Episode 75: Women in Security, and the Pitfalls of Offshore Banking
Amrit Williams, BigFix CTO, discusses with Andrew Hay the challenges women in security face and also the many security issues surrounding offshore banking.
FULL TRANSCRIPT
Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am back with Andrew Hay, who again, for anyone who missed it, is a Devastatingly Handsome Author, sporadic blogger, BBQ Junkie, and security strongman. Andrew, thanks for joining me again.
Andrew Hay: No problem.
Amrit Williams: So we were talking a little bit before, in the prior podcast, about one of the submissions you have for SecurityBSides. You actually have another one, which I find fascinating. It’s actually a panel on women in security, and I think the title is ‘Ruffled Feathers’. Is that the correct title?
Andrew Hay: The full title is ‘Unicorns, Clubhouses, and Ruffled Feathers: Women in Security’.
Amrit Williams: Right. And it’s a panel, as I understand it, about women in security. So of course it begs the question, and we were talking earlier about personal and private lives. What exactly are you doing on the panel?
Andrew Hay: You make it sound like we had some sort of secret conversation that kind of prepped me for this; in my past life, I like to dance in the evenings.
So really Erin Jacobs and Jennifer Jabbusch are the two prime people on this panel. And Erin put out a tweet saying, or she made a post saying, we are looking for other people to sit on the panel, let us know if you would be interested. And I thought, you know what, why not? So I contacted Erin and said, yeah, sure, why not, I will be on the panel.
Apparently, I am giving the male view so far. I don’t know if anyone else is going to be on the panel giving the male perspective, but I definitely will be.
I think I have a lot to add. My mother has been very successful, not necessarily in IT, but in business, working for the government. She has moved up the ranks quite quickly over the years.
I have worked with a lot of women in IT and in security, and I know the kind of things that they have had to go through to get ahead and to prove themselves.
I actually worked for an amazing woman, Daniella DeGrace, when I was at Q1 Labs, who, you could tell that everything she did was for the business and for her career. She was so driven. She just made you want to work harder, because you wanted to emulate her work ethic. So I hope that I can bring those kinds of insights to the panel.
Amrit Williams: Oh, that would be fantastic, and it’s interesting because there actually are quite a lot of really intelligent, highly motivated women in the security industry that I think we all have a lot of respect for. Do you think that the security industry is easier for women to get into and be respected in than other industries inside of IT? And it’s probably an interesting discussion, because neither of us happens to be a woman, so we don’t have the experience.
Andrew Hay: So far as you know.
Amrit Williams: So far as I know, right.
Andrew Hay: I don’t know if it would be more difficult than any other aspect of IT. I think though with social media and communications channels, I don’t know that there is a perception of difference between women and men in IT security, to the extent that there would be in, let’s say, accounting or business. Because there is that stigma that’s been around for 50, 60 years of like, well — that show, ‘Mad Men’, is a great example for that, where the men are always right and the women are little playthings in the office.
I don’t see that same sort of thing happening in this day and age in IT security, because security is really a new field, and we are kind of blazing new trails with that clear path. But I could just be wrong.
Amrit Williams: Well, I think for us, because we have a respect for what they bring to the table versus who they are, physically, probably helps. But it’s going to be an interesting panel. I know you had given some information on how to vote for that panel. It’s going to have yourself, Jennifer Jabbusch, and Erin Jacobs. The panel is Unicorns, something and Ruffled Feathers. Can you just say that again?
Andrew Hay: ‘Unicorns, Clubhouses, and Ruffled Feathers: Women in Security’.
Amrit Williams: It sounds fantastic. And people can vote for that by sending, I vote for Unicorns –
Andrew Hay: It’s Ruffled Feathers, just Ruffled Feathers, we have shortened it; there are only so many characters you can use in Twitter.
Amrit Williams: And they can tweet that to @SecurityBSides?
Andrew Hay: Yes.
Amrit Williams: Okay. I want to switch gears a little bit Andrew, you spent some time in Bermuda, and you actually have a talk coming up at SOURCE Boston, that’s in March, right?
Andrew Hay: That is in April.
Amrit Williams: April, at SOURCE Boston. I should get my facts straight before I get on the phone, don’t you think? You will probably let me know that. I am clearly not a journalist.
(00:04:58)
So yeah, you spent some time in Bermuda and you have got a talk for SOURCE Boston in April called Failagain’s Island. And I was actually quite intrigued by the concept that you put together about your time in Bermuda and what you are going to talk about. So if we could touch a little bit on the subject there and what your talk is going to be about, a little bit about your experience when you were in Bermuda.
