July 5, 2008

How many laptops go missing?

A recent Dell-sponsored survey carried out by the Ponemon Institute suggests that more than 10,000 laptops go missing each week at 36 of the largest US airports, many stolen at security check points.

Quite apart from the disturbing fact that security check points are clearly a magnet for thieves, it's interesting to note that around two thirds of lost laptops are not reclaimed, and that more than half of them contain confidential company data, two thirds of which have no security protection.   

I've mentioned before that my experience is that a typical organisation can expect to lose up to 5% of its laptops per year, though this figure can be reduced substantially by smart, educational initiatives. I don't know how many travellers with laptops went through these airports, but I'd hazard a guess that it must be a few million a week, suggesting a loss rate per journey of the order of one in a few hundred. For an executive who makes 20 flights a year, that adds up to a loss rate of around 5% per year.

These are consistent but disturbing figures, demonstrating that too many executives are careless, and why organisations need to do more to secure the data on their laptops.

June 30, 2008

In search of better Identity Management

Last week I met up with Microsoft to catch up with their progress in developing a better, user-centric identity infrastructure.

Microsoft's journey started with an ambitious but ill-fated venture called Hailstorm, which aimed to implement a secure, global identity system, but misjudged the marketplace. The post mortem prompted Kim Cameron, a Microsoft architect, to develop a set of principles called the Laws of Identity that attempted to set out the key requirements of global identity systems.

Now I'm not fully convinced that these laws are all necessary or sufficient to deliver effective identity management solutions. But they're a step in the right direction and a huge improvement on earlier concepts such as Microsoft Passport.

Of course it's one thing to evangelise about principles, and another one to build products that meet them. How far is Microsoft from achieving this vision? 

Well they've certainly come a long way. Recent announcements about Windows CardSpace, and their acquisition of Credentica, whose technology enables user control over identity information, demonstrate that the pieces of this jigsaw are coming together. Microsoft is clearly serious about making the concept of a privacy-enabling, interoperable, global identity system a reality.

The next question is whether it will catch on. Even the most perfect products can sometimes fail to catch the imagination of the marketplace. And technology alone cannot solve the identity problems of today's business. We need a lot more work on collaborative architectures and processes. But I wish them well because they've clearly gone to enormous lengths to establish, debate and promote the principles behind the technology. 

June 26, 2008

Changing Security Culture

The recently published Poynter report on the loss of HMRC discs containing personal details of 25 million citizens confirms what most of us already suspected. Security is not taken seriously enough across many public sector organisations. It's a combination of a culture that has been allowed to grow up, as well as a failing in governance, i.e. a lack of strict targets and conformance audits to identify and correct failings.

Surprisingly there is no mention of the need for accredited certification, which is the only reliable fast-track means of enforcing security standards. The other much-needed solution is a sophisticated behaviour change programme. I say "sophisticated" to distinguish what's needed from the run-of-the-mill, half-hearted security awareness campaigns that we often see mounted in large organisations. This problem needs more serious attention, a campaign more akin to the efforts made in the nineties to eradicate crime in New York City. 

How should we go about this? Well I'm afraid you'll have to wait for my soon-to-be-published John Wiley book on managing the human factor in information security. I'm hoping it will be out early in the New Year. It will contain lots of theory, tips and practical methods for transforming security in organisations. Watch this space. 


June 23, 2008

The solution needs to fit the problem

Today's press reports that Councils in England have been urged to review the way they use surveillance powers to investigate suspected crime. The suggestion is that they should not be used for trivial offences, such as dog fouling.

The problem is that for every person who objects to surveillance powers being extended, there seems to be at least one who wants to see them used to catch litter bugs and dog foulers.

Council actions tend to reflect the demands of citizens. Most people write to them about trivial offences that irritate them, rather than bigger problems such as terrorism and organised crime.

As Alun Michael MP correctly points out in his excellent presentations on Internet Governance, when it comes to solutions to crime, one size does not fit all. What we need to tackle serious crime is rarely effective for more trivial offences.

Interception laws were not designed with dog fouling in mind. We need solutions more in keeping with the problem.  

June 20, 2008

The next big threat

I've just been informed that a recent video interview with me on Sarb Sembhi's excellent Virtually Informed site has been voted "Answer of the Month for May". It's my response to the question "Where will the next threat come from?"

In my view it's attacks on integrity of data that will be the next big concern. We don't see many of these attacks, so we don't do as much as we should to defend the integrity of our intellectual property. But the impact of even a small change to a database can be hugely damaging to services, confidence and reputation.  

The focus of our e-Business security has only in recent years switched from availability to confidentiality. The next focus will be integrity. 

June 16, 2008

Future security architecture

Last week I was fortunate to catch an excellent presentation at GC 2008 by Martin Sadler, Director of HP Labs' Systems Security Lab, on the future of security and identity management.  

If you haven't been tracking this topic then I suggest you check it out. For several years HP and others have been doing some excellent research on how to develop a secure architecture that enables a client platform to run multiple applications of varying sensitivity and risk, whether business or personal.

The future solution, if it can be realised, is to maintain a single client platform with a secure firmware base that can switch between numerous operating system environments, each dedicated to a particular set of activities. This would enable you to separate your business, personal, banking and other operations, reducing the risk to business systems from personal use and reducing the exposure of those systems to phishing.

This approach also transforms the nature of identity management. You can have as many individual personas as you wish. It sounds perfect. But there is one further challenge. The firmware has to be bullet-proof. A single flaw can undermine the whole concept. Let's hope HP can get this right.

June 15, 2008

Security culture in Government

The recent confidential document breaches by UK Government officials have prompted observers such as Dame Pauline Neville-Jones to suggest that there is a "culture of carelessness". Is this true? And what can be done?

Certainly it would appear that standards of security behaviour have been slipping. It's unlikely that today's breaches would have happened in the past. People handling highly classified material took security very seriously during the cold war.

Things have changed since then. The threat is different today. Civil servants are unlikely to feel they are being watched or tailed by hostile intelligence services. The perceived impact of disclosure is much less than it used to be. And information today is circulated in a much more open way.

Such changes in context act as subtle but powerful cues for the behaviour of staff. We need to introduce new rules, responses and motivators to alter their perception. Security culture can be changed. But only by visible acts, not by demands, policy or wishful thinking.

June 13, 2008

In search of the spirit of Bletchley Park

I'm watching with interest to see how long it takes for the security community to develop an antidote to the latest version of the Gpcode virus which encrypts files using strong encryption.

A week ago, researchers at Kaspersky called on the community to help crack the 1024-bit RSA key. That's a tall order. But I never underestimate the power of the network to harness processing or thinking power to find a solution. During the Second World War, Bletchley Park always managed to bounce back from every major setback.

You can follow the progress on this forum.


June 12, 2008

Intrusion detection is alive and well

I met up this morning with Marty Roesch, founder and CTO of Sourcefire and creator of Snort, the open source intrusion detection engine. It's always a delight and a privilege to meet Marty. He's one of the nicest and most enthusiastic technologists on the security scene, and he's been incredibly successful in rapidly building a business worth a few hundred million dollars on the back of an open source product. And Marty's not in it just for the money. He's just rejected a $187 million takeover bid.

Gartner Group has rated the Sourcefire product range as the most visionary in the solution space. It's not surprising. It's built on a solid engine and it has a powerful user-centric set of features. Several years ago, Gartner Group said IDS was dead. They could not have been more wrong. But they were looking at early, clunky products, not the flexible products of today, with sophisticated risk-based, programmable rules and intelligent dashboard reporting. 

I generally get bored listening to technology vendors. They often lack insight into the problem space and innovation in the solution space. But Marty is different. He understands the importance of visibility, context and integrity, the three most important emerging issues in information security.

If you can't see what's happening across your infrastructure, then it's out of control. And if you don't appreciate the context of what you see, then you'll draw the wrong conclusions. And of course if you can't detect changes to data, systems and infrastructure, then you're not able to detect and recover from attacks.
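Both this post and "The next big threat" above come back to the same practical point: you cannot recover from an integrity attack you cannot detect, and a one-record change to a database is easy to miss. The following is an added example (my own illustration, not Sourcefire's or Snort's code) of the simplest useful form of change detection: hash every file under a tree, seal the baseline with an HMAC so that an attacker who can edit the data cannot also quietly edit the record of what the data should be, and report what was added, removed or modified. The directory contents and the key are constructed for the demonstration.

```python
"""Added example: file-integrity baseline with an authenticated manifest."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample tree standing in for "data, systems and infrastructure".
SAMPLE_TREE = {
    "etc/app.conf": b"listen=443\nmode=prod\n",
    "www/index.html": b"<html>hello</html>",
    "db/customers.csv": b"id,name\n1,alice\n2,bob\n",
}


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def seal_baseline(snap, key):
    """Serialise the snapshot and attach an HMAC so a tampered baseline is detectable."""
    body = json.dumps(snap, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"manifest": body.decode(), "hmac": tag}


def load_baseline(sealed, key):
    """Verify the HMAC before trusting the manifest; refuse a forged or edited one."""
    body = sealed["manifest"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline manifest failed authentication")
    return json.loads(body)


def diff_snapshots(baseline, current):
    """Return added, removed and modified paths, each as a sorted list."""
    base_paths, cur_paths = set(baseline), set(current)
    added = sorted(cur_paths - base_paths)
    removed = sorted(base_paths - cur_paths)
    modified = sorted(p for p in base_paths & cur_paths if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def write_tree(root, tree):
    """Materialise the constructed sample tree on disk."""
    for rel, data in tree.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Baseline a tree, make a small silent change to the database and detect it."""
    key = b"constructed-demo-key-keep-the-real-one-off-the-monitored-host"
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, SAMPLE_TREE)
        sealed = seal_baseline(snapshot(root), key)

        # Simulate an integrity attack: one edited record, one dropped file, one new file.
        with open(os.path.join(root, "db", "customers.csv"), "wb") as f:
            f.write(b"id,name\n1,alice\n2,bobby\n")
        os.remove(os.path.join(root, "www", "index.html"))
        with open(os.path.join(root, "www", "shell.php"), "wb") as f:
            f.write(b"<?php ?>")

        report = diff_snapshots(load_baseline(sealed, key), snapshot(root))

        # An attacker who edits the baseline to hide the change breaks the HMAC.
        forged = dict(sealed, manifest=sealed["manifest"].replace("customers", "custs"))
        try:
            load_baseline(forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return report, forged_rejected


if __name__ == "__main__":
    print(demo())
```

The HMAC key is the part that matters for the "context" point: if it lives on the same host as the data, whoever changed the data can re-seal the baseline too, so in practice the baseline and key are kept off-box and the comparison is scheduled from there.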

Contextualisation is one of Marty's terms. Not as catchy as de-perimeterisation but equally important. We need to understand the context of risks and events. We need to appreciate the contextual limitations of systems and infrastructure. And, increasingly, we need to recognise the context of the information itself. Smart use of technology is essential to achieve this.


June 10, 2008

Yet another data breach

This time it's the credit card details of up to 38,000 customers of clothing retailer Cotton Traders that have been stolen, according to BBC News.

The firm claims to have upgraded its security. It's tough for those who might have been affected. But it makes you wonder whether you're better off with a company that's been hit and sorted itself out, or one that has yet to be caught out.

Certainly I'd be more comfortable in future dealing with Cotton Traders. It will be interesting to see how the market responds.
