Big Data

The amount of data being generated these days is more than ever before, and it’s growing exponentially. It won’t be long before we see yottabytes of data, and making sense of what we have is going to be a growing problem for us. I’ve made a start on reading about how this will be done and how we’ll have to sort structured from unstructured data (eg databases from email content).

I’ve also started reading about the sort of tools which can be used to help identify the patterns and to find the specific needle you sent in a super-haystack sized pile of needles.

These books are as far as I’ve got, from the left on the shelf. Once you get to the Misha Glenny books we’re on to a different topic, which I’m sure I’ll write about soon…

Y is for …


You may not be too familiar with this term, but you will be within the next year or so I think.

Disk space is measured in bytes, and each term used is a multiple of 1000 of the previous one. So we have:

  • Bytes
  • Kilobytes (1000 bytes)
  • Megabytes (1000 kB)
  • Gigabytes (1000 MB)
  • Terabytes (1000 GB)
  • Petabytes (1000 TB)
  • Exabytes (1000 PB)
  • Zettabytes (1000 EB)
  • Yottabytes (1000 ZB)

This is a huge amount of storage. When I started in IT (in the late 80s) a 40 MB hard drive was huge. Less than 30 years later and we’re talking about something 6 with 18 zeros after it (ie 6 000 000 000 000 000 000) times bigger!

Interestingly, the name comes from the Star Wars character, Yoda.

X is for …


It’s well known that the internet hosts a wide variety of pornography sites, from the legal on the surface web to the illegal on the dark web.

But what of other adult-only material which is also x-rated and may be illegal: sites showing gore, mutilation, torture and worse? Again, they’re split between the legal and illegal, and hosted on the surface and dark webs.

Many companies use a technology called content filtering to prevent access to this sort of material. Automated tools trawl the surface web and categorise the websites they come across. Companies block access to certain categories, to help protect their employees.

You can usually do something similar at home. Service providers often allow you to add parental controls, which prevent access to sites showing adult material. Some antimalware providers also have add-ons for web browsers which can alert on or block access to potentially adult rated material.

W is for …


When people launch spear phishing attacks against senior members of staff, this is known as whaling (because they’re after the big fish). That’s the only real difference between the terms, though the types of attack may differ slightly.

Whales are more likely to be the target for mandate fraud, where an email purporting to be from eg the Chief Executive of an organisation goes to the Finance Director, or Finance team, asking them to make an urgent payment to a particular bank account.

White Hat

Ethical hackers, ie those who carry out lawful penetration tests with written permission from a client, are often called white hats. This is because they’re the good guys: hackers who attack without permission are black hats. The name comes from 50s and 60s films set in the Wild West, where the colour of the cowboy’s hat told you whether they were good or bad.


Wireless connections to computers often use WiFi (rather than Bluetooth). Good practice dictates that WiFi connections should be encrypted, using WPA2 encryption. WEP and WPA are both weak encryption protocols and should not be used.


A worm is a form of malware which replicates itself in order to infect the computer it is on and any others it can find.

Unhelpful media headlines

Earlier this week an article appeared on the BBC website called “How can we stop being cyber idiots?”. I took umbrage at this for a number of reasons.

First, why alienate readers by calling them idiots? Most people who use computers (I won’t call them users because, as a friend of mine pointed out, users has negative connotations around drug and alcohol abuse) generally try to do the right thing. This doesn’t make them idiots.

Second, if people haven’t been educated about the risks of their actions, they may not understand the consequences of not following any guidance they’ve been given. This is a failure on the part of information security professionals, not providing meaningful education which reaches everyone, and which informs on and encourages good behaviour. It doesn’t make the people using computers idiots.

Third, why assume that everyone knows what is right and wrong? As Rik Ferguson pointed out on a podcast I listened to last year, every day is someone’s first day online. So every day someone needs to be told the basics of information security. This doesn’t make those people idiots.

There seems to be a general assumption that everyone knows everything they need to about good cyber security practice, but that’s just not true. It’s an everyday and ongoing challenge to help people understand the consequences of their actions. The risks are constantly changing and evolving, so security professionals like me need to make sure we’re spreading the right messages in the right way.


V is for …


A virtual private network (VPN) is a form of network connection between two points which is encrypted. This helps protect the network traffic from being intercepted by others, and helps to keep the message secure.

It’s a really good idea to use a VPN if you’re away from home, eg in cafes or using other public WiFi connections. There are quite a few available, for mobile phones as well as for laptops etc. They’re quite easy to find, and there are free as well as paid-for versions on the market.


A computer virus is a form of malware which can carry different payloads. Just like a virus which infects people, a computer virus is designed to infect devices by a number of different methods. Using antivirus software, and keeping the software updated, as well as regularly applying patches, is a good way of reducing the risk of infection.


Vishing is a form of phishing which is done over the phone (voice phishing) rather than by email. It’s often used in conjunction with phishing to add credibility to the email which was sent, and to try to improve the chances of the target being successfully socially engineered.


Almost all software has faults in it, which may take some time to discover. These faults are called vulnerabilities, and they are fixed when patches are issued.

Vulnerability scan

A vulnerability scan is similar to a penetration test, but doesn’t go into as much detail. It’s the equivalent of a burglar trying the doors and windows on a house to see if they’re open – and then not going into the house (which would be a penetration test).

