Predictions for 2014


It's the time of year when we reflect on our progress (or failures) over the last year and anticipate the challenges of the coming year. Last year I made half a dozen predictions for 2014. How well did I do? Let's examine them.

Escape from monoculture

A year ago I forecast that new security technologies would provide a greater choice of defensive options, making things less predictable for attackers. It hasn't quite happened yet, but there are some emerging alternatives that look promising.

A new generation of attacks

I also drew attention to the inevitable fact that the next generation of APT attacks would be richer, more sophisticated and stealthier. That's certainly happened, so much so that we can't detect the latest attacks, as illustrated by the recent discovery of a sophisticated APT attack (Regin) dating back six years.

A backlash against security standards

I also predicted a growing backlash against security standards, which have become increasingly ineffective. That's certainly been a major issue this year, commencing with the FIC 2014 January opening conference theme of "Is cyber security a failure?" Unfortunately there is no realistic alternative for regulators to the growing mass of bureaucratic standards.

Improving strategic crisis response

On an optimistic note I forecast that enterprises would develop improving crisis management capabilities, correcting a long-standing weakness. I've certainly seen signs of this with the growth in deployment of SIEM technologies and security operations centres (SOCs).  

Cyber skills gap grows

I also noted the growing shortage of high-end cyber skills, fuelled by the need to seek out a special kind of person for key monitoring and analysis tasks. Interestingly, there are now several proactive initiatives to employ or help find security work for dyslexic and autistic graduates. This approach will grow.

No change at NSA    

I forecast no major changes in the operations at NSA, following Snowden. And I've yet to see any indication of this. Large scale intelligence gathering is necessary to combat terrorism, and that threat is growing.   

Learning points

The events of 2014 demonstrated a number of inescapable truths. Fast-changing subject areas tend to be held back by their legacy. The consequence is that they fail. Evolution will not deliver solutions. Nothing short of a revolution will succeed. New technologies, new skills and a new realism are needed to transform the effectiveness of cyber security. 

One day wonders


Last week Dr Hugh Thompson of Blue Coat and RSA fame was in London. I was fortunate to find a slot with him to meet up and exchange ideas. I like Hugh because he's not like the regular, dull vendors or CSOs that churn out the accepted security mantra. And he understands the importance of the human and political factors in achieving effective security.

Hugh updated me on his latest Blue Coat research on "One day wonders" i.e. websites that exist for less than a day. It's an important landscape as a surprisingly high 71% of all web sites exist for 24 hours or less. More worrying is the disturbing fact that these sites attract hackers, villains and other bad people.

Of course most one-day wonders are legitimate and exist to deliver a better user experience. Many are organizations such as Google, Amazon and Yahoo with a substantial Internet presence. That's why they're popular. Unfortunately there's a darker side, as malware operators seek to generate large numbers of popular sub-domains built on a foundation of more evil domains. Sites are selected to support mass attacks on targeted victims, attacks that are highly scalable, difficult to track and easy to implement.

Hugh and I also had an imaginative debate on current trends, including the Internet of Things. We both agree that security cannot be contained within devices alone. Against a landscape of continuously fragmenting technology (into larger networks of smaller devices), rapidly changing platforms, and uncertain access policies, security must migrate into the network. The challenge of course is where, when and how this will materialise. And of course who will control it. 

Security and the Internet of Things


Whether you like the term or not the so-called Internet of Things is generating a huge amount of interest, and a growing amount of security research, including great opportunities for forward-looking security practitioners. The label of course is simply a passing fashion. Just like EDI or Knowledge Management it's not likely to survive for more than a year or two, though the problem and solution spaces it occupies will continue to blossom for decades.

So what is it exactly? And what sort of security does it require? These are good questions that have yet to be answered adequately. I can imagine a future world in which billions of devices interact safely and securely. But this world is far from possible with today's technology. In fact today's initiatives are no more than very small beginnings: a handful of private machine-to-machine networks, a few attempts to standardise on communications protocols, and one or two initiatives to develop a public catalogue for sensor data.

