
Risk Management

Computer Weekly Security Think Tank

Security think tank
Posted: 09:27 08 May 2008
Topics: Security | Social Networking | IT Professional Associations

ComputerWeekly.com's Security Think Tank puts information security questions to a group of experts in the field. This page compiles all those questions with links to the experts' answers. Our security panel comprises experts from: (ISC)2, British Computer Society (BCS), Gartner, Isaca, Information Security Forum (ISF), Information Systems Security Association (ISSA), National Computing Centre (NCC), Royal Holloway, University of London, and The Corporate IT Forum (Tif).


How can businesses assess and mitigate the security threat of networked devices such as printers that have operating systems which can continually re-infect networks with malware?

ISACA: Passwords and encryption strengthen printer security

When we conduct a penetration test of a corporate network, we typically find dozens of printers offering management pages without passwords. This means that anyone on the network could not only print to the machine, but also control it, change the print settings and send faxes. read full article

BCS: Responsibility for security of end-point devices must be shared across the business

Network scanning technology needs to be capable of addressing the end points to ensure that anti-virus or software updates are run on printers and other connected devices to keep them virus-free and "healthy". read full article

ISSA: Security managers must keep pace with weak points in connected devices

Restrictions provide a back door into organisational networks through [the lack of] security in embedded devices. read full article

Tif: Risk assessment enables targeted security management

There is a broad spectrum of serious risks and vulnerabilities to be addressed, in which networked devices re-infecting networks is only one challenge. read full article


How can security play a central role in enabling business growth?

Information Security Forum: Meeting regulations is key security advantage

The business case for information security has finally been recognised. Rather than being viewed as an unwanted necessity and expense, information security is now seen as a valuable contributor for protecting and managing brand image. read full article

BCS: Good security and security governance can help win business

A very simple view of how security can enable business growth is to consider the question "why do cars have brakes?" The answer given by most people is that the brakes are there to stop the car, which is true of course, but not the reason. read full article

ISACA: Strong security builds trust; trust builds business

The first challenge in attempting to articulate the extent to which security can help business growth is for the enterprise to recognise that security is a business issue, not just a technical one. read full article

ISSA: Raise the profile of security’s risk management potential

The name Paul Moore, former head of risk at HBOS, is not synonymous with information security, but perhaps it should be. read full article

Gartner: Seven ways to align security with the business

There is no single tactic or strategy that guarantees success in improving business alignment of security. Rather, a number of varied but interrelated actions need to be identified and executed to improve alignment over time. read full article

ISC(2): Security bridges divide between IT and business

As information security grows in stature within the organisation, we in the profession must be careful not to develop any delusions of grandeur. No matter how crucial our efforts may be, we must recognise that we are very firmly cast in a supporting role. read full article

Tif: Protection of customer data makes a strong selling point

There is no doubt that security will play an increasingly important role in enabling business growth, but it requires those in the boardrooms of Great Britain to wake up to the real challenges that will threaten their business over the next decade. read full article


What should businesses be doing to assess and manage the security risks of instant messaging?

Corporate IT Forum: The triangle of trust
Corporate IT Forum members collectively believe that the triangle of trust around security is policy, enforcement and education. Obviously, individual organisations must decide how far they want to go with each of these, depending on the nature of the risk and its potential impact on the business. Read the full article

ISACA: Develop flexible IM guidelines

Any security technology that is developed for IM applications must be easy to use and, ideally, be as unobtrusive as possible. Read the full article

BCS: Mitigate risks with security awareness and access control

The first thing any company should do is to ensure they have a comprehensive set of acceptable use policies (AUPs) covering such things as IM, e-mail and internet access. They must also ensure that staff are aware of the various AUPs and sanctions for abuse of an AUP. Read the full article

ISSA: No silver bullet for instant messaging security

Introducing new communication channels for business also becomes a new delivery channel for malware and spam (or spim - spam over instant messaging). The popularity of IM is not lost on those that propagate such unwanted traffic. Read the full article

