Monday, 18 August 2014

Organisational Resilience - yet another buzz word?

Businesses are usually in operation to make money and deliver a service or provide a product.  To be successful there are many traits required and by ensuring your business is dynamic, adaptive, efficient and cost effective are all good starting points.  Who would want a business that is passive, rigid, ineffective and expensive?
The same is true when talking about good management disciplines and recognised international standards and best practice.

So why don’t we evolve these disciplines and channel our way of thinking to change the way in which we deploy them. Adapt the methods in which we operate to one of ‘Organisational Resiliency’ - an all-encompassing comprehensive management discipline that ‘ticks all the right boxes’, provides success, growth, strength, security and a return on our investment.

Within my industry, there has long been an ongoing discussion and debate with regards to the future of Business Continuity and whether or not ‘Organisational Resilience’ is the way forward.  The fact that we are still not getting a concrete answer could be the answer itself.  Yet again I’m hearing the phase being more commonly discussed and thought I would consider my own opinions on the topic and open this up for further discussion.

Is ‘Organisational Resilience’ just another buzz-word being branded around, a way to help ensure professionals in the field are seen as a valuable commodity and retained in employment or is this the direction we should be focusing on to ensure we can continually drive our business forward and improve the way in which we operate?

Reviewing many online discussions and papers on the subject I’ve not been able to obtain a conclusive shared understanding.  The topic seems to divide the population of industry experts into two clear camps.  Those that believe in change and think that Operational Resilience is the future of similarly aligned management systems and those that firmly disagree thinking each is unique in their own right and should continue to remain so.

Each management discipline has an important part to play and requires a range of skills, expertise and experience to implement and manage successfully.  Simply reading a book or taking an exam doesn’t mean you’re qualified.  When looking at many of my well respected peers in the industry, they’ve earned my respect and of others because they’ve taken the time to learn about the subject and continually improve their level of understanding.  They’ve applied their knowledge in the field and most importantly have practical experience of helping to ensure an organisation has continuity measures in place; can respond to and handle an incident successfully; can assess and take mitigating action against risks; can help to ensure information is secure and can continually adapt their approach to the changing needs of the business.

However, on the other hand, if we could learn the skills and experience for each management discipline, could we not mould ourselves into something of ‘Superman’ status that would allow us to look after the organisations we work for and within, in a new, interesting and more dynamic way?  Or, could this become too much of a risk where we could become more like a ‘cowboy builder’, reverting to ‘jack of all trades and a master of none’!

So what are my thoughts on the subject?  I think a review and assessment of the strengths and weaknesses of Organisational Resilience and whether or not we should be looking to change the way in which we operate, to allow change within these management disciplines should be considered.  After all, mainframe computers used to be the size of a house and now you can fit more processing power and storage within a system the size of a postage stamp!  Well not quite, but I’m sure you can picture the comparison.  Disaster Recovery used to be about the large backup tapes, old-fashioned media cartridges which were used to back up critical data and would take an age to restore - now we have instant failover capabilities and extremely efficient recovery times.  Therefore, why not consider change for our management disciplines?  After all change can be positive but only when it’s done correctly, in the right circumstances and with the right skill sets and knowledge.

I attended a presentation recently talking about Business Continuity and change, a term I heard and liked was that of ‘adaptive resiliency’.  I’m not one that likes to use lots of acronyms and confusing terminology, after all the old adage about ‘KISS’ is so true.  Focus should be about keeping it simple without losing the importance, quality and value that it brings to business activities.  Operational Resiliency is a strategic approach, a way of thinking, an objective to aim for which in turn would result in the combination of the ‘doing’ activities of management streams which are already easily ‘standardised’ and move Business Continuity from being seen as an overhead or cost to the business and something that can facilitate revenue streams and continue to protect our business.