All of this falls well short of the world imagined by the brilliant Neil Gershenfeld fifteen years ago in his visionary book "When things start to think". Radical change is very easy to imagine, but it's extremely hard to bring it about. There remain many tough problems yet to be solved to realize the Internet of Things. Ones that spring to my mind for example are the following. 

  • Where is the bullet-proof data ontology to enable reliable translation of critical data between systems? (I've heard a few whispers about vocabularies under development. That's nowhere near enough.)  
  • How can we develop access policies for interaction between devices when we're not quite sure where, when, how, or by whom the data will be exploited? Security technology is worthless without a requirements specification. 
  • Who will control the security and where will it sit? Will it be in devices? I think not. Will it be in the network? I think so. But who takes control? 
  • Who will be liable for serious incidents arising from accidental or deliberate misuse or manipulation of sensor information? Against a business landscape of increasing product liability this is no trivial question.  

We are clearly at a very early stage in developing the vision for the Internet of Things. Perhaps, just like the World-Wide-Web, it will begin as an anarchistic Wild West of experimental but dangerous, read-only applications. And maybe it will begin to flourish for business applications when we finally develop a security breakthrough equivalent to the acceptance of the SSL protocol.

One thing that is certain is that we will not achieve much progress without early casualties. So let us hope that there are pioneers brave enough to accept or ignore the risks.

Special skills for special security problems


I was pleased to read in the Sunday Telegraph that GCHQ values the security skills of dyslexic young people, employing over 100 dyslexic and dyspraxic neuro-diverse analysts. I fully support this idea. Unfortunately most professional development schemes fail to recognize these abilities, generally promoting dull management capabilities rather than sharp analysis skills.

Eventually this will change, though the transition will be slow. There are however a few catalysts. My book "Managing the Human Factor in Information Security" hinted at these skills but failed to lead a revolution. It was however one of the first security books to point out the importance of cognitive skills, such as problem solving, attention to detail, curiosity, pattern recognition, and systems thinking.

Vinod Patel, a father of two boys with autism, has been more successful. He advocates the use of graduates with high functioning Autism or Asperger's to look for patterns and anomalies in big data and use their excellent memory and procedural capabilities to remediate security threats. 

He has already developed a ready workforce of appropriately skilled practitioners, as well as a source of additional resources through the National Autistic Society, with the support of Professor Baron-Cohen of the Autism Research Centre at Cambridge. Vinod has found some success in persuading security companies to exploit their talents.  Just check out this remarkable video.

Isn't that a great security story? 

We need to speed up security


I'm finally back blogging after a delightful summer break. Surprisingly, not a lot has changed in the cyber security world. Big security breaches have been surprisingly thin on the ground. And most have resulted from predictable human failings or greed, rather than technical weaknesses. There have been few recent reports of dangerous APTs, except perhaps for an inevitable attack on Apple users, many of whom may have naively assumed they were immune from such threats.

Anyone that understands the motives of attackers and the vulnerability of our critical infrastructure will know that professional attacks have not gone away. They are just much harder to detect. There is clearly much more to come, especially given a steeply increasing terrorist threat.

I sense however that we are some years from a major disaster, though I expect it will occur well before we are able to implement effective countermeasures. That's because the most significant failing of the security community is in responding quickly to new threats. There are one or two exceptions of course, generally in areas where business sets stretch targets for security developers.

The mobile world is one such area. A few days ago I attended the excellent, annual exhibition at the Royal Holloway University Smart Card Centre. There were some first-class presentations, especially the talk by Dr. Klaus Vedder, a real expert in this field, who convinced me that mobile devices are the focus of the fastest-moving developments in cyber security. Product developers race to bring new technologies to market in record time. And they need to be sufficiently secure for the marketplace.

In sharp contrast the presentations on government cryptographic development reflected a legacy of lethargy, underpinned by outrageous demands from a bygone age. New products require a minimum five-year time scale, and must be designed to be secure for 20 years and to protect data for 30 years. Such assumptions reflect an absence of business pressure for stretch targets.

Security processes are slow because nobody in business cares sufficiently to whip them into shape. Society should demand better than this to safeguard our critical intellectual assets.  

