
Wednesday, 11 Mar 2015

Weekly Wee One #3 – Passwords and Biometrics are like….



This week’s tweet-size InfoSec analogy with not so tweet-size extra stuff 🙂

Tweet 1: https://twitter.com/S_Clarke22/status/575685304574738432
Tweet 2: https://twitter.com/S_Clarke22/status/575558596278288384
In one resulting Twitter conversation you’ll find very pertinent questions from Van Amenya (a non-security person who bravely weighed in) about whether consumers really care about security, my very personal opinion on how things are security-wise in the retail/IT vendor space, and good stuff from Dr Danniel Dresner (with his usual sense of humour attached).
In the second one, we’ve got Philippe Verstichel, Claus Cramon Houmann and Per Thorsheim indulging my inexpert questions about the inner workings of biometric authentication and sharing opinions on its future usage and security.
When this one came to me, I did a fairly long search for recent articles calling out how vital it is to secure around identification and authentication data stores. Almost nothing, nix, nada on that subject (feel free to flag any I missed). I therefore feel justified pointing to my post on passwords and their future.
Another symptom of the lack of joined-up-ness in the way we approach security, or (more realistically) another victim of the ‘wow’ driven media experience? Not so sexy to say:

‘Biometrics are amazing, BUT one lax privileged access policy, holey database or iffy connection and your ‘you data’ goes bye bye’.

Having said all that, I can’t wait for biometrics to become mainstream. Even with a password safe, my InfoSec pro tendency to set evilly long passwords sometimes makes my life a misery (look for a tweet in that second thread proving that point). And that, right there, is the problem. Super convenience makes everyone less cautious…well…except paranoid security pros like myself. We’re paid to be that way, so you (as long as you pay heed to us) don’t have to be 🙂 .
To underline that point: Think about the explosion of mobile apps. How long was it before most folk considered whether they were secure, or why they wanted permission to access (among many other things) all your contacts?
Perhaps biting off my nose to spite my face, I’ll be a late adopter of biometrics, watching carefully (and probably tweeting/posting about) who’s good at security and the mistakes made by others.
Soooo, this turned out to be not so wee, but mainly due to the great input provided by the Twitter community. Thanks for that! And hopefully I’ll have more tweet-size inspiration by this time next week.


If you liked this, you can find more here, or try The Analogies Project for loads of bigger ones from just about every big name in the security game (plus plenty of folk from other trades). It’s a fab resource.