Andrew Hay: Sure. So when I went to Bermuda, I really needed a change from my everyday life and I thought, what better way than to go to an Island Paradise and work there.
The unfortunate thing is that, in Bermuda, technology is about 10 years behind, especially security. It’s not something that companies really want to invest in, and I think that’s probably true for a lot of island nations, because it’s — I guess the water gives people a false sense of security that nothing is going to happen, or we are this tiny little island in the middle of nowhere, no one is going to attack us.
And I can’t remember the article or the study that I saw, but apparently small island nations are kind of breeding grounds for first trial attacks, because no one is going to detect them, no one is going to report them. If I can exploit something there, then I can probably exploit it someplace that is more secure and more aware.
So the idea of Failagain’s Island is really — it’s not specifically about Bermuda, it’s just about all island banking nations in general. Because half of the world’s capital flows through offshore centers and tax havens have 1.2% of the world’s population, but they hold 26% of the world’s wealth, which is a little scary.
What if your bank was in Haiti, and you went to the ATM machine, or you decide, okay, well, my bank is destroyed, I want to get all my money off of that island right now. Could you? And right now I don’t know the answer to that. I don’t know if you would be able to access your money and transfer it out. Even though it is all electronic right now, I don’t know that you would be able to get your money back as quickly as you would want, as going to the local bank, for instance, and taking your money with your ATM card.
Amrit Williams: I know that — I would imagine, and correct me if I am wrong, that these banks do take physical security and other aspects of security quite seriously, especially since they are probably dealing with a clientèle that — at least some aspect of their clientèle has probably some very strict demands around privacy, and not wanting federal agents of certain Western governments to see what they are doing.
But it sounds like what you are saying is, they are pretty cavalier about security when it comes to their digital assets. And first, is it true that they take the other aspects of security seriously, or is that not true at all?
Andrew Hay: I think it really depends. There is a lot of risk acceptance and risk avoidance. A lot of these small island nations have their own rights or have their own laws for dealing with breaches, if they exist at all.
The times I see where these sort of breach laws and compliance regulations come into play is if they have to deal with a European Union country or with United States or some other world power, because that’s where — when the money is passing in those electronic lines, they have to be compliant at the end.
I am by no means a compliance expert or a regulatory expert, but those are — if things are just kept locally, predominantly, you are going to be subject to the laws of that country.
Bermuda is a good example. They don’t really have a lot of privacy legislation in place. They are working towards it, but it hasn’t been seen as a priority until like the last five years. But they are working towards it very slowly.
Amrit Williams: And the island nation laws are interesting. I do know that many months ago, when I was looking at how Internet gambling was progressing, there was actually a company that was publicly traded on the NASDAQ, I forget the name, I think their symbol was star. They were based in Toronto, Canada, and they were publicly traded, they had operations out of Antigua, and they were creating turnkey Internet gambling sites.
And the Royal Canadian Mounted Police, working with the FBI, raided their offices and shut them down. They had funneled so much money through Antigua and they had such a large operation in Antigua that the government in Antigua basically gave them amnesty and sent a letter to the U.S. government stating that they were now citizens of the sovereign country of Antigua, and there was nothing that the U.S. could do. They became delisted, but the company didn’t go under, they just simply moved operations to one of these island nations, and there was very little that the U.S. government could do. I mean, I am sure they could have exerted pressure if they wanted to, but I don’t think the case warranted that.
(00:09:51)
So it becomes interesting when you talk about, then, how do those island nations deal with the demands for sharing compromise and breach information that makes all of us better able to respond to threats, which is a big demand that a lot of folks are asking for the new cyber coordinator to implement. We need more transparency. We need more ability to share information. We need to allow mechanisms for that to be anonymous. And then you have these island banking nations, that are very much driven by the privacy of the folks who use their services: how do you incorporate them into that process, and can you?
Andrew Hay: I honestly don’t know. A lot of islands are still, I will say, parented by European Union member countries, and I am really not sure if those disclosure and regulations trickle down to the island nations, I really don’t know. I would hope they would, so that there would be some sort of sharing and — I don’t even know what to call it, some sort of sharing in place for breach notification and disclosure, and some sort of standards and regulations that they can abide by. I think it is very ad hoc and it’s up to that country to decide if that’s the road they want to go.
I can tell you that no country ever wants to be labeled or to be known as a tax haven, they take it very seriously, because they don’t want to be known as some place that you can dump your money and not have to pay taxes and elude taxes of your home country. They hate that.
Amrit Williams: Especially given what the U.S. government is doing right now, they are in that. They are pretty aggressively going after this, what’s considered to be tax havens.
