors and POI OS manufacturers and let them know about my findings well before this talk.


Tuesday, 18 October 2016

Parrot AR.Drone 2.0 Power Edition (How to)

I recently got a Parrot AR.Drone 2.0 Power Edition and I had a few issues getting things set up and running. After researching on the Internet, I found that many others had had similar issues, and a number of opinions and solutions were being suggested, but without definitive answers.
Because I had to spend a lot of time trying to find out who is right and who is wrong on the forums, I decided to write this non-security-related blog post, because I believe it will really help a lot of people when it comes to that particular drone.

Sunday, 16 October 2016

How to employ talents in the security industry

There are so many things to say on this subject that it is really difficult for me to decide where I should start. I do not want to create a very long post, so I will try to keep this brief and to the point. I will not try to explain each point in more detail, because it wouldn't be much help at this stage, but I will try to give a few pointers on why it is currently considered a very challenging task for companies to employ talents.
Even though this is not an article for talents in the music industry, I have included the following video for you all to see. Believe me when I say, everything will make sense by the time you have read through the article.
(In case you cannot see the embedded video: https://youtu.be/_xj1ncF5hSY)

Again, before you read any further, keep in mind that everything I am writing here is about the process of identifying and employing talents, and more specifically talents in information security and information technology, especially those that have a 'growth mindset'. (I will talk about the 'growth mindset' in a different post.)

When you find a job opening online, it has most likely been written or revised by the HR department based on what is currently being asked for this role in similar job opportunities on the Internet. You can actually spot such job openings by looking at the requirements and seeing that they ask for “a little bit of everything”, which does not really make a lot of sense. If you are the person tasked with the responsibility to hire someone and you try to modify HR’s “template/process” to suit the particular needs of this new job opening, good luck.

You are going to end up filling in form after form that does not ask the right questions about what you are trying to achieve. It is almost impossible to deviate from HR’s template, and at the end of the day, after spending time on this, HR will have the final say on the final form of the job opening. On top of that, in most organisations the shortlisting phase is done by HR staff who in reality have no real understanding of the skillset required for the particular job, other than cross-checking the preset requirements in the job post. Hiring talents requires you as an organisation to rethink the whole process and ensure it actually invites talents to apply for the job openings your company has.

Talents do not fit in job descriptions. A talent does not live under a title saying I am a penetration tester, a security consultant, a security architect, etc. With talents, it works the other way around. They just know things (and love to keep learning things), or they are really good at things without knowing how good they are at them. They can combine information they already know to find solutions, they know how to solve problems, they have ideas, and they think differently from other people. Instead of trying to fit them into a job description, look behind the curtain and read between the lines during the selection process and the interview. Allow them to tell you what they can do for the company, and the role they are interested in.

Most of the time, the shortlisting process simply excludes talents from getting to an interview. Imagine you are the talent and you have to spend almost two to three hours of your time trying to put your CV into an online web application that asks you completely irrelevant questions, because it was meant to be generic. For example, when you are planning to hire a developer who is a talent, you want someone who really knows how to write code, who knows how to solve an algorithmic challenge because he/she takes pride in that, someone who is not going to reuse a solution from “stackoverflow” without any idea how or why it seems to be working. These qualities cannot be put in a job description and cannot be highlighted in the automated shortlisting process. These qualities can only be identified during the interview, when the person (talent) has a chance to answer the right questions.

The interview is the most important stage of the whole process. Let’s assume that the person being interviewed (who is a brilliant candidate and the talent the company is looking for) managed to overcome the aforementioned problems and got shortlisted for an interview (face-to-face or otherwise). The candidate now has to face four major problems.
  • The person conducting the interview is not trained or suitable for conducting interviews in general. Some of the people tasked to do this either do not like it, or they are really bad at it (even after training). The interview ends up being a great opportunity for people who know how, or are willing, to “charm” the interviewer and tell him/her exactly what he/she expects to hear. A talent is not there to charm anyone and play sympathy games. A talent expects to be respected as a person, valued for what he/she knows, to demonstrate how eager he/she is to learn and what he/she can offer in this role, and to be asked the right questions.

  • It is true that talents might have awkward personalities, but this is part of what makes them special and so good at what they do. Consequently, the interviewer not only needs to be really good at interviewing people but also needs to be able to read between the lines. Not all people are comfortable talking about themselves, or go into an interview with the right attitude, or reply to the questions like superstars, or say something catchy. Sorry to break it to you, but if this is what you want to see in an interview, then you are looking for a "used car salesman", not a talent. Allow people time to feel comfortable and open up slowly. If they cannot talk about themselves, ask things about them and they will tell you (their answers might be brief sometimes, and your role is to help them elaborate on them). There are occasions where the interviewee replies to a question with something brilliant or something the interviewer is not familiar with. Instead of having an empty expression on your face and trying to change the subject, think about allowing the talent to elaborate on this. We all learn a new thing every day, and your pride won’t be hurt if you listen carefully for a change.

