
September 2007 Archives

September 5, 2007

Responding to the New Espionage Threats

For the last few days the media has been reporting alleged hacking attacks on US, UK and German government targets originating from China. It's to be expected of course, as any new channel for covert information gathering will inevitably be exploited by zealous intelligence services. But what's really interesting about such attacks is not that they are happening, but their game-changing nature. In much the same way that communications interception transformed intelligence gathering in the last century, so hacking and other new forms of electronic information gathering will progressively change the shape of espionage throughout the 21st century.

Hacking presents a new dimension for intelligence gathering. It has very different characteristics from human and communications intelligence. It is cheaper, faster and easier, requiring no expensive interception platforms or networks of assets. It also offers a sharper and more immediate context for a targeted attack. But it is more intrusive than passive communications monitoring and therefore more likely to be detected and traced. And the window of opportunity for a particular exploit might also be relatively short lived. But it is very well suited to the fast-changing, competitive nature of the Information Age.

This is just the start of the new intelligence game, made possible by emerging technologies, because we've only scratched the surface of the possibilities presented by large-scale data fusion and mining. Whether open or closed source, intelligence gathering will become increasingly powerful, competitive and volatile. That's the nature of the new business and political landscape. How should we respond? The answer is to go with the flow. Putting up barriers or isolating yourself from the rest of the global, networked community is not the answer, because the real edge is in exploitation rather than possession of information. As I've often said, in the new world of electronic networking, openness, trust and risk management will increasingly beat secrecy, suspicion and caution.

September 7, 2007

Can Security Stay Ahead of the Threat?

I often sit back and reflect on whether we are really winning the war against malicious security threats. The answer of course is "Yes". Otherwise we'd already be in dire straits. But it's sometimes a case of one step forward and two steps back. And two stories in this week's press suggest that we might have lost a few battles.

The first was the BBC story about the emerging commercial market in hacking kits (with full technical support) and boutique virus writing services producing malicious software to order. Of course there's nothing new in the capability on sale. It's always been available to those in the know. But commercialisation of powerful offensive software at affordable prices brings it within reach of any interested individual or organisation.

The second story was the announcement that the US Homeland Security Department has scrapped their ambitious $42 million anti-terrorism data-mining tool after investigators found it was tested with information about real people without the required privacy safeguards. No doubt many people will be pleased to see the abandonment of a programme that threatens the privacy of citizens. But this technology will not go away. It represents the future of intelligence gathering. We need more research, not less, into these technologies in order to minimise the risks to individuals.

So one step ahead for the offensive capabilities of our potential enemies, and one step back for the technology we will need to defend against their attacks. Let's hope we can swing the pendulum back the other way.

September 10, 2007

Cybercrime in the UK

A new report commissioned by Garlik, a UK vendor of privacy management services, on the subject of UK cybercrime, contains some interesting findings. Such surveys are essential reading for security professionals as they help to fill in pieces of the slowly forming but largely incomplete jigsaw of cybercrime activity in the UK.

Of course, as with any survey that might have been carried out primarily for marketing purposes, it's necessary to take any estimated figures with a pinch of salt. Some are scaled up from previous surveys. For example the staggering figure of 1.93 million on-line (email) harassment cases is estimated on the basis of an earlier survey which indicated that 8% of adults using the Internet were victims. But nevertheless, the survey indicates a massive, growing problem of cybercrime offences against the person. And it's interesting also to note that "cyber crimes are just as prevalent as traditional crimes. In 2006 the incidents of online financial fraud doubled the number of robberies taking place". Which suggests that UK law enforcement strategy might not have the balance right.

The report also points out that "computer misusers tend not to consider their actions as immoral". And interestingly, the experts have already coined a term for this lack of virtual moral consensus. It's called "toxic disinhibition". However not everything is neatly defined. The report also points out that "although the term ‘cybercrime’ is now in everyday use, the first problem encountered in measuring cybercrime is that there is no commonly-agreed definition of the term". And, unfortunately, that can undermine the credibility of any cybercrime survey that relies on figures from earlier studies.

September 12, 2007

What Top Security Professionals Really Think

Just published on the Computer Weekly Website are a couple of videos of interviews I conducted recently with leading Heads of Security from interesting organisations. They’re worth watching.

The first interview is with Sandra Barton-Nicol, Head of Risk Investigations for Betfair, the largest online betting exchange in the World. It’s interesting to hear Sandra’s perspective on risk. As she succinctly points out, “our business is gambling but we don’t gamble on risk”. The second interview is with John Meakin, Group Head of Information Security for Standard Chartered, a bank with a long history and an impressive global network. John is a highly experienced and award-winning CISO, having previously led security functions in Reuters, RBS, Swiss Bank Corporation and Dresdner. It’s interesting to hear his perspective on the challenges of managing security across a changing business landscape.

But for me, the really interesting aspect of these videos is that it’s a breakthrough in training and awareness. Security practitioners and students across the world can now gain access to the views of leading professionals, and hear it straight from the horse’s mouth.

