OTPs as Second Factor
Let me start off with a small anecdote that has absolutely nothing to do with information security, just for a paragraph or two.
It is not a secret that I’m an avid reader of all sorts of books and also do some recreational work related to books. A while ago, I had the pleasure to talk to two acclaimed writers, Elizabeth Wein and Sally Gardner, who are most known for their contributions to a genre probably best classified as Historic Fiction. Just to give you a quick glimpse into their work: Sally recently wrote a book called Maggot Moon that got the Carnegie Medal for Young Adult fiction and deals with the effects of an oppressive government. Elizabeth on the other hand, wrote Code Name: Verity, also a young adult book, that tells the story of two young British women, a pilot and a spy, during World War II.
After talking about the books themselves for a while, we touched upon the topic of research. Especially when you write something set during a very important phase of recent history, research plays an enormous role in getting your facts straight and telling a coherent story, be it factual or fictional. So Elizabeth told me, in great detail, how far she went researching her book, and it was fascinating to me that somebody would actually dig as deep as the core mechanics of an early ballpoint pen used by one of the protagonists in Code Name: Verity. While we were discussing this, Sally brought up an interesting point: no matter how much research you do and how badly you want to tell people every single bit of it, you can’t. If you do, you become the annoying family member who shows you three hours’ worth of vacation photos.
This point really stuck with me as an infosec professional, because I think it’s a very spot-on analysis of how information should be conveyed, no matter whether you’re trying to write a novel or a report for a CISO or another relevant representative of a company. And I realize that I have been this obnoxious photo guy myself in the past, trying to show off all the cool exploits we ran in a penetration test and all the sensitive documents we gathered, trying to teach somebody who is busy running a company about information security within an hour. It does not work. It just does not.
So here is my take after thinking about this, and feel free to argue with me: all the research you do, everything you collect and gather, all these nifty little details about how security should work and why; they are for you. And in that moment, only for you. Nobody really cares about all these details, since they are merely the foundation of what you can create based on them. It’s your job to build something on that foundation that is appealing and interesting to someone who does not want, or even need, to see the foundation itself.
And that is exactly what talking to business is, and why it usually fails. Summarizing your own knowledge does not cut it; you need to re-package it. You need to make it your message, and all the research you did is there to hold it in place, to make it stable and accountable. Your knowledge and your research are there to cover your back while you’re stating what you think is important.
In Elizabeth’s book, the aforementioned ballpoint pen is important because one of the protagonists is in captivity and needs some sort of device to be able to keep writing journals; otherwise the book would have been over after 20 pages, which is sort of boring. So the ballpoint pen was a necessity. But what if somebody questioned whether there actually were ballpoint pens back then? And whether a British air force pilot would be likely to own one? Elizabeth covered all of these points. And yes, it does make sense. And she can tell you why. Can you do the same for your latest reports?
At BSides Las Vegas a couple of years ago, I talked about bad penetration testing, and particularly about bad pentest reports. Talking in terms that business would understand was one of my core points there: nobody cares about your shells, or how you got to a certain point in particular. What people do care about is the result in their terms: what does it mean for their business? What’s the potential damage, preferably in local currency? These are the things that need to be communicated. And in order to get this information, you need all your research, every single bit of it. But you don’t need to show it to everybody. All that counts is the final product you create from it.