Inside Infosec, by Bogwitch

Intellectual property rights (17 February 2012)

Copyright and patents have taken a lot of headlines recently; there have been big battles between Apple, Samsung, Motorola and anyone else that wants to weigh in with their patent for a pound of flesh. ACTA has hit a hurdle in Europe with a lack of support and ratification, and SOPA has been left largely unsupported in the US.

This is a difficult subject for me. On one hand, my company makes money from its intellectual property, creates jobs (mine included) and manufactures in the UK - yes, UK manufacturers DO exist!
On the other hand, I do not appreciate the additional cost of my electronic devices due to costly and otherwise unproductive patent battles. I do not appreciate being described as a criminal for making a backup copy of a CD or DVD or converting it to another format.

There needs to be patent protection to reward innovation. There should be copyright to encourage creativity. I believe the time limits on patents and copyright need to be seriously readjusted. The fact that copyright extends to between 50 and 70 years after the death of the creator in the majority of the world is ridiculous. Copyright is intended to permit the creator of the work to make a fair profit from their efforts. This may have been a realistic timeframe when transportation speeds were such that creative works would take many years to pervade all of humanity but, with today's electronic communication, it is possible for a work to circumnavigate the globe in seconds, so it is practical for a creative artist to exploit their art in a very short timeframe. I believe that a creative artist should be able to exploit their art within a single year, possibly less. There may be scope for different mediums to enjoy protection for differing lengths of time; it is a broad subject that requires great discussion.
The bottom line with regards to copyright and file copying on the Internet (I refuse to classify it as piracy) is this: the Internet industry generates a great deal more income than the creative industry. If the best argument from the copyright protection industry is job protection, let's look at the number of people employed in the Internet industry and make a fair comparison.

With regard to patent protection, as I stated before, there should be protection for innovation to allow inventors to profit from their creations. Again, the patent protection timescales need to be adjusted, along with a rationalisation of patent applicability. They are not currently as long as copyright protection, but some of the patents currently under dispute are, frankly, ridiculous. There needs to be a test of fairness - if a patent covers an idea that could reasonably be reached by another person, that patent should be blocked. Again, the devil is in the detail and the dispute will come down to what is considered reasonable.

Why DLP is virtually useless (22 September 2011)

DLP is one of the greatest vendor TLAs at the moment. Pretty much every security vendor has a DLP 'solution' that they would have us buy.
The bottom line is that DLP has very little to offer us.

Don't get me wrong, there are a few instances where DLP can demonstrate a small value, preventing the accidental information leak from an ill-informed user, but that is pretty much it.
Let's face it, if full DLP is implemented, an information system becomes so bogged down with warnings, alerts and reminders that normal productivity cannot be achieved. If industry figures are to be believed, more than 80% of information leakage is carried out by malicious insiders. If those malicious insiders are intent on extricating your information, they'll find a way to bypass your security controls - or are you going to ban printouts, or even handwritten notes?

I have seen (and built) high security systems that had very little opportunity for information to leak: logging of printers, hardcopy document registers, no export to optical or magnetic media, no onward connectivity, no removable media access permitted. How usable would these systems be beyond the single use they had? Nil. Would the security controls prevent a malicious user from jotting down a few notes of what they saw on the screen or, heaven forbid, remembering a few salient points? Not a chance.

Our businesses employ personnel they trust. If we don't trust them, why do we employ them? It is entirely possible that staff become disillusioned or corrupted in some way; that's why we verify. It's an old adage but worth repeating - Trust, but Verify.
We should be enabling our users to be as productive as they can be, protect them from silly mistakes, allow information on a need-to-know basis but provide them with the tools that make them efficient. The deployment of DLP in the vast majority of cases will be a business disabler and users will find workarounds that are below the radar.

