Jumping to conclusions

| No Comments | No TrackBacks
| More

I've written before about the continuous growth in spin, FUD and disinformation that we can expect to experience in the Information Age. It's a natural and inevitable consequence of networks. Rumours and misunderstandings can also be triggered or spread by exaggerations or innocent misinterpretations of facts.   

A typical example in the information security world is the recent press reporting of the claim that malware may have been a contributory cause of a fatal Spanair crash that killed 154 people two years ago.  Reading the initial reports in popular security blogs and online magazines provides an entirely different picture from the more considered, specialist analysis.

The lesson is that we should all think twice before jumping to conclusions from sensational press reports. The truth is out there somewhere, but it's getting increasingly hard to find.

Hardware security hits the road


However smart or daft you think Intel might be to pay a hefty premium of 60% to buy McAfee, there's no doubt that this $7.7 billion acquisition represents a major event in the security solution space. It's worth considering for a moment the underlying logic and consequences of this surprising move.

Business fashion is clearly a factor. The pendulum is swinging towards vertical technology companies, after decades of horizontal specialization. Of course, this might be no more than this year's fad. Pendulums eventually swing back, whether driven by customer preferences or vendor ambition. The pendulum for outsourcing, for example, has just swung from mega-sourcing to multi-sourcing. That trend's clearly going the opposite way.  

Financial circumstances must have a bearing. Intel has a huge amount of cash and, like anyone else in that position, will be struggling to find decent investments that can meet their appraisal criteria. McAfee also has a higher profit margin, which might enhance Intel's P&L account, at least in the short term. These considerations, however, are more of a supporting argument than a driver for the acquisition.   

In fact the real motivation behind the deal is an initiative to embed more security in hardware. Intel confidently believes that McAfee's security technology will help create "hardware-enhanced security." They see security as the "third pillar of computing devices" (in addition to power efficient performance and Internet connectivity). This is a great idea in theory. It will help build the higher assurance solutions we need for the future, and help us shoe-horn security into the growing multitude of non-PC, Internet-connected devices. Intel and McAfee are reported to have been working on such developments for some time. 

No doubt other chip makers will be thinking on the same lines. But why pay over the odds for a company when you can simply partner? And why pick an aging software security company, dominated by an overriding commercial interest to milk a fat cash cow? McAfee themselves claim that they have the "core security DNA" to help develop Intel's future security capability. The problem is that contemporary security technologies are not the best basis for responding to emerging security challenges. Many have reached their sell-by date. Some never delivered on initial promises. Security vendors have yet to satisfactorily solve yesterday's problems, never mind tomorrow's challenges. 

In an ideal world, we would ditch our clunky legacy solutions and develop better technologies. But innovation is thin on the ground in a security market that seems content to adopt common practices that often fall well short of the best available. Users prefer familiar concepts to experimental ones.   

Past experience of security acquisitions by large vendors has also demonstrated high risks of culture clash, restructuring pains, and a loss of momentum in further product development. Smart, innovative competitors can benefit from these distractions. Large companies are less agile than smaller ones.    

But new developments in hardware security will require a solid security base, and McAfee can bring this to the table. The real enabler for hardware security, however, is trusted computing, and the foundations are already out there in the form of hundreds of millions of TPM chips in laptops and servers. Exploitation of this capability is still in its infancy, but that will come with time. Many laptops are now shipped with self-encrypting drives, which keep the encryption key inside the drive controller rather than in host memory and avoid the performance cost of software encryption, yet few laptop purchasers seem aware of this. And when skilfully combined with virtualization technology, trusted computing offers tremendous opportunities for innovative security solutions.
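Few purchasers know whether the drive in front of them is a self-encrypting drive at all. As an added example (my code, not anything from the original post or from Intel, McAfee or Wave Systems), here is one way to find out on Linux: parse the output of `hdparm -I`, which lists the drive's ATA feature sets, and report whether the TCG "Trusted Computing feature set" (the hook that Opal self-encrypting drives expose) is advertised and what state the ATA Security feature set is in. The `sed_status` function and the sample output are mine; the sample is constructed rather than captured from a real drive, and uses spaces where hdparm prints tabs.

```shell
# Added example: classify a drive from `hdparm -I` output.
# Usage on a real machine:   hdparm -I /dev/sda | sed_status
# Prints one line, e.g.:     tcg=yes security=supported enabled=no frozen=no locked=no
#
# Assumptions (mine, not the post's): Linux, hdparm's English output layout,
# in which "Commands/features:" lists feature sets and the "Security:" section
# holds indented lines reading "supported", "enabled"/"not enabled",
# "locked"/"not locked" and "frozen"/"not frozen".

sed_status() {
    awk '
        # Any drive that lists this feature set speaks TCG (Opal/Enterprise),
        # which is what a self-encrypting drive uses for locking ranges.
        /Trusted Computing feature set/ { tcg = "yes" }

        # Enter the ATA Security section; leave it at the next top-level
        # heading (a line that starts in column 1).
        /^Security:/          { insec = 1; next }
        insec && /^[A-Za-z]/  { insec = 0 }

        # Inside the section, hdparm prints "not<tab>enabled" when a flag is
        # clear and just "enabled" when it is set.  Lines such as
        # "supported: enhanced erase" carry a colon and are deliberately
        # not matched.
        insec && /^[[:space:]]+supported$/                 { sup = "supported" }
        insec && /^[[:space:]]+not[[:space:]]+enabled$/    { en = "no"; next }
        insec && /^[[:space:]]+enabled$/                   { en = "yes" }
        insec && /^[[:space:]]+not[[:space:]]+frozen$/     { fr = "no"; next }
        insec && /^[[:space:]]+frozen$/                    { fr = "yes" }
        insec && /^[[:space:]]+not[[:space:]]+locked$/     { lk = "no"; next }
        insec && /^[[:space:]]+locked$/                    { lk = "yes" }

        END {
            printf "tcg=%s security=%s enabled=%s frozen=%s locked=%s\n",
                (tcg ? tcg : "no"), (sup ? sup : "unsupported"),
                (en ? en : "no"), (fr ? fr : "no"), (lk ? lk : "no")
        }'
}

# Constructed sample of hdparm -I output (not captured from a real drive).
SAMPLE_HDPARM="$(printf '%s\n' \
'/dev/sda:' \
'' \
'ATA device, with non-removable media' \
'Commands/features:' \
'    Enabled Supported:' \
'       *    SMART feature set' \
'       *    Trusted Computing feature set' \
'Security: ' \
'    Master password revision code = 65534' \
'        supported' \
'    not  enabled' \
'    not  locked' \
'    not  frozen' \
'    not  expired: security count' \
'        supported: enhanced erase' \
'Checksum: correct')"

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_HDPARM" | sed_status
```

Two caveats a practitioner would want. First, `tcg=yes` only tells you the drive can do hardware encryption; an Opal drive encrypts the media all the time, but until a locking range has been configured and activated it hands the data to whoever powers it on, so the line above says nothing about whether the laptop is actually protected. Second, hdparm only sees the ATA Security password state; querying the Opal locking state itself needs a TCG-aware tool (the open-source `sedutil-cli --query` is the one I would reach for, which is an assumption about what is installed, not something the post discusses).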

So hardware security is certainly coming our way, though it might not take the form initially suggested by an Intel/McAfee merger. In fact, a smarter and cheaper option for a chip manufacturer might be to buy Wave Systems, a security vendor specializing in hardware-based trusted computing solutions.

Trends in threats


The latest Kaspersky Labs analysis of Information Security Threats in the Second Quarter of 2010 is essential reading. It's by far the best of the vendor research summaries of malware trends.

This edition has an interesting section on the ZeuS Trojan, as well as some interesting observations on the growing threat to non-Windows platforms. Most interesting, however, are the remarks about the low level of attacks on Australian machines, which is attributed to the fact that ISPs down under refrain from providing Internet access to computers without antivirus protection or a firewall installed. It's a lesson for the rest of the world.

Trends in education


The bad news about UK education is that computing is going out of favour. The good news is that psychology is booming. Tomorrow's employees might have less ability to program a computer, but they'll be better equipped to understand customers and to manipulate public opinion. That's a step in the right direction for information security management: we only need a small number of expert technologists, but we need an army of good communicators. 

Security awareness in different cultures


I've been off the air for several weeks, enjoying a seasonal break, and also working in the excellent Sultanate of Oman. (I have to admit that Muscat is one of my favourite locations, whether for business or pleasure.)

I find it interesting to compare and contrast the differences in information security emphasis and skills across the world. In the USA, for example, it's clear that technology rules. In the UK, process is King. (Our legacy to the world is ISO 27000.) In the rest of the world, however, it's generally people and culture that top the agenda.

Oman is especially interesting as it has a good vision of the importance of security education, and a surprising level of sophistication in its awareness initiatives. Not only does it aim to educate its citizens in information security, it also thinks very carefully about the images and the presentation of material. Talking to InfoShield, their top information security consultancy, I was impressed with their understanding of psychology and communications in the design of their awareness materials.          

When it comes to marketing communications, every country is different. Americans, for example, who are more used to loud, brash advertising, might find the Omani material a little understated. But that's what works best in the region. The real skill in security awareness lies in understanding how best to engage with the target audience.

In an ideal world, security awareness materials would be extensively tailored to specific types of person in different regions. This is not always practical for international campaigns, so a certain degree of compromise is needed. Unfortunately, it's rare to find good examples of this. When I worked for Shell, we conducted extensive research to identify images that were both familiar and popular in all geographic regions. One image we came up with was a porcupine, an animal that is popular in every region, and which defends itself with multiple points of security.

Looking at the security awareness materials available on the Internet, I have to say that they are generally poor, lacking in imagination and with little thought given to psychology and perception. Given that the future of information security lies largely in the hands of users, we should all be aiming to raise our game in our capability to communicate across networks. It's arguably the most important skill in information security management, yet one that is rarely taught, or sought after.   


Security in an information age

| 2 Comments | No TrackBacks

This month's news has highlighted three developments that reflect the changing nature of the security landscape.

The expulsion of Russian spies demonstrates the limitations of cold war tradecraft in a transparent society. The publication of over 90,000 military documents on Wikileaks illustrates the difficulty of safeguarding secrets in a networked world. And the Washington Post exposure of the sprawling size of the homeland security budget illustrates the expense in attempting to keep up with the mushrooming number of sources of intelligence.

These stories show that security and intelligence agencies have failed to transform their philosophy and methods to suit an information-rich, networked society, in which the nature of espionage, war and security are quite different.

We need a new philosophy for safeguarding information assets in an information age. One that appreciates the changing value and nature of knowledge, relationships and transactions in the emerging world. One that minimises secrets and focuses on reducing the business damage from the inevitable leaks. And one that develops richer intelligence systems that are better able to navigate a superabundance of data.    

More than a decade ago, I recall presenting these concepts to a UK government security conference. Everyone nodded their heads in agreement. Yet in the past ten years information security standards and governance systems have barely moved on. We continue to invest in outdated methods. Today's initiatives in professional development, for example, focus on yesterday's needs rather than tomorrow's world. We need much greater foresight, and, more importantly, a new willingness to change our ways.

Economic incentives for cyber security


I read that US Cyber Czar Howard Schmidt is scheduled to hold a meeting on Wednesday with Secretary of Commerce Gary Locke and Department of Homeland Security Secretary Janet Napolitano, where he is expected to discuss how to improve private-sector cyber security through economic incentives. The meeting is expected to consider tax, liability and insurance incentives among other steps to encourage industry to increase its network security.

It's an interesting development, reflecting the inescapable fact that smart intervention is needed to stem the growing threats of e-Crime, espionage and, inevitably, cyber wars and terrorism.  

e-Crime Wales Summit 2010


If you're interested in tracking the proceedings at Thursday's e-Crime conference in Wales, there's a live blog with session highlights and a Twitter feed (use the hashtag #ecrimewales). You can even post questions for the speaker Q&A sessions. I'll be speaking on security for small and medium enterprises. It's a topic on which we all need to ask searching questions and find better answers.

Wales shows the way in the fight against e-Crime


This Thursday, e-Crime Wales is holding its annual e-Crime Summit at the Celtic Manor Resort in Newport. It has become one of the major security events of the year, attracting excellent speakers and hundreds of delegates. This year I'll be speaking on SME security, and there will also be sessions from ex-US Government agents Ed Gibson and Richard Hollis.

If you've not checked it out, e-Crime Wales has, in my view, the best Web site for business education on e-Crime. I'd recommend it as a model for all organisations developing security awareness material.  

The Art of Cyberwar


The latest edition of the Economist has a major feature on Cyberwar, complete with a sensational image of an explosion in a civilian area, as well as a fascinating tale of a logic bomb. Unfortunately, perhaps seduced by this imagery, it misses the bigger picture of information warfare, which as I've said before is more the art of illusion, rather than the science of sabotage. There's certainly plenty of fear, uncertainty and doubt in this feature, however, as well as a good dose of spin. 


Reading between the lines

| 1 Comment | No TrackBacks

"Small and midsized businesses (SMBs) have a reputation of being somewhat lax when it comes to information protection... That's why the Symantec 2010 SMB Information Protection Survey is so surprising. It turns out that in the last 15 months, SMBs have become extremely aware of and focused on information protection."

So opens the latest research report from Symantec. It's one I find a little hard to accept because many claims simply don't ring true. The interpretation of statistics is also unconvincing, to say the least: a claim that 42% of businesses have lost confidential or proprietary information in the past is immediately followed by a pie chart which shows that two-thirds have not.

When I read on, I find that around a third of SMBs claim to be extremely skilled in computer security and that they spend more money on security, back-up and DR than on general computing. They also lose on average two dozen laptops a year, and experience hundreds of individual security incidents each year, yet most claim never to have lost any confidential or proprietary data. Around half don't have a written DR plan, yet more than half claim to test it at least twice a year.

Is this really typical of small and midsized businesses? 

Personal data in the Cloud

| 1 Comment | No TrackBacks

No organisation should place any sensitive personal data in a cloud service without understanding the implications for regulatory compliance. It's easier said than done, however. The whole point of cloud computing is that you shouldn't have to worry where the data is held. Unfortunately, legal requirements demand otherwise.

The ideal solution is for Cloud computing vendors to deliver appropriate assurances to customers. But so far there's little indication of this. And working out what legislation applies in each country can be a difficult task for customers, especially as it's a moving target.  

One source that will help is Forrester Research's privacy 'heat map' which provides high level information on the data protection and privacy across a range of countries. It's a useful starting point for anyone contemplating offshore services. 

Information Security in Africa


While our attention is focused on football in South Africa, it's worth taking note of other developments across the African continent, especially the growing threat presented by millions of networked, insecure PCs. The Internet has arrived in Africa, ahead of the security needed to make it safe. 

Fortunately this problem is receiving increasing visibility and attention. Countries such as Kenya are implementing legal and regulatory frameworks, and kicking off awareness campaigns. Security products and services are also becoming increasingly available. But security skills and experience are in short supply. It's a growing problem that is bound to have an impact on all Internet users in the future.

'The Global Threat from across the Seas' is the timely theme for a security day next month in London on HMS President. It's free to members and a modest £50 for non-members, and it promises to be an excellent day out.  

Securing emerging technologies


A reference in a Team Cymru news alert drew my attention to an interesting media article about the security of smart meters, a fast-moving development which justifies a lot more scrutiny, public debate and policy. 

Smart grids offer huge potential, not only for efficiency improvements, but also for a degree of remote manipulation and misuse. Utilities claim the meters have been extensively security tested, yet many respected security experts point to underlying vulnerabilities. And there are clearly some major governance issues concerning privacy, economics and consumer rights.

New technologies always present such challenges, especially from a security perspective. Firstly, there are too few forward-looking, mandatory standards. It's always been the case. Two decades ago, when mentioning my concerns about the security of networked SCADA systems to a colleague, he expressed surprise that any external connections were even permitted. I replied that new developments don't come with rules. Standards emerge long after the problems have surfaced.

Secondly, risk assessments are backward-looking. We haven't yet experienced a wave of highly publicised attacks on SCADA systems. Realistic assessments won't reflect long-term developments in the threat landscape, no matter how concerning they might seem. But security risks are constantly rising, often in step changes as new vulnerabilities or offensive techniques emerge.

Thirdly, industrial control systems tend to be designed with reliability or safety in mind, rather than security. Instrumentation systems might address all manner of failure conditions, but they rarely take account of calculated sabotage. I was once asked by a safety authority to design a security box that could guarantee that a hacker wouldn't get through more than once every one hundred years. That, of course, was to satisfy the demands of a safety calculation. Unfortunately, it's not the way attackers think or operate.  

Information Technology gains a Royal seal of approval


The Sun came out last Thursday to celebrate the award of a Royal Charter to the Information Technologists' Company. It was a spectacular event: a formal service at St Paul's Cathedral followed by a procession of pikemen and musketeers, and topped by a Royal dinner at the Mansion House with the Lord Mayor of London. It's also a sign of the times. The IT industry underpins the success of the City, and rightly deserves a place at its top table.


Understanding the hidden security risks in the Internet

| 2 Comments | No TrackBacks

Last Friday I attended an excellent cyber security event sponsored by Neustar, who deliver some of the vital services that enable the Internet to function securely. I was particularly impressed by an eye-opening presentation by Rodney Joffe, Neustar's Chief Technologist, on DNS security. Ensuring business traffic is secure over the Internet demands a lot more than we might think. Enterprises are exposed to many underlying risks of espionage and modification of data in transit. Threats of IP hijacking are a real and present danger. All security managers should make it their business to understand the potential security risks associated with the Internet. We are entering a decade that is likely to be dominated by large-scale compromises of business information and services. 

Security in outsourcing - a work in progress

| 1 Comment | No TrackBacks

Many thanks to everyone who attended my new book launch last week, kindly hosted by Commerzbank on behalf of ISSA-UK, and sponsored by BSI. Amongst other things the book sets out a security framework for managing outsourced services, a vital requirement for an emerging business landscape characterized by increasingly broader and deeper externalization of activities. It would be nice to see further work building on the foundations and principles of the book. Outsourcing demands a raft of specifications, codes of practice and new processes. There are many gaps in published guidance on outsourcing that have yet to be filled in. 

The forgotten art of crisis management


The progressive worsening in BP's share price might in part reflect a continuing failure to address the finer points of strategic crisis management. Following on from the recent Toyota crisis, it leaves a worrying impression that many big international enterprises are not well equipped to manage large-scale incidents.

This is not a new problem of course. We've experienced many disasters before, and there are well established principles on how to go about crisis management. The snag is that they're not widely appreciated. Neither are they easy to execute. In fact very few senior executives, no matter how bright or well trained, seem to be able to translate expert advice into reality. 

Good crisis management is a rare skill. There are a few reasons for this. Partly it's because most executives are immersed in an organisation culture that is often itself a major contributing factor to the crisis, preventing them from seeing the wood for the trees. Partly it's because few executives are comfortable playing a dynamic, decision-making role that's completely different from their day job and prior experience. And partly it's because it's hard in practice to think clearly, objectively and strategically when you're under enormous pressure.

You can certainly spot some questionable decisions in BP's response: attempting to play down the size of the disaster; presenting a British image to an outraged US community; and offering up the CEO as a potential whipping boy. Lack of preparation or rehearsal for such events might also be a contributory factor, as there are press reports of factual errors in the published oil spill response plan.

As Dr Peter Sandman, a risk communications expert, once put it, "The engine of risk response is outrage". An engineering response, no matter how elegant, will never suffice. Citizen rage needs to be directed to an appropriate target. President Obama clearly recognises this and is channelling it, along with his own rage, towards BP's British management.

There are numerous learning points from this and other crises. My book "Managing the Human Factor in Information Security" contains a whole chapter on the subject of incidents and crisis management, setting out many of these points. It's a difficult art but one that needs to be studied and practised by a lot more senior executives.   

Security Innovation Grant


The excellent Dragon Research Group at Team Cymru, a leading, not-for-profit Internet security enterprise, is seeking to award up to $10,000 for an innovative project in the area of information security. The award includes a top mentor. Proposals may consist of software, hardware, training, facility or multimedia components. Naturally, the solution will be open source. And, unlike government research grants, you don't have to fill in a hundred-page application form. It's a great opportunity.

Security and Resilience of Critical National Infrastructure


This week I joined an expert panel (as a last minute replacement) at a CNI Expo conference at London Excel on the subject of security and resilience for the public and private sectors. 

The conference had an excellent format, with top security experts and government officials debating key issues on national security risks, rather than simply delivering long-winded presentations. It was reasonably well attended, though I was surprised that there were not more attendees from government security departments, who have a big stake in the issues discussed. With a new government in power, this is certainly the time to challenge or influence public policy.

I tried my best to be controversial. That's not difficult. Public sector information security is laden with legacy thinking and practices. Bureaucratic controls frameworks continue to tick the boxes for the policymakers, but they fail to connect with end users, small businesses and citizens. I've long argued that we need a revolution in priorities, skills and methods. Government is a good place to start. 

Interestingly, some security authorities take the view that their standards are higher than the private sector's. That might be true, but expectations don't always translate into practice. Closing the loop is the weak link in public sector security.

Priorities are also an issue. The role of risk management was a key item on the conference agenda. It's increasingly used to shape the national security agenda and determine priorities. There are dangers here, as less visible threats can slip through the net. High-level heat maps look professional at first glance, but they are over-simplistic snapshots of the threat landscape, failing to capture the richness and volatility of the growing range of emerging hazards. 

Security priorities are too often driven by knee-jerk responses to major incidents rather than smart analysis of the factors that might help to prevent them in the first place. Understandably, there's too much focus on known problems rather than future ones. I tend to share the view of the expert from Chatham House, who argued for more attention to less visible future threats, such as a shortage of energy. 

I'd go further and suggest that future cyber security risks are more likely to be based on modification and manipulation of data, rather than espionage or denial of service. That's something very low on our agenda. I'd also argue for more focus on safeguarding flows of information, including transactions and relationships, rather than static stocks of historical data.     

Of course it's easy for outsiders like me to be critical. It's hard to innovate when you're at the centre of public policy, constrained by politics, media coverage and a serious lack of resources. But this is the time to be creative, forward-looking and bold. National security needs a boost and a change. So let's start with a heated debate. 
