November 2007 Archives

Don't Forget Your Digital Wallet


Digital cash wallets seem to be a long time coming. It must have been about fifteen years ago when I saw Bob Fletcher of NatWest Bank presenting the concept of the Mondex electronic money card to a highly amused I-4 audience of CISOs. (It was the corny cowboy music on the video that had them rolling in the aisles.) Unfortunately Mondex sank with little trace. But now the concept is being trialled again in London using Nokia phones modified to make travel payments through Oyster travel card technology. These mobile phones will double as a travel pass and a wallet for making small value payments.

From a security perspective it’s interesting to speculate on the opportunities and threats presented by portable digital wallets. What else can they be used for? Are they as reliable or as safe as cash? I have to admire the optimism of the O2 marketing people who claim that the mobile wallet is an idea whose time has come because mobile phones are already seen as many people’s most valuable possession. They point to research showing that more people are likely to go back home and get their phone if they leave it behind rather than return for their wallet. Perhaps so, but research also shows that a staggering 885,000 mobiles, worth around £342 million, are accidentally flushed down the lavatory each year.

Cock-up or Conspiracy?


It’s interesting to discuss root causes of data breaches such as the recent HMRC breach with other security professionals. Most agree with my general suspicion that when something like this goes wrong it’s more likely to be down to a cock-up rather than a conspiracy. In fact the most popular theory is that the discs never got sent. Because we’ve all experienced that situation when the phone rings and someone tells you they haven’t received that package you promised to send a few weeks ago. “It’s in the post” is the natural reaction. And once you’ve painted yourself into a corner it’s not that easy to get out.

Of course this is all just speculation. But it’s remarkable to imagine that tiny human oversights can trigger major crises. That’s often the nature of organisational crises. They’re usually caused by long-standing, deep-seated flaws, but they can be triggered by unconnected, perhaps minor events that attract media attention to the flaw. The art of crisis management is to understand and tackle the underlying flaw not focus on the trigger. But it’s easier said than done. And of course, it’s also important to remember and respect the second rule of holes: if you’re in one stop digging.

Security is the New Rock And Roll


I always felt there was potential for IT Security to become fashionable, especially with those Die Hard and James Bond connections. Of course the problem is the rather pedestrian types that IT Security attracts, who are generally rather conservative or nerdish types. So it’s refreshing to hear of one of our community being described as the “rock star of security outreach”. I’m referring of course to the excellent Ian Cook of FIRST and other fame. I’d certainly endorse that. Though as a long-standing jazz fan, I’m not entirely sure it’s a compliment.

Innovation is Where You Least Expect It


I take a close interest in Innovation. It’s vital to Security because the problem and solution spaces are constantly changing. It’s also a fascinating problem: a simple concept but one that organisations find very hard to grasp. In theory it all boils down to a basic skill possessed by all called creativity and a simple organisational process to collect and take forward ideas. It should be trivial to implement. But in practice, organisations struggle to make it happen.

So I was interested to catch up in New York with Howard Wright, former Head of Innovation for the Royal Mail Group and architect of its famous Innovation Lab. Howard has more experience of transforming business thinking than anyone else I know. He’s also run some excellent planning sessions for CISOs which have helped us all gain a better understanding of the future challenges we face. He also has an excellent blog on the subject.

At first sight you’d never expect to find innovation excellence in an old-fashioned, conservative business environment. But that’s where the business need is greatest. So it’s not really surprising to hear that he’s now working as Director of Futures Strategy for Pitney Bowes, an old-fashioned organisation that sells franking machines. Like Royal Mail, it needs to adapt its business products for the Information Age. And that also requires a new focus on security. So look to Pitney Bowes for the latest ideas in Innovation. As with many good things in life, best practices are often where you least expect to find them.

Knee-jerk Reactions Are Not the Answer


Today’s newspapers are full of finger-pointing and spin about the HMRC data breach. And the blogosphere continues to churn out mixed commentary and advice, some sensible and some ill-advised. Of course it’s human nature to respond in an emotional or political way to a major incident affecting tens of millions of citizens. But what’s needed now is a calm, patient analysis of the root causes of the problem and a well-thought-through solution for the longer term.

There are clearly systemic failings in the governance of security in the public sector. Some are historic, a result of a long-standing focus on national security, rather than prevention of fraud and theft. The focus of the former is very narrow. The latter is pervasive, requiring a rapid scaling up of specialist advice across the entire government sector. That’s one reason why the public sector is behind industry in its implementation of contemporary security. It will take years to build the necessary knowledge, skills and awareness across central and local government organisations.

