
August 2007 Archives

August 2, 2007

Trends in Security Technology

This morning’s IT Governance & Risk Management email shot from Computer Weekly carried a reference to a Burton Group report on trends in the security technology marketplace. Unfortunately it looks like you have to buy one of Burton Group’s services before you can read the report. But the Computer Weekly summary says enough. The conclusion is obvious. And it’s essentially the same as the point I was making six months ago.

Large vendors such as RSA have been forecasting for some time that the security market will consolidate and eliminate the growing army of small single-point solution vendors. In my view that's no more than wishful thinking. In fact I think we'll see the opposite. Burton Group seems to have nailed their colours firmly to the fence that divides the interest of big vendors from small security start-ups. They conclude that “consolidation of the security market will remain the norm, but best-of-breed security firms will continue to emerge to address gaps in technology”. In classic Janet-and-John style, Bob Blakley instructs us that "the bad guys are sticking arrows into the customers and the customers are therefore driving their vendors to cover up the parts of their body to which the arrows are being stuck".

It’s all blindingly obvious. As I pointed out at the start of the year, it takes a long time for new technology companies to be acquired by large vendors. Which provides a growing window of opportunity for start-up companies. And new threats will come thicker and faster because of powerful trends in the business and technology landscapes. You don’t need to employ an expensive analyst to work that one out.

August 5, 2007

Security Needs a New Direction

The UK newspapers are full of more stories about the dreadful state of Heathrow Airport. But it’s not surprising. It's a sign of the times. And the fault lies with security. Because its objectives are outdated. They need to be refocused to reflect the new challenges of the Information Age.

In the past, security was primarily directed at safeguarding static assets, whether physical or intellectual. The introduction of networks has generated the need to move towards a more dynamic security model. In particular, the new focus needs to be on exploitation rather than ownership of assets. Because we now have a powerful international infrastructure to move information to where it can most profitably be used.

Alvin Toffler first pointed this out several decades ago. He wrote that “as time goes on the most important thing about a scientific and technological base may not be what information is in it at any given moment, but the speed with which it is continually renewed and the richness of communication carrying specialized know-how to those who need it and acquiring knowledge swiftly from all over the world. It is not the stocks but the flows that will matter”.

But Toffler missed a bigger picture. It’s not just flows of information but flows of people and products that generate business value. I’ve been preaching this message since the atrocities of 9/11 led to many business flows being stopped dead in their tracks in the name of security.

I’ve made this point many times to national security representatives. The response is always the same. “Yes we agree that security must be balanced against business needs.” Wrong. It should set out to keep business moving. The authorities just don't get it. And that’s one reason why Heathrow is in such a mess.

August 7, 2007

No Sensations at This Year's Black Hat

At this time of the year my eyes usually glance westward to see what’s being revealed at the Black Hat and Defcon conferences in Las Vegas. Over the years these back-to-back events have served as a showpiece for announcements of hot findings from the esoteric community of code buffs who study security vulnerabilities.

So what happened this year? Not a lot according to reports from seasoned attendees. What’s going on? After all it should have been a bumper year for exploits given the continuing growth in the security research field. Brian Krebs’ report in the on-line Washington Post hits the nail on the head. Could it actually be that the research community is becoming more responsible, mindful of the serious consequences of disclosing a gaping hole in a protocol or platform? Or is it because security researchers are now more inclined to sell their vulnerabilities privately to the highest bidder?

August 8, 2007

Should Security Be Nasty or Nice?

I always smile when I hear security consultants advising that organisations should create a security culture. Why? Because quite simply there is no such thing. Security means entirely different things to different people. And of course there’s more than one way to skin a cat. No single approach works best across every situation and community. People respond differently according to their religion, culture, background, location, ambitions and motives. Amongst many other things.

As Douglas McGregor, a famous MIT social psychologist, pointed out in his classic 1960 book "The Human Side of Enterprise", there are fundamentally different approaches to managing people. It’s all a matter of taste. Some managers favour an authoritarian management style. Others prefer a more participative approach. And in practice you can achieve effective security either by instilling fear, paranoia or suspicion into your staff, or by building on positive motivators such as responsibility, trust and empowerment.

Great minds do not think alike on this subject. Galileo, for example, clearly favoured an educational approach, declaring that “You cannot teach a man anything. You can only help him discover it within himself.” Other revolutionary leaders, such as Uncle Joe Stalin, preferred to wield the lash. “Trust is good, but control is better”, he was heard to say. So you have a choice. You can be nasty or nice. Which one should it be? Impossible for me to say. Because the most appropriate approach depends on you, as well as the nature of the community you’re trying to change, and its chosen management style.

August 10, 2007

House of Lords Report Points the Way Forward

Today the House of Lords Scientific and Technology Committee published its long-awaited report on “Personal Internet Security”. It’s worth reading and quite a good introduction to the subject for a lay person. (Your CEO for example.)

The report makes many excellent and timely recommendations, including more research into alternative network architectures, higher security standards for Internet services, less immunity for ISPs, more liability for vendors and banks, introduction of a data security breach notification law, beefing up the Information Commissioner’s Office, establishing a national e-Crime unit supported by a network of forensic laboratories, and tougher sentencing guidelines.

This report demonstrates that the establishment has grasped the importance of the Internet and its security to society and industry. It’s a welcome sign of the times. And it provides a good blueprint for immediate Government action.

August 13, 2007

What Board Members Really Think About Security

A recent survey, carried out by NetIQ, claims that most IT Security Managers believe that their board-level superiors pay only lip service to compliance and security, i.e. they don’t take it seriously. Is this really correct? Or are we misinterpreting the signals from above?

I reckon the latter is nearer the mark. I’ve discussed IT security with dozens of managing directors in different industries. In my view they all take security very seriously indeed. Which is no surprise, given that they constantly handle sensitive information, and that they’re often much better informed about serious incidents than their staff. So why is there a difference in perception? I can see three possible reasons. Firstly, there is a lack of visibility of senior management thinking. Most directors are discreet. They rarely go around broadcasting their views about sensitive subjects, such as security. Secondly, they might have higher priorities. Most organisations have risk management processes in place that highlight major business risks for board-level intervention. If security doesn’t rank in their Top 50 risks, you can’t expect it to be high on the Board agenda. Thirdly, any major expenditure requires justification. No managing director should be endorsing major investments in security without a clear business case. And sadly we rarely see good examples of these.

I'm always surprised to hear claims that security spending is difficult to justify. In my experience it's much easier than justifying expenditure on many other business initiatives. For comparison think about advertising campaigns which only work half of the time, CRM programmes that are an expensive leap of faith, or new product launches for which no sales are guaranteed. Security spending is easier to defend. There's a lot of published incident data to support its claims. And if you add up the numbers the ROI can be quite impressive. Not to mention the fact that there are legal and regulatory demands to reinforce the business case.

So if security is not being addressed, where might the problem lie? The answer is likely to lie either with the risk assessment process, for not highlighting the problem, or with local business managers, for not managing these risks. Or perhaps with the security function for not establishing a functioning security management system. But don’t blame the Board. At the end of the day they’re the ones that risk a jail sentence. So they shouldn’t need reminding about the importance of compliance and security.

August 14, 2007

Data Mining and Fraud Detection

I was pleased to read that data mining has delivered spectacular results for the Insurance Fraud Bureau. Using Detica’s specialist services they were able to uncover gangs causing or faking car accidents, resulting in 74 arrests and a five-to-one return on investment, saving insurers at least £8 million.

I’ve long been a proponent of the use of data fusion, mining and visualisation techniques to detect fraud and solve business problems. I've sponsored several such projects in the past and was highly impressed with the potential for saving money through these techniques. The difficulty has always been the first hurdle of developing a convincing business case to invest in the necessary resources, technology and services. That's always the challenge when the technique is unproven and results cannot be guaranteed. It’s a leap of faith. When budgets are tight it's hard to persuade business managers to invest in experimental methods.

But as the IFB discovered the investment is more than justified. As Richard Davies, their Deputy Chairman, put it the results “exceeded all expectations” and “we never expected it to be as powerful as it turned out”. Yes, that’s the power of data mining. It’s one of the most under-utilised weapons against crime. And it can also solve all manner of day-to-day business problems.

August 16, 2007

The Rules of the New Game of Information Warfare

Alvin Toffler pointed out a few decades ago that the 21st Century would be dominated by information warfare and espionage. That’s because intellectual property becomes increasingly valuable and powerful in a world connected by digital networks. Defending and exploiting intellectual assets is likely to present one of the biggest challenges for organisations in the future. But as William Gibson once put it, “the future is already here, it’s just not evenly distributed”.

Every now and then we see glimpses of subtle battles for information control in stories such as the alleged claims that machines belonging to organisations including Wal-Mart, Disney, Sony, the Labour Party, the CIA and the Vatican, have been used to rewrite Wikipedia entries. It raises the important question of what is fair, ethical and legal in a world dominated by information warfare. After all, it’s reasonable for organisations to aim to safeguard their interests. But where does prudent behaviour end and when do dirty tricks begin?

Information is the lifeblood of the Information Age. It should be the objective of organisations to harness the skills needed to surf, source and spin information for competitive edge. Is it wrong to manipulate information for personal or corporate gain? Or is it simply what the future compels us to do? Should we be more broadminded about competitive information exploitation? Or should we aim to stamp out any actions that might mislead the public? I’m reminded of the decision of the US Secretary of State in 1929 to close down the US code breaking office with the words “Gentlemen do not read each other’s mail”. That didn't last long.

August 18, 2007

More on Pandemic Planning

My recent posting on pandemic planning prompted a comment suggesting a Top 10 list of actions. I couldn’t resist the challenge. Each organisation is different and requires its own specific action plan. But there are many common actions and principles. I’ve pitched this at organisations rather than citizens because the latter is a job for government agencies. And I believe they have most of this in hand.


August 21, 2007

The Strange World of Large Digital Networks

The recent three-day unprecedented outage of Skype services highlights some interesting characteristics of contemporary networks. Does it matter what really caused it? Probably not. Because the real issue is that we don’t fully understand modern digital networks. Whether or not you accept the Skype line that it was all triggered by “a massive restart of users’ computers across the globe within a very short timescale”. Or whether you prefer to believe the inevitable accusations of rivals that it was all down to fundamental flaws in their systems. The problem is that large digital networks are a law unto themselves. They are often unpredictable and they frequently exhibit behaviour that appears to be self-generated.

Hub-and-spoke networks are particularly hard to fathom, because they possess entirely different topological (and other) characteristics from traditional point-to-point organic networks. Important characteristics such as performance, security and failure rates can be very, very different in these so-called scale-free networks. You need to be an expert in complexity theory to gain any insight into what’s really going on.

Customer behaviour can also generate strange effects. Users might, for example, generate a huge increase in transactions when response times are slow by constantly pressing the send key. Collaborative, simultaneous network effects are also possible. Put all this together and we can expect some interesting times as organisations move towards increasing dependency on large-scale, hub-and-spoke digital networks.

In my view we need a lot more research and much better education to understand the real consequences of managing modern digital networks. I’ve occasionally pointed out some of these problems to business managers responsible for implementing new hub-and-spoke networks. Their reaction? Rather like a frightened rabbit in headlights.

August 24, 2007

What Makes a Good Spy?

Checking out the excellent FIRST Global News postings, my attention was drawn to a feature from the Telegraph Web site on “Top Web sites for Spies and Spying”. This article, amongst other things, comments on the new Jason Bourne film pointing out that it’s a “thinking man’s spy series…praised for its gritty style and widely credited with influencing the down-to-earth portrayal of James Bond in the remake of Casino Royale starring Daniel Craig”.

I have to disagree. Jason Bourne is an assassin, not a spy. He is aggressive rather than charming, as real spies should be. He would have been hopeless at gathering useful information from reluctant targets. Spies have to be friendly and charismatic to persuade people to give them secrets. From this perspective Daniel Craig is badly cast as James Bond. It was a mistake to switch from the excellent Pierce Brosnan, who was without doubt the definitive example of a top charmer and super spy. Ira Winkler will tell you that James Bond is not a great spy because he regularly gets caught. He also misses the point. That’s just an occupational hazard. The real trick is to come out on top, which Bond of course always did.

August 26, 2007

The Costs of Security Incidents

I’m always fascinated by reported figures and research statistics about the costs of security incidents. Generally they represent just the tip of the iceberg, because in practice you can’t nail down the lost sales, reputation damage and future legal claims that are directly attributable to the incident. Security researchers, most notably the Ponemon Institute, have attempted to measure the costs of a data breach by analysing the total recovery costs, averaged across a number of real-life incidents. These figures suggest that the full cost of such breaches is likely to be as high as $100 to $200 per compromised customer account.

But real life rarely conforms to the projections of researchers and organisations can of course be very different in their scale, brand value and crisis response. So it’s interesting to note the unfolding claims and facts surrounding high profile incidents such as the recent data breach at TJ Maxx, which involved the nightmare scenario of a compromise of more than 45 million customer credit card details. Many analysts and pundits (including myself) were quick to speculate on the long term cost of this breach. Estimates of damages of the order of billions of dollars were suggested. Some security experts even thought they might be one of the first companies to be wiped out by a single security incident. So several months on, how has it turned out?

Well the costs are certainly significant. TJX’s second quarter results indicate that a figure of $130 million has been set aside so far this year to cover costs and potential liability. This is reported to include a staggering $11 million in security consultancy fees. By my reckoning that would buy you a security department several times bigger than the average Fortune 100 organisation. It’s not chickenfeed. But it is a long way from the billion dollar hit forecast by the pundits. And an organisation with turnover measured in billions can easily survive a once-off hit of this size.

So after all, does the real, eventual size of the damage really matter? Probably not a lot in practice. Because a $100 million hit is more than sufficient to persuade Boards to take security very seriously indeed. And estimates of many further consequential damages, such as future lost sales, are largely academic, as they're not measurable and will never be known.

August 29, 2007

Security Managers are Getting Smarter

Over the last week, I’ve been interviewing a few selected security managers for a forthcoming Computer Weekly special. It’s been an interesting experience, and I was highly impressed with what I heard. Today’s security managers are far more sophisticated than they used to be. They have a better understanding of the business landscape and the emerging challenges. They also have a more realistic appreciation of the limitations of the resources at their disposal and how to get the best out of them. And they are more articulate when explaining complex security issues to directors and business colleagues.

Security has come a long way in the last two decades. Back in the eighties it was a backwater for aging operations managers, or auditors trying to escape the accountancy profession. In contrast modern security managers have to straddle the technical and the business dimensions of the problem and solution spaces. And they must be able to master the human factor, whether it's tackling staff, criminals or hard-nosed business managers. It’s a major challenge. A top CISO needs all the qualities of a CIO but with state-of-the-art know-how about current vulnerabilities and emerging threats. And many are rising to the challenge. I've seen far more successes than failures in recent years.

Where will it all end? Will we ever see security on the Board? Probably not, because at very senior levels it’s hard to justify operating within such a narrow specialism. One thing is certain however. Top security practitioners will continue to require a greater set of skills and knowledge than many other parts of IT and business. That's why the top jobs continue to attract such high salary packages.

August 31, 2007

Translating Research into Reality

My posting earlier this week on the costs of incidents created a few stirs, the most interesting one being an email from the excellent Ponemon Institute, who have been the source of many highly-publicised claims about the costs of data breaches.

Estimating the potential cost of security incidents is fundamental to corporate risk assessments and the resultant business cases for security spending. It’s clearly vital that security professionals have a sound model for estimating potential business damage. And the Ponemon Institute research is the most authoritative basis for this. Because it’s based on up-to-date analysis of real incidents. The Ponemon research also provides useful metrics for business cases, such as the total recovery cost per compromised customer account. Every security professional should become familiar with this research because it’s central to the justification for the resources and budgets needed to mitigate the risks of data compromise.

The difficulty of course is translating past research findings into future reality, especially when the scale is different. Such as in the recent incident at TJ Maxx, where many of us were tempted to extrapolate figures based on thousands of compromised accounts into estimates based on millions. And how well did we do that? Not at all well I'm afraid to say. Most analysts simply multiplied the historical average damage per account by the number of compromised customers. This projected a hit of several billion dollars prompting a wave of doom-laden warnings.

We should have listened to Larry Ponemon. Because he actually published statements at the time pegging the projected cost in a range of “hundreds of millions” of dollars. The TJX Group initially claimed a total cost estimate of around $25 million, but recent updates have inflated that figure by ten times, squarely within the range projected by Ponemon. What the pundits overlooked was the fact that TJ Maxx was an exceptional case. The breaches studied by Ponemon were in the range of a few thousand to a quarter of a million. The TJ Maxx incident involved more than 45 million cases. But, as Ponemon points out, many of the costs associated with data breaches are not fixed ones. The larger the breach, the smaller the resulting per-record number.
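The arithmetic behind that last point is worth seeing worked through, since it is exactly the step the pundits skipped. The block below is an added example, not code from this blog or from the Ponemon Institute: it contrasts the naive "average cost per record times number of records" extrapolation with a model that splits breach cost into a one-off component (forensics, legal set-up, crisis PR) and a per-record component (notification, monitoring). The $100 to $200 per-account range and the 45 million figure come from the posts above; the sample breach size of 50,000 records, the $150 average, and the $5 per-record variable cost are constructed assumptions chosen only to illustrate the shape of the curve, not claims about what the real split was.

```python
"""Breach cost extrapolation: linear per-record model vs. fixed-plus-variable model.

Added example (not the blog's or Ponemon's own model). All cost parameters below
are constructed for illustration; only the shape of the reasoning is the point.
"""


def linear_cost(records: int, cost_per_record: float) -> float:
    """Naive extrapolation: treat the study's per-record average as a constant
    unit cost and multiply it up. This is what most analysts did for TJ Maxx."""
    return records * cost_per_record


def fixed_plus_variable_cost(records: int, fixed_cost: float, variable_per_record: float) -> float:
    """Cost model with a one-off component that does not grow with breach size
    (forensic investigation, legal set-up, crisis PR) plus a component that
    scales with each affected record (notification, credit monitoring)."""
    return fixed_cost + records * variable_per_record


def calibrate_fixed_cost(sample_records: int, sample_avg_per_record: float,
                         variable_per_record: float) -> float:
    """Derive the implied fixed component from a study's average per-record figure.

    The study reports an average (total / records) observed at breaches of roughly
    sample_records in size. If we assume a per-record variable cost, the remainder
    of the observed total must be the fixed component."""
    observed_total = sample_records * sample_avg_per_record
    return observed_total - sample_records * variable_per_record


def per_record(total: float, records: int) -> float:
    """Effective per-record cost at a given breach size."""
    return total / records


def compare_extrapolations(records: int, sample_records: int,
                           sample_avg_per_record: float, variable_per_record: float) -> dict:
    """Extrapolate a study average to a breach of `records` under both models and
    return the two totals, the effective per-record figures, and how many times
    the linear model over-estimates relative to the fixed-plus-variable model."""
    fixed = calibrate_fixed_cost(sample_records, sample_avg_per_record, variable_per_record)
    linear = linear_cost(records, sample_avg_per_record)
    split = fixed_plus_variable_cost(records, fixed, variable_per_record)
    return {
        "implied_fixed_cost": fixed,
        "linear_total": linear,
        "fixed_plus_variable_total": split,
        "linear_per_record": per_record(linear, records),
        "fixed_plus_variable_per_record": per_record(split, records),
        "overestimate_ratio": linear / split,
    }


if __name__ == "__main__":
    # Constructed calibration point: a study average of $150 per record (inside the
    # $100-$200 range quoted on the page) observed at a 50,000-record breach, with
    # an assumed $5 per record of genuinely variable cost.
    result = compare_extrapolations(
        records=45_000_000,          # TJ Maxx scale, from the page
        sample_records=50_000,       # assumption: typical size in the study
        sample_avg_per_record=150,   # assumption within the page's $100-$200 range
        variable_per_record=5,       # assumption
    )
    for key, value in result.items():
        print(f"{key:32s} {value:>18,.2f}")
```

Running it shows the linear model landing in the billions while the split model lands in the hundreds of millions, with the effective per-record cost collapsing from $150 to a little over $5 as the fixed component is spread across 45 million accounts. The exact numbers depend entirely on the assumed split; the lesson for a business case is that a per-record average is only valid near the breach sizes it was measured at, and that extrapolating to a different scale needs an explicit fixed/variable decomposition.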

So well done Larry for getting the projection right. And there’s a clear lesson for us analysts and pundits to be a little bit more cautious in translating research into reality.

About August 2007

This page contains all entries posted to David Lacey's IT Security Blog in August 2007. They are listed from oldest to newest.
