Author Archives: SBL

About SBL

SBL are widely recognised as a market leader in the information security industry. We have a comprehensive range of information security products and a range of IT software and hardware to enable you to protect your online information. Our in-house professional services team ensure that any product we deliver is done so to your exact requirements to ensure a smooth delivery. We’re also able to offer full training on our range of security products as well as general IT training to ensure that your workforce are highly skilled when it comes to new technologies. We work with some of the biggest companies in the technology sector meaning that we are authorised resellers for some of the latest software and hardware devices. We work with Dell, Sourcefire, Adobe and Microsoft to name a few. Technology evolves and develops at such a fast pace which means that it’s essential that we are able to embrace the dynamics of this ever-changing market. We’re committed to innovation and this lies at the very core of our philosophy at SBL. For further information on any of our products please don’t hesitate to contact us today.

Hasta La Victoria, Siempre

Why Anonymous should unmask now or risk becoming car salesmen

 

On 31st January 1606, a battered and beaten Guy Fawkes walked to the gallows in front of a baying crowd of thousands. Amongst them was the very man he was charged with attempting to assassinate – King James I of England. Fawkes had been drawn from his prison in the Tower of London to what would be his final destination, Old Palace Yard, Westminster. Here he was due to be hanged then have his body quartered and sent to the furthest reaches of the realm. Choosing to throw himself from the scaffold and break his own neck rather than face any further torture, Fawkes’ lifeless body was nonetheless mutilated and dismembered as a warning to other would-be traitors.

 

Skip forward 350 years or so to 9th October 1967. In a Bolivian schoolhouse Ernesto “Che” Guevara was shot 9 times through the neck, arms and legs in a military execution designed to give the impression that the Cuban revolutionary had been killed in action. Guevara had been captured two days earlier by Bolivian troops and CIA operatives, interrogated and then killed before his supporters had chance to retaliate. In the years preceding his capture, Guevara had fought to forcibly remove large American corporations from his adopted Cuba and helped to spread Marxist ideology throughout Latin America and the rest of the globe.

 

These men’s deaths were not as simple as an eye for an eye. Fawkes died not purely because he tried to kill the King but because he fought to upset the status quo. By attempting to remove the Protestant monarch and begin a Catholic rebellion, he and his twelve fellow conspirators made a challenge to the very foundations of 17th century Britain and for this it was deemed he could not be allowed to survive and must be made an example of. In the same way Guevara’s death was not ordered because companies such as the United Fruit Corporation were no longer allowed to trade in Cuba, but because of the ideas he embodied. His growing world standing and outward appearance as a genuine ambassador for Communist ideals offered too much of a threat to his predominantly capitalist neighbours.

 

The comparison between the two runs deeper. Both were relatively well educated, brought up in respectable middle class families, yet motivated to strive for immense social change. Neither was a stranger to war and conflict and both were, by all accounts, talented and passionate orators. Today the faces of both still resonate as a symbol of resistance to fascist regimes, overbearing government repression and corporate greed.

 

That’s the romantic version anyway. The problem is … they don’t. Regardless of whether you agree with their politics or methods, both men can be admired for taking a stand for their beliefs. Whilst many stay at home in silent disagreement, these men willingly gave their lives for what they believed to be the greater good. Today though, they are no longer seen as human beings who lived and breathed and walked upon the earth. Their legend has become such that they are now no more real than the likes of King Arthur or Robin Hood.

 

Che Guevara’s longevity as a cultural icon is entirely thanks to the very economic system he sought to destroy. Today his portrait “Guerrillero Heroico”, taken by Alberto Korda, is one of the most ubiquitous images of our time, appearing on a seemingly endless parade of merchandise from t-shirts to tea towels and everything in between. The Victoria & Albert Museum in London believe it to be the most reproduced image in human history while Jonathan Green, director of the California Museum of Photography, has speculated that it “has worked its way into languages around the world. It has become an alpha-numeric symbol, a hieroglyph, an instant symbol.”

 

In my youth, like almost every teenager experiencing the hormonal frustrations of adolescence, I too displayed the famous “Che” poster featuring the Cuban flag above my bed. I knew little of the man depicted or what he stood for, only that people thought he was pretty cool and that he had a nice beard. I bought it though as a metaphorical two fingers to the oppressive regime of my parents, with their cruel policies of enforced fruit and vegetable consumption and 11pm curfews. I wasn’t going to give in to “the man”, man, and this poster proved it.

 

It didn’t work. Mum thought it was Robert Lindsay.