September 13, 2007

It's Features not Usability that Sells Products

The blog postings have been a little thin over the last fortnight as I’ve been holidaying in one of those chic designer hotels. You know. The ones that have Zen styling, Eastern spa treatments, candle-lit rooms, designer landscaping, etc.

Of course in practice such styling is entirely impractical: shelves at the wrong height; darkened rooms you can’t read in; sunken baths that take an hour to fill; Japanese gardens that are a maze to navigate. But we wouldn’t have it any other way. We’d gladly suffer this inconvenience in the interests of style and one-upmanship. Because it’s the “wow factor” and the exclusive features that sell products. Not simplicity and utility.

It’s the same with IT and Security. Organisations rarely go for cheap, functional products. We look for the brand name, the fancy features and the Gartner rating of “completeness of vision”. This in turn makes big vendors and start-up technology companies focus on unnecessary functionality, standards and architectural potential. Their inclination is to develop new product features that will attract new customers, rather than perfecting simple, tried-and-tested functions that might delight existing clients. Which is why, over the years, vendors have been able to sell us security systems for authentication, risk analysis and identity management that have been less than fit-for-purpose.

And in the end, do we get the products we deserve? Unfortunately, yes. Of course it’s no bad thing that security standards and features continue to evolve. But we’d just prefer them to be a little more relevant to our day-to-day business problems.

September 16, 2007

CSI Security Survey Shows Huge Increase in Financial Fraud

Average annual losses from security incidents have doubled according to the Computer Security Institute’s 12th Annual Computer Crime and Security Survey. Regardless of the accuracy of the individual figures collected - and these can be understated for a variety of reasons - it’s the trends that count. So this jump is highly significant, especially as previous CSI surveys have indicated a downward trend.

It’s also interesting to note that for the first time, financial fraud losses have overtaken the costs of virus attacks. In fact they are more than twice as high. The survey also indicates an increase for many organisations in the percentage of IT Budget spent on security, with a clear trend towards 3-5% of IT budget. Of course the relevance of this metric depends on what you actually mean by security. But again it’s the trend that counts and that trend is upwards.

However, despite all of the emphasis on the importance of the human factor in security, it’s sad to see that just under half of the organisations surveyed spent less than 1% of their IT Security budget on awareness training. Now whether this is because organisations don’t know how to address the problem or because they can’t find any products worth buying, it demonstrates a widespread inability to translate the current mantra into real world spending. And that might also be a major reason why the annual losses are increasing so fast.

September 18, 2007

Designing Systems for Peak Demand

I was interested to read Tom Ilube’s comments on the BBC Website about the failure of Northern Rock’s systems to cope with the recent exceptional demand. As one of the pioneers of online banking (he was Egg’s CIO) he should have a good perspective on what is achievable in designing systems that can respond to unanticipated peaks in demand. As Tom points out, building systems that can suddenly cope with a completely unexpected burst of perhaps 10 or 20 times their normal processing volume is notoriously difficult to do, but by no means impossible.

So what went wrong? Was it financial constraints, a lack of planning or perhaps a deliberate ploy to slow a potential run on the bank? In such cases I generally assume a cock-up rather than a conspiracy. Organisations are not good at planning for extreme circumstances. It’s outside their experience. But today’s business world is much more volatile and fast-moving, and the pace will continue to increase, because the faster the business cycle, the higher the revenues.

As Tom suggests, every bank chief executive should ask their IT director today "If we are hit by 10 times our normal customer volume tomorrow, what will happen to our online banking system?" And based on my experience of business continuity planning, I’d add a further demand. “Prove it”.

September 19, 2007

Beware Publicity-Seeking Security Gurus

For the past few days I’ve been reading some strange reports coming out of a Gartner Security conference in London. Enough to make me wonder whether the speakers are on the same planet as the rest of us. I’d be highly interested to hear from anyone that attended this event. Surely it couldn’t have been as daft as the media coverage suggested?

The first story I spotted was a plea from John Pescatore, a Gartner analyst, for organisations to spend less on IT Security. I’m speechless. In my experience it’s extremely rare for an organisation to overspend on security. It can happen occasionally, for example following a major incident. It also used to happen in some arcane areas of Government many years ago. For example when millions of dollars were spent on unnecessary Tempest protection. But I have to say that these cases are exceptions and the general picture has been a widespread under-spend in most of the vital areas of security, including education, architecture, identity management, development, testing and certification audits.

The second story that caught my eye was a remarkable claim by Joanna Rutkowska, a security guru with several years’ experience, who thinks that “major software packages such as operating systems could be secured through code auditing and formal verification – but it may take as long as 50 years before this is possible”. A reassuring sentiment, but as Keynes pointed out, in the long run we’re all dead. Yet there are many practical, sensible steps that can be taken today to secure systems by applying sensible principles and controls for architecture, coding, testing and maintenance. Formal verification is an interesting aspiration but a bit of a wild goose chase.

So ignore these claims. Spend more on security. And encourage your developers and vendors to develop secure systems. You shouldn't need a security guru to tell you that.

September 21, 2007

The Long Road to PCI Compliance

There are always plenty of businesses that have to be dragged kicking and screaming to the compliance killing floor. So it’s no surprise to read a survey by The Logic Group that suggests that only ten percent of organisations are fully compliant with the mandatory PCI security standard.