  • The almighty checklist of standardised questions and the tick in a box. Don’t get me wrong, having a checklist of questions that need/should be asked is fine, but make sure you are asking the right questions. Seriously, what is the purpose of the question “can you tell me the OWASP Top 10 by heart”? Such questions are simply asked to make the interviewer feel superior (establish his/her dominance in the room) and the interviewee feel that he is not in charge (despite how "well" you respond to the question). Include questions that allow the interviewee to elaborate on his/her experiences and thought process (how they deal with problems, suggest alternative solutions, investigate issues, propose new project ideas, etc.), and not tricky/sneaky questions with a double meaning that he/she cannot think about at that particular moment, mostly due to the stress of the interview. Also, make sure you took the time to read the CV (resume, for my US friends) of the person you are interviewing, and allow him/her to tell you if they have done some amazing things (projects), which these are, how they came up with the idea and why. Telling/admitting to the interviewee that you haven’t read his/her CV before entering the room and conducting the interview is, from where I stand, simply unacceptable, and you should not be conducting the interview (or any interviews in general). If you haven't spent at least ten minutes reading through the submitted CV/resume prior to the interview and highlighting the things you would like the interviewee to elaborate upon, then clearly you are not interested in finding a talent for the company (and this lack of interest in finding a talent is currently being interpreted by many companies as a shortage of talents). You are simply wasting your time just to get away from work for an hour or so, wasting the interviewee's time, and you just want another tick in a box saying that you conducted an interview.

  • The interviewee can do nothing about his/her future “team-mates” feeling threatened by the fact that the company is about to hire the talent they were looking for, for so long. It is not uncommon for the first interview to be conducted by the person who is supposed to become your future boss. This is actually really good, as you get a vibe of the person in charge and he/she gets an opportunity to get to know you (and explain what he/she is looking to bring into the team, the real need, not simply a generic job description). Imagine now the case where the talent nails that interview and his/her future boss is really impressed. So impressed that the candidate is asked to stay and do the second interview on the same day, to get things going as fast as possible. Sometimes, that second interview is given to someone the candidate will end up working with, usually considered to be the “number two” guy on the team. As we are only human, there have been cases where the interviewer felt that he/she is not going to be the “number two” for much longer, because the candidate is really a talent. In that case, the almost-future boss ends up getting a disappointing report / feedback from his/her “number two”, saying that the candidate failed the technical part of the interview. On one occasion, believe it or not, the guys conducting the second interview said this to each other after the interview: "This person is brilliant, has everything the team needs and what the company is actually looking for at the moment. However, if we decide to recommend this person, he/she will be able to do everything (every task) we assign him/her without any problems or training. I am afraid he/she will be able to demonstrate that he/she can do both of our jobs within two to three months' time".
Last but not least, asking the right questions. It was mentioned a few times during the article on purpose. First of all, keep in mind that it is a lot easier for talents to identify talents in their particular area of expertise (I am not referring only to people with technical skills here). There is no point asking questions that anyone can answer using a search engine by simply clicking on the “I’m feeling lucky” option. Talents are identified by:
  a) their achievements (up to that point in time),
  b) the reason(s) why they did things in a certain way to solve a problem,
  c) the way they challenge themselves on a daily basis,
  d) what challenging projects they have completed successfully,
  e) their particular and unique thought process, and
  f) their out-of-the-box thinking and novel ideas, etc.

Ensure the questions being asked reflect these qualities. Allow the questions to take twists and turns, be flexible based on the personality and background of the person being interviewed, allow the questions to scale and progress slowly in the right direction, and elaborate and engage with the candidate in order to reveal the hidden diamond behind the sometimes rough surface.

Based on the above, and assuming that you took the time to watch the embedded video, consider a job opening in the music industry where a record company wants to put together a band. Imagine now this record company interviewing bands the way the Information Security industry conducts interviews for talents (automated short-listing process, narrow and irrelevant questions, interviews that do not allow you to demonstrate your talent(s) but only to reply to standardised checklists, etc.). Just imagine the questions:
Q: What instruments does each member of the band play? A: None.
Q: Do you sing? A: Well, this guy does; the rest of us make noises.
Q: Can you dance? A: No, we just sit on stools most of the time.
and so on...

I would like to assume that you are now getting where I am going with this and I really hope you enjoyed reading this post (and the metaphor). I am considering making a proper presentation on the subject with more details and examples.

Tuesday, 11 October 2016

IP EXPO EUROPE 2016 (..and winning a drone)

I had the opportunity to be at IP EXPO last week, in London. For those of you who are not familiar with the event, IP EXPO Europe took place at ExCel London (5-6 October 2016). 


The interesting thing about IP Expo is that you can find vendors and services across the whole spectrum of IT. More specifically, under one roof you will find anything you need related to Cloud and Cloud services, Cyber Security, network and infrastructure solutions, data analytics, DevOps, and Open Source.

Compared to InfoSecurity Europe, it is a smaller event, but this ended up being a good thing. The exhibitors had a standard booth size allocation, and it was much easier to get around and talk to people, and faster to find what you were looking for. Maybe this particular layout just made more sense to my OCD, I guess.

Monday, 3 October 2016

Towards a Cyber Resilience strategy (Cyber Security Awareness Month – Oct 2016)

As most of you already know, October is Cyber Security Awareness Month. The aim of Cyber Security Awareness Month is to raise awareness across the international community about cyber threats, discuss best practices, and educate the public and private sector on how to stay safe online.

Cyber Security is promoted extensively during this month, and many events are organized with the sole purpose of engaging and educating public and private sector entities, while providing them with the necessary tools and resources to stay safe when connected online. Given the opportunity, let’s talk about the UK’s Cyber Security Clusters and how you can engage, participate, network and, most importantly, ask any questions that you currently have regarding your organization's cyber security posture and staying safe online.