Organisational Resilience can exist and should be encouraged but as with all the management disciplines mentioned earlier, we need to have a standardised approach for implementing something that is strategically focused.  I would like to be able to deliver something that can be truly seen as a value-add activity, not something that’s seen like insurance – something we don’t like paying for until we actually need it, then we’re grateful.  I would like to see improved collaboration of skills, utilising the expertise of others around you who have real practical experience of the disciplines, working together towards a single goal, not competing against each other, but thinking and understanding about each other’s area of expertise and combining efforts to allow us to build upon something truly special.  Moving to being more proactive than reactive will help us ensure monies are efficiently spent and our organisations become more resilient. So, is Organisational Resilience just another buzzword – I don’t think so, do you?

Claire Phipps, MBCI

Monday, 4 August 2014

Can you ever look at USB sticks the same?

For years now many of us have benefited from the convenience of moving data easily between many systems and networks with ease thanks to cheap and plentiful USB sticks, thumb drives and removable disks.  The array of USB devices has made floppy disks and CD/DVD’s almost redundant.  Many of us have until recently given little thought to sharing sticks with anyone, passing them around with little to no concern.  Not so long ago we would move data using floppy disks, 1.4Mb at a time (if you were lucky), we moved onto ZIP disks with a heady 100Mb available and when CDs and CD writers became cheaper we relished the delights of being able to move 600-700Mb at a time on a single disk. DVDs moved the bar up to 4.7Gb and even that paled into insignificance compared against USB thumb drives; 8Gb, 16Gb, 32Gb, 64Gb and beyond, they were given away in varying sizes, cheap 256Mb sticks still litter the backs of peoples drawers and I’ll bet many marketing departments still covet their stock of branded sticks.  The convenience of the USB format has made keyboard / mice PS/2 ports obsolete on most of not all recent computers.  USB is the port of choice for most peripherals and that convenience and usability has a dark fairly unexplored secret that may make you reconsider how you use and share USB sticks and devices going forward.
The threat from USB sticks used to be limited to autorun virus’s that would be triggered when you put the stick into a vulnerable machine; many security professionals have used this as an infection technique as it needed little to no interaction.  The autorun infection methods were quickly stopped and modern antivirus can protect against the malware but the new and emerging threat is potentially much worse and a bigger long term threat.
At Blackhat 2014 two security researchers will be presenting a talk on BadUSB “On Accessories that Turn Evil”, Jakob Lell & Karsten Nohl will present research that will define a new form of malware that can reside on a stick hidden from antivirus scanners and is capable of compromising systems as well as replicating the problem to other USB devices.
The new threat to be outlined lies in the USB device themselves; due to the way the memory works USB sticks have a controller chip that allows them to function even when the memory becomes corrupt or unusable, their stated capacity isn’t the full picture, your 4Gb USB stick may actually contain 8Gb or more actual storage managed by these controller chips.  The chips themselves can be compromised and subverted and this is where the new threat resides, the controller chips themselves have been compromised and in some cases can be rewritten to deliver malware and further spread infection.  They can become self-replicating and can deliver or harbour key loggers, can steal data or further infect USB devices.  The nature of the USB controllers don’t allow anti-virus software to be able to test or check for this emerging threat; a key logger or data stealer could remain dormant and kick into life stealing data and keystrokes without anyone being aware. 
We cannot continue using USB sticks and devices across multiple machines without first giving thought to the threat and the risk, has the stick been compromised?  Where has it been and who used it?  We will need to start protecting the sticks and USB peripherals with more reverence, no longer accepting them from strangers and more importantly will need to identify new ways of secure disposal of old USB devices.  The size and convenience of them has until now made them almost indispensable for storing and sharing information, disposing of them needs to be a consideration.  How many companies have already suffered data loss from removable media?  Even when using caution we cannot guarantee data is deleted from USB sticks and they need to be considered with much more concern as the data they once held may be retrievable using simple tools and techniques.
As end users we need to protect our own USB sticks and devices, give thought to the ‘what if’ scenario and not be so willing and keen to share them to all and sundry.  USB data-less cables are a thing and a good investment if you need to charge your phones as many smartphone owners do.  Do you want your smartphone and its stored data (photo’s, emails, contacts) stolen or damaged by the machines you plug into?
In the meantime you can buy data-disabled USB cables to charge your smartphone without sharing data (intentionally or otherwise) as well as “USB condoms” which create a similar data gap in cables. 
How long will it be before office shredders have a slot for USB sticks? How do you dispose of your USB sticks when they become too small, too slow or broken?  What data breaches are around the corner from BadUSB?
I would recommend old USB sticks are smashed with a hammer (outside whilst wearing safety glasses) to ensure data cannot be retrieved; Invest in a data only cable for charging your smartphone in less trustworthy environments and be aware of the risk when the smiling stranger offers you their USB stick next time.
Jamie Duxbury, Senior Security Specialist

