Putting the SEC into DEVOPS

I've been pressing for greater speed in security management for many years. "Replace the Deming Loop with the Boyd (OODA) loop" has been my mantra. Yet when I first encountered DEVOPS, I immediately thought it would fail because it broke the segregation of duties principle. Perhaps it would be fine for a small start-up or a vendor, but not for a large enterprise subject to all manner of regulatory demands and frequent audits that inspect segregation of duties arrangements.  

I've since changed my view, for the following reasons.

DEVOPS is a compelling movement, which enables continuous software delivery through automation and closer coordination of development and production teams. It introduces a powerful cultural change. And faster delivery means quicker bug fixing and therefore faster elimination of security vulnerabilities. This is a big security benefit, but what about those regulatory controls and standards that demand separation of duties and environments for development and production work?

The answer is that we need to bring these traditional ideas up to date. The starting point is to recognize that there is more than one driver behind these requirements. Segregation of duties is an anti-fraud check which applies to financial processes. No one person should be allowed unsupervised, end-to-end control over financial transactions. In contrast, separation of development and production environments is a broader, operational control to preserve the integrity of the production environment from the side effects of untested software.

These requirements are in fact expressed as two separate ISO 27001 controls. Unfortunately, they're often conflated, with many people interpreting segregation of duties as a need for separate development and production teams. But that's not strictly necessary. We do need to separate the processing environments, but we don't have to segregate the development and operations staff.

In fact, segregation of duties is just one solution to the anti-fraud requirement. The requirement is often referred to as the "4 eyes principle", which is a broader and better way of expressing it. That can mean simply having a second person authorize any change (such as a new release), which opens a door to DEVOPS teamwork, though we are still constrained by the need for an extra check.

To eliminate potential delays from a secondary check, we need to update our concept of trust and control. The old-fashioned concept of trust was perhaps best summarized by the old Russian quote (equally ascribed to Stalin and Lenin) that "Trust is good but control is better". Now that might have worked in an over-manned, slow-changing, industrial age environment. But it's impossible in a fast-moving, empowered, information age world. A better adage is the Ronald Reagan quote (also based on a Russian proverb) of "Trust but verify", which enables speed and empowerment.

The choice now is how best to implement such an ongoing checking mechanism, and whether, for example, an anomaly detection system might be sufficient to remove or reduce the need for human intervention. That justifies a bit more thinking. But I can envisage that on a small scale (which this is) something along the lines of a self-organizing map (a neural network) might serve as a fast, convenient method of periodic human/machine checking.
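As an added illustration of the "trust but verify" checking mechanism described above (example code, not from the original post): a script that verifies the 4-eyes rule after the fact over a release audit log and flags unusual releases for human review. The log format, people, thresholds and the robust z-score method are all constructed for this example.

```python
"""Added example (not from the original post): automated 'trust but verify'
over a release audit trail. The 4-eyes rule (every release carries a second
approver who is not the author) is verified after the fact rather than gating
each release, and statistically unusual releases are queued for human review.
Log format, names and thresholds are constructed for this example."""
import csv
import io
import statistics
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample audit log: release id, author, approver ("" = nobody),
# UTC deployment time, number of files changed.
SAMPLE_LOG = """\
release_id,author,approver,deployed_at,files_changed
rel-101,alice,bob,2016-01-04T10:12:00,12
rel-102,bob,alice,2016-01-05T11:40:00,9
rel-103,carol,alice,2016-01-06T09:05:00,15
rel-104,alice,alice,2016-01-07T14:30:00,10
rel-105,dave,,2016-01-08T16:10:00,8
rel-106,bob,carol,2016-01-09T02:45:00,11
rel-107,carol,bob,2016-01-11T10:00:00,140
"""


@dataclass
class Release:
    release_id: str
    author: str
    approver: Optional[str]
    deployed_at: datetime
    files_changed: int


def parse_log(text: str) -> List[Release]:
    """Parse the constructed CSV audit log into Release records."""
    releases = []
    for row in csv.DictReader(io.StringIO(text)):
        releases.append(Release(
            release_id=row["release_id"],
            author=row["author"],
            approver=row["approver"] or None,
            deployed_at=datetime.fromisoformat(row["deployed_at"]),
            files_changed=int(row["files_changed"]),
        ))
    return releases


def four_eyes_violations(releases: List[Release]) -> List[Tuple[str, str]]:
    """The 4-eyes rule: a second person, not the author, must have approved."""
    findings = []
    for r in releases:
        if r.approver is None:
            findings.append((r.release_id, "no second approver"))
        elif r.approver == r.author:
            findings.append((r.release_id, "self-approved"))
    return findings


def anomalous_releases(releases: List[Release], z_threshold: float = 2.0,
                       office_hours: Tuple[int, int] = (8, 18)) -> List[Tuple[str, str]]:
    """Flag releases worth a human look: an unusually large change set
    (robust z-score from median and MAD, so a single outlier cannot inflate
    the baseline and hide itself) or a deployment outside office hours."""
    findings = []
    sizes = [r.files_changed for r in releases]
    median = statistics.median(sizes)
    mad = statistics.median(abs(s - median) for s in sizes) or 1.0
    for r in releases:
        robust_z = 0.6745 * (r.files_changed - median) / mad
        if robust_z > z_threshold:
            findings.append((r.release_id,
                             f"{r.files_changed} files changed, robust z={robust_z:.1f}"))
        if not office_hours[0] <= r.deployed_at.hour < office_hours[1]:
            findings.append((r.release_id,
                             f"deployed at {r.deployed_at:%H:%M} UTC, outside office hours"))
    return findings


def verify_release_log(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Run both checks; 'four_eyes' are rule breaches, 'review' needs a human."""
    releases = parse_log(text)
    return {"four_eyes": four_eyes_violations(releases),
            "review": anomalous_releases(releases)}


if __name__ == "__main__":
    for category, findings in verify_release_log(SAMPLE_LOG).items():
        for release_id, reason in findings:
            print(f"{category}: {release_id}: {reason}")
```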

There are of course further things we need to achieve secure DEVOPS. Most importantly we need sound design and enforcement of access control policies, profiles and permissions. Interestingly, this is an extremely simple subject which is surprisingly poorly implemented. But that's for another blog posting.  


Forecasts for 2016

Heavy demands for research and consultancy have restricted my blog postings this year. It's a reflection of the unrelenting growth in anything connected with cyber security. My New Year's resolution however will be to return to regular blogging.

A year ago I forecast that the Internet of Things would be the primary focus of this year's research, but that few applications would emerge. That certainly happened, though I think the IoT hype was pipped by the hype for the Bitcoin block chain, which even merited a major feature in the Economist.

Despite all the hype and investment around block chain applications I remain pessimistic about its use for serious finance applications. In my view, anything that doesn't scale well, can be taken over, and presents a major threat to tax collection is unlikely to succeed in the long term. 

It was a no-brainer to predict that the treacle of regulatory compliance would become ever deeper, and that Governance, Risk and Compliance (GRC) solutions would remain immature (because of the large scope and complexity of the underlying data). That situation will get even worse as enterprises prepare for the new EU General Data Protection Regulation (GDPR). I know some companies are concerned about the mountain of paper required to demonstrate evidence of GDPR compliance. But that's mainly because of a lack of visibility and management of information flows. And it's certainly not a bad thing to correct that situation.  

Prediction has been the new dimension for security this year, with increased promotion of artificial intelligence solutions and threat intelligence services. This is a double-edged sword for the CISO, who will face an inevitable increase in false-positive reporting, which cannot be ignored because of the possibility of a nugget hidden within. My advice is to maximise the use of simple, rules-based mining before turning on the AI technology, and to generally ramp up the resources devoted to security event and trend analysis.

A longer term trend I drew attention to last year is the progressive commoditisation of many cyber security services, which are relatively easy to execute with scripts and open source tools. As technology becomes more powerful and easier to use, the security skill set will change, and enterprises will need to differentiate between areas that demand deep expertise and experience and those that can be easily carried out by an enthusiastic trainee.

A further trend to watch is the progressive growth of Cloud based services which will demand a different security architecture from traditional enterprise perimeter solutions.  

The main trend in 2016 however will be a step change in the control and visibility of IT assets and information flows, as enterprises begin to exploit more powerful tools for discovery, analysis and management of information transfers. The introduction of the EU GDPR will certainly boost the sales of asset management and managed file transfer services.   

In praise of the Digital Catapult

I admit to being a long-standing critic of past UK government research initiatives. Having sponsored and managed several partly-funded research projects I've been disappointed with the decreasing incentives to convert blue-sky research into actual products. (The funding reduces to zero as you progress ideas towards commercial ventures.)

Clearly I'm not alone in this view as increased funding now seems to be aimed at encouraging start-up initiatives. I fully support this change and I've been pleased and impressed to be associated with the new London Digital Catapult Centre. This is a venture that reflects the latest thinking on how government funding can encourage innovation. It's not an incubator, it's not a research centre, but it has great facilitation potential.

Strip away the gimmicks of the automated yellow minion and the machine that blows bubbles in response to tweets and you'll discover an interesting mix of researchers, entrepreneurs, investors and subject matter experts coming together to discuss emerging trends and business opportunities.

As I've often said, innovation in security will not come from industry (who are focused almost exclusively on compliance), or academia (who respond increasingly to industry demands), or vendors (who simply wish to promote new features). Real invention demands a serendipitous blend of users, vendors and investors, ideally enhanced by left-field subject matter experts and the odd futurologist.

And that's what you'll find at a Digital Catapult workshop. New thinking needs a blend of contrasting experiences and perspectives. The Digital Catapult centres are equipped to deliver this. In a short two-day "pit stop" on identity and trust I discovered a surprising number of innovative product concepts, and was delighted to encounter kindred spirits open to my own inventions and ideas.

To be honest I've lost faith in traditional universities, vendors and research centres. Few new products are truly innovative and many lack the left-field and subject matter expertise needed to conceive killer products. If anything new and successful emerges in the security space in the next decade I'm sure it will have been identified and discussed at a Digital Catapult centre.

What's new in Cyber security?

I missed the opening of this year's Infosecurity Europe as I was speaking in Zurich. I did however catch the end, though there was little to fire my attention. The theme was dated, the slogans on stands (e.g. "security re-imagined") were unrealistic, and the talks were far from original. The exhibition however was much bigger and even more crowded. As usual, the conference was essentially a huge networking event, as well as a chance to seek out what might be new in cyber security.

Just about everyone in security attends at least one day of Infosecurity. I bumped into dozens of old acquaintances and met lots of new people, ranging from IT researchers to behavioral psychologists. This conference seems to attract a more diverse set of people than other big security conferences.

Little innovation was on show though there is much happening behind the scenes. For me, the underpinning trend is the continuing growth in the use of artificial intelligence (AI) in security products. Such technology is becoming mainstream. It has its advantages and shortcomings.

Things have certainly changed. Fifteen years ago when I was promoting the use of AI it was a dirty word in many academic circles. The Professor running Microsoft's research labs in Cambridge told me he binned anything he received on the subject. Yet today Cambridge is the home of the most hyped security product in this space: Darktrace, a learning system inspired by the human immune system.

Clearly someone has been paying attention to my long-promoted advice that security technologies need to steal ideas from nature, especially the human immune system. Back in 1999 I sponsored a three year project to develop a fraud detection system based on the human immune system. The technology worked to an extent, but was a long way from being ready for business deployment.

There are huge challenges in developing AI systems. We don't fully understand the human immune system, and we can't keep up with the accelerating changes going on across a modern, global enterprise. I always imagined that perfecting such technology would be a long haul. Professor Stephanie Forrest at the University of New Mexico for example has been trying to develop intrusion detection systems based on this approach for two decades.

Perhaps we just needed Mike Lynch's magical Bayesian logic. Certainly something has accelerated the maturity of the technology which now appears to be ready for prime time.

But be warned. False positives might be acceptable in a research, intelligence or relatively small environment. In a large enterprise however they can be time consuming to process and deadly if you ignore them. We've all heard about the CISO who lost his job after not acting on an intrusion alert.   

As I've pointed out for the past fifteen years, the future of security will be probabilistic rather than deterministic. But it's a slow change. Don't expect instant results.    

Minimising the snooping

It was interesting to see Tim Cook, CEO of Apple, voicing his opinions that government and companies should not have access to private consumer information. It's rich coming from a vendor with access to so much of our personal information. 

I don't mind security services having access for national security purposes. It's necessary in an increasingly dangerous world and they safeguard it well. Employees are vetted, keep their mouth shut (Snowden excepted), and there is no evidence of data breaches or misuse after decades of interception. 

If only we could say that about vendors.   

Cyber security in Britain

I almost forgot to mention that last week's New Statesman carried a major feature on Cyber security in Britain, including articles from Francis Maude, Peter Sommer and myself. (Mine's the doom and gloom "Ghosts in the Machine" piece.)

Showing our true character?

Last week GCHQ was censured over its sharing of internet surveillance data with the United States. There's no real surprise here. But what is interesting is to read it in the context of the New Statesman's feature last week about growing political interest in the "Anglosphere", a global alliance of English speaking countries.

I am reminded of Bill Haydon's observation from Tinker Tailor Soldier Spy: "I still believe the secret services are the only real expression of a nation's character".

If you can't beat them...

I keep reading defeatist talk. The latest is from a chap called James Lewis, a cybersecurity expert at the Washington DC based Center for Strategic and International Studies, who has been claiming that businesses should "stop worrying about preventing intruders getting into their computer networks, and concentrate instead on minimising the damage they cause when they do".

It would be a very black day for cyber security if businesses stopped worrying about intrusions. Let's face it, the reason we have so many is because we don't try hard enough to stop them. The attackers are fast, smart and agile, and our defences are sloppy, dumb and slow to react. The DC man is right to point this out, but the answer is to beef them up, not let the security managers off the hook.

Valuable intellectual property can be safeguarded by not storing it on networks. We don't do enough of this. Intruders can be stopped or quickly detected by state-of-the-art defences, though these are rarely deployed effectively even in large enterprises. Admittedly, some intelligence services have the capability to by-pass any defence, but such attacks are selectively mounted and should not be a reason for a wholesale abandonment of confidence in preventative measures.

The "dwell time" of a sophisticated APT intrusion is the serious new metric, though there is no mention of this in the international standard on this subject ISO 27004, which is perhaps where it all goes wrong. The modern CISO is bogged down in hundreds of pages of paper nonsense which stops them applying common sense and judgement. The target should be to reduce the dwell time from several years to less than a day. 

Zero days should be the target. But then that would be bordering on prevention...

Predictions for 2015

The last two years have been an eye-opener for business, governments and citizens. They should now be aware of the vulnerability of information systems to penetration by spies, hackers and criminals. But do they care? Not that much it seems, as they clearly continue to trust service providers with their data.

Perhaps we might experience one or two wake-up calls this year. Certainly we can expect that everything to do with intellectual assets and cyber security will be bigger, faster and more volatile, as that is the underlying nature of the Information Age. At the same time we can expect that little or nothing will get fixed or be any more secure, as that costs money and reduces business opportunity.

So what in particular will be waiting in the wings for cyber security professionals in 2015? Here are my personal forecasts.  

The Internet of Things will be the primary focus of this year's research, investment and hype. But there will be no killer applications or compelling business cases. It will remain largely a solution looking for a problem, held back by a lack of imagination, standards and security. The idea of publishing sensor data to citizens is a daft aspiration from a security point of view. But researchers and product developers do not listen to security experts.

There will be no escape for security managers from the growing treacle of regulatory compliance. Amazingly, implementing an information security management system to ISO standards requires as many as fifty individual pieces of documentation. But the paper overhead will continue to increase with more competing standards and questionnaires surfacing each year. (I've had to develop a sophisticated 4D relational database to keep up.) Technology can help but current GRC solutions are immature, and some add to the swamp of data to be processed. This will be the year for CISOs to invest in more efficient enterprise solutions.

Prediction is the new, 4th dimension for security. The theme of this year's Infosecurity Europe is "Smart data to detect, contain and respond". But the theme is outdated: smart vendors such as Qualys have already added "predict" to the thirty-year old "prevent, detect, respond" paradigm. A decade of regulatory compliance treacle has relegated prediction to the back burner. It needs to bounce back. Let's all aim to reverse this trend by pushing the focus firmly towards the future. It could be the single most important paradigm shift of the year 2015.

Small data is the answer: We've seen increasing hype and emphasis about "big data" over the last few years. The hype is slightly misplaced. The data does not have to be big, but it needs to be intelligently selected and creatively combined. As Deming correctly pointed out (though he is a bad poster boy for the Information Age), running a business on visible figures alone is one of the seven deadly diseases of management. Today we have numerous sources of data, within and without the enterprise. Fusing this data will improve visibility of risks and incidents. The data does not have to be big. Searching out, capturing and combining small data is the real key to predictive analytics.

The commoditisation of cyber security: It's sad to say but many companies have been foolishly paying outrageously high fees for security experts that are little more than standards readers or script-kiddies armed with open-source software tools. There is a place for the expert and there is a place for the army of trainees. Don't mix them up. Smart companies will outsource the latter to low cost off-shore service providers.

Cyber terrorism is a step closer

Behind the escalating war of words between North Korea and the United States in the wake of the cyber attacks on Sony lies a dangerous, but inevitable trend: the beginnings of real cyber terrorism.

Although we have yet to witness a major cyber terrorist incident, the potential for one is real, both in terms of motivation and vulnerability. The inescapable fact is that critical national infrastructure is vulnerable to damaging attacks and offensive techniques continue to outstrip our ability to counter them.

Back in 1999 I forecast that the electronic Pearl Harbour would occur around 2006-08, and was branded a doomsayer. Unfortunately, there are still many authorities in denial about the risks. They are the elephants in the room: too damaging to contemplate and too expensive to fix. They will not be addressed until a massive incident occurs.      

Predictions for 2014

It's the time of year when we reflect on our progress (or failures) over the last year and anticipate the challenges of the coming year. Last year I made half a dozen predictions for 2014. How well did I do?  Let's examine them.

Escape from monoculture

A year ago I forecast that new security technologies would provide a greater choice of defensive options, making things less predictable for attackers. It hasn't quite happened yet, but there are some emerging alternatives that look promising.

A new generation of attacks

I also drew attention to the inevitable fact that the next generation of APT attacks would be richer, more sophisticated and stealthier. That's certainly happened, so much so that we can't detect the latest attacks, as illustrated by the recent discovery of a sophisticated APT attack (Regin) dating back six years.

A backlash against security standards

I also predicted a growing backlash against security standards, which have become increasingly ineffective. That's certainly been a major issue this year, commencing with the FIC 2014 January opening conference theme of "Is cyber security a failure?" Unfortunately there is no realistic alternative for regulators to the growing mass of bureaucratic standards.

Improving strategic crisis response

On an optimistic note I forecast that enterprises would develop improving crisis management capabilities, correcting a long-standing weakness. I've certainly seen signs of this with the growth in deployment of SIEM technologies and security operations centres (SOCs).  

Cyber skills gap grows

I also noted the growing shortage of high-end cyber skills, fuelled by the need to seek out a special kind of person for key monitoring and analysis tasks. Interestingly, there are now several proactive initiatives to employ or help find security work for dyslexic and autistic graduates. This approach will grow.

No change at NSA    

I forecast no major changes in the operations at NSA, following Snowden. And I've yet to see any indication of this. Large scale intelligence gathering is necessary to combat terrorism, and that threat is growing.   

Learning points

The events of 2014 demonstrated a number of inescapable truths. Fast-changing subject areas tend to be held back by their legacy. The consequence is that they fail. Evolution will not deliver solutions. Nothing short of a revolution will succeed. New technologies, new skills and a new realism are needed to transform the effectiveness of cyber security. 

One day wonders

Last week Dr Hugh Thompson of Blue Coat and RSA fame was in London. I was fortunate to find a slot with him to meet up and exchange ideas. I like Hugh because he's not like the regular, dull vendors or CSOs that churn out the accepted security mantra. And he understands the importance of the human and political factors in achieving effective security.

Hugh updated me on his latest Blue Coat research on "One day wonders" i.e. websites that exist for less than a day. It's an important landscape as a surprisingly high 71% of all web sites exist for 24 hours or less. More worrying is the disturbing fact that these sites attract hackers, villains and other bad people.

Of course most one-day wonders are legitimate and exist to deliver a better user experience. Many are organizations such as Google, Amazon and Yahoo with a substantial Internet presence. That's why they're popular. Unfortunately there's a darker side, as malware operators seek to generate large numbers of popular sub-domains built on a foundation of more evil domains. Sites are selected to support mass attacks on targeted victims, attacks that are highly scalable, difficult to track and easy to implement.

Hugh and I also had an imaginative debate on current trends, including the Internet of Things. We both agree that security cannot be contained within devices alone. Against a landscape of continuously fragmenting technology (into larger networks of smaller devices), rapidly changing platforms, and uncertain access policies, security must migrate into the network. The challenge of course is where, when and how this will materialise. And of course who will control it. 

Security and the Internet of Things

Whether you like the term or not the so-called Internet of Things is generating a huge amount of interest, and a growing amount of security research, including great opportunities for forward-looking security practitioners. The label of course is simply a passing fashion. Just like EDI or Knowledge Management it's not likely to survive for more than a year or two, though the problem and solution spaces it occupies will continue to blossom for decades.

So what is it exactly? And what sort of security does it require? These are good questions that have yet to be answered adequately. I can imagine a future world in which billions of devices interact safely and securely. But this world is far from possible with today's technology. In fact today's initiatives are no more than very small beginnings: a handful of private machine-to-machine networks, a few attempts to standardise on communications protocols, and one or two initiatives to develop a public catalogue for sensor data.

All of this falls well short of the world imagined by the brilliant Neil Gershenfeld fifteen years ago in his visionary book "When things start to think". Radical change is very easy to imagine, but it's extremely hard to bring it about. There remain many tough problems yet to be solved to realize the Internet of Things. Ones that spring to my mind for example are the following. 

  • Where is the bullet-proof data ontology to enable reliable translation of critical data between systems? (I've heard a few whispers about vocabularies under development. That's nowhere near enough.)  
  • How can we develop access policies for interaction between devices when we're not quite sure where, when, how, or by whom the data will be exploited? Security technology is worthless without a requirements specification. 
  • Who will control the security and where will it sit? Will it be in devices? I think not. Will it be in the network? I think so. But who takes control? 
  • Who will be liable for serious incidents arising from accidental or deliberate misuse or manipulation of sensor information? Against a business landscape of increasing product liability this is no trivial question.  

We are clearly at a very early stage in developing the vision for the Internet of Things. Perhaps, just like the World-Wide-Web, it will begin as an anarchistic Wild West of experimental but dangerous, read-only applications. And maybe it will begin to flourish for business applications when we finally develop a security breakthrough equivalent to the acceptance of the SSL protocol.

One thing that is certain is that we will not achieve much progress without early casualties. So let us hope that there are pioneers brave enough to accept or ignore the risks.

Special skills for special security problems

I was pleased to read in the Sunday Telegraph that GCHQ values the security skills of dyslexic young people, employing over 100 dyslexic and dyspraxic neuro-diverse analysts. I fully support this idea. Unfortunately most professional development schemes fail to recognize these abilities, generally promoting dull management capabilities rather than sharp analysis skills.

Eventually this will change, though the transition will be slow. There are however a few catalysts. My book "Managing the Human Factor in Information Security" hinted at these skills but failed to lead a revolution. It was however one of the first security books to point out the importance of cognitive skills, such as problem solving, attention to detail, curiosity, pattern recognition, and systems thinking.

Vinod Patel, a father of two boys with autism, has been more successful. He advocates the use of graduates with high functioning Autism or Asperger's to look for patterns and anomalies in big data and use their excellent memory and procedural capabilities to remediate security threats. 

He has already developed a ready workforce of appropriately skilled practitioners, as well as a source of additional resources through the National Autistic Society, with the support of Professor Baron-Cohen of the Autism Research Centre at Cambridge. Vinod has found some success in persuading security companies to exploit their talents.  Just check out this remarkable video.

Isn't that a great security story? 

We need to speed up security

I'm finally back blogging after a delightful summer break. Surprisingly, not a lot has changed in the cyber security world. Big security breaches have been surprisingly thin on the ground. And most have resulted from predictable human failings or greed, rather than technical weaknesses. There have been few recent reports of dangerous APTs, except perhaps for an inevitable attack on Apple users, many of whom may have naively assumed they were immune from such threats.

Anyone that understands the motives of attackers and the vulnerability of our critical infrastructure will know that professional attacks have not gone away. They are just much harder to detect. There is clearly much more to come, especially given a steeply increasing terrorist threat.

I sense however that we are some years from a major disaster, though I expect it will occur well before we are able to implement effective countermeasures. That's because the most significant failing of the security community is in responding quickly to new threats. There are one or two exceptions of course, generally in areas where business sets stretch targets for security developers.

The mobile world is one such area. A few days ago I attended the excellent, annual exhibition at the Royal Holloway University Smart Card Centre. There were some first-class presentations, especially the talk by Dr. Klaus Vedder, a real expert in this field, who convinced me that mobile devices are the focus of the fastest-moving developments in cyber security. Product developers race to bring new technologies to market in record time. And they need to be sufficiently secure for the marketplace.

In sharp contrast the presentations on government cryptographic development reflected a legacy of lethargy, underpinned by outrageous demands from a bygone age. New products require a minimum, five-year time scale, and must be designed to be secure for 20 years and to protect data for 30 years. Such assumptions reflect an absence of business pressure for stretch targets.

Security processes are slow because nobody in business cares sufficiently to whip them into shape. Society should demand better than this to safeguard our critical intellectual assets.  

Meetings with remarkable security men

This week Doc Hugh Thompson of RSA fame was in London. We had an interesting and entertaining debate on current and future trends. Hugh is a consummate, multi-tasking professional: lecturer in Cyber Security at Columbia University; Chair of RSA Conference; and Chief Security Strategist at Blue Coat. He's also a larger-than-life character, with a keen interest in technology, human behaviour, and innovation.

Blue Coat products have a strong position in the market (80% of Fortune 500 they tell me) based on their easy-to-deploy security appliances which have the useful feature of providing visibility of encrypted SSL traffic. They have recently added additional features such as sandboxing and advanced analytics to combat APT threats, making them a good choice for an enterprise security gateway.

Not surprising we talked about encryption. Default encryption has been suggested as the best way to protect web users' privacy online, and it's on the increase as more and more organizations switch from http to https. Hugh tells me that around 25% of incoming business traffic is now encrypted. However, this trend presents a major problem for enterprises, as it also enables attackers to hide their communications. Security demands the ability to read traffic. Encryption creates as many problems as it solves. In my view it will not succeed. The future is more likely to be a hyper-connected world in which no information is secure.  

Information sharing is another hot issue we discussed. I take the view that it's simply not viable as legal, compliance, and political considerations discourage any release of sensitive information to third parties. Governments can't easily share secrets with international companies. And executive boards don't like security managers telling others about incidents. Countries with state-owned industries clearly have an advantage here, though such an infrastructure carries its own baggage.

Another topic was conference audiences. RSA Conference has seen a trend away from a technical security community towards a more business-oriented security community. My view is that security managers are going native. They need to stand up to, rather than succumb to, business managers. I've also noticed that compliance and audit functions are now setting more of the security agenda. Large financial organizations now have almost ten times more people policing them than securing them. At this rate ISACA conferences will overtake RSA conferences in size.

We both agreed that speed, imagination, and attention to the human factor are the keys to security in the future. CSOs need to escape the burden of compliance and be empowered to practice real security. Personally I don't believe this will happen until after an electronic Pearl Harbour incident.    

Unfortunately we ran out of time to discuss deeper issues. But we did agree to continue the discussion next time Hugh is in town. 

Ten answers to cyber security


My last posting was perhaps a bit too negative. I should correct that by setting out my own solutions to cyber security. Here are my ten answers.

  1. Invest more public money into imaginative new approaches to malware detection.
  2. Ditch standardized, tick-box, compliance processes. Give freedom to security managers to implement innovative solutions.
  3. Place more emphasis on technical solutions and less on bureaucratic governance processes, which have become excessively bloated.  
  4. Empower CISOs to overrule business objections on grounds of cost or delay.
  5. Massively speed up the implementation processes for security solutions, from years to days.
  6. Escape from the pervasive security "monoculture" of identical controls which makes it easy for attackers. Security by obscurity is no bad thing.
  7. Design security systems to counter projected future threats, not just today's.   
  8. Recognize Ross Ashby's Law and harness the scalability of technology and networks to leverage security.
  9. Expect users to make mistakes. Take account of this when designing systems. 
  10. Manage crises as opportunities to gain free publicity and drive through change. Smart companies can emerge stronger.     

Ten top experts and ten steps backwards


I was fascinated to see that the latest issue of Forbes magazine has a feature on cyber security. It sets out what must be fixed according to ten top experts. Have they got it right? 

The answer sadly is a resounding "no". But just how bad can that be? Unfortunately it's pretty dire. On this evidence the problem lies with the experts, not the practitioners. It's unfortunate because many executive boards don't listen to their security managers, but they do pay attention to media pundits.

So what did the top ten experts suggest? 

Not a lot that makes sense to real practitioners. Every one of them "muttered something about there being no silver bullets". In my view that's a negative attitude because we would all like to find a silver bullet and there's absolutely no reason why they should not exist. Such reasoning reflects a lack of imagination and a disdain for smart solutions. 

I expected more from Brian Krebs, an investigative journalist, who could only say that "it requires a mindset shift. I'd like to see more users place far less reliance on automated tools". Not good advice in my view. In a fast moving, dynamic environment, we need more technology and automation.

Scott Charney, a Microsoft VP, suggested that the answer was for "companies to be transparent about how they handle data" and "to have robust corporate programs to protect privacy". Such statements are likely to be regarded as meaningless waffle by most streetwise CISOs and auditors. And few businesses will genuinely embrace privacy because it restricts business exploitation of data.

Cisco's Chris Young suggests that the problem is increased by the so-called "Internet of Things" which demands a "threat-centric approach to security". Personally I thought we'd already been doing that for thirty years or more.   

Chad Sweet, a CEO of a security and risk advisory firm, suggested that we need "cyber audits" to give stakeholders confidence. To the experienced CISO, inundated with audits, this will be bad news.

Edith Ramirez, chairwoman of the FTC, thinks the answer is encryption. Perhaps she has yet to experience the downside of this magic bullet, which many of us have found to create as many problems as it solves.

Heather Adkins, a Google security manager, sees the problem as a technical one associated with 60s and 70s vintage systems. (Gosh. What was wrong with them?)  She thinks the answer is to reduce the attack surface, which is a great idea if you are actually in a position to do that. Unfortunately many business trends are going in the opposite direction.

Daniel Suarez, a sci-fi writer (Whoa!) suggests the answer is to scrap the Internet and build an Apollo-like, secure network for critical infrastructure. He's right but it's an impossible dream.  

Peter Singer, an author, thinks it's all about human incentives. The answer is to adopt a mantra of "keep calm and carry on". This is very pragmatic of course, but ultimately rather too defeatist.  

Christopher Soghoian, a technologist, suggests that the problem is politics and the need to have a forceful agency that makes everyone patch vulnerabilities. Dream on.

Joe Sullivan, CSO at Facebook, suggests the answer is to have a security infrastructure that keeps up with the billions of people coming online. That seems like good advice, so let's look to Facebook for a secure environment.    

Is this the best we can do? Of course not. Business and citizens deserve much better from vendors, institutions, and journalists. If our pundits cannot see the solutions we are doomed to wait many years before the real issues are recognised and the real solutions developed. 

Frameworks, Bloody Frameworks


Last night a friend sent me an email drawing attention to the UK Government's new cyber security scheme. This one is called "Cyber Essentials". So what's new? And what does it offer?

The answer is very little. It contains no new advice or controls. It's incomplete and insufficient. And it's not mandated by regulators. In fact it's nothing more than a restructuring of advice already covered by more important standards.

It's unfortunate that governments and institutes insist on publishing their own versions of standards at a time when many enterprises are forced to address specific ones. The most widely enforced standard at present is the Payment Card Industry Data Security Standard (PCI DSS). But this important standard is not even mentioned in the Cyber Essentials guide.

The unfortunate truth is that cyber security standards are a nightmare for enterprises of all sizes. Big companies are required to provide annual evidence of the existence of hundreds of control requirements. Small retailers are forced to employ expensive consultants to translate technical standards into action.

It's not advice we need, but consistency. In a world awash with standards, where tick-box compliance has replaced security, what matters is structure more than content. This perhaps explains why Cyber Essentials contains an appendix mapping the new standard onto several others. Unfortunately it doesn't cover the 220 controls in the PCI DSS, so it's no use to the millions of retailers out there.

There's no benefit in having all the right words, but not necessarily in the right order. Any framework is a means to an end, not an end in itself. If that end is to complete a questionnaire, then the questionnaire structure is the sequence you require. If it's to design a compliance workflow system, you need a framework structured around organisational responsibilities. If it's just for use as a reference document, you simply need a good index.

There are more than a dozen ways of structuring a security standard. I know because I experimented with all of them when drafting the original BSI Code of Practice back in 1993. You can do it around process, services, life cycles, technology, job function, subject areas, etc. Or you can simply pluck headings out of the air, as many standards do. 

The COBIT 5 standard is structured around organizational processes. The ITIL standard around IT services. ISO 27000 was originally structured around ten "natural subject areas" as might be encountered in enterprise security manuals. The ISF Standard of Good Practice is structured around six areas of IT Security responsibility, mapped onto several dozen individual topics. In contrast ISO management systems tend to follow a "Plan, Do, Check, Act" life cycle.

Other standards are more arbitrary. The PCI DSS follows an unusual structure of twelve broad control requirements grouped into six overall headings, which collectively define more than two hundred individual, prescriptive requirements. A further complication in navigating PCI DSS requirements is the fact that the standard is also enforced through a "Prioritized Approach" which sets out the controls in a completely different order, reflecting the urgency of their implementation.

Further security standards published by governments and specialist circles such as The Cloud Security Alliance have only added to the navigation challenge facing CISOs. The Cyber Essentials standard adds a tad more confusion by adopting a new structure of five subject areas pointing to "Ten Steps to Cyber Security". Will the madness ever end? 

The future of mobile? Bright but cloudy


Tuesday evening saw the London launch of IDATE's 2014 version of their DigiWorld Yearbook, an excellent guide to telecoms, Internet and media markets. It was a useful opportunity to catch up with emerging trends in the mobile world and the over-the-top services that are changing our lifestyles and challenging our security. So what did I learn?

IDATE (not the Internet dating agency) is a European think tank represented by around 50 major players in the digital economy, largely vendors, regulators, and, refreshingly, a few French banks. Interestingly for security professionals, the UK branch is chaired by Steve Durbin, who is also Managing Director of the Information Security Forum.

The Yearbook reveals that global digital markets have shown "growth in slow motion" (3.3%) though European revenues remain in decline, perhaps reflecting a weak economic climate and inefficiencies in a fragmented supply side. Emerging markets are well up of course and not held back by legacy infrastructure.

Delving further into the numbers we can see an overall growth of 20% in Internet services, with the strongest growth in social media sites, mobile apps and video services. The Cloud is also a star, with high growth and revenues (up 30%) and accounting for a quarter of online revenue.

Clearly customers in mature markets are getting picky and vendors being squeezed despite a strong appetite for bandwidth and mobile services. What are the issues for Europe?  Three things according to Anne Bouverot, Director General of the GSM Association. Firstly spectrum: there isn't enough and it takes a decade to transform. Secondly taxation: it's far too high and runs counter to digital inclusion. And thirdly consolidation: it's needed to extend services and reduce costs.  

How does an investment bank view such a business environment? Very positively according to Jeffrey Krogh, a tech-savvy BNP Paribas director. Slow growth means companies need to cooperate and take out cost, which sets the scene for convergence. He believes we're just at the beginning of a wave of radical consolidation.

What about 5G? What is it and when is it coming? The answer is that we don't yet know but it has to be different and much more than 4G. The UK Ministry of Culture is planning to launch a consultation paper in July.        

So much uncertainty, as well as so many red herrings. What about those clever Google ideas about balloons and drones? Not so smart on closer inspection, according to Anne Bouverot. Balloons get blown about in three dimensions, which is not good for service delivery. And the sight of a drone is likely to terrify citizens in many emerging countries.


About this Entry

This page contains a single entry by David Lacey published on April 24, 2016 12:21 PM.
