November 19, 2009

The new art of war

The National Journal has an interesting article on cyberwar, pointing out some of the opportunities and hazards associated with this new form of conflict. It's very different from anything we've seen before and it demands very careful consideration to avoid attacks damaging valuable business assets. It's also a very sneaky form of conflict. As I've often said, it's more the art of illusion than the science of sabotage.

It's also far too easy to trigger covert attacks. Minor, local conflicts can quickly escalate and cause global impact. In cyberspace, as John Suler points out in his online book The Psychology of Cyberspace, people can be tempted to go much further than they might in the physical world, exploring dark subjects, taking risks and becoming unusually hostile.

Cyberspace is a surprisingly dangerous medium in which to conduct warfare. Let's hope that future cyber warriors are alert to the dangers.

November 18, 2009

Small companies are the key to security innovation

The Global Security Challenge finals which took place at London Business School last week were a revelation to anyone who believes that security innovation is dead. There's certainly little imagination and innovation to be seen in the products emerging from big vendors and research establishments. But many breakthroughs are initially developed by clever individuals or small start-up companies.

So it's no surprise to find an impressive range of unique and imaginative new security solutions among the Global Security Challenge finalists, since the challenge is specifically aimed at small enterprises. Many were game-changing developments, such as a technology that can detect liquid explosives in suitcases, a new form of lightweight body armour that can survive point-blank grenade attacks, and a video camera that takes such high-resolution pictures that you don't need an optical zoom capability. The cyber security finalists were also impressive, including two technologies that offer a step change in real-time vulnerability management, using very different approaches. (I'll cover these in a later posting.)

So if this initiative is delivering the new security solutions we need, what else is needed? The answer is a lot more of the same. We need more attention and support for the SME and start-up sectors. Many of the finalists in the Global Security Challenge have fewer than half a dozen staff and exist primarily on research awards and prizes. Yet they have also managed to develop complete products and gain real customers. We need more pump-priming investment to stimulate these sectors.


November 17, 2009

Oman sets the bar on security awareness

Last week I was fortunate to have been presenting at a MIS Training CISO Executive Summit in Muscat. The Sultanate of Oman has long been my favourite business and holiday location. It's also a place where managers understand the importance of the human factor in business and security.

In the past, the people perspective has been low on the management agenda of Western organisations. The only time an executive board pays attention to staff is when they need a headcount reduction. But the business world has changed. Networks are empowering people to unprecedented levels of influence. We need to educate and listen to employees, customers and citizens, because the focus of decision making has shifted from the corporate centre to the front-line workforce. Managers, staff and customers are the engine of intellectual property generation, as well as the thin red line that safeguards these assets.

This is why I was highly impressed with The Sultanate of Oman's new information security awareness programme. It's a government sponsored, nationwide initiative, and it's tailored to the local culture. Madison Avenue executives might not be especially impressed with the simplicity of their images and messages. But they would be wrong. What counts for success is a good understanding, empathy and a resonance with the target audience.

From that perspective, Oman has set the bar for an initiative that other countries must also meet. There might be a wave of technology coming from the West. But there is also a wave of best practices in citizen education building from the East.

November 6, 2009

Towards the paperless office

A few weeks ago I reported that I could sense a new, much more determined mood across the UK business community to embrace electronic channels to overcome the postal strike. You can really see the aspiration in the eyes of sales executives to turn a major disaster into a business opportunity. So what has the response been so far?

My contacts at Mimecast, a leading vendor of cloud-based email security services, tell me that they noted a 20% increase in the volume of email on the first day of the Royal Mail postal strike. In fact they've seen this level of increase before, during previous strikes. So is this just a routine knee-jerk reaction? Or is it something different?

In fact I believe we've hit a tipping point. Things are different this time around. One of the main characteristics of tipping points, as articulated by Malcolm Gladwell in his groundbreaking book on the subject, is the 'power of context', the particular conditions and circumstances of the time and place.

In this case we have several factors coming together. Firstly, there is a greater recognition that electronic channels are now the norm, rather than the exception, for many forms of business. Secondly, there are now plenty of easy-to-implement security products to help companies make the transition from snail mail to secure email. And thirdly there is less fear of deploying complex technologies such as encryption to solve business problems.

But above all, there is a new confidence that a paperless business environment is now a viable, as well as a desirable, objective. Years ago, we used to joke that the paperless office would come after the paperless toilet. Perhaps we were mistaken...

November 1, 2009

The limitations of risk assessment

I've just posted a short article on the limitations of risk assessment on my Infosecurity blog. Those of you who've read my book on Managing the Human Factor in Information Security will know I have many concerns about the practice of risk management, though I also take the view that it's an essential governance tool that's most definitely here to stay. I do however believe that we need a better, stricter approach to information security management.

October 31, 2009

Chinese Cyberwarfare Capability

It's hard to ignore the report by Northrop Grumman Corporation on the Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, if only because of its size and authoritative style.

The title gives a hint as to what to expect: a lengthy, 88 page assessment which any good journalist or diplomat could have condensed down to a page with a bit of effort. Even Bruce Schneier has declined to read it, relying on his readers to pick out the salient points.

Written in the style of a military standards manual but littered with superfluous adjectives and acronyms, the report tells us that the Chinese are serious about cyber warfare and aim to penetrate our systems to steal information and perhaps change the data.

Yes, that's what we'd all assumed for many years. So what else is new?

October 28, 2009

Lessons from the safety field

I've long argued that security should take note of lessons from the safety field, and there are a lot of important learning points set out in the Nimrod review. Many of these repeat the points made two decades ago by Richard Feynman following the Space Shuttle Challenger disaster. Unfortunately, it seems that either our memories are short or the learning points were not widely disseminated.

It's disturbing that we continue to make serious mistakes decades after we have discovered how to prevent them. Perhaps that's an inevitable human weakness. But what counts is that we fix these flaws when they come to our attention, and that we educate others in how to prevent future incidents.

All of these lessons apply equally to security. We can learn much from the model of safety culture spelled out in the report. As the report correctly points out, safety depends on leadership, culture and priorities. It is delivered by people, not paper, and it takes a whole community to ensure that we achieve it.

October 27, 2009

Opinions on RSA Conference Europe 2009

Big conference web sites seem to be evolving into on-line magazines. RSA Conference and Infosecurity Europe publish news items and blog postings all year round. During last week's RSA Conference Europe, Dawn Erska of SolutionSet was circulating with a Flip video camera filming opinions from speakers and attendees. You can view her montage of clips on the RSA Conference web site.

October 26, 2009

Higher standards for identity assurance

Not a week goes by without a news item about yet another breach of personal data. The latest one is a compromise of data on the Guardian newspaper's jobs website. I think we all agree that there's a pressing need for a step change in the standards we apply to the protection of personal information. That's certainly what was agreed by a group of experienced practitioners at a recent ISSA UK debate. The findings from that debate were written up and published in a white paper, supported by former Home Secretary, The Right Honourable David Blunkett MP. It's essential reading for anyone working on systems handling sensitive citizen information.

October 22, 2009

Money in the Cloud

I was intrigued to read that the equivalent of $144 million was traded in the second quarter of the year on the LindeX, the official currency exchange of Second Life. This growth reflects the increasingly virtual nature of money in an information age society.

I've long taken the view that, progressively, the most significant assets in an enterprise will be hard-to-value intellectual assets, residing in perception, information flows and relationships. Safeguarding these assets requires a very different mindset and approach from locking up physical assets.
