Guest lecture to UKZN 2014 MBA Class : Security & Ethics

Posted on August 24, 2014

In this past week I once again had the pleasure of speaking with the UKZN MBA Class. It is always a pleasure to speak to a large group of some of the brightest minds in KZN. Unlike other presentations, these sessions are normally quite interactive and the class willing to share their ideas, experiences and questions.

What stands out for me in this set of discussions were three key diversions.

1. Bank fraud, and the divergence in opinions between the bank representatives and victims (customers)

There is always a lot of interest in, and debate over on-line frauds as they affect individuals. We all know someone, if not ourselves, who has been hit through some kind of bank fraud. In the class were a number of (un-named) employees of various (nameless) banks. They were adamant that the banks do their utmost to refund their customers in the event of frauds. The victims, however, had a polar opposite view and experience. They contended that the banks make it difficult to get your money back, denying, obstructing and delaying in the process while the victim suffers through no having access to the affected funds. For a bank dealing with hundreds of thousands of affected customers and millions in losses, a month may be a short period to resolve such an incident. For a victim needing access to their funds, a month is a payday away and that money could mean the difference between being able to pay your bills or defaulting.

2. Online identities (and password management)

Online identities are increasingly becoming integrated with your professional life. When being hired more and more organisations scan these to see whether they wish to employ you. Whether this is done as part of the background checks (for which prospective employees normally sign permission) or through other means varies. However, needing to take control of and responsibility for your on-line identity is important. Also don’t forget about your children. They may not yet comprehend the gravity of the situation, and could be creating a fun-filled but wholly undesirable persona that they come to regret later in life when they join the job market and are unable to control or erase their past sharings.

Related to this discussion was the age old one of passwords and password re-use. The dangers of password re-use were discussed in detail with some schemes for password protection. The example of people using the same password across all on-line services, and then having the local camera club hacked, with usernames and passwords being revealed and then those same passwords being used to log into gmail, a facebook “I lost my password” event resulting in the password being mailed to gmail, and very quickly the entire on-line identity can be stolen.

Some tips :  Use different passwords on-line, and at very least don’t use your primary mail account password anywhere else. It is better to use a password manager on your mobile (LastPass, Blackberry password keeper etc) then to re-use passwords. Also don’t use your phone address book to store passwords or bank pins and account numbers. If you use an iPhone or Android phone then this information is generally synchronised to the cloud, so when that Gmail account is hacked they also have all of your phone book without you ever knowing.

3. Return to old school

There was a comment / view put forward that with all of the information security breaches and discoveries of organisations and nation states lying to citizens about what is happening in this space that it would be better to return to the (golden) “olden days” . While that may appear to be the case, memory can be a strange thing. We often remember the good and forget the bad. Not so many years ago when cheques were still in common use cheque fraud was rife. The banks didnt like to disclose information on fraud (and still don’t) but some of the stats I remember seeing flashed up at fraud conferences indicate that the fraud we are seeing now is just a fraction of what was experienced at the peak of cheque fraud. Social media and the online information era just increase the level and speed of information sharing. The fewer incidents that happen now are just more widely reported and shared then ever before. Instances of misrepresentation and abuse by companies(and countries) are now more widely shared and reported, what is not clear is whether the actual occurrences are on the rise or just more visible.

We cannot go back in time, we need to move with the times. That said a dose of healthy skepticism in all we are doing can only be a good thing. Ask questions until your are satisfied with the answers. You may choose to trust, but trust and verify, don’t trust blindly.

Finally

Embedded below is a link to download the slides. Thanks for attending the sessions and for participating.  Feel free to drop me any questions you may have (or leave them here).

Information Security and Ethics 2014 August 2014

 

Thanks Andrew for the invitation and facilitating the discussion.

 

The Heartbleed bug : a short presentation given at the Kzn ISACA Chapter Meeting

Posted on June 03, 2014

I was honoured to be asked to make a (short) presentation at the May 2014 KZN ISACA Chapter meeting. The meeting went down well with probably around 25 people attending.

Attached is the PDF of the presentation.

I hope that some of the members present found it useful and that you, my readers, do too.

Feedback as always most welcome.

The Heartbleed Bug ISACA presentation v3

 

Security and Ethics presentation UKZN MBA Class 2012

Posted on August 19, 2012

Friday night (17 August 2012) I had the privilege presenting to the University of KwaZulu Natal 2012 MBA Class on information security. Given it was a Friday night the attendance was relatively small but it was good to see that the majority of the class stayed for the 2 hours we had together. Some interesting and insightful questions was raised and discussed. It is good to see people “get it”.

The presentation is attached for those who are interested. Get it here: security and ethics 2012 UKZN MBA Aug 2012 (updated)

Update 2012/09/12 : Apologies, the previous PDF was corrupted somehow. It has been re-uploaded and checked.  

Feedback on ISACA KZN chapter meeting control frameworks presentation

Posted on August 07, 2010

On Thursday evening (5th August) I presented at the ISACA KZN Chapter meeting. As Chapter coordinator I have the privilege of finding speakers and venues, and from time to time an arranged speaker has other commitments and so is unable to make the presentation. I always try and keep a “backup” presentation of my own and this time around it was my (our) “Tale of two cities – or control frameworks” presentation that was first presented at the IT Web security summit earlier in the year. This time I did the presentation without the assistance of my colleague from Jhb,  David Volschenk, as he had other work commitments  which prevented him traveling to Durban for the day.

It IT Web we had 45m for the presentation and Q&A so where fairly time constrained and did not have much time at all for discussion or questions. At the Chapter meeting we had much more time to go through the presentation at a leisurely place, have discussion around certain aspects and make it a much more interaction (and fun) session.

There were about 20 people present, representing the consulting firms (EY, PKF, Deloitte), public sector and private sector.

Off the top of my head (I was presenting rather than taking notes :) the main areas of discussion were around :

  • Getting executive buy in for the project
  • Getting adequate funding
  • Instilling change in an organisation where the maturity level is low and the corporate culture is such that the environment is generally poorly controlled
  • What the drivers are for the implementation of a control framework, and particularly King 3 and how it is changing perspectives (creating the fire)
  • The implications of King 3, and how they will drive change from the top (rather then it being left to middle management to drive failed projects)
  • The apparent lack of understanding of King 3 on the part of directors, and how negative statements having to be made in the Annual Financials with respect to King 3 compliance could affect their reputations and those of the organisations they represent (or what happens if they “lie” and put in statements of compliance when they aren’t compliant). Company directors really do need to start taking notice of this.
  • The implementation of control frameworks is a long term process, not a quick fix. Deciding 6 months ahead of the King 3 implementation deadline that the organisation needs to be compliant may be an impossible task

In “off the record” discussions after the presentation a number of consultants wanted to know if the failed company (Company B) was actually Company XYZ or Company ABC. The answer each time was know, it wasn’t that company, Company B was a combination of failed projects. That said, the names of companies mentioned by the other parties in each case also were not one of the companies involved in the combined “Company B”.  It seems there are a lot of failed control framework and security framework implementations out there.

I really enjoyed the presentation and the discussions that went with it. Thanks to all who attended for your attendance and participation. If you are interested in having further discussions around this, or have me meet with your directors to discuss further, please contact me.  j-j (at) worldonline (dot) co (dot) za or on Twitter.

Thanks to Ernst & Young for hosting the chapter meeting.

See you next time at PKF.

Justin

You can find a copy of the presentation in the original article or directly here. More on King 3 here. And get a copy of the King 3 report from the IOD website.

%d bloggers like this: