The Electronic Pearl Harbour gets a step closer


As I expected we keep finding more and more security vulnerabilities in devices that shouldn't have them: essential control systems that govern the safety of critical infrastructure. The latest batch have been found by my IOActive colleagues in satellite communication (SATCOM) systems.

IOActive analyzed and reverse-engineered publicly-available firmware updates for technologies manufactured by Harris, Hughes, Cobham, Thuraya, JRC, and Iridium. They discovered multiple, high risk vulnerabilities in all SATCOM device firmware studied by IOActive. These vulnerabilities might enable a malicious hacker to intercept, manipulate, block, and in some cases take control of the physical device. The vulnerabilities included hardcoded credentials, undocumented protocols, insecure protocols, and backdoors.

As I've suggested before, we might find that Die Hard 4 was rather understated. 


Security: From Theoretical Business Enabler to Essential Overhead


Dropped through my door last week was the flyer advertising Infosecurity Europe 2014. The theme is "Security as a business enabler - are you fit for 2014?"

It is an unfortunate choice of words, reflecting a profession that is hopelessly out of touch with reality. There is nothing remotely new about this idea. Thirty years ago we regarded security as a business enabler in defence and intelligence circles. But this is not the case in a modern business environment where enterprises do not invest in unproven leaps of faith. Security as a business enabler is no more than wishful thinking. The slogan reflects an immature business perspective, quite the opposite of the impression sought.

There is nothing wrong with Infosecurity's marketing. They will have consulted the usual suspects, our long-standing professionals and pundits. The flaw lies with the community which promotes this nonsense. Business enablement might be a great line to sell to executive boards. It sounds very impressive. But it is no more than an illusion. The reality is that compliance, not business, drives security.

Compliance is a powerful driver but it is hopelessly inefficient. Without it however there would be no proactive security functions. Instead security programmes would swing wildly from under-manning to over-investment, driven primarily by major incidents.   

In the absence of incidents no sensible business manager would invest in security. It costs money; it slows down development processes; it restricts sharing and exploitation of customer data; and it reduces system agility. Security cannot guarantee a solid return on investment. The business case for it has to rely on the fact that it is an essential, inescapable business requirement. Get it wrong and you might end up in jail.

Unfortunately security has become a growing overhead. Many large enterprises now have more than 300 security staff and there may be many more times this number policing compliance. We need to manage the solution space more quickly and efficiently. But we are prevented from doing so by so-called best practices demanding increasingly detailed analysis of the problem space through risk assessments, gap analyses, form-filling and audits.    

Compliance has hijacked the security agenda and, left unchecked, its demands will continue to grow. It is not logical to expect that any business with a proliferating security overhead would wish to experiment with theoretical visions of business enablement. Instead security needs to get real and grow up. 


Compliance is not security but has its place


Several weeks ago an Australian friend of mine sent me a delightful note pointing out how recent events and media reporting had confirmed some controversial points I had made last year in the Australian press.

There is now growing evidence that compliance does not guarantee security, though the reverse can sometimes be true. For many years I have been lecturing on the difference between real security and compliance. Most security professionals instinctively get it. But the distinction is not addressed adequately in training courses or acknowledged by institutes, so the practice remains riddled with misconceptions about the roles and effectiveness of security and compliance.

The reason we have compliance is because people do not willingly spend time or money on security. Business has no appetite for spending money to dodge risks that have yet to materialise. And there is no guaranteed return on investment for security. It's a leap of faith, the type of thing that finance managers hate. Without compliance there would be little or no security in today's more demanding commercial environment.

But a compliance programme cannot make an enterprise secure. On the one hand it's designed to improve matters, so one could argue it's better than nothing. On the other hand it can be counter-productive, as it diverts scarce resources from addressing more immediate, specific risks. (This is a debate I regularly have with Professor Fred Piper.) In the absence of a major incident, however, without compliance nothing would get done. So we need it, and we would demand it if it was not there.

Compliance can make a difference but it's painfully slow and expensive. The PCI DSS standard comes in for lots of stick. But without it, the level of payment card fraud would be higher. It might not be perfect or efficient but it motivates a lot of security improvement in an area that has traditionally been dangerously open to compromise.

It would be nice to think that good security would guarantee compliance. Unfortunately that's not correct either. Regulators and auditors require a large number of small boxes to be ticked and an unreasonable amount of processes, paperwork and evidence to support security claims. Smart, slick operators do not survive audits. Compliance rewards bureaucratic security managers.  

If you take a look in any leading financial enterprise today you are likely to find hundreds of security professionals being driven by thousands of auditors of varying kinds. Twenty years ago these functions were a tiny fraction of their size today. Yet security has not visibly improved. Ninety percent of the work is focused on developing content-free processes, counting assets, assessing risks, writing policies that go unread, measuring last year's performance or generating evidence that a control is in place. Very little work is focused on implementing real countermeasures.   

Efficient and effective security will only happen following three things. Firstly, a great big incident or liability that scares directors into spending money on countermeasures that actually work. Secondly, an understanding by the security profession of the root causes of incidents and the approaches needed to eliminate them. And thirdly, the recognition that large-scale culture changes are possible if top management is sufficiently motivated.

Some supporting evidence for these claims can be found in the history of industrial safety. In the early part of the last century many production methods were unacceptably dangerous, especially in the United States. It took many decades to drive through change, but by the end of the century safety was transformed and embedded across manufacturing industries. Some of this was driven by compliance but the largest cultural changes were directed by executive boards and shaped by an understanding of the root causes of incidents, the nature of an effective safety culture, and a genuine recognition that safety is everybody's responsibility. In the security profession we are a long, long way from achieving that goal.


Research does not guarantee innovation


Earlier this week I attended the excellent Stevenson Science lecture at Royal Holloway University on "The Birth of Machine Cryptanalysis at Bletchley Park" given by Dr Joel Greenberg of the Bletchley Park Trust. When listening to any account of wartime code breaking one cannot fail to be impressed by the astounding level of innovation demonstrated by the early cryptographers. Such creativity is rarely encountered in today's commercial environment which stamps out mavericks and encourages tick-box conformance, short-term action and widespread copying of other people's practices.

The lecture was followed by a private dinner at which the Dean announced the University's plans for a new Innovation Centre. There's been a slight hitch in accommodation. (I'm told the earmarked site was sold to house builders.) But the concept must be applauded. Innovation is essential to help us escape from the damaging culture of conformance and compliance that has poisoned our cyber security efforts. And funding of fresh thinking is the key to finding the silver bullets to kill advanced persistent threats.  

Unfortunately it's more likely to be more of same rather than anything new: one step forward and another back. The step forward is the creation of a bigger research effort and an incubator for new developments. That is certainly welcome though it might not necessarily create any new funding. The step back is that the research will still be under the direction of the usual suspects, i.e. the government and industry sponsors, supported by an advisory board of establishment figures. So don't expect to see anything that is left-field, long term or high risk.

The problem is that government research bodies don't like to fund anything that looks remotely like a product: the closer you get to anything practical the quicker the funding tails off. In contrast vendors and venture capitalists tend not to fund anything that takes more than 18 months to develop. They are only interested in money or new features for their products. That's why we have so few innovative security technologies. New approaches tend to disappear down the gap between blue sky research and product development.

Fifteen years ago I sponsored the development of a model of the human immune system for fraud detection. It worked but needed further development. The concept died when the funding ran out. A similar fate killed another promising research project to detect human behaviour of security interest in digital networks. No less than a decade of funding is required to take a new technology from the drawing board to the market place. In the case of cryptography it can be even longer, as new approaches take many years to be accepted and implemented.   

