Finding The Hidden InfoSec Story

The Green Surf Code (TM)

Photo Credit: GoldScotland71 via Compfight cc

I still have my Tufty Club badge and I don’t think I’ve suffered an emotional trauma from the evening I missed childrens’ TV because my mother had me write out 100 times about the danger of running across a road to see my brother.

Those were the days of public information films. Now of course we don’t need them because we have websites that can carry so much more information.

Over the years I was taught road safety by my mother, a squirrel, The Doctor, and a body builder who had been the Minotaur in Doctor Who. But I was never overloaded. I was safely within my Miller limit – that number of things that we can comfortably deal with at any time (7±2 items) that is apparently hardwired into our brains. And what’s more, I wasn’t just scared of missing everything but the last chirps of the Hector’s House nightingale (which heralded the end of that night’s childrens’ television programmes); I knew what to do. I was made aware of more than just the dangers. I was educated in the actions I needed to take to be safe. Alice  (in Wonderland) would have compared most security awareness training to “a book without pictures or conversation” – in other words, a bit of a bore.

So. I’ve long since thought that it’s about time that we helped, with a Green Surf CodeTM. And here it is… the route to acceptable (safe) use of the Internet and the World Wide Web:

  1. First find a safe place to go on-line.
  2. Be sure you know whom you’re talking to.
  3. Don’t post stuff on websites unless you’d be happy shouting it in the street.
  4. Don’t do stuff you care about on shared kit.
  5. Keep copies of anything you don’t want to lose.
  6. Know who you’re going to call when there’s a problem.

Of course there’s a little more to each point, just as Jon Pertwee explained SPLINK to us in that old road safety message on TV. And it also helps to know why you are doing things. Back in 2007 when I learnt that the Wall Street Journal had published ‘Ten Things Your IT Department Won’t Tell You’ I had a wobbly moment until I read the article. It’s full of explanations of the risks so that you can take responsibility. Of course this Green Surf Code is simplified but do you expect me to tell my granddaughter to explain encryption and port scanning to me before she’s allowed on-line? Do first; ask questions later…as long as the advice is reputable. So… what do you need to ask and why do you need to ask it?

Green Surf CodeTM What you need to ask? Why you need to ask it…
First find a safe place to go on-line. What – or whose equipment are you usingWhat are you connecting to?Who’s looking? Wireless means that your passwords and personal messages are broadcast for anyone to hear. Make sure you’re not leaking.
Be sure you know whom you’re talking to. Is it really your friend?Is it really your school?Is it really your bank? You can’t undisclose a disclosure…[1]
Don’t post stuff on websites unless you’d be happy shouting it in the street. Would I be happy if my message was seen by:

  • My parents or others in my family?
  • My teachers?
  • My friends?
  • My worst enemy?
A post is forever. You can never be sure that a copy is not saved somewhere else.
Don’t do stuff you care about on shared kit. Who else uses this stuff?Can I delete everything when I’ve finished with it? You can’t be sure that you haven’t left something behind that someone else might find and use.You may have been careful not to pick up a Trojan but have others?
Keep copies of anything you don’t want to lose. Will I ever want what I’ve done again?How much effort will it be to recreate it? Data doesn’t exist unless it’s in three places.[2]
Know who you’re going to call when there’s a problem. Who can I turn to

  • Action Fraud –
  • Child Exploitation and Online Protection Centre
  • Childline –
  • Consistent parenting advice
  • Cyber Street –
  • Family Online Safety Institute –
  • Getsafeonline –
  • Missing Kids –
  • Think u know –
Make time for fun and school and being with the people you want to be with. Don’t let a problem on-line take over your life off-line.


Now I don’t want to be accused of creating another standard but, OK…mea culpa. But wait just a moment and hear me out. Do you know that every time that you fail to comply with a standard, a fairy dies? Alright. Perhaps nothing so tragic but standards are often a matter of belief…the devil might be in the detail but the first step for getting the best from the distilled knowledge of others (that’s standards) is remembering the objectives of the knowledge in the first place.

And in an analogy-rich environment perhaps we ought to think what a standard meant to a Roman soldier. It was a focal point. SPQR ‑ Senatus Populusque Romanus – (the senate, the people, and Rome). It was what they were all about. All the Houseteads and Vindolandas were just detail. So never mind the inconvenience, feel the security…or at least that little bit better security by taking the advice of the standard. Standards are toolbox. Start with Junior Meccano; don’t give a 5 year-old a soldering iron.

Just as you start with the Green Cross Code, progress to the Highway Code, and then the Driving Standards Agency’s manual…then perhaps you pull out a Haynes if you need to look under the bonnet…information and cyber security also has a library where not everyone needs to read everything:

Standard Who is it for? Accessibility  
Green Surf CodeTM …for everyone with a computer Everyone The Three Laws of Information and Cyber Security
Desert Island Security Controls …for everyone who uses a computer for work Anyone who wants to know
Cyber Security Essentials …nitty gritty technical controls for everyone with a computer For someone who knows about computers. If you don’t, find a local hero who can help.
IASME …by small businesses for small businesses Guess what? For small businesses…but also an excellent approach for the corpuscular departments that form the corporate.
ISO/IEC 27001 …everyone who can focus the time and effort…but realistically… …enough components for the complex corporate entity to approach requisite variety to enable its operations.
PAS 754 …for those who create the software For those who want experience and knowledge to increase the risk of the next generation of software being trustworthy.

And of course there are three laws that no system can escape from. However, from all this, If those 6 points in the Green Surf CodeTM make one more person just a little more careful out there, it’s been a good day. Just say after me, ’I do believe in standards’.

Safe surfing, children everywhere!


[1] Gerry O’Neill

[2] Dave Gorman

Author: Daniel Dresner

Share This Post On