A further constraint is operating within a political governance system designed to minimise central interference, other than through policy, targets, finance and selection of senior staff. Security requires strong, central monitoring and intervention to maintain standards. In Industry you can draw on the authority of the Executive Board or CEO to get things done. You can’t play this card as effectively in the public sector.

We need solutions that encourage security standards to be more effectively deployed and business units more accountable. The former requires investment in central security agencies to develop stronger direction, support and monitoring. The latter can only be addressed through mandatory accredited certification. Just making a Board member responsible is not good enough. It helps but it doesn’t fully close the loop.

What’s certainly not needed is an ill-advised knee-jerk reaction, such as the bizarre call by Ross Anderson at Cambridge University to scrap CESG and replace it with a “civilian agency staffed by competent people” to give better advice to ministers. They already are a civilian organisation and, like the newly formed CPNI, they need boosting not shooting.

No More Mr Nice Guy – Time for CISOs to Get Tough


One of my predictions for 2007 was that this would be the year that CISOs would finally get tough with business units, tightening corporate firewall policies and closing down insecure connections. The context was the need to respond to zero day exploits that introduce numerous sources of risk across enterprise infrastructures.

It hasn’t quite happened in the way I imagined. But the need to get tough is becoming pressing following the run of high-profile, avoidable breaches of personal data.

Sometimes a CISO needs to be a perfect diplomat, building good business relationships with a reassuring bedside manner. At other times a CISO needs to be hard and uncompromising. The pendulum is now swinging towards the latter. Forget your popularity. It’s time for all CISOs to crack the whip.

Personal Data Breaches Are Unforgivable


This week I’m in New York on a short visit, but my attention has been grabbed by events at the UK HM Revenue and Customs, i.e. the announcement of a loss of discs containing personal data on 25 million citizens.

Following on from so many high profile data breaches earlier this year it seems quite incredible that such a breach could occur. But such mistakes will happen from time to time in any organisation that does not maintain an aggressive campaign of user education, mandatory controls and regular auditing.

This is unlikely to be an isolated incident. It's well understood in the safety world that behind every major incident, there are likely to be on average 29 minor incidents, three hundred near misses and perhaps thousands of bad practices. A similar pattern can be expected for security incidents.

Unfortunately UK Government has been slow off the mark at catching up with the better practices of industry. In particular they have for too long resisted proven measures such as accredited certification, which is the only effective way of “closing the loop”, i.e. checking that corporate policies and standards are actually implemented in practice.

So it’s understandable and not really surprising to hear about a breach of this kind. But given the well publicized citizen concerns and learning points from previous breaches, it’s not forgivable. Action must be taken urgently to raise the bar on security standards for the public sector.

Security Culture and Social Engineering


I was interested to read my fellow blogger Stuart King’s posting on Psychology and Security. In particular he raises the tricky question about what a member of staff should do when confronting a visitor. Should they be suspicious and ask intrusive questions? Or should they be helpful?

It’s not that easy in practice. In fact, the more you encourage a service-oriented culture, the more vulnerable you are likely to become to social engineering attacks. Professional attacks are exceptional. It’s not what staff expect to encounter. It catches them off-guard. Most people want to be helpful. And it can be career-limiting to provide a bad experience to a senior person or an important customer.

From time to time I’ve been involved in interviews of applicants for security manager posts. I’ve always found it interesting to ask what they would do if the CEO arrived without an office pass. Would they let them in or would they turn them away? Generally it’s one or the other and both answers are unsatisfactory, either from a security or business perspective. You’re damned if you do, and damned if you don’t. It’s rare to hear an imaginative compromise answer. Just once I heard one: “Sir, of course I recognize you and this time I will let you in, but next time you forget your pass I will turn you away”. I was impressed with this answer, though not everyone would be. Because there is no perfect solution.

At the end of the day it all depends what sort of security culture you prefer, and how much of a nice guy, control freak or bully you are. Do you like to make other people paranoid or servile? Do you like to punish people for getting things wrong? Or do you want to encourage positive characteristics such as openness, trust, forgiveness and empowerment? The choice is yours.

The Old Ones Are the Best


It’s an interesting phenomenon that chip speed and memory size both keep increasing in leaps and bounds, yet laptop performance continues to get slower. It’s always been the case as far as I can recall. In the Seventies I was assured that program efficiency was no longer desirable as processor speed and storage would be plentiful in the future. I was advised badly, though the software vendors certainly took this on board because they’ve long been eating up more resource than they require.