Groundbreaking ideas rarely result from themed research. Creativity requires a high level of freedom coupled with a clear focus on a challenging problem - the more impossible-sounding the better. NASA research works because it focuses relentlessly on solving problems. MIT Media Lab works because it recruits students with creative ideas and gives them freedom to choose and direct their own work. MIT Media Lab researchers can develop a magic trick, design a new musical instrument or tackle a seemingly-unsolvable problem. Sponsors can visit and discuss their business requirements with researchers but they have to "charm" the researchers into cooperating. Promising projects will run for many years. That's how to encourage and enable real innovation. Anything less is merely jobs for the research boys.  


Yet another contents list


For the past decade the real enemy of security practitioners has not been the hackers and malware that threaten our systems but the numerous best practices, compliance demands and audit actions that take up all of the time and resources of the security function.

Security standards and frameworks add to the burden of security managers by insisting that evidence of governance, assessments and controls are presented according to a structure laid down by standards authorities, many of whom might have little sharp-end experience.

And so we have the latest distraction: a "Framework for Improving Critical Infrastructure Cybersecurity" published by the National Institute of Standards and Technology, which appears to contain not a single new control, technique or technology, but one that merely restructures existing controls and guidance according to a new contents list.

Anyone who truly understands the rare art of designing models and architecture will appreciate that the top levels of any model are shaped purely for political or cosmetic purposes. They add little real value to the purpose or content of the guidance.

And of course there is an unlimited number of ways of structuring a set of controls. It can be done by lifecycle, process, technology, organisation, etc. Ideally the structure should be based on the purpose of the framework, as it is primarily a means to an end, not an end in itself. Unfortunately this rarely happens.  

The original set of baseline controls designed by Donn Parker in the 1980s contained several different contents lists, reflecting different needs. When drafting the original BS7799 we decided to have a single structure. Having presented over a dozen different structures to the BS7799 team, we all agreed unanimously to base it on "natural subject areas", i.e. the structure most of us had already adopted for our own security manuals.

There's nothing wrong of course in experimenting with new structures. But these should only be accepted when there is clear added value. Otherwise it's a case, as Eric Morecambe might say, of using all the right words but not necessarily in the right order.


Let's get real about cyber security


This week I was speaking at FIC 2014, a leading French international conference attended by 3,000 people, including ministers, privacy experts and leading CSOs.

It was refreshing, prompted by a valiant theme of "Has cyber security failed?". The speakers were reasonably balanced and the audience were informed. Two thirds of them voted that it had.

It's a major admission of the need for change by governments and regulators. We need radical change and innovation. France has kicked off a debate. Let's hope that all countries pay attention. The consequences are too important to ignore.    

Farewell Sir Christopher Chataway


Sir Christopher Chataway, who died today, was a great athlete and a famous sports commentator. Not many security professionals will recognise the valuable contribution he made to cyber security as Chairman of the Bletchley Park (BP) Trust, at a difficult time when it was struggling to achieve recognition and funding.

BP would never have survived in its present form without the stellar efforts of all those on the BP Trust who helped transform it from a mothballed relic to an information age attraction.

Well done Christopher and all those who supported the Trust.

The world in 2018 (or not)


Now I'm not saying that I get everything right about the future. But I can certainly spot the excesses of other futurists. The latest example is IBM's predictions for the next five years.

The most important thing about forecasts is to understand the human, societal and legal blockers, as well as the limitations of technology and developers to deliver on promises. Against this background, IBM's suggestions seem rather naive, especially against a five year timeline.  

The classroom will learn you

Not only is it bad English but it seems rather sinister to suggest that technology should assess children's potential and be relied on to identify dyslexia instantly.

Buying local will beat online

I couldn't think of anything more likely to send me quickly to the exit than the prospect of a salesperson intercepting me in the aisle in which the products I'm interested are located.

Doctors will use your DNA to keep you well

The prospect of doctors determining my medication based exclusively on DNA readings fills me with concern. I prefer a human diagnosis based on a richer set of symptoms and experience.

A digital guardian will protect you online

The idea that a digital guardian learns about a user and authenticates transactions is a sound one in theory but will citizens be comfortable with a third party system that continuously shadows their behaviour? I think not.

