June 30, 2009

Eliminating opportunities for fraud

Bruce Schneier's excellent blog drew my attention to an interesting web site that prints copies of expenses receipts "for novelty use only". Perhaps our members of Parliament might find this useful. But to be honest they were unlucky to be so heavily scrutinised, because expense-claim fraud is far more widespread than many managers realise.

Submitting paper receipts is irritating and far from foolproof. Personally I've always believed that life would be much easier if we replaced these paper trails with an agreed allowance. Many organisations pay set allowances to staff for business travel. This is much easier to administer and less open to uncertainty or fraud. A further example of smart design is the UK flat rate VAT scheme for small businesses, which replaces detailed input VAT accounting with a set percentage of turnover for each category of business.

We should design more systems on this basis. Not only do they make our lives easier, they can also reduce the temptation for small-time fraud.

June 29, 2009

Why staff break security rules

I've just got back from speaking in Athens at HAISA 2009, the leading international symposium on the human aspects of information security. Picking up today's Computer Weekly, my eye was naturally drawn to an interesting article on why staff break security rules.

CW reports that researchers at Nottingham Trent University have actually discovered that many staff will knowingly break or bend security rules in order to perform a job more efficiently, to help a colleague, or to provide good customer service. They also noted that complacency can set in when staff have been working in the same area for a long time and they know they will "get away with it".

Of course they could have saved a lot of time by simply asking me or any experienced security or safety manager. We've known all this for decades. Perhaps, as Basil Fawlty might put it, the researchers might be qualified to set up a course in the not-too-subtle art of stating the bleeding obvious.

June 25, 2009

New cyber strategy needs to be tougher

The UK Government has just unveiled a new cyber strategy. It's a step in the right direction, but it needs to be much tougher if it's to correct the weaknesses in critical infrastructure. Tests by IOActive on new US smart grid sensors are reported to have revealed alarming flaws. Mandatory standards are the only way forward.

June 23, 2009

The impact of the recession on information security spending

In times of recession there's always talk about where information security budgets are heading. Some of it is prompted by marketing spin, some by genuine concern and some by wishful thinking. Many people claim that security budgets are holding up, but at the same time there's a visible slowdown in some parts of the security market. The causes of this are numerous: the result of bank mergers, restructures, cutbacks, skills shortages, revised business priorities, changes in procurement policy and project delays and cancellations.

But against this trend is a clear growth in the need for information security services, driven by increasing risks and compliance requirements, greater recognition of the importance of security by senior management and a need to correct a long-standing lack of investment in the security of legacy systems and infrastructure. On top of this we have the steady spread of sophisticated security practices to many small and medium sized enterprises who had previously managed with little more than firewalls and anti-virus software. In fact, in the absence of a recession, information security would be booming.   

Making sense of the impact of these contradictory trends is not easy. Projecting ahead is even harder. Some economic trends, such as unemployment, are counter-intuitive. Experience from previous recessions shows that job losses don't peak until long after the recession has ended. There's more downsizing to come. The pundits vary in their degree of optimism. Bruce Schneier has been warning of the difficulty of keeping on top of security workloads that have increased due to layoffs. Gartner report that security budgets are currently flat, while the rest of IT is in a state of decline. But they project better times ahead, suggesting that new projects will be driven by regulatory compliance initiatives and by areas affected by cost-cutting measures. In fact it's clear that we're heading for a sustained battle between corporate governance demands and business reality. And at the end of the day, it's sales and cash flow forecasts that call the shots.

What will be the impact on security? The answer is bad, a major setback in fact. When Gartner talk of better times ahead they mean for vendors. Sales will eventually pick up, but in the meantime a lot of damage will have been done to information security management systems, which take years to build, but can dissolve within months through neglect. And information security today already requires a lot more investment, as we race to catch up with an accelerating threat landscape, after a much delayed start. This is a bad time to be throwing out the baby with the bathwater.

June 21, 2009

W-Tech 2009

One of the things that strikes me as imbalanced about information security is the relatively low proportion of women entering the profession. It might be the traditional image of security as an "old boy" network that discourages this. Or possibly the perception that it's a profession for technology geeks who like to meddle with firewalls and cryptography. But given that the future of security is likely to require an increasing use of psychology and communications skills, perhaps we should now be aiming to change the perceived image in order to attract a more balanced cross-section of practitioners.

I shall certainly be doing my best to achieve this at W-Tech in London on Wednesday, which is expected to attract more than a thousand women with an interest in IT. I'll be speaking on how to manage the human element in information security. In my view the most important future security skill is the ability to persuade large numbers of people to do something that they wouldn't otherwise do. And that's certainly not a skill for which men have a monopoly. 

June 18, 2009

The next big thing

Reed Exhibitions have published a series of podcasts recorded by Hall of Fame speakers at this year's Infosecurity Europe. The subject was "the next big issue in security".

Mine was on data integrity, or rather the lack of it. It's a widespread exposure which I expect will soon become visible to all, though it's still below the radar of most organisations. If you thought confidentiality was a tough problem to address, just wait until you try responding to attacks on data integrity.