Meetings with remarkable security men


This week Doc Hugh Thompson of RSA fame was in London. We had an interesting and entertaining debate on current and future trends. Hugh is a consummate, multi-tasking professional: lecturer in Cyber Security at Columbia University; Chair of RSA Conference; and Chief Security Strategist at Blue Coat. He's also a larger-than-life character, with a keen interest in technology, human behaviour, and innovation.

Blue Coat products have a strong position in the market (80% of Fortune 500 they tell me) based on their easy-to-deploy security appliances which have the useful feature of providing visibility of encrypted SSL traffic. They have recently added additional features such as sandboxing and advanced analytics to combat APT threats, making them a good choice for an enterprise security gateway.

Not surprisingly we talked about encryption. Default encryption has been suggested as the best way to protect web users' privacy online, and it's on the increase as more and more organizations switch from http to https. Hugh tells me that around 25% of incoming business traffic is now encrypted. However, this trend presents a major problem for enterprises, as it also enables attackers to hide their communications. Security demands the ability to read traffic. Encryption creates as many problems as it solves. In my view it will not succeed. The future is more likely to be a hyper-connected world in which no information is secure.

Information sharing is another hot issue we discussed. I take the view that it's simply not viable as legal, compliance, and political considerations discourage any release of sensitive information to third parties. Governments can't easily share secrets with international companies. And executive boards don't like security managers telling others about incidents. Countries with state-owned industries clearly have an advantage here, though such an infrastructure carries its own baggage.

Another topic was conference audiences. RSA Conference has seen a trend away from a technical security community towards a more business oriented security community. My view is that security managers are going native. They need to stand up to, rather than succumb to, business managers. I've also noticed that compliance and audit functions are now setting more of the security agenda. Large financial organizations now have almost ten times more people policing them than securing them. At this rate ISACA conferences will overtake RSA conferences in size.

We both agreed that speed, imagination, and attention to the human factor are the keys to security in the future. CSOs need to escape the burden of compliance and be empowered to practice real security. Personally I don't believe this will happen until after an electronic Pearl Harbour incident.    

Unfortunately we ran out of time to discuss deeper issues. But we did agree to continue the discussion next time Hugh is in town. 

Ten answers to cyber security


My last posting was perhaps a bit too negative. I should correct that by setting out my own solutions to cyber security. Here are my ten answers.

  1. Invest more public money into imaginative new approaches to malware detection.
  2. Ditch standardized, tick-box, compliance processes. Give freedom to security managers to implement innovative solutions.
  3. Place more emphasis on technical solutions and less on bureaucratic governance processes, which have become excessively bloated.  
  4. Empower CISOs to overrule business objections on grounds of cost or delay.
  5. Massively speed up the implementation processes for security solutions, from years to days.
  6. Escape from the pervasive security "monoculture" of identical controls which makes it easy for attackers. Security by obscurity is no bad thing.
  7. Design security systems to counter projected future threats, not just today's.   
  8. Recognize Ross Ashby's Law and harness the scalability of technology and networks to leverage security.
  9. Expect users to make mistakes. Take account of this when designing systems. 
  10. Manage crises as opportunities to gain free publicity and drive through change. Smart companies can emerge stronger.     

Ten top experts and ten steps backwards


I was fascinated to see that the latest issue of Forbes magazine has a feature on cyber security. It sets out what must be fixed according to ten top experts. Have they got it right? 

The answer sadly is a resounding "no". But just how bad can that be? Unfortunately it's pretty dire. On this evidence the problem lies with the experts, not the practitioners. It's unfortunate because many executive boards don't listen to their security managers, but they do pay attention to media pundits.

So what did the top ten experts suggest? 

Not a lot that makes sense to real practitioners. Every one of them "muttered something about there being no silver bullets". In my view that's a negative attitude because we would all like to find a silver bullet and there's absolutely no reason why they should not exist. Such reasoning reflects a lack of imagination and a disdain for smart solutions. 

I expected more from Brian Krebs, an investigative journalist, who could only say that "it requires a mindset shift. I'd like to see more users place far less reliance on automated tools". Not good advice in my view. In a fast moving, dynamic environment, we need more technology and automation.

