September 4, 2008

Coming to terms with the Insider Threat

Yesterday I attended a FASTtalk CEO round table on "The Threat from Within". It's interesting how important this subject has become following the spate of high profile data breaches over the last year. The threat has always been there, in fact, but the level of risk has increased substantially.

Potential spies, fraudsters and information brokers are always lurking in our organisations. They just don't show themselves. But decades of progressive centralization, mergers and outsourcing have now made huge amounts of valuable data available to ordinary staff and contractors. It's like putting large amounts of cash in the hands of ordinary people. The potential for error and the temptation to steal is so enormous that visible breaches are inevitable.

But incidents and risks have been building for many years. We just haven't noticed them because incidents haven't been properly uncovered, recorded or publicised. Organisations lose hundreds of laptops a year. Large procurements attract fraud. And valuable trade secrets attract espionage. It's a healthy sign that at last we're beginning to recognise these unpalatable facts.


August 29, 2008

Offensive strategies

You can tell it's still the silly season for news, when items about the science of fly swatting hit the front pages of broadsheet newspapers.

At first glance, it seems a trivial story. On second thoughts, it occurred to me that this might give an insight into strategies for dealing with irritating fraudsters or hackers. So I took a closer look.

This is serious research by a top Caltech Professor, funded by the National Institutes of Health and the National Science Foundation. The paper "Visually Mediated Motor Planning in the Escape Response of Drosophila" will be published August 28 in the journal Current Biology.

Professor Michael Dickinson used high-resolution, high-speed digital imaging of fruit flies faced with a looming swatter to study how flies avoid swatters. He seems to have concluded that flies see you coming and move out of the way. And he concludes that the best method for swatting a fly is to wait for it to land, approach it from behind and aim a bit forward of where you anticipate the fly is going to jump.

As Basil Fawlty put it: "Can't we get you on Mastermind...specialist subject: stating the bleeding obvious..."

August 28, 2008

It's always two steps forward, another step back

Security technology has a habit of replacing the problem that it solves with an entirely new one. Encryption, for example, hides your data from others, but that also includes the user if he forgets the key. So we put in a PKI to manage all the keys, and that introduces a raft of other new problems. And so it goes on.

The latest idea for solving man-in-the-middle attacks is an ingenious solution from Carnegie Mellon University, called Perspectives. This looks very interesting, as it's claimed to be simple and cheap. Essentially it uses a network of "notaries" that independently connect to the web sites you visit and check that the public key each site presented to them is consistent with the one it sent to you.

This of course raises a privacy issue. The notaries, which might be universities, will have a lot of information on IP addresses and web activity. I hope they have an answer that's more than simply asking the notaries nicely to avoid recording client IP addresses.
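The notary consistency check described above, reduced to a worked example. This is added illustrative code, not code from the Perspectives project: it assumes a simplified policy in which a client trusts a key only when a quorum of notaries currently sees the same key and that quorum has held for a minimum number of days. The names (`Observation`, `Verdict`, `check_key`), the notary histories and the key fingerprints are all constructed for the example.

```python
import math
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observation:
    """One notary's record of the key a host presented over a time span."""
    fingerprint: str   # digest of the host's public key; all values below are constructed
    first_seen: date
    last_seen: date


@dataclass(frozen=True)
class Verdict:
    status: str        # "trusted", "too_new", "mismatch" or "no_consensus"
    agreeing: float    # fraction of notaries currently seeing the client's key
    quorum_days: int   # days for which a quorum of notaries has seen that key


def current_view(history, today, max_staleness_days=2):
    """Map each notary to the key it saw most recently, dropping stale records."""
    view = {}
    for notary, observations in history.items():
        latest = max(observations, key=lambda o: o.last_seen)
        if (today - latest.last_seen).days <= max_staleness_days:
            view[notary] = latest
    return view


def quorum_days_for(observations, today, needed):
    """Days since at least `needed` of these observations were all in place.

    Each observation is treated as continuous from first_seen to last_seen, so
    the quorum has held since the `needed`-th earliest first_seen date.
    """
    if len(observations) < needed:
        return 0
    starts = sorted(o.first_seen for o in observations)
    return (today - starts[needed - 1]).days


def check_key(client_fp, history, today, quorum=0.75, min_quorum_days=7):
    """Decide whether the key the client received matches the notaries' view."""
    view = current_view(history, today)
    total = len(history)            # notaries that did not answer count against quorum
    needed = math.ceil(quorum * total)

    agreeing = [o for o in view.values() if o.fingerprint == client_fp]
    fraction = len(agreeing) / total if total else 0.0
    days = quorum_days_for(agreeing, today, needed)

    if len(agreeing) >= needed:
        status = "trusted" if days >= min_quorum_days else "too_new"
        return Verdict(status, fraction, days)

    # The client's key lacks quorum: does the notary network agree on another key?
    by_key = {}
    for o in view.values():
        by_key.setdefault(o.fingerprint, []).append(o)
    for fp, obs in by_key.items():
        if fp != client_fp and len(obs) >= needed:
            return Verdict("mismatch", fraction, 0)   # likely interception or spoofing
    return Verdict("no_consensus", fraction, 0)


# Constructed histories for one hypothetical host (no real data).
TODAY = date(2008, 8, 28)
KEY_2007 = "sha256:constructed-old-key-0001"
KEY_2008 = "sha256:constructed-current-key-0002"
KEY_ROGUE = "sha256:constructed-rogue-key-0003"
KEY_ROLLED = "sha256:constructed-new-key-0004"

NOTARY_HISTORY = {
    "notary-a": [Observation(KEY_2007, date(2007, 6, 1), date(2007, 12, 31)),
                 Observation(KEY_2008, date(2008, 1, 1), TODAY)],
    "notary-b": [Observation(KEY_2008, date(2008, 2, 10), TODAY)],
    "notary-c": [Observation(KEY_2008, date(2008, 3, 1), TODAY)],
    "notary-d": [Observation(KEY_2008, date(2008, 1, 1), date(2008, 8, 27))],
}

# Same host one day after a legitimate key rollover.
ROLLOVER_HISTORY = {
    n: [Observation(KEY_2008, date(2008, 1, 1), date(2008, 8, 27)),
        Observation(KEY_ROLLED, date(2008, 8, 27), TODAY)]
    for n in ("notary-a", "notary-b", "notary-c", "notary-d")
}

# Notaries split evenly between two keys, e.g. a host behind inconsistent load balancers.
SPLIT_HISTORY = {
    "notary-a": [Observation(KEY_2008, date(2008, 1, 1), TODAY)],
    "notary-b": [Observation(KEY_2008, date(2008, 1, 1), TODAY)],
    "notary-c": [Observation(KEY_ROLLED, date(2008, 1, 1), TODAY)],
    "notary-d": [Observation(KEY_ROLLED, date(2008, 1, 1), TODAY)],
}

if __name__ == "__main__":
    print(check_key(KEY_2008, NOTARY_HISTORY, TODAY))     # trusted, seen 200 days
    print(check_key(KEY_ROGUE, NOTARY_HISTORY, TODAY))    # mismatch
    print(check_key(KEY_ROLLED, ROLLOVER_HISTORY, TODAY)) # too_new
    print(check_key(KEY_2008, SPLIT_HISTORY, TODAY))      # no_consensus
```

The "too_new" verdict is what makes this approach tolerable for operators: a genuine key change is not branded an attack, it simply has to be observed consistently for a while before clients rely on it. The model also shows where the privacy concern comes from, since every call to `check_key` corresponds to the client telling each notary which host it is about to visit.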


August 27, 2008

Reported breaches will keep growing and growing

It's essential to keep abreast of surveys of security incidents. They provide a small glimmer of visibility on what's essentially a dark hidden area. There are a few reasons why we're kept in the dark. A lot of enterprises don't report incidents. Most don't keep track of them. And many simply don't know about them.

Last week, the Identity Theft Resource Center (ITRC) reported that the total number of incidents that could lead to identity theft on their 2008 breach list had already surpassed the final total of 446 reported in 2007. That's clearly an under-estimate for all of the above reasons. And each reported breach might have actually affected dozens of different businesses.

This trend will continue upward as we get better at detecting, tracking and reporting incidents. Espionage and fraud have been going on inside companies for decades, but they're largely undetected. I've always operated on the assumption that any call centre with valuable information will be riddled with people selling information, that any large procurement contracts will attract information brokers, and that any unencrypted transmissions of sensitive information can be read by governments. And I'm not paranoid, just streetwise.

August 22, 2008

Achieving a security culture change

The latest reported loss of 84,000 unencrypted confidential Home Office records by PA Consulting illustrates the massive challenge of eradicating bad security practices across Whitehall. Massive publicity and waves of security reviews have clearly not made sufficient impact on day to day operations.

We need to take a whole new approach to security culture. It can be done. But not by diktat. It requires a more emotional engagement with people and a major programme of change. It also requires that security education and oversight extends as far as the risks extend, in this case to contractors.

Watch out for an article by me on organisational culture change in September's Infosec magazine.

Postscript - Infosec magazine now tell me that this feature has been held over until October. You'll have to wait a little longer.


August 18, 2008

Irresponsible disclosure

The arguments continue about the recent court order by the Massachusetts Bay Transportation Authority to prevent MIT researchers from revealing flaws in the security of its e-ticketing system. It makes me wonder about the motivations behind contemporary research.

The real debate should not be about freedom of speech. It should be about why university research is wasted on attempts to find flaws in other people's operational systems, rather than developing useful security solutions. We all know that no system is foolproof. They all rely to some extent on security by obscurity. And you can't fix deep-seated flaws overnight. It's bad enough having a community of criminals looking to exploit ways to circumvent them. We could do without universities helping them.

August 13, 2008

The real Security 2.0

I note that my fellow blogger Stuart King has been speculating on security topics for 2009. It's natural in his line of business. His company organises many international security events. Stuart sees little progress in getting to grips with existing problems, never mind new ones. But he does see a lot more focus on the people side of the problem.

I fully agree with that. We need to give much greater attention to security awareness and other human factors. The problem is that we haven't seen much in the way of products, services, methods or advice to help security managers with managing the people side. Understanding where to start is a real challenge for most organisations. Most of the things we really need to do are new concepts for security managers. And there aren't many good practices out there.

But two things are certain. Firstly, the way we currently go about educating staff is not fit for purpose. There is scope for a massive improvement. It must change. And, secondly, the return on investment from cutting incident levels is substantial. So it's worth spending more time and money on education.

The lack of guidance on the subject was the main driver for encouraging me to write my new book "Managing the Human Factor in Information Security", to be published by John Wiley in January 2009. Amazingly, you can even order it now over Amazon, though the manuscript is not yet finalised. In the process of writing this book I've assembled a large body of theory and practice, which convinces me that we can, and should, transform the way we manage the people side of security. We need no less than the equivalent of a Security 2.0 solution. And I don't mean the Symantec product of that name. I mean a new kind of security, one with a much stronger focus on people and their relationships.


August 10, 2008

Why we really do risk management

It's encouraging to see the Cabinet Office publish a National Risk Register, which sets out the Government's assessment of the likelihood and potential impact of a range of different risks that may directly affect the UK. It's primarily designed to increase awareness.

The problem with risk registers is that when you combine risks at such a high level, they become so generalised and vague that they fail to serve much of a useful purpose. Take the section on electronic attacks, for example. It states that:

"The risk and impact of electronic attacks on IT and communication systems varies greatly according to the particular sectors affected and the source of the threat... There is a known risk to commercially valuable and confidential information in some government and private sector systems from a range of well resourced and sophisticated attacks."

That's not much use to anyone. But the fault is not with the Cabinet Office. It's the flawed process of risk management, which takes elaborate views of threats and exposures and shoe-horns them into an oversimplified set of categories, losing all the richness of the original assessment. It's clearly a process that's designed to tick a compliance box, not deliver a business benefit.


August 4, 2008

Data leakage prevention

I see that McAfee has announced that it's buying Reconnex, a data loss prevention firm, for $46 million. It's the latest in a line of similar acquisitions by rival security vendors.  

Data loss prevention seems to be the hot new technology focus. Content monitoring has taken over the spotlight from firewalls and intrusion prevention. That's in line with my long-standing prediction that in the future, dynamic information flows, rather than static data stocks, will be the primary focus of information security. 

Technology can help prevent data leakages. But it will only work if people take the trouble to apply it and use it properly. We have the same problem with corporate policy. We can set out the rules, but managers don't have the time to read and absorb them. And even if they did, they're unlikely to have the time, budget or resources to enforce them. 

Effective prevention of data leaks needs to start with good security awareness, and the encouragement of a more sophisticated security culture. Not the old fashioned one that locks everything away from prying eyes. But one that appreciates the benefits of information sharing, yet, at the same time, also addresses the associated risks. That's the real challenge for data loss prevention.


July 30, 2008

Cyberspace profiling

I'm always fascinated by anything new on the topic of criminal profiling, the so-called "third wave" of investigative science. Geographical profiling, in particular, is surprisingly effective. So I was highly interested to read about the latest research going on at Queen Mary, University of London, which is studying the foraging habits of bumblebees to gain an insight as to how serial criminals might select their targets. Both bees and criminals, for example, tend to maintain buffer zones around their residences to avoid attracting attention. And both limit their travel to reduce cost or effort.

Profiling for cyberspace-based criminals requires a different set of metaphors and criteria. But it's a powerful tool that we need to develop a lot more. And it's the right approach for the crime. Because the best response against cyber attacks is to use the network and its data against the attacker.
