Everything you need to know about security but were afraid to ask
can be found at this year's Compsec conference in London next week.
Karl Cushing reports
Despite the millions of pounds spent on security technology and
consultancy every year, the IT security world remains divorced from
business users, according to Martin Smith, chairman and programme
consultant at IT security conference Compsec, which takes place
next week. In the resultant confusion, skewed priorities,
inappropriate measures and mis-selling are the norm. "At the
moment, the [experts] are selling brain surgery while the patient
dies of the common cold," he says. "Senior management are worried,
concerned and know they are vulnerable but they don't know what to
do."
In Smith's opinion, the IT security establishment has matured
technically but it has not matured intellectually and continues to
fail business by not addressing underlying issues and security
concerns in business terms.
Compsec, which is sponsored by the Computer Weekly Infosecurity
User Group, will look at the key security risks and how to cope
with them. As well as taking in ongoing management challenges such
as data protection, disaster recovery and business continuity, the
conference will look at technologies like Extensible Markup
Language and public key infrastructure and address legal and
ethical issues that surround the gathering of computer forensic
evidence.
The event, according to Smith, provides IT professionals with a
generally informative discussion amongst peers on security threats
and issues, free from supplier hype and sales pitches. However, for
Smith, it is also an opportunity to try to shake the IT and
business communities out of their complacency and to start getting
to grips with the real security issues instead of the perceived
ones.
While he identifies a lack of awareness as the greatest cause of
all security breaches, Smith also points to missed opportunities
arising from companies implementing inappropriate and overly
complex or misunderstood security solutions. "The ways to improved
security are rarely technical," he says. More effort should be
spent on practical, non-technical solutions such as user education,
improved internal communication and establishing proper processes
within the organisation. A key barrier here is that there is no
money to be made by security firms in increasing users' awareness
of security issues and good practice, Smith says.
Keynote speaker Marcus Ranum, chief technology officer at US firm
NFR Security, will be looking at the future of network security.
"Surprisingly, the un-sexy stuff works the best," says Ranum. By
this he means regularly updated anti-virus software, using personal
firewalls and designing systems conservatively. "That means, not
turning on all the features, not leaving everything open,
researching features before you use them, and not just believing
suppliers when they say 'trust us, it's secure'," he says.
Like Smith, Ranum believes that companies are misdirecting their
efforts and focus. He sees a curious paradox. "On the one hand many
people are scared of the potential threat of cyberterrorism, which
has not happened so far, and yet they don't do basic things like
install firewalls, audit traffic, or perform back-ups," Ranum says.
"It's amazing the number of people who don't even take the basic
precautions."
Users should be taken out of the loop as much as possible, argues
Ranum. "Expecting people to show common sense is ridiculous when
it's so easy to just make many of these things automatic," he says.
As well as automation, Ranum favours "mandating" security measures
and says that suppliers like Microsoft, with its Windows operating
system, should start shipping their products with anti-virus
software pre-installed. His main piece of advice for IT directors
is to plan before you implement. While security is not hard to
build into what you are doing, he says it is nearly impossible to
retrofit. "Factor security in as part of your reliability and
availability plans: it's like doing your back-ups - boring but
essential," he says.
Lessons from terror
At the conference, Alan Brill,
managing director and technologist at US risk consulting firm
Kroll, will draw on the lessons from last year's 11 September
attacks in the US. He will guide delegates through what to do and
what not to do in such a situation. In common with other speakers,
Brill argues that it is often the simple and practical things that
are overlooked and says key lessons relating to information
security can be learned from the tragic events of 11
September:
- Action plans are too complex or confidential to the point of
being impractical
- Companies - Brill points to law firms as an example -
experience problems owing to their over-reliance on paper
- Too often there is an over-concentration of authority in a few
staff so that no one can make decisions in their absence.
The current threat from international terrorism will be examined in
the keynote speech by Brian Jenkins, senior adviser to the
president of the RAND Corporation and adviser to the US-based
International Chamber of Commerce. Jenkins believes that a
combined, simultaneous attack using multi-dimensional tactics
involving physical strikes, biological weapons and cyberattacks is
a grave concern.
Sally Leivesley, business continuity manager at Risk Analysis (UK),
is also in apocalyptic mood as she aims to discover how companies'
systems would cope during a chemical, biological, radiological or
nuclear attack. In her interactive workshop, Exercise Survive,
Leivesley aims to simulate such an attack to help the participants
gauge their ability to react and provide useful pointers for
survival.