Futile as my protest was, it goes to show just how far Guevara’s likeness has been removed from his beliefs. So much so that both are now rendered utterly pointless. There is now even a dedicated “Che” online superstore (www.thechestore.com) where you can buy “officially licensed” merchandise. Just quite who has the authority to license such goods is unclear, but what is known is that the website is based in the USA and priced in US Dollars … just as he no doubt would have wanted.

So what use is a communist revolutionary who promotes consumerism? And what good are the products encouraging anti-capitalism?

 

Hours before his death, Guevara asked to see the headmistress of the school which had become his makeshift prison, 22 year old Julia Cortez. During their brief conversation he pointed out the poor condition of the schoolhouse, stating that it was “anti-pedagogical” to expect students to be educated there, while “government officials drive Mercedes cars”, declaring “that’s what we are fighting against.” Forty years later, at the launch of a new car-sharing scheme in Las Vegas (not ordinarily known as an especially socialist town), Mercedes displayed an adapted version of “Guerrillero Heroico” as its backdrop, the revolutionary star on Guevara’s beret crudely replaced by the Mercedes logo. Truly the detachment was complete.

 

 

For Fawkes it is no different. For centuries his effigy has been burnt in celebration of his riddance but today it is sold in fancy dress shops up and down the land, acting too as the defining icon for the Hacktivist’s darlings – Anonymous.

 

What began as a digital witch hunt has developed into a genuine world power. Time Magazine named the group amongst its 100 most influential people in the world in 2012, despite no-one knowing who the vast majority of its members actually are. Their faces are hidden behind a mask – the smiling face of Fawkes stylised by David Lloyd for the DC Comic “V for Vendetta”. The story focuses on one vigilante’s efforts to bring down an authoritarian British government in a dystopian fictional future. When developing the vision of the eponymous “V”, Lloyd wrote a handwritten note:

 

“Why don’t we portray him as a resurrected Guy Fawkes, complete with one of those papier-mâché masks, in a cape and a conical hat? He’d look really bizarre and it would give Guy Fawkes the image he’s deserved all these years. We shouldn’t burn the chap every Nov. 5th but celebrate his attempt to blow up Parliament!”

 

In the context of the comic the analogy with Fawkes is more than valid, both operated towards similar aims whilst using similar questionable, and often violent, methods. For Anonymous however the link becomes tenuous at best. Since their formation 9 years ago on the forum 4Chan, the self-appointed and self-regulated guardians of the internet have racked up a lengthy list of victims. Their iconography can be seen across the globe from Berlin to Bahrain, websites have been brought down, buildings occupied and viruses spread – all in the name of internet freedom.

 

On 5th November 2013, celebrated in the UK as Guy Fawkes Night, Anonymous rallied its “legion” to take to the streets, each one sporting the “V” mask, to protest against … well, anything they liked really. Like my teenage affinity to Che the icon, the differentiation between Fawkes the man and Fawkes the smiling mask seemed unclear for those protesting, as did the notion of a common focus for the protests. Various targets were singled out by the “Million Mask March” including the NSA, fracking, rising food costs, energy bills, the FIFA World Cup, bankers’ greed, corporate greed and the continued presence of Noel Edmonds on British Television (I might have made the last one up).

 

One of a number of Facebook pages for the event described it as a “Call for Anonymous, Wiki Leaks, the Pirate Party, Occupy and Oath Keepers to defend humanity”. In the UK, as protesters inevitably clashed with police forces in Parliament Square and hurled fireworks at Buckingham Palace it appeared they were doing anything but. Unsurprisingly, a movement based on anonymity and unlawful hacking appears to have been hijacked itself for the ulterior motives of less altruistic individuals.

 

As much as they claim to the contrary Anonymous have not yet changed the world. Nor will they ever in their current, anarchical, state. Without concentrated effort and reasoned argument, their causes, whether noble or not, will remain unsolved. To date all that has been achieved is bringing an acceptable face to unacceptable bullying and fear. A fictional character fighting fictional enemies has become real life extremists fighting real life people, yet no one blinks an eye.

 

The inconvenient truth is that Anonymous’ rise in notoriety owes more to its PR machine than its ideology. Without the mask, the mantra and the glamorised publicity their protests would be seen in a similar vein to the London riots, merely the work of opportunist trouble makers. Their attacks rarely have an established point, focus or goal. They appear to take up causes on a whim and then approach with a brute force mentality, determined to destroy all in their path regardless of whether guilt has been established first. Make no mistake, much of the work carried out in Anonymous’ name is terrorism. It may not involve hijacking planes or blowing up Parliament but the threat and chaos is just as great. How many of their “legion” would be as willing to act in their name if they weren’t afforded the privacy of the mask – forced to reveal their identity and accept the consequences as the man whose face they bear did?

