
February 2007 Archives

February 2, 2007

From Forensics to e-Discovery

A few months ago I commented on Guidance Software, a company with a near monopoly on the PC forensics market with their EnCase product. That was following their recent settlement with the FTC. And since December, when they floated on the Nasdaq, I’ve been keeping an eye on their share price (currently up 26% on the issue price) as it’s not often we see an IPO for a security technology company. So I was interested yesterday to run into Brian Karney, their product development director, who is in London to promote their products. In particular I was keen to hear their take on what’s new in the forensics world.

And things certainly have moved on in computer forensics. Today you can interrogate PCs across a network, so there’s no need to seize end users’ PCs and cart them away for examination. But more interestingly, you can also use this capability for e-Discovery, searching across remote PCs for traces of documents needed for litigation cases. Now if you were designing an information archiving capability to support e-Discovery, you probably wouldn’t think to use such a specialised technology. But if, like many organisations, you suddenly find yourself in a situation where you have to search across numerous remote PCs, then this technology would be very handy. Which just goes to show how versatile some security technologies can be.

February 4, 2007

e-Crime in The Capital

The status of Scotland Yard's current strategy on e-Crime can be seen in a recent report published by the Metropolitan Police Service. It's an illuminating read. Clearly there is much to be done, and the size and scope of the problem space is growing each year at a substantial rate. But progress is way too slow. e-Crime prevention and response needs a huge boost in leadership, resources and equipment. Without it, we’ll all get swamped by the growing waves of criminalisation of hacking and malware. We've already lost momentum with the absorption of the NHTCU into SOCA. Let's hope that the authorities can eventually grasp the nettle and begin to plan for the future threats that are heading our way.

February 6, 2007

The Art of User Awareness

Those of you in the medical profession might be familiar with a UK publication called Primary Care Today. I was recently approached via the BCS to contribute a short article for this on-line magazine about the importance of IT security in a primary care setting. Like all such pieces it had to be short (700 words), comprehensive and cater for a varied readership. Not an easy task. But one that all security organisations face from time to time, usually with the added difficulty that it has to be repeated on a regular basis with a fresh perspective. You can read my attempt on the Primary Care Today website. There’s certainly an art in conveying user awareness given the constraints of any popular medium and the competition for space. You need an eye-catching introduction, a memorable end-line and in between a list of points that must sound interesting despite the fact that not all of them will be relevant to each reader. It’s an interesting exercise that all security professionals should tackle every now and then, if for no other reason than to remind ourselves that effective communications are not as easy as we might sometimes imagine.

February 10, 2007

Planning for The Future

Last week’s highlight for me was a trip to the Channel Islands to lead a one-day Sapphire masterclass in planning for the future. I must admit I do enjoy these sessions, as I always learn something new from the delegates. This class was especially good because the audience was smart, experienced and quick to grasp planning concepts and techniques.

I’m a great believer that the future of technology and security is fairly predictable. Amongst other things, that’s because the trends are strong and consistent. It's also because new technologies take many years to research, develop and productise. So we can see what’s in the pipeline if we take the trouble to look. You’ll also find that the opinions of most IT and security professionals are surprisingly consistent.

So what does the future hold? What kind of world are we heading for? Well that would require far more space than this blog posting because the future is very rich. But in general I can tell you that if we survive the expected Avian Flu pandemic, then we can expect a richer, healthier, more connected and highly automated world. But security will be very different. So my advice is to start planning now for the future because existing approaches might not survive the current decade.

February 11, 2007

Microsoft joins the Deperimeterisation Bandwagon

I couldn’t make last week’s RSA Conference in San Francisco because of other commitments, but I was interested to read the transcript of the keynote session given by Bill Gates and Craig Mundie. In particular the comments about moving away from physical security perimeters took me back fifteen years to my days at Shell when we first addressed the problem of how to manage connectivity and access control across shared networks. In those days IPsec looked a promising solution, but that was before VOIP had entered the equation and before we experienced the pitfalls associated with making IPsec work across organisational boundaries. I tend to agree with Paul Simmonds’ reported comments on the Microsoft keynote address. IPsec is not the solution. We need security at higher levels (in OSI model terms). The Jericho Forum has been studying these problems for several years. Microsoft should learn from their not inconsiderable experience.

And by the way, if you do rely on IPsec for your security, do check out the learning points from Royal Holloway University’s research on how to break badly configured implementations.

February 12, 2007

The Future of Standalone Security Products

Mark Twain once commented that “reports of my death have been greatly exaggerated”. And so it might prove for standalone security products. At last week’s RSA Conference, Art Coviello predicted that vendors of such products would disappear within three years. As President of RSA, he’s always guaranteed a plum platform at the Conference to promote his latest views. And he does have a point. Users do prefer broader, integrated solutions. And having been absorbed by EMC, RSA can vouch for the fact that bigger vendors are keen to respond to this market demand.

But the fact remains that not many integrated solutions deliver the most effective solution. Even established technologies such as IPS are far from commodities. They vary tremendously in their capability and effectiveness. And if you look ahead, you can see a raft of specialist, unique security technologies in the R&D pipeline.

Expecting big vendors to maintain a comprehensive portfolio of the latest, best-of-breed security solutions is likely to remain wishful thinking. Perhaps that’s what Art was really thinking when he said that “instead of working to perfect security we should be working to reduce business risk”. Because the main difference between business risk management and security is that the former generally operates at a higher level and rarely bothers to delve into the finer details of a technology solution. And with new attacks of increasing sophistication on the cards, it would be a fatal mistake to assume that all security products are equal.

February 14, 2007

Responding to the Growing Complexity in IT and Security

Last night’s BCS Security Forum Strategy Panel meeting included an interesting round table discussion on complexity. It’s a subject that’s been occupying my mind for three decades ever since I was first introduced to the fascinating world of cybernetics and control theory at Cass Business School in the late 70s. It’s also a current hot topic for many IT and Security professionals who are encountering major challenges getting to grips with the increased complexity of modern infrastructures and systems. Why is this happening? And what can we do to improve the situation?


February 17, 2007

The Importance of Security Surveys

I’ve just been checking out the new Symantec IT Risk Management Report. It’s the result of a year-long study based on interviews with IT executives and professionals around the world. Such surveys are mandatory reading for security managers as they can provide a valuable insight into trends and provide useful collateral evidence for business cases.

So what does this report tell us? Unfortunately, like too many of these surveys, there’s not much that’s of practical use to a CISO. Highlights include unsurprising findings such as the following.

“IT professionals rate themselves more effective in their deployments of technology than of process controls.”

“More-effective organizations – even though they often face higher risk levels – expect fewer incidents than less-effective organizations”.

“Best-in-class organizations perform with high effectiveness across most controls.”

“Differing internal viewpoints on IT Risk, and poor alignment between IT Risk Management programs and overall business objectives, may themselves create risk.”

“Poor organizational support for IT Risk awareness and training is both a compelling example of poor alignment, and a major cause.”

“Best-in-class IT Risk management requires a disciplined approach…across people, process, and technology.”

As Basil Fawlty once put it: “Can’t we get you on Mastermind…specialist subject: stating the bleeding obvious…”

Consolidation or Proliferation? The Future of Security Products

On Thursday I attended an excellent seminar organised by Comsec Consulting, a company that is relatively new to the UK but with a long, pioneering history in Israel, The Netherlands and Japan. Nissim Bar-El, their CEO, is a well-known international figure in the Security world. Over the last twenty years he’s been quietly building one of the largest IT Security consultancies in Europe. You can see him on the front cover of the current UK edition of SC Magazine.

At the seminar Nissim raised the issue of complexity arising from the proliferation of security products – more than 700 at the last count – and highlighted the difficulties this presents for customers. Could there and should there be a consolidation of products? ZDNet and RSA amongst others have predicted this. A few postings ago I commented on the future of single point solutions. But as it’s a hot topic, I thought I’d add a few more points and a little extra analysis of what might happen and why.


February 19, 2007

Laptop Thefts Down at the FBI

It’s not often you get to see security incident data from other organisations, so I was interested to read a report published this month about laptop losses and theft at the FBI. This type of data is hard to come by because few organisations (other than Royal Mail Group) maintain reliable, historical data on such security incidents. And even fewer publish such information. It’s good to see that the FBI has successfully reduced laptop losses by around two-thirds, from around a dozen a month to less than four a month. The figures seem consistent with other data I’ve seen. In Royal Mail Group the problem was initially bigger, though the reduction was greater. Such savings represent hundreds of thousands of dollars a year in incident and replacement costs, not to mention the value in reputation protection and safeguarding of valuable intellectual property. And it’s not difficult to reduce the losses. It just requires a small amount of research and analysis, followed by a few simple, targeted, educational interventions. It's certainly one of the easiest and cheapest security investments for any organisation. So let’s all copy this example.

February 20, 2007

More on Laptop Losses – How many go missing?

Yesterday’s posting prompted a few questions about industry averages for the number of laptops that go missing. Such data would be very useful for business cases and benchmarking performance. Of course these figures vary across organisations and over time, depending on factors such as the mobility of staff, the degree of public transport used, and the vulnerability of the business environment.

One indication of the scale of the problem can be taken from surveys of City taxi drivers sponsored by Pointsec, a security vendor. They show that a surprisingly large number of electronic devices are left behind in London black cabs. A survey carried out a few years ago showed that in the last half of 2004, 63,135 mobiles, 5,838 PDAs and 4,973 laptops were left behind in London taxis. One hopes that most of these were deposited in police stations and eventually recovered by their owners. The figures from similar Pointsec surveys in the USA are much lower (5-10%) because fewer executives use taxis. But these figures demonstrate just how forgetful staff can be. Pointsec also point out that 60% of identity theft arises from lost or stolen equipment.

Education and regular reminders are needed. My experience is that left unchecked, a typical organisation can expect to lose up to 5% of their laptops per year. But this figure can be reduced substantially to below 1% by smart, educational initiatives. Mobile phones and PDA losses will of course be much higher. They are at present less of a concern, though a growing one with increasing amounts of data being stored on them. It would be interesting to hear other experiences and views on levels of laptop or PDA losses.

February 21, 2007

Online Shopping Deserves Better Security

Research just out today from Symantec indicates that the UK's online economy is suffering from a serious lack of confidence. Two thirds of consumers believe that they are at risk from online fraud, and 30% agree that Internet security concerns prevent them making online transactions. This is worrying but not surprising.

What's the answer? Two things: higher security standards and better assurance for consumers that the standards are being applied. But we already have this in the PCI (Payment Card Industry) Security Standard. And it's been around for a couple of years. So why is it not being applied? Several reasons: it's tough, it's highly prescriptive, it's expensive, and it's not been strictly enforced so far.

Prescriptive approaches always generate pushback, but they do ensure that organisations pay more than lip service to security. Most prudent organisations are responding to the PCI Standard, but slowly and reluctantly. Things will speed up when we see heavy fines being imposed. That's not happening just yet. But PCI Security Compliance is unlikely to go away. So keeping your head in the sand is not a sensible approach. The real shame is that we have to rely on heavily enforced standards to fix the problem. Because customer security concerns should be high on the agenda for every online business.

February 22, 2007

Time for a New Standard for Software Development

Stuart King's posting on the importance of process reminded me of the important issue of software development standards. I believe it's time for a big change, for a fresh approach. Because our legacy standards are no longer fit for purpose.

Back in the 80s the US Department of Defense established the Software Engineering Institute (SEI) at Carnegie Mellon University to address the issue of software quality. The SEI built on some emerging concepts from Total Quality Management to develop the first Capability Maturity Model (CMM) - a major breakthrough. Wonderful stuff, except that it was developed to solve the problems of large-scale Defense programmes. And in such environments, implementing and certifying development processes against several hundred pages of controls was no problem at all.

Fast-forward to 2007 and much of the critical software we depend on is developed by small start-up companies with no more than a dozen programmers operating in a highly informal environment. Does the Carnegie Mellon model fit this environment? Absolutely not. It remains a useful benchmark for any organisation that seeks to off-shore their software development. But it does not fit the shrink-wrapped package world, operating out of a Silicon Valley garage or a backstreet Soho office.

In addition we now have to accommodate the new science of security vulnerability management. No code should be cut today without meeting tough security standards to remove exposures to buffer-overflow and other nasty vulnerabilities. Microsoft has set the standard in this direction and they should rightly be applauded. But not everyone else gets it. And even then, we have a big hill to climb in order to update our System Development Lifecycle (SDLC) methodologies and train our designers and programmers in how to develop security architectures and cut secure code.
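As an added illustration of what "removing exposures to buffer-overflow" means at the level of individual code, here is the classic unbounded copy beside a bounded version that rejects oversized input rather than silently truncating it. This is example code written for this page, not code from the original post or from any vendor mentioned; the buffer size NAME_MAX and the function names are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed buffer size for the example; real limits come from the spec. */
#define NAME_MAX 16

/* VULNERABLE: strcpy has no knowledge of how large buf is, so any name of
 * NAME_MAX bytes or more writes past the end of the stack buffer. This is the
 * "before" version and must never be called with untrusted input. */
void greet_unsafe(const char *name) {
    char buf[NAME_MAX];
    strcpy(buf, name);                 /* overflow if strlen(name) >= NAME_MAX */
    printf("Hello, %s\n", buf);
}

/* HARDENED helper: copy src into dst only if it fits with its terminating NUL.
 * The length scan is itself bounded by dst_len, so an unterminated src cannot
 * make us read past what the destination could hold. Returns false (and
 * leaves dst untouched) on oversized input; the caller decides how to fail. */
bool copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = 0;
    while (n < dst_len && src[n] != '\0') {
        n++;
    }
    if (n >= dst_len) {                /* no room for the NUL terminator: reject */
        return false;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

/* HARDENED: same behaviour as greet_unsafe for valid input, explicit failure
 * for input that would have overflowed. Rejecting beats truncating because a
 * truncated identifier can silently become a different, valid one. */
bool greet_safe(const char *name) {
    char buf[NAME_MAX];
    if (!copy_bounded(buf, sizeof buf, name)) {
        return false;
    }
    printf("Hello, %s\n", buf);
    return true;
}

int main(void) {
    /* Constructed sample inputs: one that fits, one that would overflow. */
    const char *short_name = "alice";
    const char *long_name  = "a-name-that-is-much-longer-than-the-buffer";

    greet_unsafe(short_name);          /* fine only because the input is benign */
    if (!greet_safe(long_name)) {
        printf("rejected oversized name (%zu bytes)\n", strlen(long_name));
    }
    return 0;
}
```

The point of the bounded helper is that the size of the destination travels with the pointer, so the check cannot be forgotten at the call site; static analysers and compiler warnings (for example treating strcpy into a fixed array as an error) are how a development standard makes this the default rather than a matter of individual discipline.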

So we need a new approach. We need a new software development standard that's lightweight enough to be adopted by small technology companies, but captures all the essential new security practices. Any ideas on how we get there?

February 24, 2007

Applying the Fourth Dimension to Security

For the last few weeks I've been reviewing a business process model for a client. It's an interesting task for me as I've always been fascinated by models and how best to structure them. Being a bit of a perfectionist and a keen futurist, my immediate reaction is always to see if I can find a model that is completely agile. It's a do-able challenge.

Of course I do have the advantage of having worked alongside leading data management luminaries such as Matthew West of Shell. So my first reaction was to catch up with the latest learning from Shell. And there is some impressive work going on there, especially in applying 4-Dimensional concepts to high-quality business data architectures.

"Pretentious!" some of you might say. But that washes off me. I'm used to hearing this from old-fashioned security managers. Particularly the ones who hope we could reduce the entire subject area to a handful of simple common-sense principles. That will never be true. Security is a subject of growing complexity. And we have to step up to the challenge.

And there are some major learning points for Identity Management architectures in applying the 4D paradigm. Because we continue to build major problems into our identity management processes through a failure to take sufficient account of how entities change over time. Think about it. And try to spot how many deep-seated flaws you have embedded into your own access management systems. User roles and circumstances are in constant flux. We need to cater much more for this.

And when you grasp this concept you will also understand that we have some way to go to crack the so-called "laws of identity". We need to learn more from emerging science in related fields. That's the only way we will understand just how to design fully agile, fit-for-purpose identity management systems.

February 28, 2007

Are We Ready for RFID?

There's a sense of déjà vu about this week's Black Hat Conference, with yet another revealing presentation pulled at the last minute. Two years ago it was Cisco attempting to quash Mike Lynn's presentation. This week it's HID Global threatening legal action to stop Chris Paget, a security researcher, from demonstrating weaknesses in contactless RFID cards.

Like most people, I've always believed that such interventions are counter-productive. It's healthier to come clean about security issues than keep them hidden away. And, ironically, such action can serve to attract even more publicity and potential reputation damage. But for me, the real issue is whether society and industry are ready for RFID. Any new identification technology will present security challenges. RFID is no different. But there are some deeper issues with RFID.

Several years ago I served as a subject matter expert for the Royal Society's excellent Science in Society Programme, during which I sat with citizen focus groups debating issues associated with emerging technologies and their impact on privacy and security. I was highly impressed with how quickly they grasped the implications of these technologies and formed decisive views. Generally they were willing to accept some loss of privacy in the interests of greater benefits. Most of them favoured technologies such as Identity Cards provided that the costs were not excessive. The one exception was RFID. Many felt that it was intrusive and did not offer them clear benefits. Some found it "scary". I must admit I was surprised. But I came away with a clear learning point: that we should not introduce such technology without full understanding of the implications and a proper consultation with all stakeholders.

About February 2007

This page contains all entries posted to David Lacey's IT Security Blog in February 2007. They are listed from oldest to newest.