The opposite end of such events will be explored in another
conference stream discussing current developments in policing and
investigation. Securing a prosecution following a security breach
or theft of intellectual property, while not always the main
objective, is tough. However, a couple of recent hacking cases in
the UK have shown that it can be done and point to the growing
importance of computer forensic evidence and increasing
cross-boundary co-operation between law enforcement agencies,
mirroring the global nature of network attacks and fraud.
Crime and the law
Willy Bruggeman, deputy director of
Europol, the European law enforcement organisation aimed at
boosting co-operation and collaboration between European Union
countries, will be at Compsec to examine the police network that
roams cyberspace in his keynote speech. A specialist adviser to the
Hi-Tech Crime Unit, Phil Swinburne, will also be taking part, along
with Frank Butler, a training manager at Guidance Software, which
develops computer forensic software tools.
Legal issues relating to key areas such as fraud are also a central
part of this year's event, with a stream dedicated to legal issues
on the second day of the conference, running in parallel with the
technical and management elements.
The legal briefings will show companies how to minimise risk
through the use of active e-mail policies, including the use of
e-mail audit trails and encryption to make sure no one sees data
who should not and ensuring records are kept of who does access
this data and when. The organiser of the legal stream, barrister
and IT security expert Stephen Mason, hopes the event will act as a
wake-up call. He aims to alert IT directors to the increasing
threat of money laundering and the need to comply with anti-fraud
legislation and e-mail storage, which he says will become "a big
headache". Mason is keen to highlight the potential risks IT
directors face if they don't address such areas which can affect a
company's reputation, finances and even attract legal action.
Mason points to legislation, such as the Data Protection Act and
the Stock Exchange's Turnbull Report, which makes directors liable
for employees' indiscretions with e-mails and poor business
continuity procedures. He also points to recent guidelines issued
by the information commissioner for treating personal data relating
to employees. The guidelines effectively make the company the data
controller for its employees and the e-mails they send and that has
some very serious implications, says Mason.
Tougher anti-fraud and money laundering legislation introduced in
the wake of 11 September to increase state powers, such as the UK's
Anti Terrorism Act, also needs more consideration, he says. Mason
cites the case of the UK lawyer who was recently jailed for six
months - not for money laundering himself but for failing to ask
sufficient questions of one of his clients who was. IT directors
could find themselves in a similar boat before long, he warns.
Complacency and hiding your head in the sand, it seems, are no
longer options.
What the experts think are the top five security threats and
issues for the near future
Barrister and IT security expert Stephen Mason lists the
following as his top five security threats and issues:
- Loss of company secrets and theft of intellectual property
- Risk to reputation - as well as financial and even criminal
damage - through not controlling how e-mail system is used
- Money laundering - companies need to pay more attention to this
and do some due diligence to help them identify suspicious
behaviour such as unusually large orders
- E-mail storage - companies need to separate business e-mails,
which may need to be stored for six years, from personal ones.
Storing personal e-mails for this length of time could lead to
breaches of the Data Protection Act - they should be wiped after a
few days
- Hackers and trojan horses - smaller companies in particular
need to do more to protect themselves against this ongoing risk,
says Mason.
According to Marcus Ranum, chief technology officer at
NFR Security, the top five security risks are:
- Bad software
- End-user apathy
- Executable content - blurring the lines between an e-mail
message and a program and the fact that someone can e-mail you
something that your computer will run without your doing
anything
- Denial of service attacks
- Lack of leadership from the governments of the world. "Most
governments are too far behind the technology power curve," says
Ranum.
What is Compsec?
Compsec is an annual IT security
event, run by Elsevier Advanced Technology and sponsored by the
Computer Weekly Infosecurity User Group. It looks at the key
threats to IT security now and in the coming year, featuring
keynote presentations from industry experts and insiders. This
year's events will be held at the Queen Elizabeth II Conference
Centre, London, from 30 October to 1 November. For further
information contact Nina Woods 01865-843297, e-mail
n.woods@elsevier.com.
Join the Infosecurity User Group
The Computer Weekly
Infosecurity User Group is a free networking, benchmarking and
information resource for IT professionals with IT security-related
responsibilities. The group, established earlier this year, offers
its members a number of benefits and services, including:
- Monthly e-mail bulletin
- Regular security threat alerts - and advice on how to tackle
them
- IT security benchmarking service - how do you compare to other
organisations?
- Latest IT security research
- Discounts on IT security products and services
- Regular meetings with high-profile speakers on hot IT security
issues
- Networking events
- Useful guides to IT security best practice
Membership of the Infosecurity User Group is open to anyone with
responsibility for IT security in a UK user organisation. For
information on the group contact CWinfosecurity@rbi.co.uk.