 

Anonymous has the opportunity to be a genuine force for good, to usher in a new generation of politics that focuses more on issues that matter to the populace in a way which resonates with the next generation. But therein lies the problem. Guy Fawkes is to Anonymous what Che Guevara is to Mercedes Benz, simply a clever marketing device, a pretty picture that can be easily appropriated – and while that remains the case, change can never come.

 

Andrew Cook, SBL

 

The dawn of the GPMS – A Brave New World

Not a particularly snappy and exciting subject for a first blog.  Nor is it a subject free from danger of upsetting anyone, in fact I would say it’s a political hot potato!   That said, one of my favourite quotes is from Aristotle and is simply this “to avoid criticism, say nothing, do nothing, be nothing”, so in that spirit I’ll give it a go and offer some slightly opinionated commentary on the subject.

 

For the uninitiated, and in summary, GCHQ (the National Technical Authority) are in the process of a dramatic overhaul of the existing data classification programme.   The formulation of this programme (GPMS) is still progressing and subject to change before it is officially unleashed upon the public sector next year. However, indications are that PRIVATE (Impact Level 2), RESTRICTED (IL3), & CONFIDENTIAL (IL4) classifications will move across to a classification called “OFFICIAL”.   The higher levels of classification SECRET (IL5) and TOP SECRET (IL6), the apex of the security pyramid, will prevail.   Or so we believe.   I caveat that the situation still has a degree of fluidity, and I can only comment upon the detail that has so far been discussed within the various forums.

 

There is no doubt that, despite the final detail, this will have profound and far reaching implications across all security decisions throughout the public sector. There will be a huge degree of complexity and with it, market confusion. That said, I have chosen the subject of encryption as it provides a good lens through which we can start to understand these implications, because the choice of encryption technology is/was fixed and aligned to the old/current CESG Accreditation Scheme (CAPS) and the GPMS will act as the proverbial nuke to that system.

 

Common criticisms of the CAPS programme (with maybe one or two of my own thrown in) are:

 

  • It was too expensive, and the costs of accreditation and certification were invariably passed on to customers who had to pay more for certified technology.
  • It was far too slow.   It lagged behind the pace of technology innovation, which meant that customers buying CAPS products were often buying old technology.   This was not as new,   good or  capable as that of their potential adversaries for example.  And, the gap was widening at an exponential rate.
  • To attain certification some functionality may have been restricted or removed which compounds the above, because customers often knew they were paying more money for less functionality and less capability.
  • It created a culture whereby IT and security practitioners would use these products in anger, and then defend bad decisions or inappropriate use of technology by producing certificates that would in some way validate their choices.
  • Where there were gaps, areas that had no certified products, nothing was used! Email encryption is a well known and used example. This culture of defending the decision with a certificate meant that it was deemed safer to ignore a problem, rather than use a commercially available product that would function perfectly well up to a certain level, albeit uncertified. There is a collection of rather embarrassing anecdotes doing the rounds on this specific subject. This subject is a whole blog in and of itself, however here is one to whet your appetite regarding email encryption: http://www.computing.co.uk/ctg/news/2120226/blunkett-france-tapped-uk-government-emails
  • The scheme was not commensurate with the reality of handling RESTRICTED data as a whole.  For example a Baseline CAPS product would need a strong HMG algorithm, long and complex passwords, and GCHQ generated key material, yet once data was out of the digital and into the analogue printed domain, to say the controls were somewhat weaker would be an understatement.     The effects of this would often manifest themselves in some bizarre decision making when it came to the classification of data and data types.  Decisions that would focus on making processes easier as opposed to classifying the data appropriately.

 

There are more, but I think the point is made, a point to which the National Technical Authority actually pretty much agree, or at least their recent actions would seem to suggest:  It’s broken, no longer relevant, falling further behind and needs fixing with some urgency.

 

To compound this further GCHQ’s customer base expands exponentially as we all scramble to get UK PLC ready to defend itself in the brave new interconnected world of the Cyber Domain.

 

In light of the above then, do I think GPMS is a good thing?   On balance and from what I’ve heard the answer is an emphatic yes!     My main reasons for this view are:

 

  • It will move the public sector away from the unhealthy bureaucratic culture of defending decisions based solely upon certification.
  • It will require the public sector to make its own decisions regarding security.   Decisions that will be local, and with local context.    For example, decisions that will take into account the risks, the threats, the impacts, and crucially the business requirements of each organisation.
  • It will enable better data classification decisions to be made. This will open up new choices for customers, e.g. can we use COTS technology? Can we implement a Cloud Service? Can we utilise technology we may already own e.g. BitLocker? There! I’ve said it! Tin hat goes on.
  • Crucially and above all, accountability moves to the business and data owners. Where it should be, locally, and where context can be applied. As with everything in life, context is critical in order to provide rationale and reasoning.