Staff vetting (3 August 2011)

I mentioned vetting in my previous post and I'd like to expand on the vetting of staff, contractors and temporary workers.
I have been through some pretty heavy vetting. I'm glad to say I passed, but not without a warning or two - a sign of a misspent youth. The vetting process was quite in-depth and included background checks, reference interviews and a face-to-face interview.
During my vetting, I was completely honest and advised my references to be just as honest. I have encountered some managers advising their staff to be less so, particularly in certain areas. This was especially apparent when working in the private sector, providing services to HMG. If consultants did not pass their vetting, they were unable to work on ANY projects for HMG, therefore the pressure to pass the checks was quite high. Don't get me wrong, I don't think the people that were lying were any higher risk to security than those that didn't; if I did, I would have spoken up. But the vetting scheme requires complete honesty in order that you don't leave yourself open to blackmail, and those that lie have this vulnerability.
Why do they lie? It is apparent that, depending on the area you are being vetted for, the tolerance levels for certain behaviours are higher, or lower, than others. Some areas would have no tolerance for alcohol abuse where others may take a softer approach. Some areas may be more tolerant of a past instance of employee theft where others may not.
What does this mean? To put it succinctly, there are a number of people working for HMG, either directly or via contract, that hold high levels of clearance and that are (slightly) vulnerable to blackmail.
I am acutely aware that those that are likely to disclose information would also lie to protect themselves and to achieve clearance, and it is obvious, at least in my experience, that the vetting staff are not trained to spot obvious body language tells that would indicate a less honest answer.
The alternatives are unpalatable. I understand anecdotally that in the US, vetting is accompanied by a lie detector test. I do not believe that would be acceptable in the UK and it would certainly be rejected by many. I am also aware that it is possible to be trained to defeat the lie detector just as easily as one can be trained not to provide body language tells. If we were to rely on further reference interviews, the costs would soon increase - vetting is not a cheap process and I'm sure the vetting agencies are under pressure to keep costs down - and if one reference will lie for you, I'm sure many others would also.
The bottom line is that many potentially good candidates are put off by the draconian requirements for vetting, and some previous behaviour will preclude a candidate from attaining the highest level of clearance where other candidates who are prepared to lie are achieving clearance, leaving them open to blackmail. I believe the system is broken and there is no easy fix.

A new approach... (10 July 2011)

It's been a good while since my last post. I've started a new job; for the first time in a long time, I'm in the private sector and I've been dedicating my efforts to getting up to speed and changing my mindset to address the security issues for an entirely new way of thinking and working.

I've still got plenty to comment on concerning the state of information security within the public sector and the controlling bodies; more of that to come....

Back to my new role. The company I'm now working for is investigating the possibility of utilising cloud resources. Coming from the environment that I have, my immediate reaction was to balk at the prospect but, following the practices I have learnt over the years, I applied a suitable risk calculation to the whole idea and it all boils down to whether you feel you can trust your cloud service provider. The benefits are immense - we are considering outsourcing our email to a cloud service, which dramatically reduces the cost of the current clustered Microsoft Exchange environment and increases the availability over what is currently achieved via the in-house solution. The ability to scale up (or down) at very short notice delivers considerably more flexibility than is currently possible.

Granted, there are additional requirements on the company to ensure confidentiality of information. For cloud services, it will be imperative to implement two factor authentication, along with all the headaches and potential pitfalls (Re: RSA) that come with it.

The move to cloud services is now primarily seen as a change management project. User acceptance may not be as high as could be hoped, more likely because of the loss of Microsoft Outlook, and managing the perceived loss will be a primary consideration.

As I alluded to before, the issue of trust of a service provider is the stumbling block. As we meet the various service providers concerned, they become familiar and a trust relationship is built. We want to trust them and, naturally, they want us to trust them. Alongside the new-found trust we have developed is an implied trust of ALL the employees of those companies. Some of the companies we are engaged with have an employee vetting scheme. I have been the subject of vetting and I'm not impressed. Vetting is hugely effective at weeding out potential employees who have been caught misbehaving but fails dramatically when attempting to identify the luckier, or more efficient, dishonest employee. The issue of trust must be an informed decision and ultimately it falls upon the business to make the final decision; my responsibility stops at providing full information to the board so that the decision may be an informed one.

£63 million for the police to fight Cybercrime (15 February 2011)

So, the police are going to be allocated £63 million from the £650 million made available to 'beef up' Britain's cyber defences.

My question is: is this an appropriate organisation to be tasked with this role? I suspect it is not. Now the money has fallen into the police budget, it will offset other spending cuts applied by the government austerity measures. In short, those police personnel that would have been made redundant may now find themselves assigned to cyber defence work, whether they are suitable or not.
I believe the full £650 million should have been assigned to a new organisation tasked with cyber security, with the sole purpose of blocking cyber attacks and, wherever possible, identification and prosecution of offenders. With the police having the funding assigned to them, there is an imperative to retain and retrain staff for the role rather than employing suitably trained and experienced personnel who are ready to commence the tasks required.