(ISC)2: Educate, monitor and block

My advice to companies would be to allow it internally, but to block any IM activity with the outside world. That way, the chances of connecting inadvertently with a stranger and disclosing company information, or of clicking on a malicious link, would be reduced. Read the full article

Gartner: Comprehensive web security

IT organisations must recognise that instant messaging (IM) is no more or less secure than any internet-facing application. It is really just one of the issues to consider when developing a comprehensive solution that will protect organisations from all types of Web2.0/internet threats. Read the full article


What qualifications, technologies, sectors and networking events should IT security professionals be looking at to help increase job security and further their careers?

BCS: Balance corporate needs with personal career aspirations

In the current conditions, employers are, rightly, pretty focused on performance and efficiency savings, and so it is important to be able to be strategic about balancing corporate needs with personal and future career aspirations. Read the full article

Isaca: Information security professionals must broaden their horizons

In these challenging times, it is prudent to take stock of where you are and make sure you are doing everything in your power to contribute to the success of the organisation you are working for. Read the full article

Issa: Building a profile is key to career progression

Clearly certifications can demonstrate a measurable difference between candidates, but where particular qualifications are seen as merely a baseline, inevitably a greater differential is required. Read the full article

ISF: Bridge the gap between IT and business to dodge layoffs

The profession is changing: there seems to be a bigger drive for consultants with a greater understanding of business (and how it works) and a need for people who can 'bridge the gap' between technology and business. Technology specialisms are also likely to be in demand. Read the full article

Gartner’s tips for furthering your IT security career

Gartner has seen a dramatic increase in programme maturity over the past 10 years. Tools are still important pieces of the puzzle, but scalable, repeatable processes are now at the centre of security programmes. Read the full article

(ISC)²: Keep your finger on the pulse and stay relevant

Currently there is a huge interest in cloud computing and all that involves. It is certain that businesses will want to take up this business model and that security professionals who understand the threats and vulnerabilities and have looked at ways of using this technology securely will be in demand. Read the full article


Are information security risks really increasing with offshoring and outsourcing and how can the IT security professional assess and mitigate the risk?

(ISC)2: Legal input is vital to meet data privacy challenge of outsourcing

When offshoring and outsourcing, it is more likely that data is made accessible to third-party vendors or other combined legal entities. For this reason, the involvement of legal professionals is paramount to understand processing and disclosure principles and policy. Read the full article

ISSA: Balance cost and risk for outsourcer information assurance

In the film Meet the Parents, the character played by Robert De Niro unveiled his new invention dubbed the nanny camera. It had a motion-activated camera positioned within a teddy bear that would record the babysitter for later viewing. Read the full article

BCS: Remember you are outsourcing process, not legal responsibility

Intuitively, the belief is that security risks are raised when outsourcing or offshoring. But, if you analyse it, I doubt that there is any real increase in risk, providing the vendor selection process is conducted properly and the results are fed through to the contract stage. Read the full article

ISF: Get in early to mitigate outsourcing data risks

Consistently the biggest information security problem associated with outsourcing has been in being late to the party. Finding out about the outsourcing deal after it had been signed, not being invited to participate in the vendor assessment process and realising that security was not part of the deal. Read the full article

ISACA: Reality check your outsourcing risk

This is of course something of a trick question, or should be. All organisations need to begin any risk assessment for existing outsourcing contracts from an operational risk perspective. Read the full article

Gartner: Define a process to protect data when offshoring

Offshore outsourcing is an emotive topic, and the security and privacy risks specific to offshoring can often be perceived, rather than real. Indeed, many companies have significant challenges managing security requirements with third parties regardless of location. Read the full article


Application security is a growing area of concern, but what can UK businesses do to ensure the applications they buy today are not going to be security threats of tomorrow?