 

Speaking from the industry perspective, another effect of the GPMS will be a rapid reconfiguration of the technology and service market in this space. This is great! It has been needed for a long time, and I am convinced will come as a breath of fresh air to the benefit of us all. We will all need to up our game; we will all need to innovate; we all have a more consultative role to play because the National Technical Authority need to have a wider effect across a much wider customer base, and to do so they need to complete their evolution to the organisation that provides guidance and support rather than mandate and certification.

 

GPMS will make customers responsible and accountable for data classification and data protection decisions.    This will enable them to explore new technologies and techniques.   It will give them access to new ideas and new technology.   It will enable them to access capability in a much more cost effective way, which will be driven also from the direction of the economic and budgetary pressures that they are under.

 

To succeed in this new environment they will need our experience and advice.   They will need our help to implement it properly, appropriately and to their best advantage.     Within industry we all have a duty to make the changes necessary to support these initiatives.   UK PLC will have to change and adapt at some pace to support our electronic safety, security and our economy in the Cyber Domain.  The GPMS is merely a component in a wider program of change vital to this sector, and we all now have an instrumental role in making this the success it needs to be.

Author: Scott Cattaneo

Are Security Awareness Programmes a Waste of Time?

 

 

One question we’ve heard recently is, ‘Are security awareness programmes a waste of time?’  The answer might seem obvious – but perhaps some of them are a waste of time because they’re trying to achieve something they were never designed to do.

 

It is clear that simply making people aware of what they should be doing is often insufficient to persuade them to do it – ‘otherwise none of us would be obese, none of us would smoke and none of us would drive like lunatics’![1]  That’s not to say that raising awareness isn’t valuable but just that on its own it isn’t usually enough.

 

Cyber Security Behavioural Dynamics builds on existing research and uses a framework and process called social marketing.  By combining with behavioural theory we can develop interventions that are more likely to move end users from awareness to behaviour change.

 

So what might these interventions look like? Well, most security awareness programmes rely on what marketers call SPLAT (Some Posters, Leaflets, Ads ‘n’ Things). Increasingly these are brilliantly executed but they don’t dig beneath the surface of human motivation and decision-making to persuade the end user to take up secure behaviours. Our research has demonstrated the importance of understanding end users from their own perspective before attempting to change their behaviour. This is important because those who believe that they have some personal control over cyber security are at a different point in the journey towards changing their behaviour than those who believe that security incidents happen by chance.

We can also ascertain whether end users are ready to change their behaviour. Behavioural theory offers a way of categorising end users into those who are at the pre-contemplation stage (in cyber security this would be the equivalent of the end user asking ‘what does that mean?’) through contemplation and preparation (‘oh I’ve heard about malware, is there anything I can do to stop it?’) to action (‘I’m afraid I’m not going to email that information to you because it contains customer confidential details’). An organisation can keep its security awareness programme running knowing that it will help those end users at the pre-contemplation stage – while a behaviour change intervention will tackle those ready to take action.

 

A participative approach helps us to develop an exchange proposition with end users by understanding the trade-offs that they make.  For example, if you want end users to carry out a specific security behaviour you need to know what your competition looks like – what does the end user get from continuing an insecure behaviour or not adopting the secure behaviour that you require?  Perhaps it’s something obvious such as speed or convenience but it’s equally likely to be something obscure that would never have struck you if you hadn’t taken the time to understand your end users from their perspective.

 

Once we understand the competition we can use a mixture of design techniques to develop an intervention that will increase the benefits of the desired behaviour and the costs of continuing to carry out the problem behaviour while at the same time decreasing the barriers to adopting the desired behaviour and the benefits provided by the problem behaviour. Basically it will use any means possible and practical to make it worth the end user’s while to desist from carrying out an insecure behaviour and move to carrying out the secure behaviour that you’ve identified.

 

So security awareness programmes don’t have to be a waste of time – but they do need to be part of a wider behavioural change programme if they’re going to contribute to changing end user cyber security behaviours.

