Focusing on People vs Technology in INFOSEC : Additional thoughts

Posted on July 22, 2012

This evening I came across this rather post on titled “Focusing on People vs Technology in INFOSEC” and it struck home. Everything in there I agree with. I would suggest you go and read it (link here).

I don’t want to plagiarise huge sections of the article, but am quoting fair bits of it below to introduce my own thoughts on the matter. To summarise (and paraphrase):

  • Organisations seem happier to invest in technology, such as security products, rather than in people
  • Organisations tend to have higher capital expenditure budgets rather than operational (direct expenditure)
  • There is generally a lack of people and programmes to support security technology implementations
  • There needs to be a much greater focus on people, without the right people product implementations fail

The author then goes on suggest eight steps to consider when building a security programme. These are repeated verbatim below :

  1. Focus on culture and having a fun environment for your people to work.
  2. Sending the team to security conferences and additional training events.
  3. Have a clear and concise roadmap for your team and an understanding of career advancement.
  4. Focus on building security programs first before ever investing in technology — use technology for automation.
  5. Work on automating and streamlining processes versus adding additional work on broken ones.
  6. Staff appropriately and fight for additional headcount where it is needed. Be careful on over hiring.
  7. Take time out of your day to focus on people and seeing how they are doing and if there is anything you can do.
  8. Communication. Communication. Communication… Did we say Communication?

I agree with all of the above. There are organisations who want to hire experienced people who can come straight in and do the job, who have all the experience and qualifications, but then don’t want to send them on training or want them to learn new skills. I find this to be a very short-sighted view. One of the hardest parts of setting up and running an effective information security team is finding and retaining the high calibre staff which will make it successful.

What will attract the right kinds of people? A learning environment. One where they can come in, be part of a team, have fun, learn new skills, share existing skills and knowledge while making use of these skills and taking themselves to the next level. I have always found that by encouraging people in your team, across all levels, to study, to take on new challenges and to better themselves boosts the confidence and productivity of all. I see a lot of debate around whether CISSP or CISM is the better qualification, or sometimes whether they have any value at all. That is largely irrelevant in my view. I would (and have) encourage my staff to do either. Going through the process helps the inexperienced learn new skills, and gives recognition to those who already have the skills. This is good for self-confidence and career prospects, either in the organisation or outside.

I have also found that by focussing on people and teaming, people will develop loyalty, both to you as a manager and mentor, as well as to the organisation. You are more likely to retain these people longer, and reap the rewards from the investment that has been made, despite the fears that once qualified they will leave. When you have a great learning environment then people will also be attracted to come and work with and for you. Half the battle is then won.

All the grand plans in the world will come to nothing unless you have people who will work with you, support you and enable those plans to come to fruition. There are going to be times when a lot of hard work is required, but, hard work towards a known goal, where you are learning, having fun and being productive doesn’t always feel like hard work, and staff will give of their extraordinary efforts willingly. At the same time, don’t take them for granted. Small gestures can go a long way.

In all of this, technology is also important. Not so much the technology you end up implementing, but the technology you make available to the staff to experiment, play and learn with. While (mostly) any tool can get the job done, key is making sure that you know those tools intimately. When they are in production it is hard (and dangerous) to play with them, however, having a lab environment with the right hardware, software and connectivity gives the freedom for people to learn and become the best they can be. This also keeps the job fresh and rewarding. Don’t forget this when preparing the budget – even though it may appear to be an unnecessary luxury. Be prepared to debate around and defend this portion of the budget just as much as your capex, salaries and training.

@dave_rel1k (I am assuming you wrote the piece), thanks for sharing, and reinforcing for me the important aspects to focus on when building an information security team who can transform the organisation.

Cyber Defence and Network Security Africa : Cloud-based Scanning

Posted on July 16, 2012

I am speaking tomorrow (17 July 2012) at the Cyber-Defence and Network Security Africa conference ( at the Crowne Plaza in Rosebank.

Time : 12:15 Cloud-based scanning: A case study from Transnet

  • The need for a supplemental, cloud-based scanning solutions
  • Cloud based scanning: how it works, the benefits, and limitations
  • Implementation challenges and lessons learnt at Transnet

Download a copy of the presentation here : Cloud scanning

Then later in the day I will be participating in a panel discussion with the esteemed Barry Irwin and Kabuthia Riunge. Details of this listed below, should be an interesting 45m.