Thursday, 3 July 2014

Anyone for a cup of tea?
I work in the field of Business Continuity and Information Security.  ‘What does that mean?,’ I hear you ask. Well, it means planning for the 'what ifs' in this world – being prepared, cautious and knowing what to do when things go wrong.  However, whilst as professionals we should look to ‘practice what we preach’, we are all still humans and inevitably make mistakes.  Nevertheless, as with a well-implemented Business Continuity Management System, we can sometimes learn from our experiences – identify what went well, not so well, and take corrective action.  Most importantly, we can share our experiences with others and raise awareness, which is why I’m writing this article.

During a recent visit to Shanghai, China, I was fortunate enough to take a day as personal leave to visit and enjoy the local surroundings – who wouldn’t when you’ve travelled for 13 hours?

So, there I was, walking towards the Bund (Shanghai’s tourist centre), when I’m approached by some friendly locals asking me to take their picture – I’m in no rush, and it would be rude not to so, I obligingly take the photo and enter into polite conversation.  I’m told that the group are on holiday and love my English accent, and we end up chatting about life in general.  They then tell me they are just about to set off to enjoy a local tradition and ask if I would like to join them.  I politely refuse, and say that I had already made plans to visit the Huangpu River.  They continue to try and persuade me, saying that, ‘It’s on my way,’ and that the event is, ‘Exciting and I can’t miss out.’  I pause to think and, come to the conclusion that it can’t hurt – can it?

We walk together, chatting and enjoying each other’s company.  We approach a small building and the group walk inside.  Yes, I can already hear you say, ‘Turn around, don’t go in, change your mind.’  Admittedly, those thoughts did enter my mind too but, being English, I naively thought that it would be rude not to follow.

So, we walk into a small room where I’m greeted by a elderly Chinese lady who introduces me to the history of tea and the art of traditional tea-tasting – not really my ‘cup of tea’, but I’ll try anything once!

We’re told about the Chinese tradition of pouring water onto a ceramic tea-god frog; how to hold a teacup correctly, and how the tea has natural health preventions.  We then sample five different flavours, and the ‘event’ comes to an end.  The people I’m with then ask me how I would like to, ‘split the bill’.  Innocently, I think there are five of us in total, so we’ll just split it five-ways!  I’m told that two of the group are students, and it’s ‘Chinese tradition that working people should pay for students’.  Again, not wanting to offend, I reluctantly agree.  It’s only then I’m shown the bill – 1500 Yuan (about £150!).  My mental conversion calculator has never been great, but I’m already thinking that sounds expensive and I’ve only got 300 Yuan on me.  I’m told there’s a cash machine downstairs, and I’m escorted by one of my ‘new friends’ to show me the way.  I pay my share of the bill, the others hand over their cash, and I’m even given a present from one of the students to thank me for paying – we then part and go our separate ways.

To be honest, the experience itself was quite enjoyable, and the tea was actually tasty.  But, as I continue to ponder about the event, I start to realise that I’ve most likely been scammed, and I start to kick myself, (not literally!).  Going off with strangers, in a place I didn’t know, anything could have happened – what had I been thinking?

When I get back to the hotel, I Google, ‘tea-tasting in Shanghai’, and disappointingly see page-after-page of warnings about tea-tasting scams – there’s even an article from an experienced travel journalist who succumbed to the same misfortunes.  So, what is the scam?  Well, I’m sure you’ve understood the core elements from my own experience, and I read that the money the others handed over was probably given to them by the teahouse in advance, to make everything seem fair and above board.  Why didn’t I just refuse to pay?  I felt obligated.  I had verbally agreed, and I had inadvertently trusted the people I was with.