Isaca: Build security into the entire software development life cycle

Application software is always going to contain flaws. The trick is to catch the mistakes as early as possible. read full article

ISSA UK: Defence in depth is key to application-level security

Having objective safety information is critical to the selection of a product that demands security for its users. For IT managers, such critical information for deciding which application is best for running the payroll is likely based on vendor assurances. read full article

Gartner: Technologies for application-level security

As attacks become more financially motivated and as organisations get better at securing their network, desktop and server infrastructures, there has been a shift in attacks to the application level. To address those new risks, several technology markets for application security have emerged. read full article


How can business ensure security technologies are aligned with work processes so that it is easy for end-users to do the right thing and not circumvent controls?

ISSA UK: Give users an alternative to breaking the rules

Unless you believe everything depicted in the TV show 24, employees are not recruited by foreign intelligence services, and data exfiltration is due to mistakes rather than malicious intent. read full article

ISF: Get processes right, and the security will follow
Many organisations still fall into the trap of selecting a security technology and then attempting to retro-fit a process around it. Often the resulting process is clumsy, encouraging users to make short cuts, or to simply perform tasks in a roundabout way. So, instead, reassess the problem in hand, design a new process and once that is right the appropriate security technologies should be easier to identify. read full article

BCS: Security must be compatible with working practices
Many security technologies do not appear to be effective because they do not fit in with the way people work. Users often ignore, avoid or circumvent anything that makes it difficult for them to do their jobs. And why would they not? read full article

Gartner: Raise awareness of security measures
Internet and IT risk have an impact on all employees, and controls required to mitigate these risks will inevitably constrain or hamper the activities of all users. A reality of human behaviour is that whenever controls are implemented that affect what people do, many of them will modify their behaviour in unexpected or undesirable ways. read full article

ISACA: Ensure employee buy-in to security measures
The two most significant factors that lead to employees circumventing security controls are lack of employee "buy in" to the controls and the absence of a good fit with "business as usual". read full article

(ISC)2: Accountability is key to security
Unfortunately the accountability of the user is yet to be well understood, which leads to error or justified flouting of the rules, often with management support, in order to get a job done. This presents a colossal task for the security manager to ensure employees understand the whys and wherefores of what is being asked of them. read full article


Full disk encryption is expected to be the top security technology to be tested or adopted this year, what are the challenges and benefits likely to be?

Assess your software- and hardware-based full disk encryption options

There are still plenty of people who believe that a strong Windows password will protect the contents of their laptop. However, the truth is that anyone with physical access to your laptop can also have full and unrestricted access to your data, unless you have encrypted the hard disk. Read the full article

Full disk encryption effective, but lost productivity needs to be addressed

Within large organisations, full disk encryption is already considered necessary to protect files and data - it is becoming an "as standard" technology and has been for some time. Indeed, in certain areas of the IT estate - such as laptops - encryption is now seen as 'unequivocal'. Read the full article

Benefits of full disk encryption lie in avoiding PR and compliance risks of breaching data

According to Forrester, full disk encryption will be the most piloted or adopted security technology in 2009. With national press now interchanging data loss stories with reports on an ailing housing market, this is hardly surprising. Read the full article

Increased mobility makes full disk encryption more important, but so is end-user policy management

The security officer is becoming increasingly aware of the importance of controls for end-user computing, writes Alessandro Moretti, co-chair of the (ISC)2 European Advisory Board, The Information. With end-users becoming more mobile thanks to the advances of technology, the numbers of laptops in an organisation is increasing. Read the full article

Business case must be well-managed to balance cost and benefits of full disk encryption

Full disk encryption (FDE) is expected to be the top security technology tested or adopted this year. There is little doubt encryption helps improve security. The issue that requires more thought on a case-by-case basis is that of desktops and the point at which the overhead becomes worth it. Read the full article

Realise the full benefits by encrypting hard drive and storage media

Full drive protection completely replaces the contents of a user's hard drive with an encrypted image. If this is combined with pre-boot authentication, a thief really has nowhere to start in breaking out the contents of the drive. Read the full article

Full disk encryption performance faster but easier interfaces still expensive

Full disk encryption (FDE) appears to offer an ideal solution to the increasingly publicised losses of data on laptops, CDs and thumb drives. By encrypting all the storage area on a device, FDE removes the need for an end-user to consider whether the information is protected. Read the full article


How secure is the current practice in virtualisation?

