David Lacey's IT Security Blog

Last week's excellent ISSA-UK Chapter meeting, kindly hosted by KPMG, highlighted two interesting security developments in cloud computing.

The first was that this is a rapidly developing subject area. At the start of 2009, very little analysis on the risks and solutions could be found. Now we have several guidelines and can listen to a raft of articulate presentations on the subject. 

The second is that some security thinking on this subject is misconceived: recommending that clients undertake rigorous due diligence, audits and real-time monitoring. That approach would bring vendor services to a halt and lead to a massive duplication of effort.

The whole point of cloud services is to deliver a standardized, uninterrupted service. Vendors should be persuaded to provide the highest level of independent assurances to clients. That's where our attention should now focus: on agreeing the nature of the standards, assurances and ongoing information feeds that we need.

Bruce Schneier's advice on the recently announced SSL vulnerability is sensible, but it raises the bigger issue that we're too slow in responding to flaws in critical, embedded systems. Experience has shown that it takes years, if not decades, to eradicate implementations of outdated cryptographic systems. The real learning point is that we need to step up our contingency planning in this increasingly critical area. Just what would you do if SSL/TLS was thoroughly compromised?    

One of the potential business impacts that should be factored into any risk assessment for a data breach of customer information is the possibility of a class action for damages. It's interesting therefore to note that a federal court in Missouri has recently dismissed a claim against a pharmacy benefits company over a data breach in which millions of customer records were believed to have been illegally accessed.

The plaintiff contended that he and other victims faced an increased risk of becoming the victims of identity theft. The case was dismissed because he failed to prove that his information had been used fraudulently. The plaintiff needed to prove that the injury was "actual or imminent, not conjectural or hypothetical." That clearly presents a challenge in the shadowy world of cyberspace, where concrete evidence is hard to come by, and frauds are likely to be based on multiple sources of information gathered over time.

What are the skills we should be looking to teach the information security professionals of the future? It's a good and timely question given the current proliferation of training courses and the growth in professional development schemes.

I've been disappointed with much of the accepted wisdom drawn from analysis of member surveys by professional institutes. They tend to have employed the wrong approach. We need some original, logical and lateral thinking. Inspired by this thought, I've drawn up a list of my seven top skills for the future information security profession. They are:

1. An understanding of psychology to plan interventions that can might actually have an impact on the behaviour of staff.

2. Social networking skills to influence and harness the support of large numbers of users and customers over social networks.

3. Skills in marketing communications to design compelling, effective awareness campaigns and materials.

4. Strong commercial management skills to specify and manage security across business partnerships and outsourced supply chains.

5. Sophisticated crisis management skills to safeguard the organisation's intellectual assets (not just the data) in the likely event of a major security breach.

6. Digital forensic skills to detect and prove when an intruder has infiltrated or modified the organisation's intellectual assets.

7. A sound knowledge of legal and regulatory requirements and issues.  

You can read more about my thoughts on how to go about forecasting future trends and skills on my latest Infosecurity Advisor blog posting.     

The Information Commissioner's Office has just published a detailed Guide to Data Protection. It's an excellent, well presented piece of work, though at 175 pages it's not likely to be read from cover to cover. But as a useful, free reference document, I'd advise every security professional to download a copy.

Most managers require a broader view of the compliance space than a perspective on just one aspect of compliance or on the requirements in a single jurisdiction. Building up a library of references to many pieces of legislation however takes a fair bit of time, so any up-to-date compilations are very welcome. That's why I was also pleased to see the publication of Stewart Room's long awaited bible: Butterworth's Data Security Law & Practice. Stewart's book is expensive, but you get a lot for your money.

Stewart is also an evangelistic doomsayer, who for some time has been pointing out that we're currently experiencing a 'bear market' in regulatory compliance in data protection. And he's not wrong about that. Today's compliance regime is mild compared to what's waiting in the wings. It's time for all of us to start raising our game in data loss prevention.