So, how does this relate back to Business Continuity?

Preparation is key!  Scope out your requirements and understand the organisation before commencing work. Understand the risks and threats both on a global and local scale.  Review options available to reduce the impact, including insurance.

Conduct an impact/risk assessment; talk to those with the knowledge and expertise; obtain the facts; look at supporting evidence and produce your plans.

If something goes wrong, don't point the finger of blame, but take a step back and conduct a Post Incident Review. Identify what went well, not so well, and plan corrective actions for improvement.  Communicate; get everyone to understand; raise awareness and spread the word.

Maintain, review, test and exercise.  Plans need to be current and correct; things change.  New risks and threats will appear that may mean your strategy needs to be updated.  Exercise and validate the theory, which will help improve understanding, the expectations; identify gaps and areas of continuous improvement.

If only I had ‘practiced what I preach’, and found out about China before my visit; understood about risks; spoken with others; raised my own awareness; then I may never have been scammed, or put at risk.  It's easy to say, ‘That will never happen to me,’ but things do go wrong, and being prepared can save you when you really need it.

I've learned a valuable lesson in China, and the same could happen for you however, I will be better prepared and risk savvy in the future, and most importantly, next time, I will stick to a vodka and coke!

Claire Phipps, MBCI

Wednesday, 4 June 2014

The ‘pro and cons’ for Emergency Notification Systems

Emergency Notification Systems (ENS) Social Media and Text Messaging/SMS programmes are quickly becoming commonplace in an effort to provide alerts, news and information that is timely and accurate during an incident. The challenge now is to make them work in a way that fits.   
Essentially, ENS is a system that allows one person to create a message and then send it out to large groups of people all at once. Sending these by phone, SMS or email, it should be able to provide an automated solution to inform groups and individuals on emergencies.

However, there are both ‘Pros and Cons’ to using an ENS.

If I first look at the positives:
·         Most ENS are able to send a ‘one step’ voice or text message and email an entire organisation very quickly with pre-programmed messages. 
·         That speed offers real time accurate and consistent communications with the potential for follow up instructions, reports and assistance.  
·         It also supports notification to all critical members within an enterprise and allows a short notice capacity for discussion and immediate response
·         It can target specific groups, such as sending a special message to initial responders and this can only help in an emergency situation. 
·         Some, but not all of the systems, operate a feature called ‘inbound calling’, confirming that key initial responders have successfully received the message.

There are however some points to consider:
·         There is a chance that the ENS will have a glitch. Though it is unlikely, it is important to have back up information that is available for use if the ENS does not work.
·         It is also very important to have this system well tested and integrated within your organization. In many cases there can be mistakes and issues that are a user error and not just a system failure
·         The notification system is only as good as the information that is documented in the ENS. This can be tested in training and exercising, sending a message through the ENS to inform your employees and then check for currency.  For the employees that do not receive the message, there needs to be a system to have them update the information in the system
·         We need to be sure that mobile networks can cope with emergency-scale traffic volumes via SMS, targeting users by location is difficult, and there is no way to authenticate a message
·         When there is more than one party distributing information there is a strong possibility of different levels and quality of information all coming at the same time from a variety of sources, perhaps leading to saturation, misinformation and/or confusion all of which contribute to a functional fail.
·         Some employees may not have mobile service in the building or may have their mobile phone off while at work, which will limit the effectiveness of the ENS. By having the message sent out multiple ways and to different devises, i.e. mobile phone, email, desk phone, etc. will limit the likelihood that the message will not be received
·         It is difficult to determine cost to value.  When looking at an emergency notification system it is important to consider the features that are included, whether there are limits to the number of contacts or groups you can have, and what additional fees there may be, such as overage costs or setup fees

As with all types of notification systems there are both technical and human considerations. Perhaps most importantly it is the pro-active management of these two elements that will ultimately determine whether ENS becomes more established and a fundamental part of a complete automated emergency information process.
Michael Bourton, Senior Security Specialist

Tuesday, 20 May 2014

ISO 22301 Certification

CQR UK Obtains ISO 22301 Certification

Delivering BCMS for our customers across an international market is currently one of our main service offerings.  In delivering BCMS we advise and support our customers on what they need to ensure they have good Business Continuity practices in place, on how they can make their organisation more resilient and how they can mitigate and reduce impact should they be affected by an incident.

Not only is it common sense that we ‘practice what we preach’ but it provides reassurance to our customers and those looking to work with us, we know what we are doing.  If we are able to demonstrate that our own house is in order and that we are certified against recognised International Standards, we can ensure that the needs of our customers are exceeded and that we are continually focusing our efforts on delivering quality services.

We are proud of our core values – passion, knowledge, integrity and accountability and believe that obtaining certification clearly demonstrates our commitment to providing consistent, reliable and dependable expertise, along with a competitive advantage in being able to offer a differentiation of service.

Being already certified for ISO/IEC 27001 Information Security Management Systems, CQR UK had a head start when it came to expanding their credentials and obtaining certification to the ISO 22301 Business Continuity Management Systems.  

For CQR UK, this was not only seen as an opportunity to complete a refresh of our own BCMS but as an opportunity to provide training to members of our staff who are relatively new to the world of Business Continuity.  It’s important that we look to develop our staff and involve them with the continued success and growth of the company.  Involving our staff provided them with the opportunity to learn and gain experience, not only on how to deploy a strong BCMS aligned to the requirements of the standard but the opportunity to experience how an audit is performed. 
Preparing for the audit was given full commitment from our management team.  Time and effort was allocated to allow us to review our procedures and to improve them in line with the requirements of the International Standard.  We completed a pre-assessment and gap analysis which helped to identify areas of improvement and allowed us to apply lessons learned to help improve our own BCMS and our customers.  Aligning to the standard allowed us to focus our efforts on the framework, explicitly in terms of interested parties, legal and regulatory requirements, risk management and management reviews of the effectiveness of our BCMS.

The audit process itself was relatively straightforward; the legwork had been done so it came as no surprise that when we completed the Stage 1 assessment in March our auditor reported no non-conformities.  Stage 2 and subsequent certification was achieved in April.

There are many benefits in achieving certification, being able to demonstrate our commitment to Business Continuity Management Systems and provide assurance to our customers that we deliver quality and knowledgeable services goes without saying.  Certification will also help us expand and provide us with a competitive advantage.  We can easily demonstrate our commitment to fulfil new tender requirements and win new business.

Obtaining certification gave us the opportunity to improve the maturity of our own BCMS and helped to ensure we had a consistent documented approach that could also be used to benefit the implementation of BCMS within our customer organisations.

Completing the certification provided us with the opportunity to continuously improve our own BC processes and procedures, ensuring that we can maintain our operations with minimal disruption should we ourselves be impacted by an incident.

Certification enables us to demonstrate to both our internal and external interested parties that we have robust management systems in place to cope with a business interruption and this isn’t just us saying this, it has been validated by an independent external auditor.
What next?

We will look to continually improve our BCMS not only in-house for CQR UK operations but looking to expand our certification to include our operations within our sister organisation in Australia.  On-going assessment will be completed to ensure that our BCMS not only continues to meet the requirements of the standard but provides us with the on-going opportunity to continually improve.

We will also be looking after our customers, providing support and assistance to those that wish to obtain certification or continually improving their existing BCMS to align to the recognised practices of the standard.
Our thoughts

"CQR are thrilled to add ISO 22301 with our ISO 27001 certification enabling us to operate an integrated management system.  This demonstrates our Business Continuity and Information Security expertise and competence to our clients as a critical service provider.  It reinforces our commitment to clients that we take both Business Continuity and Information Security seriously and demonstrates that we understand what it takes to protect our most important assets our people and business”. Greg Inge, Managing Director
“Obtaining certification against ISO 22301 is a goal I’ve been looking to achieve since joining CQR and I’m extremely proud to have been involved in the process and refresh of our BCMS.  Obtaining certification not only shows that we are capable but also credible in our abilities to deliver great BC systems, for me something that I’m extremely passionate about.  Whilst I did feel apprehensive upon waiting for the arrival of the auditor, I was extremely confident that we had done everything that was required and more to ensure certification was achieved.  In fact, I was so proud of the work undertaken I felt at times I was showing off our achievements even when not asked.  Receiving confirmation that we had no non-conformities was the highlight, although I thought this would be the case, it’s nice to be told.”  Claire Phipps, MBCI