Information Security Forum: Leverage the benefits of virtualisation but in a secure way

The key driving force behind virtualisation is the promise of reduced costs resulting from server consolidation. read full article

Sapphire Technologies: Guard physical and hypervisor layers against unauthorised access

Virtualisation technology makes best use of available processor and memory resources. read full article

ISSA: Set up virtual machines with extra caution

The stampede to employ virtualisation shows no signs of waning in 2009. read full article

BCS: If you outsource your virtualisation, thoroughly check your provider's security

When you search for virtualisation, the results don't directly include security. read full article


Security as a service: how are the patterns of risk and reward changing?

(ISC)2: Higher rewards for the client mean higher risks for the security service provider

Overall, both the sum of risks and the sum of rewards stay constant, they are just distributed differently in the client-provider relationship. read full article

ISSA UK: Business rewards make risk worthwhile

The latest buzzwords are security as a service. The term refers to the delivery of traditional security applications as an internet-based service. It is not a new term, making its first appearance in 2001 when McAfee filed a patent for the delivery of security software as a service over the internet. read full article

ISACA: Careful implementation and management of security service is essential

Security as a service, if implemented and managed properly, can allow enterprises, and in particular the smaller business, to outsource essential security tasks for which they do not have the internal resources or the expertise. read full article

The Corporate IT Forum: Rewards outweigh security drawbacks

It is now over a year since we tested corporate attitudes towards outsourced security services and found that many Corporate IT Forum members were routinely outsourcing security functions such as spam management, e-mail virus and vulnerability scanning for external threats. We established that members felt comfortable and confident with the services provided, with many regarding them as cost-effective and sound business choices. read full article

BCS Security Forum: Managing the risk is essential when outsourcing security

In seeking to provide a detailed response for the above questions, views have been sought from the wide community of experts that make up the BCS Security Forum Strategic Panel (SFSP). read full article

Gartner: Poor implementation presents the greatest risk - failure

Security as a service can provide cost savings and accelerated implementation cycles, just as software as a service (SaaS). However, the “as a service” approach can fail if applied under the wrong circumstances using a poor implementation methodology. read full article


With the bank failures of recent weeks, more pending redundancies and a continuation of the downward slide, should we be concerned about lax security? Is someone minding the store while all this is going on or should we be doing something more when the banks are going bust?

BCS: Secure employee access to prevent insider threat

Even an organisation with very good security can find it is effectively more vulnerable than an organisation with poor security if it is going through a period of change, such as redundancies, cost-savings, mergers or outsourcing. read full article

(ISC)2: Guard business assets against increased threat

The value of business assets, (for example, intellectual property, client data and service availability, managed in-house or via third parties) does not diminish during a downturn. During such time, there is an increased emphasis on the identification of key business assets and the mapping of a formal, consistent, and proportionate security strategy. read full article

NCC: Beware employees' "exit strategies" during downturn

Even the most process-oriented institution hinges on the human components that carry the information systems through their lifecycles from conception to disposal. read full article

ISSA: Be vigilant of saboteurs' revenge cybercrime

The threat of sabotage to organisations from disgruntled existing or former employees is very real, and can have a large impact on organisations. read full article

Gartner: Drop in staff morale increases security threat

Organisations can expect to experience internal security problems as staff reductions in turn reduce morale. Undoubtedly, there will be malcontent about reductions in stock or bonuses, outsourcing or redundancy. read full article

ISACA: Don't let turmoil distract attention from security

While most enterprises in financial services have generally understood the need for high levels of security and have applied themselves to implementing and managing effective and appropriate security measures, there is little doubt that risk will have increased throughout and following any major market upheaval. read full article

ISF: Security is not primarily a technical issue

The great myth associated with information security is that the risks are primarily technical. However, practitioners in the trenches know better the greatest vulnerabilities organisations face are down to human behaviour. read full article


How do you protect from malware your mobile employees and customers, who lie beyond the network frontier?