Scott Charney, a Microsoft VP, suggested that the answer was for "companies to be transparent about how they handle data" and "to have robust corporate programs to protect privacy". Such statements are likely to be regarded as meaningless waffle by most streetwise CISOs and auditors. And few businesses will genuinely embrace privacy because it restricts business exploitation of data.

Cisco's Chris Young suggests that the problem is increased by the so-called "Internet of Things" which demands a "threat-centric approach to security". Personally I thought we'd already been doing that for thirty years or more.   

Chad Sweet, a CEO of a security and risk advisory firm, suggested that we need "cyber audits" to give stakeholders confidence. To the experienced CISO, inundated with audits, this will be bad news.

Edith Ramirez, a chairwoman at the FTC, thinks the answer is encryption. Perhaps she has yet to experience the down side of this magic bullet, which many of us have found to create as many problems as it solves.

Heather Adkins, a Google security manager, sees the problem as a technical one associated with 60s and 70s vintage systems. (Gosh. What was wrong with them?)  She thinks the answer is to reduce the attack surface, which is a great idea if you are actually in a position to do that. Unfortunately many business trends are going in the opposite direction.

Daniel Suarez, a sci-fi writer (Whoa!) suggests the answer is to scrap the Internet and build an Apollo-like, secure network for critical infrastructure. He's right but it's an impossible dream.  

Peter Singer, an author, thinks it's all about human incentives. The answer is to adopt a mantra of "keep calm and carry on". This is very pragmatic of course, but ultimately rather too defeatist.  

Christopher Soghoian, a technologist, suggests that the problem is politics and the need to have a forceful agency that makes everyone patch vulnerabilities. Dream on.

Joe Sullivan, CSO at Facebook, suggests the answer is to have a security infrastructure that keeps up with the billions of people coming online. That seems like good advice, so let's look to Facebook for a secure environment.    

Is this the best we can do? Of course not. Business and citizens deserve much better from vendors, institutions, and journalists. If our pundits cannot see the solutions we are doomed to wait many years before the real issues are recognised and the real solutions developed. 

Frameworks, Bloody Frameworks


Last night a friend sent me an email drawing attention to the UK Government's new cyber security scheme. This one is called "Cyber Essentials". So what's new? And what does it offer?

The answer is very little. It contains no new advice or controls. It's incomplete and insufficient. And it's not mandated by regulators. In fact it's nothing more than a restructuring of advice already covered by more important standards.

It's unfortunate that governments and institutes insist on publishing their own versions of standards at a time when many enterprises are forced to address specific ones. The most widely enforced standard at present is the Payment Card Industry Data Security Standard (PCI DSS). But this important standard is not even mentioned in the Cyber Essentials guide.

The unfortunate truth is that cyber security standards are a nightmare for enterprises of all sizes. Big companies are required to provide annual evidence of the existence of hundreds of control requirements. Small retailers are forced to employ expensive consultants to translate technical standards into action.

It's not advice we need, but consistency. In a world awash with standards, where tick-box compliance has replaced security, what matters is structure more than content. This perhaps explains why Cyber Essentials contains an appendix mapping the new standard onto several others. Unfortunately it doesn't cover the 220 controls in the PCI DSS so it's no use to the millions of retailers out there.

There's no benefit in having all the right words, but not necessarily in the right order. Any framework is a means to an end, not an end in itself. If that end is to complete a questionnaire, then the questionnaire structure is the sequence you require. If it's to design a compliance workflow system, you need a framework structured around organisation responsibilities. If it's just for use as a reference document, you simply need a good index.

There are more than a dozen ways of structuring a security standard. I know because I experimented with all of them when drafting the original BSI Code of Practice back in 1993. You can do it around process, services, life cycles, technology, job function, subject areas, etc. Or you can simply pluck headings out of the air, as many standards do. 

The COBIT 5 standard is structured around organizational processes. The ITIL standard around IT services. ISO 27000 was originally structured around ten "natural subject areas" as might be encountered in enterprise security manuals. The ISF Standard of Good Practice is structured around six areas of IT Security responsibility, mapped onto several dozen individual topics. In contrast ISO management systems tend to follow a "Plan, Do, Check, Act" life cycle.