Elsevier are holding their first conference on human factors in information security in London on 22nd-24th February 2010. What's interesting is that it combines academic excellence and practical business experience. Very few conferences on this subject have been held, and they have generally been designed primarily for academic researchers. It's encouraging that the UK is hosting this conference as it sits somewhere between the US and Continental Europe in it's appetite for the subject. Hopefully it will set the scene for further conferences on this important subject.  

Congratulations to Graham Cluley of Sophos who won the Computer Weekly 2009 best blog award. Congratulations to Computer weekly also for unselfishly excluding their own bloggers from the competition. In the topsy turvy world of the blogosphere it clearly pays not to blow your own trumpet. 

Larry Ponemon, founder of the Ponemon Institute, has published a paper on 'Cyber Security Mega Trends', i.e. what senior level IT executives believe to be the biggest cyber security threats to US federal organizations. It's a useful read, not so much to predict the future - which can't be done through a market survey - but to understand the thinking and priorities of government IT executives.

I often find that the solution to a problem is not too far away from the problem itself. So it's interesting to note that all of threats mentioned can actually form the basis of potential security solutions:

• Cloud computing offers better security services because the cloud service provider gains a superior perspective of events.
• Virtualization technology can be used to prevent intrusions by rapidly rotating targeted servers to prevent an attack from succeeding. 
• Mobility ensures a more effective crisis response and can provide useful intelligence on the location and activities of people.
• Cyber crime and cyber terrorism provide justification to build larger security budgets and empires.
• Open source enables greater cooperation, review and bug-fixing for security products.
• Data breach notification means that enterprises are compelled to fix security exposures before the breaches occur.
• Unstructured data encourages the development of management tools that provide better intelligence through a richer analysis of data content.  
• Outsourcing motivates us to establish better inventories, standards and compliance processes. 
• Web 2.0 provides the social networking capability we need to harness the power of employees and customers to serve as a virtual security function.

As I often say, it's not difficult to turn a series of threats into a set of opportunities.

You can find an interesting posting of mine on innovation in security, inspired by the Global Security Challenge on Infosecurity Adviser, the news site of Infosecurity Europe. My point is that there's plenty of innovation around but it doesn't always make it into everyday use. We need a lot more investment and support to help make that happen.    

Regular readers of this blog will know that I've been forecasting for some time that data integrity will be the next big thing. That's nothing new. But what's really interesting is that many of my fellow security professionals are now starting to say the same thing. Data integrity was certainly one of the hottest issues raised at last week's Infosecurity Europe Advisory Panel. I've previously commented that it might take five years for people to respond to this challenge. Hopefully, awareness of the problem space might start to take off during 2010.

Data integrity is the third and arguably the most significant phase of information security. It's the final frontier to be tackled in contemporary information security, which is based on the three pillars of confidentiality, integrity and availability: a long-standing fusion of three distinct objectives that collectively map out a solution space that still contains many gaps. It's understandable that people tend to notice the availability and confidentiality aspects of security well before they spot the integrity issue. But the integrity challenge is quietly building up into a dangerous exposure. Bad data undermines business confidence, and in extreme cases it can permanently reduce the value of business services.

So why is data integrity such an issue? Firstly, much of our data is already bad but we don't advertise that fact. We keep it quiet. In many databases, it's not unusual to find that up to half the records contain errors of one sort or another. That's due to a combination of factors, ranging from transcription errors in call centres to the inevitable temptation to re-use old data outside of its original context. On top of that we have a range of network effects that distort incoming data through Chinese whispers, rumour, spin or good old fear, uncertainty and doubt. There's a tendency to believe anything that you hear from several different sources. In large networks, that can be deadly. But the most disturbing concern is the threat of an unauthorised intruder deliberately changing data to cause harm, whether for financial gain, spite or sabotage.

The starting point in addressing this relatively new problem space is to recognise that we need standards to assure customers, citizens and other stakeholders of the quality of the information in our databases. It's quite outrageous that none exist for services that can have a major impact on people's lives. A single percentage of error in a national database can represent a population the size of a major city. That demands scrutiny. Once we can see the size of the current exposure, there's no doubt that society and the media will demand action. But until that happens we're sitting on a ticking time-bomb that's just waiting to explode.