 

Debi Ashenden & Darren Lawrence

Cranfield University, Defence Academy of the UK

 



[1] Ian Potter, New Zealand Health Sponsorship Council, New Zealand Herald, 2007

The Private Cloud for the Public Sector

Dobus™ has delivered over 21 million individual downloads to the UK MoD and its Defence Contractors since it was launched in 2003. Conceived and designed to be a private cloud specifically for the UK Public Sector, the service has been operating 24 hours a day, 7 days a week, 365 days a year for the last 10 years – this makes Dobus unlike any other cloud service available today.

 

Dobus™ is a service designed to enable the secure delivery of software updates and patches in a safe and secure manner. More simply, it enables users to update their systems instantly, securely, conveniently, and without risk, from a service they can trust.

 

TRUST IS AN INTEGRAL PART OF THE NEW DIGITAL ECONOMY AND DUE TO DOBUS™’ 99.999% RELIABILITY IT HAS A FANTASTIC REPUTATION OF BEING THE MARKET LEADER FOR SECURE, INSTANT PATCHING WITHIN CLOSED NETWORKS. SINCE JUNE 2003, DOBUS™ HAS HAD OVER 500 MILLION HITS ORIGINATING FROM OVER 85,000 UNIQUE IP ADDRESSES.

 

Building on the manifest success of Dobus over the last decade, the next stage in the development of the platform is to expand into other areas of the public sector and so provide a growing range of services to many more users operating within secure environments and within closed networks. To complement this strategy, SBL have invested in a secure link to the Government Convergence Framework (GCF), which in time will become the Public Sector Network (PSN). This allows SBL to deliver Dobus™ based services to the entire Public Sector. Indeed, these services are now advertised through the G-Cloud Framework and are ready to go live imminently.

The Dobus™ V2 architecture enables the delivery of innovative services specifically designed to address the security concerns inherent in the adoption of public sector cloud strategies. These services will serve to empower the public sector in selecting services via the Cloud Store through the utilisation of a UK located, wholly UK owned, high security, and accredited infrastructure.

 

THE PROMPT APPLICATION OF SOFTWARE PATCHES IS CRITICAL TO THE SECURITY OF MODERN IT SYSTEMS. ACCORDING TO THE GOVERNMENT WEBSITE (GOV.UK), 93% OF LARGE CORPORATIONS AND 76% OF SMALL BUSINESSES REPORTED A CYBER-SECURITY BREACH IN 2012. THE COST OF EACH SECURITY BREACH FOR A LARGE COMPANY IS ESTIMATED TO BE BETWEEN £110,000 AND £250,000.

 

The future strategy of the Dobus platform is to utilise it as a UK owned and located private cloud environment to deliver content and innovative cloud services within a public sector domain, or behind a public sector firewall. For example, enabling users to access secure email, online backup and recovery services, secure collaboration tools and a secure app centre. Authentication to a number of these services will be enhanced with the use of digital certificates that will be issued directly by SBL. This innovation of cloud services supports and enables the Government Cloud Strategy to transform the public sector ICT estate into one that is agile, cost effective and environmentally sustainable.

 

As the cyber domain, with its inherent security issues, continues to grow and develop, Dobus will too. Dobus is becoming increasingly important in the new Information Age and will expand in the future to cover more and more secure environments to ensure that more end users can reap the benefits associated with it. Dobus exists in order to help public sector organisations find solutions to the challenges of the cloud; it is a means of delivering services that will enable the benefits of the cyber domain and so allow organisations to operate in it safely and with confidence.

 

For more information about Dobus email cybertalk@softbox.co.uk or
visit www.softbox.co.uk

 

SBL’S APP CENTRE

 

SBL’s App Centre provides the Public Sector everything they need to securely deploy and manage applications and data on both corporate and employee-owned devices.

 

The App Centre is compatible with both Apple™ and Android™ devices, and provides simple but powerful control of security, policies and enterprise data, without interfering with the normal operation of the device or its user data. Distribution of both applications and data to users is easily and securely managed, and should an employee leave or a device be lost, corporate data can be wiped on demand without affecting anything else on the device. SBL’s App Centre is hosted in the UK. Every type of application can be hosted, whether they are normal commercial apps, volume purchased apps or an organisation’s own internally developed apps.

 

SBL’S MOBILE DEVICE MANAGEMENT (MDM)

 

SBL Mobile Device Management provides visibility and control over Apple™, Android™ and Windows Phone® devices. The MDM Solution is deployed where complete device management is required, including cases such as mobile email, and mobile policy and configuration management. MDM allows people to enable and secure personal apps and content as well as managing the device. SBL’s MDM Solution is securely hosted in the UK via Dobus, which guarantees UK Safe Harbour for all applications and data. Every type of application can be enabled, secured and managed, whether they are normal commercial apps, volume purchased apps or an organisation’s own internally developed apps.

 