Other standards are more arbitrary. The PCI DSS follows an unusual structure of twelve broad control requirements grouped into six overall headings, which collectively define more than two hundred individual, prescriptive requirements. A further complication in navigating PCI DSS requirements is the fact that the standard is also enforced through a "Prioritized Approach" which sets out the controls in a completely different order, reflecting the urgency of their implementation.

Further security standards published by governments and specialist circles such as The Cloud Security Alliance have only added to the navigation challenge facing CISOs. The Cyber Essentials standard adds a tad more confusion by adopting a new structure of five subject areas pointing to "Ten Steps to Cyber Security". Will the madness ever end? 

The future of mobile? Bright but cloudy


Tuesday evening saw the London launch of IDATE's 2014 version of their DigiWorld Yearbook, an excellent guide to telecoms, Internet and media markets. It was a useful opportunity to catch up with emerging trends in the mobile world and the over-the-top services that are changing our lifestyles and challenging our security. So what did I learn?

IDATE (not the Internet dating agency) is a European think tank represented by around 50 major players in the digital economy, largely vendors, regulators, and, refreshingly, a few French banks. Interestingly for security professionals, the UK branch is chaired by Steve Durbin who is also Managing Director of the Information Security Forum.

The Yearbook reveals that global digital markets have shown "growth in slow motion" (3.3%) though European revenues remain in decline, perhaps reflecting a weak economic climate and inefficiencies in a fragmented supply side. Emerging markets are well up of course and not held back by legacy infrastructure.

Delving further into the numbers we can see an overall growth of 20% in Internet services, with the strongest growth in social media sites, mobile apps and video services. The Cloud is also a star, with high growth and revenues (up 30%) and accounting for a quarter of online revenue.

Clearly customers in mature markets are getting picky and vendors being squeezed despite a strong appetite for bandwidth and mobile services. What are the issues for Europe?  Three things according to Anne Bouverot, Director General of the GSM Association. Firstly spectrum: there isn't enough and it takes a decade to transform. Secondly taxation: it's far too high and runs counter to digital inclusion. And thirdly consolidation: it's needed to extend services and reduce costs.  

How does an investment bank view such a business environment? Very positively according to Jeffrey Krogh, a tech-savvy BNP Paribas director. Slow growth means companies need to cooperate and take out cost, which sets the scene for convergence. He believes we're just at the beginning of a wave of radical consolidation.

What about 5G? What is it and when is it coming? The answer is that we don't yet know but it has to be different and much more than 4G. The UK Ministry of Culture is planning to launch a consultation paper in July.        

So much uncertainty, as well as so many red herrings. What about those clever Google ideas about balloons and drones? Not so smart on closer inspection according to Anne Bouverot. Balloons get blown about in three dimensions which is not good for service delivery. And the sight of a drone is likely to terrify citizens in many emerging countries.

No progress on the conference front


It's remarkable that in the face of the most sophisticated espionage threats, the most capable cyber-criminals, and the most severe compliance requirements ever experienced, the cyber security community cannot muster a single, new idea.   

Certainly the conference circuit has lost the plot. It cannot even dream up an innovative slogan. The theme at this year's RSA Conference was sharing and learning. Compelling stuff! The theme of Infosecurity Europe was business enablement. Old ideas that fail to deliver in practice.

Walking through Infosecurity Europe was a dull experience: no buzz, lacklustre sessions, no new ideas, and no gee whizz technologies. The only visible change this year was the size of the stands which looked to be a metre higher.

Real security is dead. Speeches, products, training and university courses are building on a failed legacy of ISO standards, risk assessment and compliance. We need to kill this monoculture and replace tick-box security with creative problem solving. More importantly we need to persuade executive boards to trust and empower CISOs to take hard decisions, rather than pretending they are there to enable business operations.

But we are a long way from achieving these aspirations because they are not recognised or supported by the cyber security community.


Testing can be fun

It's interesting how many people are attracted to penetration testing, thinking it's more interesting and fun than conventional product testing. They're wrong. Scanning platforms for vulnerabilities is dull and boring. In contrast, smashing up physical products is fun, challenging and satisfying. Check out BSI's Kitemark testing lab which tests everything from fire extinguishers to condoms. Now that's what I call testing.