The city will help you live in it

The prospect of large scale urban sprawl is bad enough but the idea that decisions on urban services are directed by crowdsourcing is enough to make central planning a desirable option.  

As a Daily Telegraph letter writer might put it "Am I alone in thinking this?"    

Predictions for 2014


So what will 2014 hold for cyber security professionals? Will it be something new or more of the old? The answer is a bit of both. We have all reached a crossroads in the way we manage security. Some CSOs will soldier on ahead - with diminishing effectiveness - while others will benefit from taking a fresh direction. Here are my forecasts for the state of security in 2014.

Escape from monoculture

New security technologies will provide a greater choice of defensive options. I've reported before on the danger of security 'monoculture', i.e. we have all been implementing identical security defences, providing attackers with a simple testing platform for attacks. New products that detect malware through behaviour and characteristics other than traditional signature scanning will present a new challenge for attackers.  

A new generation of attacks

Forward-looking security professionals have been wondering what comes next after Stuxnet et al. That code was developed many years ago. The next generation of attacks will inevitably be richer, more sophisticated and even stealthier. There are enough political, commercial and criminal motives to encourage further attacks, so we can expect to see some spectacular threats - if we can detect them. They may already be amongst us.

A backlash against security standards

Wherever I go in the world I find a huge percentage of security managers who believe that security has failed, and the major culprit is compliance along with the bureaucratic standards it promotes. I've been saying this for years but lately I detect that governments and regulators are beginning to see the light. Compliance cannot go away. In fact it's likely to become even stronger. There will however be a rethink of the standards we need to achieve effective security. But don't expect an early solution.   

Improving strategic crisis response

Crisis management has been a long-standing weakness in all enterprises, for both business and security crises, especially at the strategic level which aims to safeguard the intellectual assets of the organisation. The growth in major incidents, CERTs, SOCs and SIEM tools has all helped to raise awareness of the need for better crisis management. It will be a long journey. But it's a healthy sign that enterprises are finally looking beyond simple incident management processes and business continuity plans.

Cyber skills gap grows

We all know there's a shortage of high-end cyber skills. Ask anyone that runs a security testing company. It's because skills such as high-speed reverse-engineering require a special kind of person. Training courses can't fix this problem, especially those that teach ancient security rituals. People with special skills can't be mass produced. They have to be sought out. And that's a more difficult challenge.

No change at NSA    

Don't expect any major changes in the operations at NSA, despite continuing Snowden revelations. The weakness is primarily with visible oversight and public presentation of policy, rather than day-to-day operations. The reality is that we have to gather large amounts of intelligence to prevent terrorist incidents. And that threat has not diminished. There is no evidence of widespread misuse of the data gathered. Admittedly there is a theoretical possibility of a future dictator abusing the power. But that's arguably a lower risk than the threat of terrorists gaining access to weapons of mass destruction.

And on that controversial note I'll wish everybody Season's Greetings.


Predictions for 2013


It's the time of year when we reflect on our progress (or failures) over the last year and anticipate the challenges of the coming year. Last December I made five predictions for 2013. How well did I do? Let's examine them.

Attacks get nastier

I forecast that attacks would become more damaging. It didn't happen quite the way I imagined. Some data breaches were massive (e.g. Snowden) but most attacks were designed primarily to steal data rather than damage business operations. We await the latter. It's simply a matter of time.

Big challenges from Big Data

Big Data enables powerful user access and new opportunities for bigger data breaches. The potential was illustrated by the Snowden case which highlighted the massive power that is now in the hands of our administrators and power users. We are witnessing the slow death of the 'least privilege' principle. The worst is yet to come.      

Final death of corporate perimeters

The users have left the building, the applications are progressively following, and the enemy is already inside. Everybody is aware of the challenge. The Jericho Forum has therefore disbanded its evangelical mission and declared success. All that remains is for enterprises to follow their new instincts and implement security at the application and data levels.

