Simon Biles, Thinking Security

Simon Biles, together with his wife, runs an Information Security Consultancy – Thinking Security – from near Oxford in the UK. He is currently consulting with HM Revenue and Customs on Security Architecture. He is also studying for an MSc from Cranfield in Forensic Computing and is an Associate Lecturer with the Open University on their Information Security Management postgraduate course. He posts as "Azrael" on the Forensic Focus forums (in case you were wondering).

Simon, can you tell us something about your background?

Underneath it all I’m a UNIX SysAdmin to the core! I started using Linux at University because I was too lazy to walk to the CS or AI labs to work on the real UNIX machines (Suns and SGIs), so I installed it on my own PC in halls, I then discovered that I could do dial up and connect to the University network and it all grew from there.I was very lucky to work part time in a local ISP running Linux and Windows web and database servers, from there I did more UNIX SysAdmining for a small software company that did high end Computational Fluid Dynamics – this meant that I got to play with multiprocessor Suns, HPs, IBMs, SGIs and Linux clusters as the only UNIX person in the company! Owing to a merger though I was made redundant, and decided it was a good time to strike out on my own – I invested some of my redundancy money in training, and since then have worked on security for The Institute of Cancer Research, JP Morgan Chase, Cable and Wireless, Vodafone, The Science and Technology Facilities Council and HM Revenue and Customs as well as a few other smaller companies.

Why did you decide to specialise in computer security?

Bad careers advice at school! I wanted to work in Forensics, but my careers advisor told me that the best route was through audit and accountancy, so I did some work experience in a local accountancy firm, and, with apologies to my accountant friends now, nothing in the world is so mind numbingly boring as accountancy! So I read Computer Science and Artificial Intelligence at Uni, and was just interested in security from then… It took a while until my redundancy before I really got to grips with it, although I got to work with many aspects before that – firewalls, users & group permissions, VPNs between offices and the occasional IDS.

Get The Latest DFIR News!

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

What exactly does your role as a security consultant involve?

I seem to occupy an interesting little niche market, I’ve done a fair bit of work with Single Sign On systems ( Kerberos & Shibboleth ) so sometimes I’m asked specifically about those – but mostly I’m a technical generalist and it is the overview of architecture and how it hangs together that people employ me for… Without wishing to make myself sound unprofessional, it’s a bit of a “Jack of all Trades” situation (although I’d strongly resist the “Master of none” completion to that sentence!) – how’s about “Holistic Security” – that sounds better! 🙂

What is a typical week in your working life?

This week, which is fairly typical, I’ve finalised and issued a Risk Management and Accreditation Document, which is a report to the business about the risks that I perceive that they have outstanding in their infrastructure the culmination of about two months worth of research and I’ve started a new one, I’ve consulted on the implementation of a new system management service, I’ve attended about 6 meetings (about 3 of which were worth going to… and which ranged from 1 hour to 3 hours) and, which has been the most entertaining, I’ve had a secure system that I’ve been trying to break …

Can you tell us something about where you work at the moment?

A little… I currently work for HM Revenue and Customs, owing to some well publicised security incidents with HMRC data (Google ’em if you don’t know…Won’t take long!) [all before my time I hasten to add!], HMRC is concentrating very hard on improving all aspects of security – that’s what I’m here doing…

You've co-authored a couple of books ("The Snort Cookbook" and "Hacking Exposed Linux") and written a number of papers for Microsoft and others – how do you find the process of writing for a technical audience and what do you make of the current crop of computer forensics books?

I enjoy writing – I wish I could write fiction, but I don’t have the imagination for it! Writing technical things is a good compromise, I don’t have to make anything up – just do some research – but I get to put my own words to the meaning – hopefully making it interesting, entertaining and educational along the way.