The Electronic Pearl Harbour gets a step closer


As I expected we keep finding more and more security vulnerabilities in devices that shouldn't have them: essential control systems that govern the safety of critical infrastructure. The latest batch have been found by my IOActive colleagues in satellite communication (SATCOM) systems.

IOActive analyzed and reverse-engineered publicly-available firmware updates for technologies manufactured by Harris, Hughes, Cobham, Thuraya, JRC, and Iridium. They discovered multiple, high risk vulnerabilities in all SATCOM device firmware studied by IOActive. These vulnerabilities might enable a malicious hacker to intercept, manipulate, block, and in some cases take control of the physical device. The vulnerabilities included hardcoded credentials, undocumented protocols, insecure protocols, and backdoors.

As I've suggested before, we might find that Die Hard 4 was rather understated. 


Security: From Theoretical Business Enabler to Essential Overhead


Dropped through my door last week was the flyer advertising Infosecurity Europe 2014. The theme is "Security as a business enabler - are you fit for 2014?"

It is an unfortunate choice of words, reflecting a profession that is hopelessly out of touch with reality. There is nothing remotely new about this idea. Thirty years ago we regarded security as a business enabler in defence and intelligence circles. But this is not the case in a modern business environment where enterprises do not invest in unproven leaps of faith. Security as a business enabler is no more than wishful thinking. The slogan reflects an immature business perspective, quite the opposite of the impression sought.

There is nothing wrong with Infosecurity's marketing. They will have consulted the usual suspects, our long-standing professionals and pundits. The flaw lies with the community which promotes this nonsense. Business enablement might be a great line to sell to executive boards. It sounds very impressive. But it is no more than an illusion. The reality is that compliance, not business, drives security.

Compliance is a powerful driver but it is hopelessly inefficient. Without it however there would be no proactive security functions. Instead security programmes would swing wildly from under-manning to over-investment, driven primarily by major incidents.   

In the absence of incidents no sensible business manager would invest in security. It costs money; it slows down development processes; it restricts sharing and exploitation of customer data; and it reduces system agility. Security cannot guarantee a solid return on investment. The business case for it has to rely on the fact that it is an essential, inescapable business requirement. Get it wrong and you might end up in jail.

Unfortunately security has become a growing overhead. Many large enterprises now have more than 300 security staff and there may be many more times this number policing compliance. We need to manage the solution space more quickly and efficiently. But we are prevented from doing so by so-called best practices demanding increasingly detailed analysis of the problem space through risk assessments, gap analyses, form-filling and audits.    

Compliance has hijacked the security agenda and, left unchecked, its demands will continue to grow. It is not logical to expect that any business with a proliferating security overhead would wish to experiment with theoretical visions of business enablement. Instead security needs to get real and grow up. 


Compliance is not security but has its place


Several weeks ago an Australian friend of mine sent me a delightful note pointing out how recent events and media reporting had confirmed some controversial points I had made last year in the Australian press.

There is now growing evidence that compliance does not guarantee security, though the reverse can sometimes be true. For many years I have been lecturing on the difference between real security and compliance. Most security professionals instinctively get it. But the distinction is not addressed adequately in training courses or acknowledged by institutes, so the practice remains riddled with misconceptions about the roles and effectiveness of security and compliance.

The reason we have compliance is because people do not willingly spend time or money on security. Business has no appetite for spending money to dodge risks that have yet to materialise. And there is no guaranteed return on investment for security. It's a leap of faith, the type of thing that finance managers hate. Without compliance there would be little or no security in today's more demanding commercial environment.

But a compliance programme cannot make an enterprise secure. On the one hand it is designed to improve matters, so one could argue it is better than nothing. On the other hand it can be counter-productive, as it diverts scarce resources from addressing more immediate, specific risks. (This is a debate I regularly have with Professor Fred Piper.) In the absence of a major incident, however, nothing would get done without compliance. So we need it, and we would demand it if it were not there.