ISSA: Traditional controls inadequate

There is a common misconception that because an organisation has anti-virus, it must be safe. read full article

Tif: Boundaries are blurring

The notion of a boundary existing between "locked down" IT systems inside the corporate network and everything else operating outside it does not make as much sense as it once did. read full article

ISF: Extend the security perimeter

By and large, corporates have solved the problem of protecting the security of workstations against malware in their own internal environment. read full article

ISACA: Constantly mutating challenge

The idea that enterprises have made great progress in locking down their infrastructure to protect end-users from malware may not be totally accurate. read full article

Gartner: Control devices and encrypt data

As new and improved technologies appear in the mobile markets, and are adopted by businesses, so new threats and attacks appear. read full article

BCS: Audit and educate

Attend the likes of InfoSec to ensure you are up to date with the latest products and then seek the advice of an expert consultant to help in cutting through the snake oil. read full story

NCC: It's all about layers

Working outside an organisation's physical domain brings certain responsibilities with it and the road warrior must take caution along in the kit bag. read full story


Has the government got the business case for ID cards right?

Royal Holloway: Benefits to the citizen have yet to be proven

In asking whether the government has got the business case for ID cards right, we need to understand precisely what that business case is. read full article

BCS: Now is the time for action

I don't need platitudinous diktat from government indicating that they are doing me a new favour. read full article

NCC: Be sure of making the complete case

ID cards are only part of the identity management solution - not the solution - nothing ever is. read full article

ISSA: ID cards - analyse the facts

Let's put emotion aside when asked about national identity cards and analyse the facts presented by the Identity and Passport Service. read full article

In view of the cyber-warfare dimension to the Russia-Georgia conflict, and the Chinese cyber-espionage ongoing against the west since c.2003 ("Titan Rain", and so on), how concerned should we in the UK be about state-sponsored hacking?

ISSA: The threat to the UK from cyber terrorism
What has the UK got to fear from hackers? read full article

NCC: The national threats from hackers
What could hackers realistically do to disrupt our national infrastructure, and how should government respond? read full article

(ISC)2: We know how to deal with the threat
There is much to fear from hackers, but using established security principles the UK government can deal with the threats. read full article

ISF: There is much to prepare for
Governments must be prepared for "blended threats". read full article

ISACA: The cyber-crime threat is difficult to measure
The cybercrime threat is very real, but dealing with it will be difficult. read full article

What tools can be used to prevent or mitigate employee wrongdoing?

NCC: Put your faith in standards
Implementing the right security standards is the best way to stop insider fraud. read full article

ISSA: Control is the key
You need to get the security fundamentals right, and then ensure your controls can be (and are) effectively enforced. read full article

ISF: Take a holistic approach
People, motive, opportunity and means: you need to cover all the angles if you're serious about protecting the organisation. read full article

Tif: Access management comes first
Sure, tools are useful, but only after you have identified which staff need which information, and you have processes in place that can deliver and control that access. read full article

(ISC)2: Protect controls as well as systems
Vigorous and independent audits are key in underpinning the controls that safeguard your systems against fraud. read full article

BCS: Management buy-in essential
Until the management of large organisations understands the need for the ongoing maintenance of IT security systems, and fully supports it, employees will continue to evade controls and commit fraud. read full article

Royal Holloway: Control the controllers
So what really happened at Société Générale? read full article


Social networking sites: what are the associated risks at a corporate and at an individual level?