Andrew Hay: Yeah. And like really these nations want to be known as offshore banking options, where if you want to put your money in another country’s bank, then by all means come to us, but provide us with the proper paperwork and show us that you are acting within the laws of your country and what our country says is legal.
I will give you a good example. In Bermuda, you can’t get off a plane with a suitcase, go to the bank and say, hi, I am so and so, I would like to open up an account. They will say no. Because there are laws in place to prevent that from happening, and a lot of the island nations subscribe to that. And for the life of me, I can’t recall what it’s called. Oh, it’s the money laundering. I am not sure if it’s an Act, but it has to do with money laundering regulations that all these banks abide by.
Amrit Williams: Well, it’s interesting, it strikes me that we still for the most part have a mentality that is very centered and focused on boundaries and borders. The whole concept of offshore banking means it’s not on your shores. That doesn’t translate well into the Internet and information security, because there really is no concept of offshore in information security. There is no boundary. Everyone uses the same thing. The ports and communications and protocols that we use for email transfer, FTP, SNMP, on and on and on, they don’t change country by country.
So if I am attacking Port 80 in Bermuda or I am attacking Port 80 in Canada, or I am attacking Port 80 in Russia, I am attacking the same thing. There is no concept of the boundaries for me. The only thing I have is multiple hubs I might have to transfer to, which is really no barrier to anybody.
So until there starts to be an understanding that we really are looking at a borderless boundary, there are none that exist in cyberspace, it’s going to be very difficult to convince the island nations or anybody who seems to think that they are protected by some type of physical boundary that does not extend at all into the Internet or cyberspace.
Andrew Hay: Yeah, I completely agree.
Amrit Williams: So what are some of the, just to touch back on the talk, Failagain’s Island, are there some proposals or suggestions that you have that folks who don’t happen to — I personally don’t own a bank in Bermuda, granted, I wish I did. But I live here in the West Coast of the United States. Are there things that I can learn, or things that people can learn who don’t happen to own a bank in Bermuda or Antigua?
Andrew Hay: I think so, or I hope so. Really, what I want to do is I want to expose some of the misconceptions that people have with offshore banking. A lot of people think that it’s some guy in a back room that you send a briefcase full of money to and they will hang on to it until you need it. Whereas these banks are just as wise and complex, and yeah, just as up-to-date and wired as your local bank branch, it’s just a question of, are they implementing the same level of security that you are used to.
If you are a large corporation and you want to take some of your money, put it in an offshore bank, and then keep some of it here, you need to be sure that the level of security is going to be on par or greater in that nation that you are sending your money to, because the odds of you getting that money back are a lot less than getting the money from your local branch. Because you really — your lawyers are going to know the ins and outs of getting your money back from your local bank branch. Whereas in that foreign country you will have to hire someone who is allowed to practice law in that country, presumably, or hire a local lawyer to chase down, and it could be years before you see your money again, potentially.
(00:15:15)
Amrit Williams: And we already know that even some of the largest banks here in America, for example, or around the world, that have a tremendous amount of resources, influence, and money that they could potentially put at solving the problem, or at least improving the security of their customers, still fall prey to some very basic attacks. So it’s certainly conceivable, and probably as you mentioned earlier, understandable why it’s sort of some tip of the spear attacks. If you really wanted to make them more sophisticated and go after large targets, you would start with island nation banks.
Andrew Hay: Definitely. Because their investment in security may be less than your local bank branch or your national bank branch, just because there is going to be fewer people doing the work. There is going to be lesser — there will be lesser thought put into security than there would be a major publicly traded bank. Because a lot of the banks in the island nations, if they are not bought by like an HSBC or a big multinational bank branch, are going to be locally owned or family owned even.
Amrit Williams: It sounds like a fascinating talk, and I understand that you are going to dress up like Gilligan or the skipper?
Andrew Hay: I will dress up like probably the skipper; I don’t think I am fit enough to be Gilligan.
Amrit Williams: Well, it’s interesting, because if you actually do a really good job on the Panel, the ‘Women in Security’ Panel, it will probably be good if you dressed up as Mary Ann or Ginger.
Andrew Hay: Well, someone suggested that I dress up like Mary Ann, but I want people to come to the talk, so I don’t think I am going to do that.
Amrit Williams: Well, I am looking forward to it. You folks out in the audience, you can hear more from Andrew Hay, you can reach him at andrewhay.ca, is his blog.
You can also see him at SecurityBSides. He has a talk called My Life on the Infosec D-List, as well as he will be sitting in on a panel and helping with the panel on women in information security. And those folks going to SOURCE Boston in April can see his Failagain’s Island talk, which I personally am looking forward to.
Andrew, thanks for joining me today.
Andrew Hay: Thanks Amrit.
Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening.