Compliance can make a difference but it's painfully slow and expensive. The PCI DSS standard comes in for lots of stick. But without it, the level of payment card fraud would be higher. It might not be perfect or efficient but it motivates a lot of security improvement in an area that has traditionally been dangerously open to compromise.

It would be nice to think that good security would guarantee compliance. Unfortunately that's not correct either. Regulators and auditors require a large number of small boxes to be ticked and an unreasonable amount of processes, paperwork and evidence to support security claims. Smart, slick operators do not survive audits. Compliance rewards bureaucratic security managers.  

If you take a look in any leading financial enterprise today you are likely to find hundreds of security professionals being driven by thousands of auditors of varying kinds. Twenty years ago these functions were a tiny fraction of their size today. Yet security has not visibly improved. Ninety percent of the work is focused on developing content-free processes, counting assets, assessing risks, writing policies that go unread, measuring last year's performance or generating evidence that a control is in place. Very little work is focused on implementing real countermeasures.   

Efficient and effective security will only follow from three things. Firstly, a great big incident or liability that scares directors into spending money on countermeasures that actually work. Secondly, an understanding by the security profession of the root causes of incidents and the approaches needed to eliminate them. And thirdly, the recognition that large-scale culture change is possible if top management is sufficiently motivated.

Some supporting evidence for these claims can be found in the history of industrial safety. In the early part of the last century many production methods were unacceptably dangerous, especially in the United States. It took many decades to drive through change, but by the end of the century safety was transformed and embedded across manufacturing industries. Some of this was driven by compliance but the largest cultural changes were directed by executive boards and shaped by an understanding of the root causes of incidents, the nature of an effective safety culture, and a genuine recognition that safety is everybody's responsibility. In the security profession we are a long, long way from achieving that goal.

Research does not guarantee innovation


Earlier this week I attended the excellent Stevenson Science lecture at Royal Holloway University on "The Birth of Machine Cryptanalysis at Bletchley Park" given by Dr Joel Greenberg of the Bletchley Park Trust. When listening to any account of wartime code breaking one cannot fail to be impressed by the astounding level of innovation demonstrated by the early cryptographers. Such creativity is rarely encountered in today's commercial environment which stamps out mavericks and encourages tick-box conformance, short-term action and widespread copying of other people's practices.

The lecture was followed by a private dinner at which the Dean announced the University's plans for a new Innovation Centre. There has been a slight hitch over accommodation. (I'm told the earmarked site was sold to house builders.) But the concept must be applauded. Innovation is essential to help us escape from the damaging culture of conformance and compliance that has poisoned our cyber security efforts. And funding of fresh thinking is the key to finding the silver bullets to kill advanced persistent threats.

Unfortunately it is more likely to be more of the same rather than anything new: one step forward and another back. The step forward is the creation of a bigger research effort and an incubator for new developments. That is certainly welcome, though it might not necessarily create any new funding. The step back is that the research will still be under the direction of the usual suspects, i.e. the government and industry sponsors, supported by an advisory board of establishment figures. So don't expect to see anything that is left-field, long term or high risk.

The problem is that government research bodies don't like to fund anything that looks remotely like a product: the closer you get to anything practical the quicker the funding tails off. In contrast vendors and venture capitalists tend not to fund anything that takes more than 18 months to develop. They are only interested in money or new features for their products. That's why we have so few innovative security technologies. New approaches tend to disappear down the gap between blue sky research and product development.

Fifteen years ago I sponsored the development of a model of the human immune system for fraud detection. It worked but needed further development. The concept died when the funding ran out. A similar fate killed another promising research project to detect human behaviour of security interest in digital networks. No less than a decade of funding is required to take a new technology from the drawing board to the market place. In the case of cryptography it can be even longer, as new approaches take many years to be accepted and implemented.   

Groundbreaking ideas rarely result from themed research. Creativity requires a high level of freedom coupled with a clear focus on a challenging problem - the more impossible-sounding the better. NASA research works because it focuses relentlessly on solving problems. MIT Media Lab works because it recruits students with creative ideas and gives them freedom to choose and direct their own work. MIT Media Lab researchers can develop a magic trick, design a new musical instrument or tackle a seemingly-unsolvable problem. Sponsors can visit and discuss their business requirements with researchers but they have to "charm" the researchers into cooperating. Promising projects will run for many years. That's how to encourage and enable real innovation. Anything less is merely jobs for the research boys.  