Closer analysis of the figures, however, shows that retailers are well on their way to compliance. According to the survey, awareness levels are up to 100% from 85% last year and 45% the previous year. And eight out of ten merchants have assessed the impact of the PCI standard on their business. It’s clearly a slow process and understandably so, as PCI DSS is a highly prescriptive and potentially expensive standard to meet. I could never envisage any streetwise retailer diving in and implementing all those measures without a careful scrutiny of the financial and operational impact and a good look sideways at what everyone else is doing.

Compliance is not an overnight activity. It requires a gap analysis, impact assessment, business case and a rectification programme. You can’t conjure new budgets and the necessary resources out of thin air. According to the Logic Group survey, three quarters of companies are committed to achieving PCI compliance over the next 18 months. And of these more than 40% are already in the remediation stage.

There are always laggards, so it’s not surprising that 6% admitted to not having yet started the journey. What will happen to them? That’s the really interesting question. It will be interesting to see what fines and sanctions will be applied.

September 23, 2007

The Changing Security Threat Landscape

Last week Symantec issued their latest Internet Security Threat Report. These six-monthly reports have become essential reading for all security practitioners. The latest 30 page report (it could do with a good précis) is packed with useful, though largely unsurprising, facts.

The report confirms that the security threat landscape is becoming characterized by attacks that are more professional and increasingly commercial. These attacks are often carried out in multiple stages, using a low-profile compromise to create a beachhead from which subsequent attacks can be launched. Multiple methods of attack are likely to be used and trusted entities will be exploited. Defending against such attacks is not easy. They are difficult to detect and even harder to stop. And in an age when zero-day vulnerabilities are a reality, it’s disturbing to read that some big vendors still have patch development times measured in hundreds of days.

The consequence of this trend is that organisations need to adopt a more intelligence-led approach to security. Identify valuable assets and critical services. Understand the enemy. Think like an attacker. And then implement specific controls to identify and deflect such attacks. It’s no longer good enough to apply a basic level of commodity security across your estate. That approach might have been effective in the past. But today’s attackers don’t just focus on soft targets. And the sophistication of their threat has now surpassed the defensive capabilities of most baseline security measures.

September 26, 2007

Cryptography and Snake Oil

Bruce Schneier is a bright guy and a first-class writer but he does have the unfortunate habit of appearing to rubbish new security products, without any evidence that he’s actually looked at them. With most people this wouldn’t matter a jot, but Bruce is a highly influential blogger and thousands of people might be left with a negative opinion of the product.

So I was disappointed to read his recent posting on the press coverage of the EADS Ectocrypt encryption system. When he mentions snake-oil he might have had the media reporting in mind, but it reads to me as though the product itself is worthless. And Ectocrypt is not a worthless product, it’s a high-performance, award-winning encryption system, built to the highest NSA and CESG standards.

But unfortunately a large chunk of the blogosphere will now assume that it’s all hype. As Spiderman put it “with great power comes great responsibility”.

September 28, 2007

Why Encryption is a Hard Sell

My last posting generated a few comments condemning vendors who exaggerate the capabilities of their security products. The security market is now fairly mature so it’s surprising that vendors are naïve enough to think that slick marketing is the way to boost their sales. Product spin is a complete turn off for security professionals. Encryption products, in particular, require careful marketing, because they are one of the hardest sells of all. And that’s not just because of the aversion of the security community to bad marketing campaigns. It’s also because there are fundamental difficulties in introducing new encryption systems. Here's why.

First there’s the business case. Encryption is usually expensive to buy, disruptive to implement and difficult to manage. And it adds little obvious direct business value. It’s one of those invisible assets that you only notice when it messes up your communications. Business managers and Boards won’t be excited by the prospect of having unbreakable security protection for their information. They’re more interested in the business benefits. And these are more likely to be a leap of faith rather than a certain bet.

Secondly there is the enormous gestation period between conception and market acceptance for a new encryption system. New algorithms have to be peer-reviewed, debated, tested and accepted by the international community before they can be productised. And new products have to be evaluated, certified and in many cases approved by government or regulatory authorities before many customers will even consider them.

Then there is the marketing of the product. If it’s revolutionary and offers competitive edge, then it probably won’t be suitable for communicating with the rest of the business world. If it simply meets the latest standard, then it will lack a unique selling point. If it’s claimed to be foolproof, nobody will believe it. If it makes false claims it will be discredited. And if it’s questioned by a leading guru, it’s dead in the water.

Finally there is the long sales cycle, as customers consider the numerous implications of rolling out a new encryption system. Will it satisfy the standards of the service manager? Does it require a refresh of the desktop? Will legacy applications or hardware (e.g. ATMs) need to be adapted? Does an engineer have to visit each user site? These requirements might take months, if not years to implement. And in the meantime, the venture capitalists that originally backed the product will be developing ulcers and considering pulling the plug on their investment with little prospect of an early sale to prove the concept.

About September 2007

This page contains all entries posted to David Lacey's IT Security Blog in September 2007. They are listed from oldest to newest.