Gartner: At-a-glance guide to social networking risks
Multiple worms and viruses have been introduced to various social network environments. Content distribution within a social network parallels peer-to-peer environments and can support rapid distribution of malware embedded in applications and graphics. read full article

BCS: Individual risks become corporate risks
As a result of the strong human desire to connect, social networking websites have encouraged online behaviour where security and privacy are not always the first priority. The key cause for concern is the late realisation of the open nature of the web and thus how much personal information has been left exposed to any passing stranger. read full article

Tif: Limit your liability from social networking
The main risk of social networking comes from the blurring of a participant's professional and personal profile. Very often, social networkers align themselves with professional networking groups that indicate clearly who employs them and what their job function is. Potentially, this can make it very easy for criminals to harvest information that can be used against them or their companies - so called "social engineering". read full article

NCC: Social networking security is a people issue
It is an enticing technology but few of the associated risks are really technology problems. It is no different from that old managerial adage of "less gob, more job". And heavy handed bans are unlikely to mitigate the risks. You may curtail the workplace access, but you cannot control the cybercafe or home PC without instilling staff with a risk-literate attitude. read full article

ISSA: Would you shout your details in the street?
The danger of giving too much information away on social networking sites is of significant concern. Even information that seems innocuous, such as date of birth and postcode, can be used for nefarious motives. How many times is this sort of information used as a challenge when speaking to a call centre operative to prove your identity? read full article

ISF: A greater social networking threat on the horizon
Last year, Facebook purchased Parakey, a start-up from two of the creators of Firefox that promises a web-based operating system designed to bridge the gap between desktop and web and make it easier to move content between the two. How long will it be before one of these sites gives simple remote access from PC to PC? read full article

(ISC)2: Policies hold key to social networking security threat
The rapid take up of social networking sites offers cyber criminals and mischief makers a new large target. Remind colleagues not to use any workplace e-mail addresses or passwords on these websites. Many of these websites do not encrypt user log-on details. Passwords and user IDs transmitted in clear text across the public internet are subject to possible interception or compromise. read full article


Indications are that remote working was able to reduce the financial impact for those companies that have enabled it, but very few small and medium businesses have the budget or technical ability to implement and manage secure virtual private networks (VPNs) with sophisticated network access control.

Remote working - how risky is it and what can small businesses do to enable it securely?

ISACA: Low-cost and secure remote working is achievable for SMEs
Remote working is commonplace in the corporate world, but many small businesses have still to take advantage of a secure method to permit their staff to connect back to the office when they are working at home or travelling. Whilst there are low-cost, adequately secure alternatives, small businesses are generally unaware of the technology or the risks of a poor implementation. read full article

ISSA: Remote working is not all or nothing
Remember looking out of the window and being greeted with a blanket of snow? The very hint of no school and a day in the snow is every kid's dream. This attitude changed one day, and the only thought was the impending journey into work because a day out of the office is surely unthinkable. For many organisations, the feeling of an enforced day out of the office is translated into a day of inactivity. Without the technology to pick up e-mail, access information, or even change face to face meetings into conference calls, the merest hint of snow could have CEOs clambering for the keys to the snow plough. read full article

(ISC)2: Remote working need not be feared
Remote working should be encouraged and embraced, not feared, in companies where the actual work can be done remotely. read full article

ISF: Remote working is a challenge for companies of all sizes
Even large organisations struggle to secure remote working - and that is with multi-million pound budgets, 24x7 support and dedicated technical teams. Small businesses are exposed to the same risks, may not have any of these controls, yet would still like the flexibility and convenience that remote working offers them. read full article

Gartner: SMEs at risk from casual remote working practices
Most organisations have remote workers, whether teleworkers working from a home office, or mobile workers who work from a variety of locations. However, some organisations do not know who is working remotely, how much of the time, or which tools and services they need. This creates not only business risks, but potential IT security risks, as no defined and agreed mechanism is in place for ensuring that the right people gain access to the right corporate resources securely. read full article
