It’s getting to that time of the Season when many of us look ahead to a New Year with mixed emotions of hope, fear, uncertainty or just plain boredom. What will 2007 bring? Will it be more of same? Will it herald a new age of prosperity or danger? Here’s my Top 10 Security Trends of the coming Year.
December 2006 Archives
Last week I gave a presentation on the subject of “Managing the Human Dimension” to Iain Sutherland’s excellent Independent Information Security Group. It got me thinking about the balance between the human and technology aspects of IT Security and how it continues to change. I’m often asked for my opinion about the most important aspect of IT Security. And I have to admit that my opinion changes every year.
In the early days of IT Security there were many academics in the USA, including some leading lights such as Bruce Schneier and Dorothy Denning, who firmly believed that everything in security could be solved with technology alone. They eventually saw the light and quickly began to focus more on the softer aspects of security. In contrast, there were also a handful of maverick, crusading consultants, such as Donn Parker at SRI International and our own Martin Smith in the UK, who preferred to play to their strengths and promote the importance of the human dimension. But in practice most CISOs quickly discovered that the logical starting point was to focus on policy, processes and standards, because that was the easiest way forward and the most obvious way to engage the Executive Board and kick off a long-range Enterprise programme.
Looking back over 2006 I have to say that although it’s been largely more-of-the-same for many IT Security practitioners, there's undoubtedly been a significant shift in the perception of other stakeholders, whether business, IT or citizens. Partly it’s been due to increased compliance demands forcing many organisations to manage their operational risks. But largely it’s down to the increasing experience by everyday people of the importance of vulnerability management and the hazards of the Internet.
From my own perspective, with around two and a half decades of professional experience, I’m impressed with the degree of knowledge and professionalism that you can find in large organisations today, as well as the size of their budgets and headcounts. Back in the 80s there were only a handful of full-time practitioners, and no established body of knowledge on the subject. Practitioners were self-taught and operated independently. Throughout the 90s we saw increased networking and knowledge sharing, and the emergence of early security technologies. But few organisations had effective enterprise management systems. And many had yet to establish a professional function. The dotcom boom made some aspects of IT Security fashionable, and we briefly saw some rather ordinary security companies achieve staggering, though temporary, growth in market capitalisation. But this market was driven by investors’ greed, not real customer demand, so the boom was short-lived.
For me 2006 has been a watershed year for security process maturity, professionalism and technology. We’ve seen the birth of a new Institute, the IISP, though it has an awful long way to go to prove it can deliver anything useful. And for the first time, it seems that the majority of large organisations actually have a functioning management system, and a good professional relationship with other corporate functions. I’ve also seen an impressive range of specialised technologies emerge from start-up companies. These technologies will take a few years to be absorbed into the corporate tool box, but when they do they will provide unprecedented visibility and control of security across the enterprise.
So 2006 has been a good year for IT Security. The only thing we missed was the Electronic Pearl Harbour incident to wake us all up. Back in 1999 I forecast this was unlikely to strike until 2006. It didn’t happen. But it might well be on the horizon as we enter the New Year.
So the Home Office has decided to scale back its controversial plans for the National ID Card Programme. Instead of a single, clean database generated from scratch, it will now build on three existing databases. This might be cheaper and present a much lower risk, but it represents a major step back for Identity Management across Government.
The critics and pundits will no doubt be pleased with themselves. They said it was too expensive, too risky and a threat to civil liberties. But most of the media debate missed the point. From an Identity Management perspective, a single, clean, meta authentication directory makes sense, provided the business case stands up. And there are Gateway reviews to examine this.
I must admit to some involvement with this Programme, having chaired the Private Sector User Group that helped to identify the business benefits for the ID Card. The business representatives involved were positive, though few would have been allowed by their PR departments to voice their support in public. I’ve also had the opportunity to discuss some of the societal issues with members of the public through the Royal Society Science in Society Programme. They were in favour provided the costs were not excessive.
Implementing an identity management programme in any organisation is a hard task. You know instinctively it’s the right move strategically. And you can identify dozens, perhaps hundreds, of solid business benefits. But up-front infrastructure investments that deliver longer-term savings shared across an organisation are never popular with business managers and investment appraisal functions.
In the case of ID Cards, the facts are also clouded by political spin, both for and against. And it’s an easy target for critics, who can simply play the FUD factor. Just point out that big Government IT projects never work, that the costs always overrun and that it will create a Big Brother State. Game over.
Techworld reports a disturbing trend in the sophistication of malware. The problem is that it's declining.
Alexander Gostev, Head of Kaspersky Lab, points out that higher volumes of low-quality malware are taxing the resources of security companies. The quality is down but the quantity is up.
This is bad news because we know that the capabilities and criminal motivation of determined attackers are steadily increasing. But the security experts are being bogged down by a large amount of noise. It's a dangerous combination.
CISOs should ensure their organisations are well prepared for the possibility of a sophisticated, perhaps personalised attack. They should not rely on anti-virus companies continuing to respond in real-time to bail them out. Because the number of qualified experts is not infinite.
The highlight of yesterday’s 17th Hewlett-Packard Colloquium at Royal Holloway University of London was an excellent talk by Ian Curry, CISO of Reuters, which gave a fascinating insight into what Information Security means to a top Information Provider. As Ian put it, we are on “the cusp of a fundamental change in the way we consume information”. And Reuters, like all media companies, must re-invent itself to respond to the revolution in personal communications generated by the Internet.
For Reuters, amongst other things, this means becoming more of an editor of privately generated news items (like mobile phone photographs) rather than relying solely on a private international network of trusted reporters and photographers. It also means taking great care to control the integrity and accuracy of its information. Because a single, doctored image discovered by the Blogosphere might be spun into a crisis of confidence. It’s a real challenge but a great opportunity for Information Security. It will involve, for example, exploring new technologies that might help confirm the provenance and accuracy of text and images. But at the heart of it all is the importance of strengthening and maintaining Reuters’ core values of independence, freedom from bias, integrity and accuracy. Because your reputation is only as good as your last story or photograph.
As a futurist, I’m always interested in the long-term impact of new trends. So what’s my take on the future of News? Well, personally I’ve always been cynical about the doomsayers’ claims that real news might eventually die. If you’re interested in their line of reasoning then you must watch the flash movie EPIC 2014, a classic, visionary piece of work, which introduced the word Googlezon to the English language. But this is the same logic that predicted that Movies would kill Theatre, that TV would kill Film, that Video would kill TV, etc. Old media don’t have to die, they just need to adapt their business model and marketing.
Bruce Schneier’s blog drew my attention to a recent report on the limits of predictive data mining for counterterrorism, published by the Cato Institute, a libertarian public policy research organization. We’ve already seen a fair amount of debate about the dangers of large-scale data mining for the identification of potential terrorists. And it’s been pretty damning. But this report provides a good, professional summary of some of the major issues.
Now I’m a great supporter of data mining, data fusion and information visualization to help solve business and security problems. In fact I believe they’re the most under-utilised management tool in the security armoury. But there are dangers in applying such techniques across large databases of information without strong human guidance and a very clear set of rules, patterns and filters to separate the wheat from the chaff. And that’s the problem. We simply don’t have enough of a basis to filter out the mass of false positives that will emerge.
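The false-positive problem described above is base-rate arithmetic, and it can be made concrete. The following is an added example, not code from the original post or from the Cato report: it screens a constructed population with a hypothetical detector of given sensitivity and false-positive rate, and then works out how low the false-positive rate would have to be before the flagged list is mostly genuine hits. All figures are constructed for illustration.

```python
"""Base-rate arithmetic for large-scale predictive data mining.

Added illustration (not from the original post). A screening model
is run over a large population in which the thing being searched for
is rare, and the expected counts of true and false positives are
derived from the model's sensitivity and false-positive rate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningResult:
    true_positives: float    # real targets the model flags
    false_positives: float   # innocents the model flags
    false_negatives: float   # real targets the model misses
    precision: float         # share of flagged records that are real targets

    @property
    def flagged(self) -> float:
        """Total number of records a human would have to review."""
        return self.true_positives + self.false_positives


def _check_probability(name: str, value: float) -> None:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")


def screen(population: int, targets: int, sensitivity: float,
           false_positive_rate: float) -> ScreeningResult:
    """Expected outcome of screening `population` records that contain
    `targets` real cases with a detector of the given accuracy.

    sensitivity:          P(flag | real target)
    false_positive_rate:  P(flag | not a target)
    """
    if not 0 <= targets <= population:
        raise ValueError("targets must lie within the population")
    _check_probability("sensitivity", sensitivity)
    _check_probability("false_positive_rate", false_positive_rate)
    innocents = population - targets
    tp = targets * sensitivity
    fn = targets - tp
    fp = innocents * false_positive_rate
    # If nothing is flagged, precision is undefined; report 0.0.
    precision = tp / (tp + fp) if (tp + fp) > 0 else 0.0
    return ScreeningResult(tp, fp, fn, precision)


def required_false_positive_rate(population: int, targets: int,
                                 sensitivity: float,
                                 target_precision: float) -> float:
    """False-positive rate the detector would need so that
    `target_precision` of the flagged records are genuine targets.

    From precision = tp / (tp + fp):  fp = tp * (1 - p) / p,
    and the rate is fp divided by the number of innocents.
    """
    if not 0.0 < target_precision <= 1.0:
        raise ValueError("target_precision must be in (0, 1]")
    _check_probability("sensitivity", sensitivity)
    innocents = population - targets
    if innocents <= 0:
        return 0.0
    tp = targets * sensitivity
    fp_allowed = tp * (1.0 - target_precision) / target_precision
    return fp_allowed / innocents


if __name__ == "__main__":
    # Constructed figures: a 300 million record population with 3,000
    # genuine targets, and a detector that is right 99% of the time on
    # targets and wrong only 0.1% of the time on everyone else.
    result = screen(300_000_000, 3_000, 0.99, 0.001)
    print(f"flagged records:  {result.flagged:,.0f}")
    print(f"true positives:   {result.true_positives:,.0f}")
    print(f"false positives:  {result.false_positives:,.0f}")
    print(f"precision:        {result.precision:.2%}")
    needed = required_false_positive_rate(300_000_000, 3_000, 0.99, 0.5)
    print(f"false-positive rate needed for 50% precision: {needed:.2e}")
```

With the constructed inputs the detector flags roughly a hundred innocents for every genuine target, and reaching even 50% precision would need a false-positive rate around one in a hundred thousand, which is the "reliable clues" the post says we lack.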
Smart use of neural networks, especially Kohonen mapping, can be tremendously useful when applied on a smaller scale to identify anomalous behaviour. And the right combination of imaginative human and computer skills can work small wonders on large sets of data. We even built a partially-successful model of the human immune system to detect fraud in Post Office transactions. But you simply can’t expect computers to find needles in haystacks without an awful lot of reliable clues.
So Bill Gates has also discovered that Digital Rights Management “is not where it should be” according to reports from a group of influential bloggers he invited to Redmond. “We don't have the right thing here in terms of simplicity or interoperability” he is quoted as saying. And what should people do who want to transfer songs across systems? “Buy a CD and rip it.”
So much for progress. The whole future of IT Security hinges on our ability to safeguard data at rest and in flight across multiple applications and infrastructures. This does not need rocket science. Just sensible application of well-established security technologies.
But expectations need to be kept in check. After all we still haven’t got fit-for-purpose access control systems. ACLs don’t cut it. And Role-Based Access models are not rich enough to meet the real-world requirements of a normal organization. Nor are they agile enough to keep up with the wholesale restructuring that’s part and parcel of normal modern business life.
Researchers and vendors need to do a lot more to develop more imaginative frameworks and management tools to sort out Identity and Access Control and to get DRM working. That’s why I’m backing the Jericho Forum.
I was highly impressed with the company and the discussion at a CIO dinner in London last night. A main topic of conversation was Second Life, the new virtual reality world that seems to have captured everyone's attention and imagination.
Many people are investing serious amounts of time and money, creating avatars to explore and enjoy this mysterious new world. Even my Welsh Terrier has developed an alter ego. These identities are now becoming so valuable that even top CIOs are suggesting that they might be a good reference site for understanding the issues around Identity Management. It's a very interesting idea. They're an obvious target for Identity Theft. But we haven't yet heard any reports of problems. How do they do it? I think we should be told.
For some years I’ve been observing the quiet infiltration of Neuro-Linguistic Programming (NLP) into many respectable professions. I’m not an expert on NLP but it seems to me to be a rather bizarre mixture of science, ancient religion and new age thinking. Lately, I’ve noticed it being used in the IT Security field, mainly for social-engineering exercises.
NLP is a highly controversial field that offers practical benefits, though it lacks a reliable scientific basis. Even the Wikipedia entry is disputed. If you believe its practitioners, you can read people's subconscious signals and manipulate their behaviour. With a bit of practice you might even be able to hypnotize people into carrying out your suggestions. Of course the problem is that it’s not guaranteed to be 100% reliable, so you can easily be wrong or perhaps fooled by someone sending out false signals. So don’t try it for poker unless you’re certain your opponent is not an exponent.
So what should we do with this strange new tool? Exploit it or consign it to the dustbin? Some professional psychologists assure me it’s one of the most powerful tools in their armoury. Others tell me it is dangerous, to be avoided. It’s your choice. Because the jury will always be out on tools that only work some of the time.
The need to manage perception seems to be a hot topic these days. Stuart King’s blog posting earlier this month got me thinking about the importance of personal perception. But managing perception across an organization is an issue that crops up whenever I give a talk on the human aspects of security. Influencing people is especially important in security because it's a subject that's rarely in the forefront of people's minds. And many aspects of security are either hidden or outside of their personal experience.
Managers, users and customers all need to be more aware of potential risks and the impact of security incidents. They need to understand their responsibilities and how to use the controls at their disposal. They also need to be deterred from even contemplating unauthorised activities. All of this requires more than education. It requires changes of attitude and behaviour. And as any psychologist will tell you, if you wish to change behaviour, you will have more success if you focus on the perceived consequences of people's actions, rather than the corporate policies and rules that attempt to influence them.
It's no easy task, though there are some techniques and methodologies to help with this problem. Typically, you can’t always argue the facts directly with people because many of them will adopt a defensive attitude. It’s always more effective if people can discover the importance of security for themselves. This requires imaginative scenarios, games or storylines to encourage people to at least temporarily suspend their disbelief and consider the fuller implications of security risks or incidents. This is the basis of many classic learning techniques such as scenario planning. The trick is not to stray too far from the real world. Unless for example you really want people to “think the unthinkable” (which might be useful for contingency planning).
Because any serious attempts to change perception need to be firmly grounded in reality. Mere spin or fantasy will never be as effective in the long run. Perception management is a powerful amplifier, but never a substitute, for the truth.
I’ve been pointing out for some time that professional Information Management has largely collapsed in most organizations. It’s to be expected of course, following the radical changes in communications that have accompanied the introduction of IT networks. But such a situation will never be permitted to last indefinitely. If the consequences of bad corporate practices don’t frighten companies into action, then the lawmakers and regulators certainly will.
And so we enter a new age of electronic discovery and document management with the introduction this month of new Federal Laws that require companies to store electronic data as soon as they become aware that it might be of interest in a potential Federal Court case. And who pays for the massive costs of retrieving all these documents for a Court case? The retriever does of course, which will make it attractive for small companies to make claims against bigger ones, though they had better make sure that they also have their own house in order. And claiming that the discs have failed, the modern equivalent of “the papers were lost in the fire”, won’t help you, because you will need to present solid, forensic evidence to support your claims.
So what should affected organisations do? The answer is to bite the bullet and get your house in order. Because if you don’t take appropriate steps to control, index and archive all of your emails, instant messages, documents and spreadsheets, then you could be exposed to expensive, future liabilities. Fortunately there are a host of brand new technologies designed to help you solve these problems. For example check out Chronicle Solutions for control and archiving of in-flight documents such as email, web access and instant messaging, and Mathon for all those Word documents and spreadsheets stored on company servers.
Last week’s $14.5 million settlement payment by Hewlett-Packard to California’s top prosecutor may have defused a crisis. But it leaves many question marks about the ethics of big companies, the insecurity of personal information, and the methods used by security investigations. This case, which introduced the word “pretexting” to many vocabularies, demonstrated once again the shocking vulnerability of personal data to social engineering attacks. Too many organizations are willing to disclose sensitive information on the basis of a few, easy-to-obtain facts. But there are no excuses for security investigators to exploit these weaknesses by employing shady practices. We should all close ranks against any companies that think it’s acceptable to use impersonation techniques in the name of security, regardless of their legality. Security professionals should aim for the high ground, not sink to cheap tricks.
One of my colleagues drew my attention to a recent posting on the GetSafeOnline blog pointing out the lack of IT security training at MI6. In the new James Bond film, Casino Royale, a Swiss banker asks Bond to enter a password for a bank account that will hold the $150m winnings from a poker game. What password does he use? The name of his girlfriend. Stupid you might say? But on the contrary it merely illustrates the daring risk appetite we associate with these buccaneering chaps at MI6. Unfortunately the reality of HMG Security is quite the opposite, as illustrated by the non-memorable 12 random character user identifier needed to prevent anyone else attempting to pay my VAT returns. Of course, a normal commercial organisation would never be able to afford this luxury, given the negative impact on customers and the high cost of help desk transactions to handle their complaints. But there's a simple solution. Just charge the tax payer for the phone call.
We should all be concerned about the growing criminalization of hacking, highlighted in a new, updated report by McAfee on Organised Crime and the Internet. This publication confirms a disturbing trend for criminals to recruit top computer students from UK universities. The report also suggests that children as young as 14 are being drawn into online crime by the promise of "celebrity status" among their peers.
Unfortunately, what might seem attractive at first will quickly become a highly dangerous lifestyle for the hackers, their family and their friends. Cyber crime is a dark, dirty business, not the glamorous profession that many young people would like it to be.
Lecturing yesterday on the MSc course at Royal Holloway University of London reminded me of the importance of professional training for Information Security staff. As the late George van Eps, a jazz guitarist, once put it: “Luck won’t do it, and ignorance can’t”. Unfortunately there’s nowhere near enough professional training around. And the capacity of our university courses is very limited. So we are heading for problems in the future, unless we change our ways.
Information Security is a rich, complex subject, getting bigger by the day. Most of the leading professionals I know were self-taught. You could get away with that a couple of decades ago, because there was no established body of knowledge, very little in the way of professional training and few specialist areas. Today, the scope of the subject is huge, encompassing many niche areas, each worthy of an individual course in themselves.
So what should we be doing to improve the situation? In my view the answer is to put more people through MSc or Post-Graduate Diploma courses. That’s the level of study required to do the job today. I did this at Royal Mail Group and it works. I put all my Information Security staff through Royal Holloway training and it transformed the quality of the in-house function. There is no substitute. Certification bodies, personal development schemes and professional societies are the icing on the cake. None of them can make a real difference without the underpinning professional education.
Today marked the opening of a two-day conference and exhibition in London on counter-terrorism, ambitiously titled “Building a Secure World”. Highlights included excellent keynotes by the BBC’s star correspondent Frank Gardner OBE, and Sir Richard Mottram, Cabinet Office Permanent Secretary responsible for Intelligence, Security and Resilience. Both emphasised that the War on Terror was now primarily a battle of ideas and values, though there are other major strands including military, financial and intelligence initiatives. Clearly there is a long way to go, especially the work to influence hearts and minds.
The current UK Strategy is interesting for any security professional, comprising “4 Ps” to contain the risks: Prevent terrorism, Pursue terrorists, Protect the public (and UK interests), and Prepare for the consequences. No rocket science here but a nice, balanced set of objectives. And who should pay for all the extra security measures that Industry must implement? The UK Government policy is clear. Consumers should pay through Industry. UK companies should not expect cost sharing from Government.
Best quote of the day was from the floor: “We keep analysing the future through the rear-view mirror”. Absolutely correct and one of the main reasons we often get things wrong. I was also impressed to hear people using the more appropriate term “weapons of mass effect” rather than “weapons of mass destruction”. Now how many of our IT systems fall into that category?
My last posting stimulated some interesting discussions about the merits of strategic IT platforms with integrated security features versus “best of breed” security “point solutions”. Which is best? The simple answer is that we would all love to see the former but in many cases are forced to run with the latter. Unfortunately it sends a mixed message to vendors. They see what sells and spot that it doesn’t correspond to what customers say they really want. There’s even a danger they might stop listening to their customers. I recall a colleague of mine at Shell once saying to a group of vendors at an Open Group meeting: “Just because you can’t build it, doesn’t mean we don’t want it”. A decade later people still remember that statement. But vendors don’t want to hear this. They want something they can easily build now that will guarantee sales. So they paid no attention to his requirements, though it might have given them a longer-term edge.
In the past, vendors could safely ignore this contradiction in the marketplace. Because security didn’t sell IT platforms. And any security procurements were generally based on implementing or replacing individual products, such as a file encryption system, a remote authentication system, an enterprise firewall or an anti-virus solution. But the market has changed. Customers today have more sophisticated, all-encompassing requirements. They are building security architectures. They are thinking "services" rather than "components". And IT vendors can now offer better security features in their products, though many still fail to hit the spot.
So what is a point-solution vendor to do? The simple answer is to ensure that their product or service can be integrated into a broader business solution. At the very least, proprietary protocols and interfaces should be avoided at all costs. But what exactly is a “broader business solution”? This is a good question because I believe there are two quite distinct answers. The first option is to be able to integrate with other security products in the same IT services space. Be part of an integrated network services solution for example. The second is to be part of a complete end-to-end security or risk process, such as vulnerability management, delivering a complete solution across business, security and IT functions.
Which approach works best? The jury is still out. Analysts would probably recommend the former, but I will always prefer the latter. Because I believe that security is a process that needs to be integrated and managed consistently across the enterprise. And I’ve been highly impressed in recent months working with security vendors such as nCircle who have been progressively extending the capabilities of their discovery tools to interface with the business risk profiling requirements of their customers. But whatever direction a vendor chooses, the important point is to listen very closely to the needs and wants of their customers. And if you can't build what they want now, then keep them in mind until you can.
I was interested to read about the latest assault on Oracle security by database security expert David Litchfield of NGSS. It comes as no surprise to me, as the focus of attacks and security controls is progressively and inevitably migrating from the infrastructure layer to the application space. Databases are the new target, because today's attacks are criminally motivated and that’s where the money is. So you can expect database vendors to come under increasing fire to tighten up their coding standards and product testing.
Of course the vendors already know this. I am regularly asked by application and database vendors what I think of their security. It often leads to a brief flurry of activity. But too often the response is a marketing initiative, rather than an attempt to transform their business processes. I guess that’s to be expected. Most software companies are run by commercial people, not technology gurus or security visionaries. Microsoft eventually saw the light and transformed their priorities, training and product development processes. It cost them a lot of time and money. Now other software vendors must bite the same bullet. It’s essential to meet today’s business expectations. You can’t avoid it. Even if the hackers don’t get you first, the regulators will sooner or later put a gun to your customer’s head.
Not that I'm pointing the finger at Oracle, because they do seem to have been raising their security game in recent years, and in fairness you should also check out Eric Maurice's response on his Oracle blog.
All of these legacy weaknesses in our databases and applications will take a long time to fix. So what can an organisation do to compensate for security inadequacies in their database applications? Well I’m afraid the answer lies in more add-on point solutions. The latest must-have security product is the database firewall. It would be nice if such technology was incorporated into leading application and database software products, but that’s some time away. In the meantime, if you’re concerned about your database security, and you should be, then you should check out Secerno, a new technology start-up out of Oxford University, based on some very interesting intelligent monitoring software designed by Dr Steve Moyle, one of the leading UK experts on database security.
We’re all familiar with the old adages about the Cobbler’s children having no shoes and the dustiest part of the house being the top of the Hoover. So it’s not surprising to find that some security companies don’t run a tight ship. A good recent example is Guidance Software, a top vendor of digital investigation products. They’ve just settled a case brought by the FTC. It looks pretty damning. They failed to look after customer data in line with their advertised claims. And they’ve naturally and perhaps rightly attracted some mocking snipes from security pundits.
But does it mean that the products they sell are not secure? Not necessarily. And does it mean their operations are not secure now? Probably not, as they’ve had to make formal assurances to clean up their act. They’ve also taken on some very high profile non-executive directors who now have their reputations on the line, including George Tenet an ex-CIA Director. The interesting question is whether they are that much different from other security vendors. Were they unlucky to get caught? Hard to say. Will it happen to others? Absolutely. We can expect more of this type of case because there are a lot of insecurities out there and the compliance noose is tightening fast.
So there are some lessons here. Firstly, if your business is security then you need to maintain very high standards. Secondly, watch those assurances on your web site; they might come back to haunt you. Thirdly, if you’re a customer, don’t assume that just because you’re dealing with a security company or bank that everything will be completely secure. All of them are likely to have their weak spots. And fourthly, don’t write a company off because of one bad incident. Because, think about it, would you rather trust an organisation that had been found out and put its house in order, or one that you knew nothing about?
The US press and wire services report that the US Government has warned that US online stock trading and banking Web sites are the potential target of an al-Qaeda attack. The warning is reported to have originated from a Jihadist site.
A Homeland Security spokesperson is reported as saying: "There is no information to corroborate this … threat”. Reuters report that: “A person familiar with the warning said al Qaeda may be aiming to penetrate and destroy the databases of U.S. online stock trading and banking Web sites. But there was no evidence to suggest the effort could cause harm”.
Are we right to play down such warnings? They could well be false alarms. And our banks might well be adequately protected. There’s also a risk of crying wolf. But there’s also a danger of complacency. Personally I’d prefer to see a little more paranoia about the dangers of hostile cyber attacks.
Last year ZDNet accused me of being a “doomsayer” for a relatively mild prediction I made back in 1999 that the “Electronic Pearl Harbour” would not happen until around 2006. That particular prediction was based on an analysis of several Technology Road Mapping exercises, which indicated a cumulative build-up of threats, impacts and exposures that were expected to peak at around this time. Professor Fred Piper mentioned this in a speech earlier this year, posing the question: “Who is right?”
But regardless of what anyone thinks, it’s always better to be safe than sorry.