A full UK Cyber Defence Organisation could be provided with the authority and access to identify those organisations that are actively being exploited, with a view to contacting them directly and perhaps even offering a commercial service to allow said organisations to employ them to secure their systems against further attacks.
Naturally, such an organisation would require an unprecedented level of access to Internet traffic and there would be immediate privacy concerns over what is viewed by them, but surely it would be better for this to be in the hands of an independent service rather than the police, who will have other issues to deal with and might want to leverage the access afforded to facilitate additional investigations, drawing further resources away from the primary objective.

It's not an easy task, and the levels of funding being suggested are appropriate to tackle the task at hand but in no way adequate to completely eradicate the threat - no level of funding could be.

I will watch closely how the remaining 90% of the £650 million will be distributed. I'm sure the MoD will be allocated a portion of the funding and the same issues will apply with regards to redeployment of staff, retraining and scope creep. I'm sure that CESG will receive a good dollop and, while I respect the ability of CESG and the issues of conflicting priorities will be lessened, there is the ever-present issue that CESG has an incredibly hard time retaining suitably cleared and experienced staff who, once they have attained the clearance and received the training that CESG provides, are tempted away to high-paying consultancy and contract positions, often returning to their previous job but costing CESG up to ten times as much. Many of the issues at CESG are down to their stringent vetting requirements, but that is a post for another day!

The tragic state of NHS information security (7 February 2011)

Recently, I have taken some time to examine the state of information security within the NHS. What I have found is a culture which would shock most information security professionals and should dismay those responsible for ensuring the safety of what is deemed to be sensitive personal information according to the Data Protection Act.

My sources of information vary from direct observation to anecdotal evidence, albeit evidence from trustworthy sources.

My interest in NHS information security stems from a chat I had with the chap who was (at the time, 4ish years ago) responsible for the security of the links between NHS trusts. My question to him was innocent enough - 'Who is responsible for the security of the endpoints?' I was surprised to discover the response: 'They are.' Meaning the local trusts, hospitals or even surgeries.

Following on from that chat, I have taken particular interest in the security of information whenever I am in an NHS environment. I have visited several hospitals, primarily when visiting friends or family. I have visited many surgeries and other NHS trust buildings when employed as a contractor for the NHS, and I have family working within the NHS who often ask me for advice concerning the security of their systems.

In every - not most - every hospital I have visited, the mail is delivered around the hospital by trolley, and the trolley is left outside wards unattended while the post for each ward is delivered within. It would be trivially simple for an individual to take post from the trolley.

In one particular NHS trust, all laptops were fitted with whole disk encryption. The whole disk encryption installed onto the laptops had the SAME password across the entire estate, and the password was written on at least two of the laptops. I have no experience of other trusts' laptops so I cannot state how widespread this problem is.

I have witnessed account sharing on many sites. This is particularly endemic within small user groups, medical centres and doctors' surgeries, although it is not limited to them. It should be noted that central medical records are protected via a secure session using two-factor authentication; however, many other sensitive client details and reports are recorded on the hosting computer, with little or no protection afforded to them.

Physical security within the NHS is abysmal. In every - not most - every hospital I have visited, I have noticed network equipment cabinets that members of the public could easily access, either to install an additional device or to cause major disruption by disconnecting cables.
The physical protection afforded to computer systems within treatment and consulting areas in medical centres, surgeries and hospitals is sadly lacking. Many areas are protected by five button simplex locks, which take up to five minutes to brute-force, usually considerably less. Other areas are protected by 13 button locks, the codes for which can be trivially captured with a dry marker pen.

The NHS trust I was contracted to, when asked who was responsible for information security, replied 'I don't know - I think it's the IT director'. This was said to me by an IT manager.

I have received medical details by post of an elderly woman who lives ten miles away from me, when appointment details were sent through for my son.

In addition, I have discovered unpatched systems, unsupported operating systems and out-of-date anti-virus software.

These are only a few examples of the incredibly poor information security I have noticed when within NHS environments. I have many more examples that I could cite but it would achieve little else. I suspect the results of audits (if any are carried out) would make for some pretty grim reading.

The overall information security measures within the NHS, in my experience, are catastrophically poor. Why this is not more widely reported is a mystery to me. Almost everyone in the country has medical information stored and processed by the NHS, so this should be a concern to pretty much everyone. I doubt my observations are restricted to the absolute worst NHS trusts - they are not limited to one trust but several trusts. I am sure information security breaches within the NHS are not being reported and, if they are, they must be being covered up. The Department of Health has guidelines for Information Security within the NHS but there are no hard and fast rules concerning the protection of OUR information.
I believe it would be in our interests for the NHS to be required to comply with a data security standard. I appreciate there will be a huge cost involved in this, at a time when the NHS cannot afford to spend additional resources; however, it is only a matter of time before a huge data loss is reported within the NHS, which will cause a knee-jerk reaction to providing adequate protection for NHS held information, along with the associated 'quick-fix' costs such as those that have been endured by the MoD following the loss of the Navystar laptop and the Revenue and Benefits CDs.
It would be prudent for the NHS to commence investing in Information Security now, rather than being forced into action at a later date.

GSM Phone security (5 January 2011)

http://arstechnica.com/gadgets/news/2010/12/15-phone-3-minutes-all-thats-needed-to-eavesdrop-on-gsm-call.ars

As is the way with many theoretical attacks, this one has now been taken from the realm of theory and placed firmly at the feet of reality.

Whether you are Government, Military or business, it is now abundantly clear that it is possible for mobile communications to be intercepted both trivially and cheaply. While it is accepted that three-letter agencies have possessed this capability for some time, it is now highly likely that this capability will be in the hands of criminals, industrial spies, private investigators, journalists - in fact anyone. Mobile communications now have less security than postcards so, if you wouldn't discuss your organisation's business on a postcard, it would probably be best to avoid mobile phone use.

The bottom line is, if your adversary has a couple of hundred quid to spend and a small amount of time, it would be safer to assume that they ARE listening to your conversations and reading your texts.

Wikileaks, Assange, Insurance, US Cables, Anonymous, LOIC and all that jazz (10 December 2010)

There are so many aspects to this story, it's very difficult to know where to start.

First, it was clear that once Julian Assange got his hands on the leaked cables, it was only a matter of time before some or all of them were released. The nature of many of the released cables is pretty tedious, to be honest, and I suspect that a number of them have been 'over-marked', that is to say, afforded a protective marking above the marking that they actually warrant, but it's not my call. There are some leaked cables that are significant, and whoever Assange has employed to vet/redact them may be working to a different agenda.

Second, the issue of the 'insurance' file and Assange. It is clear that the huge insurance file <i>could</i> be the complete collection of cables; perhaps we'll never know as, if Assange releases the password for it, there will be absolutely nothing left for him to bargain with, therefore he is only likely to release the password if he has nothing left to lose.
Regarding the accusations levelled against him in Sweden, we should always take the attitude of 'innocent until proven guilty', even if sexual crimes are seen as the most distasteful. It is possible he is guilty; it is possible that the accusations have been made in an attempt to discredit him. The timing would seem to suggest the latter, or it could be a coincidence. Certainly the initial prosecutor in Sweden felt as though there was no case to answer.

Regarding Anonymous and their attempts to avenge Assange. From what I've seen of Anonymous, it is rare for them to be so united behind one cause. They also seem to be garnering support from other sections of society. Historically, Anonymous has a pretty short attention span and I would not expect their assault to run and run, but if the momentum they have gathered can continue it is possible that a sustained campaign could be achieved.

The LOIC. I'll admit, I've not submitted the code to any analysis; I do have some concerns though. A malware developer is a malware developer. It is entirely possible that anyone putting together the LOIC code could have included an update function that could change the nature of the tool entirely. While the LOIC will only be attacking anti-Wikileaks targets at the moment, it could trivially be modified for the operators to target sites for blackmail purposes or to install additional trojan software onto the host computer to assist in the collection of personal details, banking details, passwords, etc. The bottom line is, the LOIC has not come from a 'trusted' source and therefore there is no recourse to the developers if it starts acting in a manner that was not advertised. If you're tempted to download and run the software, please bear this in mind. You might also find that your actions would be considered illegal. IANAL.

Finally, a quick word about the 'need to know'. There has been some discussion concerning the need to know and whether it would be considered illegal to view the Wikileaks cables. I would suggest that if you are working in Government, it would be beneficial to discover what has been released. I'm sure the Intelligence community is reviewing the cables, but I am less confident that they will pass on the relevant information to other Government departments.

Police to ask Nominet to close 'criminal' domains (27 November 2010)

This is of concern to me.

http://www.bbc.co.uk/news/technology-11845961

While it is right, proper and for the common good for criminal sites to be removed, there is a danger that 'grey' area websites will fall foul of this law.

For example, if a website is set up to provide hacking tutorials, discussions and tools to the community, it might be deemed by the police that the site is 'criminal' and its registration removed without any recourse for the owner. It is conceivable that such a site, while possibly frequented by criminal hackers, could also be a hugely useful resource for ethical hackers and security professionals.

There are plenty of other sites that could be described as 'dual purpose' to one degree or another, and having the police decide which remain and which go suggests the principle of 'innocent until proven guilty' is all but dead.

New Windows 0day vulnerability (24 November 2010)

All Windows XP/Vista/7 32-bit and 64-bit systems are vulnerable to a new 0day attack.

http://www.prevx.com/blog/160/New-Windows-day-exploit-speaks-chinese.html

The vulnerability does not have any known exploits, but it will only be a matter of time before they are seen in the wild.

The vulnerability centres on the win32k.sys NtGdiEnableEUDC API, which is not validating some inputs correctly, allowing it to be exploited via a stack overflow. The result is that an attacker can cause their malicious code to be executed with kernel mode privileges, meaning that even if the malicious code is executed by an account with restricted privileges, the resultant code would be executed with the highest privileges, bypassing the need for confirmation via UAC in Vista and Windows 7.

The vulnerability is not remotely exploitable, but it would be susceptible to standard delivery methods such as email, drive-by and, more recently, USB infection.

Security Awareness Training (21 November 2010)

An interesting article here:

http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1523943,00.html?track=sy160

I was very pleased to see that Tony Neate was highlighting the virtues of providing security awareness training to help organisational users improve their own, personal online security. I have been using this strategy for several years now and I have found attendance is improved and audiences are more attentive and retain more information.
The only section of the organisation I have found to be resistant to security awareness training tends to be the IT support section, but since I work closely with them, I am given the opportunity to point out where they are breaching security and why it is a Bad Idea. I think they hate me.

52 percent of firms have no IT security guidelines for staff (20 November 2010)

OK, the headline is misleading: the UK survey, carried out by AVG, suggests that 52% of 'Small Firms' have no security policy for their staff.
That's still disappointing, although not surprising.
It's disappointing as it takes very little effort to produce a basic policy document, without which the employees of the organisation are pretty much given free rein to take whatever actions they see fit. This may engender a culture of achieving the organisational goals, but it exposes the organisation to risks of software piracy, copyright infringements and malware. When users of a system are given such freedom, it is often the organisation that is held accountable (and liable) when the proverbial hits the fan.
There is a very high chance that some of these organisations are processing personal information, which makes this even more worrisome. Data Protection Act, anyone?

http://www.networkworld.com/news/2010/111910-52-percent-of-firms-have.html?source=nww_rss

Adobe Reader X (20 November 2010)

Finally, and after some long wait, Adobe has announced Adobe Reader X.
Only available for Windows at the time of writing, the new version of this heavily exploited software has sandbox functionality, thus greatly reducing the possibility of malware being delivered via PDF documents.

http://blogs.adobe.com/asset/2010/07/introducing-adobe-reader-protected-mode.html

I have noticed a worrying trend among many organisations to ensure all their Microsoft estate is fully patched and up to date via WSUS or a similar mechanism, while other software, of which Adobe Reader is probably the most widespread, is largely ignored.

About Bogwitch (17 September 2010, edited 9 June 2011)

In my real life, I am an Information Security Consultant. I have worked primarily in the Central Government sector, but I have worked for commercial organisations and charities alike.

As Bogwitch, I have been commenting on InfoSec issues on many forums and boards, so I thought it was about time for me to start blogging about what interests me.

My particular areas of interest include cryptography, user security awareness and UK specific InfoSec related law. Primarily, these areas interest me as I see them as being the aspects of Information Security that are most liable to mature significantly over the next few years.

[edit]

No longer working as a consultant, bored rigid of producing paperwork, performing audits and dull stuff like that. Now I'm an IT Security Architect in the commercial sector. My focus has shifted to stuff like cloud security but I remain interested and I keep a watchful eye and useful contacts in the HMG arena, particularly MoD.