16:00 Panel discussion: Cyber threats over the horizon and the future of information security

  • The current threats, and how these are likely to evolve over the medium term
  • State and non-state actors and the threats each poses
  • Preparing for cyberwar—what can (and what should) the private sector do
  • The future of cybercrime


  • Barry Irwin, Senior Lecturer, Rhodes University
  • Justin Williams, Principal Specialist: Information Security, Transnet
  • Kabuthia Riunge, Senior Information Security Officer, Central Bank of Kenya

Last gripe against Vodacom (overbilling)

Posted on July 14, 2012

I have moaned enough about Vodacom on here, and my last post was around my happy and seamless migration from Vodacom to Cell C. I am delighted with Cell C.

To have more grief from Vodacom was somewhat unexpected.  I just received my last bill from Vodacom. For a little bit of background. I had a 24 month contract from my son on Vodacom (amongst three others), had many issues with Vodacom so cancelled and removed various contracts. This was the last of them, it was a discounted monthly fee contract and the cancellation fee was too high to warrant early termination.

Read the rest of this entry »

Your twitter account has been hacked? How to fix this (and avoid it happening again)

Posted on July 01, 2012

My Twitter account was “hacked” a number of months back, and the accounts of a number of people I follow have been hacked on a fairly regular basis since. This is unfortunately a regular occurrence and spammers are increasing their efforts to get access to people’s accounts to spam their followers.

How do you know if someone you are following has been “hacked”? 

You will in all likelihood get a direct message from someone you follow which will be a generic message (but interesting or tempting one) which will have an embedded link to a site. Links these days are mostly shortened so you won’t immediately be able to see the final destination site. Clicking on it could be compromising your account and / or delivering up malware to your PC which your Antivirus software may or may not detect. So avoid clicking these.

Common messages that are coming up recently as direct messages include :

  • Twitter might start to charge in July, sign this petition to keep the service free! (link removed)
  • Hi, this user is saying really bad rumors about you … (link removed)
  • Hi some person is saying really bad things about you … (link removed)
  • Hi somebody is posting horrible rumors about you … (link removed)
  • Hey someone is saying nasty things about you… (link removed)
  • Various messages about weight loss or other obvious spam

How do you know if you have been “hacked”?

Your followers will send you messages pretty quickly to tell you, or they will be asking you why you are sending them strange messages (like the ones above). Don’t ignore these or react negatively, thank them for the warning and get on with fixing the problem before more of you followers are spammed and / or compromised.

What to do when you have been “hacked” ?

  1. Change your password.
    • Choose something decent, not a real language word, chuck in some numbers or special characters, and don’t think you are smart by using l33t sp3@k (leet speak).
    • Ra35!!me would be good, whereas P@ssw0rd would be bad.
  2.   Check to see what applications are “authorised” against your account. This can be used to keep sending SPAM even after you have changed your password.
    • Log in to your Twitter account on the web and open up your account settings.
    • Click on the Apps tab in the left-hand menu.
    • Read down through the list of applications to see that you know about them and trust them
    • If unsure of an application, revoke its access. You can always approve it again later.
  3. Check that if you associated your mobile number with your twitter account you have set up a PIN
    • Log in to your Twitter account on the web and open up your account settings.
    • Click on the Mobile tab in the left-hand menu.
    • Choose a PIN if you don’t have one (mix of 4 numbers and letters)
    • Go to the bottom of the page and click Save changes.
    • If your PIN is OK you will see a confirmation message.
  4. Apologise to your followers. Send them here if they have been “hacked”. Shortlink :
  5. Be vigilant

 How did you get hacked?

You may have clicked on one of the direct message links as per the examples above, or you may have received an interesting tweet or link to :

  • Sign a petition to stop twitter becoming a pay service
  • Save the Rhino, the Dolphins or the World
  • Anything else that looked interesting

If you do inadvertently click on a link, in some cases the URL shortening service (eg. will pop up a warning where they have determined the link to be dangerous. Consider this your guardian angel, say thanks and close the window.

If unlucky, you will end up on the page the attackers want you to. The most recent two I investigated put me on a page on which was a copy of the twitter login page with a timeout message asking me to log in again. If you are unfortunate enough to do so, that’s you toast, proceed to the fix section below :) The sites hosting these fake login pages vary from post to post and are more often than not themselves hacked, with the unlucky owners unaware of what is happening.

Chances are therefore that some website or app somewhere conned you into giving your credentials to Twitter or the app/site so that it could post something on your behalf. It may well be something that you wanted posted, however, it then piggybacks off that to send a whole lot of unwanted stuff. Just be aware, and vigilant, and followup quickly when something happens.

With information security, knowing how to react and clean up is just as important as prevention. It is not a matter of if, but of when your account will be compromised.

Thanks to :

  • Mandy Wilson (@Mandywilson_SA)
  • Samantha (@MetroGalZN)

If you have further comments and insight please leave it in the comments here or tweet me (@jjza). Please share this information (

P.S. To those infosec folks reading this, apologies for my very liberal use of the word “hack”

%d bloggers like this: