Guest Blog: Ed Tucker

In this guest blog we speak to Ed Tucker (@teddybreath). There is more to this dark horse than CISO of the year and I reckon he has a few tips up his sleeve for organisations. Let’s give him a shake up with some warm up questions that might, if we are lucky, awaken these coveted pearls of wisdom.  

Personal Questions

Best and worst jobs you have ever had?

Best job was Head of Cyber at HMRC, which probably sounds a bit odd being Government, but it was an awesome job. I think I joined at the right time as there was a willingness to change, external factors that practically did your ‘marketing’ for you and when provided with tangible information a board that were more than receptive of new ideas and approaches. I’m immensely proud of my time there and the people I worked with. We achieved a huge amount in a very short time and a pretty small budget. You don’t need millions and millions to make a serious difference.

Worst? I won’t mention who but I had an absolutely awful boss once who made work just the dullest most mundane and inefficient place going. I should have seen the writing on the wall when she couldn’t even be bothered to come and meet me on my first day. 

Desert Island Discs?

Wow, this could be anything, my tastes are very varied. I’ll just go for three songs off the top of my head. Soup by Blind Melon, my favourite band ever. Halcyon and On and On by Orbital and finally Be There by U.N.K.L.E.

If you could change one minor thing in the world, what would it be?

A minor thing…..I’d make politicians honest. OK that’s probably a massive change, but I’ll stick with it.

Professional Stuff

So Ed, we are all about stopping the social engineers. What’s the worst social engineering attempt you have had to deal with and what did you do to stop it, recover or adapt – if you did?

Worst, probably because of irony was a fake HMRC phone call when I was head of Cyber at the very same place. That kind of made it somewhat easier to spot, beyond what was a pretty ridiculous ‘script’. I actually played the game with them for quite a while just for giggles and I suppose to pick up a little of what their tactics were as the conversation evolved. Not much that could be done sadly, other than eventually let them know who I was and end the call. It was quite funny at the time, though also sobering when you think that these things work. It seems ludicrous, but that’s because I am viewing it from a position of major prejudice. I’m looking at it as a very experienced security professional and not as a, I’ll say, normal person would. It is all too easy to look at the world through our prejudiced eyes, which is kind of like viewing the world with severe cataracts. You miss so much because your prejudice prevents you seeing fully.

You have had some big roles, HMRC obviously being the massive one that I personally associate you with. What did you learn from that role?

To be honest what didn’t I learn? It was a massive learning experience. People, team, collaboration, conflict, scrutiny, austerity, contracts, prejudice, politics, relationships, getting the best out of what you have, fighting tooth and nail for everything, having your budget disappear at a moment’s notice, also winning several battles through the use of tangible evidence based metrics. Towards the end I first learnt what stress really felt like and how debilitating it can be. 

It is really hard to put into words all the things I learned and experienced, good and bad. I made as many mistakes as I got things right and am happy to admit that. There’s no problem with failing. Learn, adapt and improve. 

I think the thing I learned most was to back myself. I’m not naturally a confident person or one to shout my own praises, but my time at HMRC really helped me to shape who I have become. Yeah, not everyone’s cup of tea, but that’s me being me.

Oh and how utterly bonkers Govt can be at times, especially when you look at cross departmental programmes and projects. And to be fair how amazing Govt can also be at collaboration and cross functional delivery. It is such an odd place that inspires and frustrates in equal measure. But I wouldn’t change my time there for the world. Well, maybe a decent salary at the time.

Phishing is the primary cause of a security breach in the UK, tell me why you think that is?

It’s easy, cost effective and almost the entire planet is your potential victim. In terms of surface area it’s awesome. And there are so many facets to it from down and dirty to really well crafted attacks that even the most hardened security professional would struggle with. It is a beautiful combination of human and technology at both ends of the attack.

Most of all the world and his mom has an email address, or rather several; the costs of creating an email and the infrastructure to issue it is frightfully low; and there’s way too few organisations doing anything to stop them. The take up of things like DMARC is still way too low; SPF is more common, though lots have errors, or their SPF is ridiculously wide. To be fair a lot of that is because of cloud providers, who have gradually made a bit of a mockery of SPF. And compound it all by us generally being awful at education and awareness and even worse when it comes to the public. Kind of feels like everything is weighted in favour of the adversary.

What is the most believable phishing email that you have come across?

This one leads with a particular adversary trying to get into a company, especially the CEO and just being knocked back at every turn. Try as they might they just couldn’t get over the line and get a foothold in this org. So they changed tack slightly. They must have put some decent effort into the CEO and his life and found, amongst other things, where his son went to school.

Being a devious little adversary they attacked the school, which was a much easier target, and managed to compromise it and gain access to their email. So, the devious little tinkers then sent an email from the headmaster of the school; not spoofed, but actually from his account. The email went to the CEO who had been evading their advances. It went along the lines of…..your son has been in an accident and hurt himself whilst at school. He’s OK in himself, and we are monitoring him closely, but we wanted to let you know and also share the accident report with you, which is attached. 

Click, click, done!

Now tell me who isn’t opening that accident report?

Sometimes you just have to applaud the craft of the adversary.

You walk into a new office to consult for a customer. You have one hour to minimise the effects of a pending and unknown social engineering attack. What do you do?

Unplug everything and send everyone home indefinitely. Does that count? 

One hour isn’t long, and assuming it’s a cold engagement up until this point, it’d probably be a mix of speaking directly with seniors and assistants. Checking response procedures and relevant docs and gearing up for a press release.

That’s probably way longer than an hour. So focus on press release, ensure CEO knows if data is encrypted, and make contact with key teams, like security, IT, finance, communications.

You give a pep talk to a new IT person, it’s about cybercrime defences. What does that cover?

People, process and technology. Specifically in that order to start and whenever talking about one constantly referencing the others. Making sure they can see the dependencies between the three core aspects. How they need to work in conjunction with each other and how one in isolation is rarely in any way effective, two more so and all three best of all. Too often we focus on one thing, usually technology, occasionally people, and almost never process and it leads us into suboptimal outcomes. You have to bring all three together to be effective. That all starts with recognising the roles each plays in each scenario and then how they need to move in unison to drive things forward.

It is something I bang on about all the time. I really think it is vital and just criminally overlooked almost universally, or certainly in my experience. I want people to look at things differently, because the way we’ve done it for years and continue to do isn’t that effective.

What’s your favourite security gadget? 

The mark one eyeball and human brain v2.1. 

If I’m going tech then probably a password manager, and I’ll even include a password book in some circumstances within that sphere. Either that or authenticator apps.

Though I almost always come back to that eyeball.

That’s it folks!!!

If you have enjoyed that, Ed is a sociable fellow and I am sure he will stand his own if readers would like to debate any of the above with him on Twitter.