Yet another contents list


For the past decade the real enemy of security practitioners has not been the hackers and malware that threaten our systems but the numerous best practices, compliance demands and audit actions that take up all of the time and resources of the security function.

Security standards and frameworks add to the burden of security managers by insisting that evidence of governance, assessments and controls are presented according to a structure laid down by standards authorities, many of whom might have little sharp-end experience.

And so we have the latest distraction: a "Framework for Improving Critical Infrastructure Cybersecurity" published by the National Institute of Standards and Technology, which appears to contain not a single new control, technique or technology, but one that merely restructures existing controls and guidance according to a new contents list.

Anyone who truly understands the rare art of designing models and architecture will appreciate that the top levels of any model are shaped purely for political or cosmetic purposes. They add little real value to the purpose or content of the guidance.

And of course there is an unlimited number of ways of structuring a set of controls. It can be done by lifecycle, process, technology, organisation, etc. Ideally the structure should be based on the purpose of the framework, as it is primarily a means to an end, not an end in itself. Unfortunately this rarely happens.  

The original set of baseline controls designed by Donn Parker in the 1980s contained several different contents lists, reflecting different needs. When drafting the original BS7799 we decided to have a single structure. Having presented over a dozen different structures to the BS7799 team, we all agreed unanimously to base it on "natural subject areas", i.e. the structure most of us had already adopted for our own security manuals.

There is nothing wrong, of course, in experimenting with new structures. But these should only be accepted when there is clear added value. Otherwise it is a case, as Eric Morecambe might say, of using all the right words but not necessarily in the right order.


Let's get real about cyber security

This week I was speaking at FIC 2014, a leading French international conference attended by 3,000 people, including ministers, privacy experts and leading CSOs.

It was refreshing, prompted by a valiant theme of "Has cyber security failed?". The speakers were reasonably balanced and the audience was informed. Two thirds of them voted that it had.

It's a major admission of the need for change by governments and regulators. We need radical change and innovation. France has kicked off a debate. Let's hope that all countries pay attention. The consequences are too important to ignore.    

Farewell Sir Christopher Chataway

Sir Christopher Chataway, who died today, was a great athlete and a famous sports commentator. Not many security professionals will recognise the valuable contribution he made to cyber security as Chairman of the Bletchley Park (BP) Trust, at a difficult time when it was struggling to achieve recognition and funding.
BP would never have survived in its present form without the stellar efforts of all those on the BP Trust who helped transform it from a mothballed relic to an information age attraction. 
Well done Christopher and all those who supported the Trust. 

The world in 2018 (or not)


Now I'm not saying that I get everything right about the future. But I can certainly spot the excesses of other futurists. The latest example is IBM's predictions for the next five years.

The most important thing about forecasts is to understand the human, societal and legal blockers, as well as the limited ability of technology and developers to deliver on promises. Against this background, IBM's suggestions seem rather naive, especially on a five year timeline.

The classroom will learn you

Not only is it bad English but it seems rather sinister to suggest that technology should assess children's potential and be relied on to identify dyslexia instantly.

Buying local will beat online

I couldn't think of anything more likely to send me quickly to the exit than the prospect of a salesperson intercepting me in the aisle where the products I'm interested in are located.

Doctors will use your DNA to keep you well

The prospect of doctors determining my medication based exclusively on DNA readings fills me with concern. I prefer a human diagnosis based on a richer set of symptoms and experience.

A digital guardian will protect you online

The idea that a digital guardian learns about a user and authenticates transactions is a sound one in theory but will citizens be comfortable with a third party system that continuously shadows their behaviour? I think not.

The city will help you live in it

The prospect of large scale urban sprawl is bad enough but the idea that decisions on urban services are directed by crowdsourcing is enough to make central planning a desirable option.  

As a Daily Telegraph letter writer might put it "Am I alone in thinking this?"    

About this Entry

This page contains a single entry by David Lacey published on December 18, 2014 1:23 PM.