To find out more about services from CQR UK and how we can support your business, contact us on 01865 882225

Tuesday, 22 April 2014

Aliens on the roof!

So I've caught your attention... either you’re like me and a bit of a Trekkie and therefore maybe curious about the subject or also like me, you have a passion for Business Continuity and are wondering what on earth I'm talking about!

One vital element of delivering a successful Business Continuity programme and one in my opinion often overlooked is to validate your plans and strategy. This takes time and commitment. In turn this will provide reassurance and confidence, training and awareness, greater understanding of procedures and responsibilities. So how do we achieve this? Simply put we complete exercises, tests, rehearsals. There are many different styles that can be delivered...process driven, call cascades, partial or full invocation, desktop, scenario based and more. 

However, the temptation to simply use the same old format or content over and over again should be avoided. Just because you've changed the location, date or time of the details within the exercise doesn't make it different or acceptable. Where we can truly add value to our Business Continuity programme is to allow us to understand what our core risks and concerns are. Understand where the potential pain is, what the impacts of an incident really are on our core business activities, systems and people. 

Spending quality time on developing an exercise which is fit for purpose is where the true benefits can be gained. Taking the time to understand your local surroundings, potential incidents and challenges enables us to develop something that is realistic, believable and purposeful. 

Even if your only discussing why we do Business Continuity and raising peoples own knowledge and perception of the value, using realistic examples helps to strengthen the justification. 

During my recent travels I've been fortunate to not only raise awareness of Business Continuity but to deliver exercises. I have taken the time to understand the business requirements, the pains and been able to deliver something that is realistic, making a conscious decision to not copy one idea for all. However, as a result I'm now being known as a fortune teller or person of doom! The exercise has gone well, lessons have been learned, objectives achieved, attendees have had fun which is just as well as within a relatively short period of time the example given has happened for real. 

I'm superstitious and now spend time 'knocking on wood' to counter-jinx the topic of discussion. Whilst firmly believing on providing realistic examples I don't actually wish the incident to happen. So, to add to my repertoire I will now throw in the incident whereby 'aliens have landed on the roof', surely that can't happen, can it? 

Claire Phipps, MBCI

Wednesday, 16 April 2014

Heartache from Heartbleed goes on and on

Following on from our earlier post on the Heartbleed bug we wanted to remind you of some of the lessons learned and also to remind the reader of best practice regarding securing yourselves on the internet.
The Heartbleed bug again demonstrated that regardless of the precautions taken when using the internet you can still fall foul of information release or compromise from third party sites or systems. We no longer (alas) live in a world where trust is implicit and ok.
There was a time (not that long ago) that it was normal to leave your home unlocked and if a stranger asked a question or wanted information then it was ok to answer truthfully. We live now in a world where your information is valued and can be combined to infer more or to become more of a commodity. Your date of birth, place of birth, name of your pet or favourite colour can now aid an adversary to begin unpicking your digital and online identities. The simple passwords that proved to be convenient to remember and use across multiple domains and sites can now come back and result in widespread damage to reputations and credibility. Our online footprint can reveal the actual answers of most typical security questions to a skilled or determined attacker rendering the secrets anything but that.
With the notable exception of Government or Healthcare systems it now could be the time to begin lying on the internet; when I personally sign up for services I take a number of simple precautions that when combined offer more benefits than the truth has and these include (and are not limited to) -
Date of Birth – why does any non official site want or need this information, I’ve not been truthful about answering this question, varying the day, month and year frequently and without any real method apart from not using the actual date.
Place of Birth – my Bank knows this, my medical records and passport have this but why should a website want or need the real answer?
Pet’s name – I use random values when asked
Address – Unless I’m paying for goods / services or expecting something to be delivered to my home address I will use a fictitious one
The same goes for favourite colour, first car, school, mother’s maiden name - anything that isn’t actually needed is changed and rarely (if at all) the real information supplied. The sites I’m signing up with don’t need the real information; they just want something they can validate you against if you ever need to prove who you are. I make a note of the information given to each site in a note section of the password manager I use, if I ever need to answer the question of “Where did I go to school?” I can check the corresponding details and answer “Third moon of Pluto” (assuming that’s the answer I gave). The exceptions to this are things that I can control or have more authority over (ie: phone or mobile numbers) as these can sometimes be used for two factor authorisation or reset dialogue. If someone is able to clone my phone or steal my handset then I have more to worry about than a password at that point.