Security speeds up

Security managers are speeding up their act, supported by a new generation of security tools that deliver real-time, continuous security. There are no excuses today for delay in detecting and mitigating vulnerabilities. Security managers should take full advantage of the new opportunities presented by Cloud security technology for speed and empowerment. 

SMEs discover security

For decades SMEs have been the soft underbelly of big business and critical national infrastructure. They still are. I predicted that 2013 would see the beginning of a slow change in this sector. Certainly there is greater awareness and interest among governments and regulators. But we have yet to see any significant change, despite the fact that we (ISSA-UK) set out a practical blueprint nearly two years ago.

Learning points

The events of 2013 demonstrated several home truths of cyber security. The Snowden case illustrated these well. Firstly, you can't keep anything secret in a hyper-connected society. Secondly, the short term damage of a massive breach can seem less than expected, though the longer term effects will be surprisingly broad and disruptive. Thirdly, existing security practices are inadequate for addressing the risks presented by today's infrastructure. And finally, it takes a painfully long time for stakeholders to address issues that have for many years been staring them in the face. 


Qualys - A force to be reckoned with


Last week I attended a sneak preview of the latest Qualys product road map. I was impressed, not so much by the functionality of the products - which is not especially original - as by the ambition and architecture of the new product range.

While other security vendors have been extending their products through acquisitions of best of breed point solutions, Qualys have been quietly re-engineering their services around a unified, secure, cloud architecture, avoiding the patchwork quilt of products that other vendors have inherited.

Qualys are also extending their product portfolio to match those of their competitors. It's a move that presents a potential competitive edge in economy and speed of maintenance, which is good news for a marketplace that needs low cost, up-to-the-minute security defences.


Security in a Land Down Under


For most of this month I've been touring Australia with the excellent CSO Perspectives Roadshow, presenting on the subject of the future of cyber security. It's been a great opportunity to meet hundreds of local security managers, vendors and government advisers. And what a super community it is.

Australia might lack the scale and technology leadership of the US, and it might be a little behind the UK in bringing together the government, industry and academic sectors. But there is a higher level of enthusiasm and openness to innovation, as well as a willingness to learn from the early mistakes of others.

Frank speaking and reporting are a breath of fresh air in a subject area that has become bogged down in compliance. It's no surprise that I managed to attract some controversial media coverage. Perhaps Australia can help lead the journey towards a better way of managing cyber security.

As Keynes once observed, "The difficulty lies not in the new ideas, but in escaping from the old ones." We need a pioneering spirit to escape the shackles of the past.


Jericho Forum declares success


It's not often that an institute decides that its mission has been accomplished, declares success and steps down. But that's what the Jericho Forum has done after a decade of evangelising the message of de-perimeterization.

Originally a private club of CISOs meeting to exchange views on security architecture, the forum quickly became a highly influential user/vendor circle of leading international experts, publishing guiding principles and commandments on how to develop secure information systems for an open networked environment.

Ten years ago this was revolutionary thinking. Today it's generally accepted that enterprise systems and data need to be hardened to mitigate the threats presented by shared networks. It's time therefore to move on to new security challenges.

The forum was officially dissolved at a meeting of the Open Group in London on Monday. The founding fathers (myself included) were presented with plaques commemorating our contribution. Fittingly the meeting was hosted at Central Hall Westminster, the location of the first meeting of the United Nations General Assembly in 1946. 


Visions of the Future


I've just read an interesting report of future 2020 scenarios on cyber security put together by an esoteric institute called the International Cyber Security Protection Alliance (ICSPA). I don't know who they are but they have some excellent chaps such as John Lyons and the Right Honourable David Blunkett MP on board. It's a fascinating read and a valiant attempt to visualise life in the next decade and beyond. As a keen futurist I applaud such exercises but cannot help but see them with critical eyes.

Many attempts to predict the future fall into the trap of imagining the future as an exaggerated version of present trends, rather than taking a step back and trying to identify the real blockers, enablers and catalysts of the current and emerging drivers and trends. This one falls into a similar trap of extrapolating the present rather than imagining a different future.