A new security blog

I see that the US Department of Homeland Security has launched a blog. The initial efforts appear to be very formal and official, more like a series of press releases, in contrast to the more natural, imaginative and reader-oriented style of the excellent (though sporadic) postings on the Transportation Security Administration blog. So far the Homeland Security blog has not attracted many comments. But it's early days yet. Let's hope that it evolves into a more insightful communications channel that's sufficiently streetwise to be termed a blog.

June 17, 2009

Digital Britain needs better security

One of the tricks for impressing your customers is to under-promise and over-deliver, thereby ensuring you will exceed their expectations. It doesn't work well in competitive markets where promises are the key to business. But it's fine in monopoly situations. That probably explains why I was relatively pleased with the long awaited Digital Britain report. It's far from perfect and promises few concrete actions, but, from a security perspective it's a major improvement on the interim report, on which I submitted comments on behalf of the ISSA UK.

It looks like the Digital Britain team has responded to some of the points the ISSA raised. But I'd like to have seen it go much further on security. For me, the key points are that the report clearly recognises the importance of security, especially the need for consumer support and advice, and it endorses initiatives such as the Internet Governance Forum and Get Safe Online. The missing actions are the need for tougher, mandated security standards for critical infrastructure, and the urgent need for a big injection of resources to beef up security education and investigation.

Security is primarily driven by events, so I guess we'll have to experience a few big incidents before the government bites the bullet and invests in better security. But at least the Digital Britain report is a step in the right direction.   

By the way, Computer Weekly has a useful page that brings together a wide range of comments on the Digital Britain report.  

June 11, 2009

Planning for the worst

A news item about the possibility of Mars colliding with the Earth caught my eye yesterday. Of course it's not likely to happen for billions of years, but it's a sobering thought that the entire planet might one day be obliterated. Is it something we should start planning for now? Several years ago, I met a lady at NASA research in California who, amongst other things, was exploring fallback options for a future loss of the moon. Interestingly and surprisingly the presence of the moon is absolutely vital to support life on Earth, though one day its orbit will fail.  

Such thoughts beg the question "What's the worst thing we should plan for?" Former trader and author Nassim Nicholas Taleb uses the metaphor of a "black swan" to describe the impact of rare, unpredictable events that take us by surprise. Such events cannot be accommodated in traditional models of prediction. He argues that we place too much weight on the flawed assumption that past events will repeat. We should devote at least a small amount of our time and money to planning for highly unlikely outcomes.

Unfortunately, we don't have many methods for examining the consequences of extreme events. Scenario planning is one option. Shell, for example, has for many years conducted long-term scenario planning to ensure their business managers are prepared for alternative futures. There's a danger of course that such thinking could make them too risk averse. But this is a company that thinks long-term. I recall they even used to take steps to ensure they could continue business following a nuclear war.

Goldman Sachs used to plan for a "worst of the worst" or WOW scenario in which twenty different asset classes might fall to the lowest recorded level in recent years all on the same day. But, amazingly, that turned out to be nowhere near as bad as the recent financial meltdown. In fact, such exercises are neither realistic nor foolproof. But in practice they are useful for helping to prepare business managers for unexpected shocks.

Business continuity planning is a more practical tool for preparing for the worst. But how extreme should the options be? In practice, such plans address the more familiar forms of disaster. And most experienced managers prefer to operate on the basis of "no double jeopardy", i.e. it's unlikely that two improbable events will occur at the same time. Unfortunately, that can happen in tightly coupled networks and markets, where failures propagate, though, to be fair, in those cases the coincidence is generally triggered by a single, higher-level event.

Crisis exercises are a much better vehicle for "thinking the unthinkable". Like scenario planning, the use of an imaginary storyline encourages managers to suspend disbelief and go along with the plot. This results in a self-discovery of learning points that could not be conveyed through logical argument. Business managers generally become defensive if you try to present a case for addressing an unlikely event. It's better that they come to that conclusion themselves.  

This century we've already experienced major terrorist incidents, wars and market crashes. Pandemics and cyber wars are waiting to hit us in the near future. As networks connect more and more people, data and objects, they create new opportunities for high-impact events. For that reason we should all be aiming to raise our game in preparing for the unexpected.  

June 10, 2009

Where's the next security breakthrough?

The BBC News website has an interview with Sir Tim Berners-Lee on the future of the Internet. When asked what the future of the Web would look like, he replies that if all the things that he can imagine happening were to come to pass, we will have failed, because we need the creativity of people thinking about new sorts of data and how they might use it.

That comment applies even more to information security. If we rely on no more than our current set of ideas, we'll all be doomed to an insecure cyber world of crime, paranoia and missed opportunities. More of the same is not good enough. Security needs periodic, breakthrough technologies. One or two of these tend to emerge every decade. In the past we've benefited from public key cryptography, anti-virus scanners, firewalls and intrusion detection. But most of these lose their effectiveness over time as attackers adapt. So where's the next silver bullet?