The most beneficial two tactics I employ on the internet are using unique email addresses and unique passwords. Not everyone can use the unique email addresses as it needs a suitable email setup to receive the mail, the benefit of having it ensures that if I start getting unwanted 3rd party email to a unique email address I know that either that email has been sold to spammers or the service I used it with has been compromised; it’s a good safeguard but needs extra effort to manage and check multiple addresses.
The most important single thing that anyone and everyone can do on the internet is to use complicated and unique passwords. There are downsides to this but the protection this one single action allows is worth it. As Heartbleed and high profile breaches have demonstrated, regardless of the steps we take to protect ourselves on the internet we can still fall foul if servers and services are compromised or our data released. If a service or server I subscribe to is breached and my data is released, it’s generally one (unique) email address and one random password lost. I employ a password manager to maintain the majority of my general passwords (this has the benefit of assisting in the memorising of them and the input of the same), I don’t use the password manager for my most important credentials, and these are deliberately not written down anywhere nor saved anywhere where they could be found; they are the exceptions. My password manager also has additional security that allows me to use two factor authentications. I chose and use two factor authentications wherever possible, anything that makes it harder for my credentials to be usurped is worth using.
A typical password I use is limited only by my imagination and the complexity rules of the site I’m signing up with, it’s not unusual for me to use 25+ char passwords that include special characters, upper, lower case and numbers and spaces. They are painful if I have to input them manually anywhere (such as tablets or games consoles) but that annoyance is worth it when I consider the value of the protection of complex passwords that aren’t used anywhere else. If my password needs updating or changing it’s a simple act; if that password or username/password combination is used on all sites the risks of data loss or compromise isn’t something I could or would want to deal with.
The Heartbleed bug will have a long lasting impact, the depth of the problem is still being fully analysed, it’s not just websites that were/are affected, the nature of the modern world means that there are embedded OpenSSL instances in all sorts of unexpected and difficult to patch places (home routers, firewalls, mobile phones and so on). I suspect there will be ongoing attacks for years to come and it should be accepted that some of the vulnerable systems and services will never be fixed or solutions made available. You may be able to trust the online service / bank or the like but that won’t be able to stop you being owned or affected by seemingly safe devices. We cannot be certain where the OpenSSL Heartbleed bug can be found but we can do everything else to minimise the problems caused if we unknowingly have our information disclosed or released.
Anyone that still has an easy or common password needs to rethink how they are potentially exposed if that information or password is released. We in 2014 are still facing an ongoing problem of common passwords breaking security and trust, if you can authenticate to anything using 123456 or password, qwerty or princess, trustno1 or admin or anything that isn’t “complicated” and using all the characters’ available then you’re taking a risk.  I would like to see services and sites ban people from using simple words or limit their choice to alpha numeric alone with fixed max length under 10.
Complexity is good, length is beneficial. Simplicity in passwords should be consigned to the yesteryear when it was ok to leave your car or house unlocked and have a hope that your possessions and property would still be there anytime afterwards. That age has gone, let’s make sure our weak passwords don’t undermine the security in this modern world we live in. The internet is a wonderful place to be but not one you should blindly trust with anything other than unique throwaway information.
Jamie Duxbury, Senior Security Specialist