All it does is identify how an application, website or other system is vulnerable, but it doesn’t tell you what you could do if you exploited the vulnerability.

T is for …


Tailgating is very easy to spot. It’s when you follow someone through a barrier without swiping your entry card, entering your PIN etc. You might have seen someone do this in a car park or elsewhere, following another vehicle in without paying: it’s the same principle.


Taking its name from the Trojan Horse of ancient Greek tales, a Trojan is a form of malware in which the malicious code is hidden inside what looks like an innocuous application or other piece of code.

Two Factor Authentication / 2FA

2FA is becoming increasingly common, and is a really good idea for any accounts you may have where you have to enter bank or credit card details. Single (one) factor authentication is usually just your username and password.

With two factor, you’re normally asked either for your fingerprint (on iPhones for example), or you may be sent a code to your registered phone, which you need to enter after your password (PayPal operates like this). It’s really just an extra layer of security, based on something you know (eg your password) and something you have (a fingerprint, or a code from a mobile device).

Cyber viewing

Just as my recent post focussed on a selection of books related to social engineering and the psychology behind cyber crime, this post will look at a range of films, documentaries and TV shows which offer insight into the industry. They’re not intended to be a definitive list, and there are many great examples which aren’t included here, but you’ll get the idea…

So, what do we have in this little collection? All 3 series of Lie to Me basically dramatise the work of Paul Ekman, dealing with microexpressions and what they tell us. Ekman was actually a consultant on the series, so you’d have to hope that a lot of what it tells us about the science is true.

Catch Me if You Can is the film of the book by Frank Abagnale, starring Tom Hanks and Leonardo DiCaprio. It’s quite a good adaptation, but I have to say I think the book is much better. They both document Abagnale’s exploits as a teenage con artist who spent time variously as a pilot, doctor, teacher and lawyer. He was eventually caught by the FBI and became a valuable resource to them and financial institutions, explaining how fraudsters operate and helping to develop ways of making counterfeit banknotes more difficult.

CSI: Cyber follows the same format as all the other CSI series, but focusses on a crack cyber team which includes some former black hat hackers. There are some really interesting (and realistic) scenarios brought to life in both series.

Sneakers and Hackers are both well known in cyber security circles, though quite dated now. Mr Robot is the current favourite for some of my colleagues, who tell me it’s pretty realistic in many respects.

Citizenfour is the real documentary telling the tale of Edward Snowden’s breach: at the time it was filmed the only people who knew it was happening were in the room. Snowden is a dramatisation of the events leading to Snowden making the decision to leak the documents.

We Steal Secrets is the story of Julian Assange and Wikileaks. After watching this and Citizenfour you’ll have a much clearer idea of the scale of data theft and the personalities of two of the key people who have been major players over recent years.

Honourable mentions have to go to a couple of films missing from my shelf. Spectre and Skyfall are the two most recent 007 James Bond films, and they both give a good idea of the art of the possible these days. Spectre in particular should ring alarm bells when you see that many governments want to share data with each other.

Die Hard 4.0 is a bit tongue in cheek, but if you think of the story with nation states involved rather than terrorists then it is also (allegedly) possible in parts. Just think of the instances where Ukraine has lost its entire power supply from time to time, or when every Estonian government department was offline for several days and you’ll see that it’s already happening (probably).

What other films or shows have you come across? Are there any you’d recommend?

Social Engineering and Human Nature

I’m often asked, particularly by new entrants into cyber, what books they should read, and what podcasts they should listen to. The list of both is endless, but I thought I’d share some titles with you. Before we start though, a word about my relationship with books…

I’m a passionate reader, and a compulsive purchaser of books. So I have a lot on my shelves that I’ve not yet read, but loads that I have. I had cause to sit and ponder today and reckon I’ve over 25m of bookshelves at home, which are mostly full – and a pile of books by my bed, and another on my desk.

For some reason, I group my books by subject matter and height order, and have recently moved away from keeping all by the same author together to having them grouped by colour. (My LPs are stored in alphabetical order, by artist then by album title: this is something I’ve done since I was a teenager!)

The picture with this post shows my “social engineering” shelf, which includes titles on microexpressions (Paul Ekman) and the psychology of persuasion (Robert Cialdini). Interestingly, the author of The Cyber Effect, Mary Aiken, was a producer and consultant for the show CSI: Cyber, and was in fact the inspiration for Patricia Arquette’s character in the programme. (Beware though, once you start watching, you’ll watch the entire series in one sitting!)

It’s not possible to be a good social engineer, to gain people’s trust and ask them to do things to help you, without understanding human psychology. Ditto if you’re carrying out phishing attacks, you need to know what will make people click on links etc.

Microexpressions give away how someone is really feeling, so it’s really important that social engineers understand and recognise these. If you want to know how they can be used, you might want to watch the show Lie To Me. Paul Ekman was a consultant on the show, and his work is explained particularly well in season 1. (Another binge watch alert here!)

It’s impossible to talk about social engineering without mentioning Kevin Mitnick. Once one of the FBI’s top 10 Most Wanted fugitives, Mitnick is one of the foremost authorities in the world on social engineering. I have already written a post about his book, Ghost in the Wires.

I’ll share information on some of the other books on my shelf another time. These should be a good starter for you if you’re interested in the meantime!