Personally I find that 2020 is a hard call. I can generally see the next 18 months and imagine life a decade or two away. But very little changes in five or six years. As even Bill Gates has noted, we tend to overestimate the changes that will occur in the next two years and underestimate the changes that will occur in the next ten.

In the ICSPA report we see mention of attacks on critical infrastructure, augmented reality and the Internet of Things. Yet these possibilities have been around and viable for the last two decades. SCADA systems have been vulnerable (and hacked) since the time they were first introduced. Augmented reality is based on a technology worn continuously by Thad Starner for two decades. And the Internet of Things is little more than a rather lacklustre adaptation of Neil Gershenfeld's pioneering visions at MIT Media Lab in the 1990s.

Why did these technologies not materialise in the past? It's a good question, and it represents one of the keys to understanding the future. Augmented reality has been a reality since the turn of the century but has not caught on. There's clearly a major blocker. It may be cost, health and safety, or a combination of both. Attacks on critical infrastructure have been possible for decades but the threat has not materialised (and I'm sure it will be well and truly mitigated as soon as a 9/11 type incident occurs). The Internet of Things is a wonderful field for imaginative speculation but the business case and reality lag very far behind.

It's good however to stretch the minds of executives with far-fetched scenarios of the future. People tend to suspend their disbelief when contemplating fictional visions and accounts. The Royal Dutch/Shell Group has been exploiting this phenomenon for around forty years. It works. But it's a lot more effective when it's accurate. 


Life beyond consultancy


Donn Parker just copied me in on his critique of Harry de Maio's new book. For those of you who might be more Gen Y than Baby boomer I should explain that Donn and Harry were old-school, cyber security pioneers. By that I mean that they figured out solutions from first principles, a breath of fresh air in the context of today's over-regulated business security environment.

Harry has certainly moved on to more esoteric activities. It's refreshing to see a former Deloitte senior executive writing alternative mystery books for adult animal lovers. Definitely a plus for the brand and essential reading for Deloitte's consultants, as well as any cyber security professional who wants to believe there's life beyond regulatory compliance.


APT Protection via Data-Centric Security


I'll be contributing to a webinar on APT Protection via Data-Centric Security next Thursday. Given the progressive erosion of corporate perimeter security, it's about time we switched our attention to hardening our applications and data. The Jericho Forum has been preaching this for more than a decade. The message is finally getting through, though its implementation has a long way to go.

Even more on the History of BS7799


Anthony Freed has now published the final article in his series on the true background of BS7799 on his Tripwire blog. There are real lessons to be learned from these postings. I hope that students of regulatory compliance will take note.


Business understanding of cyber attacks a decade out of date


This is the title of an article from yesterday's Australian Financial Review, the leading Australian business newspaper. It was written by Chris Joye, a leading economist, fund manager and policy adviser, previously with Goldman Sachs, following an interview with me. Chris is a leading influence in business leadership in Australia. If he gets it, it's only a matter of time before the business community follow his lead.

It's good news to gain the interest of business leaders like Chris. It's another problem to exploit this spotlight. Let's hope that the Australian security community has the imagination to follow through.    


How to manage the risks of Advanced Persistent Threats (APTs)


My new ISACA book on Advanced Persistent Threats has now been published. It's an excellent guide for any Business, IT, Security or Audit Manager responsible for safeguarding critical, sensitive or valuable intellectual assets.

In particular, it advocates a higher level response by enterprises at risk, based on a coordinated response and a range of enhanced security processes, awareness and technologies.  

It's free for members of ISACA and $60 for everyone else. At that price you would be well advised to join ISACA and gain the advantage of discounts on research reports and cheaper access to ISACA events.


More on the history of BS7799


Anthony Freed has been publishing further historical information on the true background of BS7799 on his Tripwire blog. There are some important learning points from these postings. It's particularly interesting to note that new standards are not taken up immediately but can have a major impact after a decade, by which time they are likely to be out of date.


About this Entry

This page contains a single entry by David Lacey published on April 20, 2014 1:17 PM.