Funnily enough, I don’t think I’ve really read that many current forensic books – I had a look at the iPhone Forensics from O’Reilly the other day, but without an iPhone to play with, it was a bit lost on me! I’m big on the classics though – “File System Forensic Analysis” by Brian Carrier, “Forensic Discovery” by Dan Farmer & Wietse Venema, “Forensic Computing: A Practitioners Guide” by Tony Sammes and Brian Jenkinson – and there is one that I think has massive value to someone who came from a non-investigatory background – “Principles and Practice of Criminalistics” by Keith Inman and Norah Rudin – the trouble is that it is such a fast moving field, that books tend to become dated rather quickly – these ones focus more on attitude and fundamentals than the latest peer-to-peer, for that kind of thing I find forums, blogs, wikis and scientific papers more relevant in general.

Broadly speaking, how knowledgable are computer security professionals with regard to computer forensics?

That’s a really good question – I think that there is a fundamental understanding of the concept, but I think that generally that’s where it stops. At a risk of upsetting the reading audience, I suspect that generally the opposite is true the other way round!

As with all things, occasionally you meet people who are more clued up in both fields…

In your experience, are those who misuse computers becoming better informed about computer forensics procedures and becoming more skilled at covering their tracks?

In my experience, no, plus ca change, plus ca meme chose … The people who are good were always good, and they are professionals usually very similar to ourselves ( Organised Crime, Foreign Intelligence, etc. ), the bottom end of the spectrum are the script kiddies, who don’t know what they are doing _at all_ and are just running a programme that they got from somewhere else. What is interesting is that some of the tools are improving, but when it’s used by a monkey, it tends to make little difference!

What trends do you see in computer security and what implications might those trends have for computer forensics professionals?

There is a major move towards the use of whole disk encryption, encryption of removable devices and encryption of communication. Not only in Government, where it is long overdue, but also in the private sector. Unfortunately I think that this will, in the long run, make life more complicated for Forensic work.

On the bright side though, there is a good recognition that firewalls aren’t the be all and end all of security, there is more “defence in depth”, more logging, and more host and network based IDS. I think that over time, forensics is likely to move from host to network, in the same way, and that this will counteract the lack of information held directly on a host.

All of this is driven by the general IT trend towards cloud computing, networked data and 100% internet enabled devices.

You're currently studying for an MSc in forensic computing at Cranfield University, what are your impressions of the course and what advice would you give to prospective students?

I enjoy the course, and I think that I have learnt a huge amount – I question if I have learnt as much from what I am supposed to learn as opposed to the environment being very conducive to asking questions and exploring tangents with some very, very knowledgeable people. I am a firm believer that a solid founding in fundamentals is vital in anything, and this course provides that – there has, in the past been criticism of the teaching of “irrelevant” fundamentals – but it should be remembered that the people attending this course are from a wide range of backgrounds, and whilst I find the explanations of TCP/IP networking and filesystems easy, I assure you, they are much better at the laws of evidence than I am ! A good grounding makes for a good examiner in my opinion.

Do you think that the personal qualities required to be a computer security specialist are the same as those required by someone working in the field of computer forensics? If not, how do they differ?

I do think that there is a lot of common ground – attention to detail, technical knowledge & an ability to learn and experiment, an ability to develop and adhere to procedures and processes, a sense of humour… I think at the end of the day, the two professions are opposite sides of the same coin.

What is the most rewarding part of your job?

I like walking away from a system knowing that I have left it, and the data contained within it, in a better state than when I arrived. It is particularly satisfying when it improves protection for real people, as opposed to just corporate money making 🙂

What aspect of your job do you find most challenging?

“Two things are infinite: the universe and human stupidity; and I’m not sure about the universe.” – Albert Einstein

Need I say more ?

What do you do to relax when you're not working?

Aside from spending time with my family which is a fantastic release, I enjoy getting out in the countryside around where I live – I find that living in an office block and a car for over 10 hours a day makes me go insane unless I get muddy feet at least once a week. ( That, and I’m trying to kill the Ogre Chieftain in a deserted mine in Oblivion on the PS3, trouble is he keeps kicking my arse. 😛 )

Simon can be contacted through the Thinking Security website at

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...