So it’s always a pleasure to revisit a simple design from the past and see it pitted against today’s technology. I’m referring of course to the tests of the re-built Colossus at Bletchley Park, currently being used to crack intercepted enciphered radio messages in competition with modern PC technology. Of course it's a publicity stunt, but it also demonstrates an important learning point, as well as highlighting an impressive piece of engineering by Tony Sale, an early pioneer of the use of technology for intelligence purposes.

The point to note is that an efficient, purpose-built design will for many decades outperform the latest general-purpose technology. It’s because vendors build in huge amounts of inefficiency, in their chip designs, operating systems, protocols, database systems and applications. There are many reasons for this: financial constraints, design by committee, need to maximise features, as well as plain old incompetency. The learning point for security is not to underestimate the potential power of purpose-built code-breaking or monitoring technology. Colossus might be an exceptional piece of engineering. But as they say, exceptio probat regulam in casibus non exceptis.

Human Factors Dominate Today’s Security Problem Space


Earlier this week I gave the closing keynote address at Kable’s Information Security in the Public Sector conference in London. The subject, requested by Kable, was “Creating a Security Conscious Culture”. It’s another indication of the growing importance of human factors in today’s security and IT problem space. And it’s not just in user education. The key obstacles and enablers to aligning security with business goals, or in joining up Government IT, are politics, perception and relationship management.

A year or two ago there was much less interest in human factors. Today it’s the most requested topic for advice, research or presentations. The UK Technology Programme is investing millions of pounds in research in this area. Leading universities are building more human factors content into their courses. And sales of security education services are at an all time high. I’m already booked to give presentations on the subject next year in UK and USA.

Will this trend continue? Yes, it has a long way to go. The major obstacle at present is the shortfall of budget and resources assigned to the subject. It can take years for such vital enablers to catch up with the latest challenges. But there is a compelling business case because it reduces incidents and, more importantly, their associated costs. If your organisation is not spending at least 10% of its security budget on security awareness and behaviour change, then it's probably got the balance wrong.

Security is the Foundation of Internet Governance


This week sees the second meeting, in Rio de Janeiro, of the Internet Governance Forum, an organisation established by the United Nations to debate public policy issues associated with the Internet. The obvious question is why we need any governance, other than the technical standards needed to enable everyone to communicate.

The answer to me seems clear. Outright anarchy is as undesirable as central UN control. Hopefully we can steer a course through these two extremes with a light but firm touch on the rudder, based on a solid foundation of consistent legislation, security and law enforcement. Public policy provides a vision but good security is the real enabler of electronic governance.

De-perimeterised Cartoon


I couldn’t resist a smile at Bruce Schneier’s blog posting of a New Yorker cartoon, with a de-perimeterisation theme. I've always liked New Yorker cartoons, especially the dog ones, and you can buy the rights to use them in presentations at a reasonable price. They’re also a nice company to deal with, as I found out last year when I tried to order some goods online but was blocked by their anti-fraud measures. I sent an email of complaint, and was impressed to receive an apologetic telephone message from their Director of Sales offering to take my order in person. It just goes to show that good service can go hand in hand with good taste.

The Future is Mobile but will it be Secure?


The past week has seen three developments likely to fuel future growth in the use of mobile devices. The first is Apple’s UK i-Phone launch, which might not be the most advanced device in terms of functionality but certainly represents a step forward in usability. The second is Google’s announcement of their new open platform for mobile devices, which is likely to accelerate the longer term growth of mobile applications and features. The third is the start of manufacturing of Nicholas Negroponte’s one laptop per child machine which introduces mobile computing, and programming skills, to previously inaccessible regions of the world.

Fast forward a few years and we can expect wireless, mobile operation to be the norm for most people, at both work and play. There’s nothing surprising about this, except for the fact that few organisations have given this channel sufficient security attention. Many security managers were caught off guard by the unexpectedly rapid uptake of wireless LANs and Blackberrys. And, until recently, few organisations had even considered encrypting laptop data. Traditional corporate perimeters don’t safeguard mobile business operations. We need new solutions, new practices and new user behaviour. And time is running out to put them in place.

When it comes to Communications, Smarter beats Dumber


Yesterday Andrew Yeomans of Dresdner put a risk management challenge to me and fellow blogger Stuart King. The issue arose from a discussion about Get Safe Online, the educational site aimed at citizens and SMEs. Andrew favours the idea of such training but feels that the information given is too detailed and contains too much jargon. He asks “What are the 2, 3 or 4 key measures that are proven to significantly reduce the risk to your PC?”

It’s an interesting and an important problem, but it’s the wrong question. You need context to assess risks and priorities properly. One size doesn’t fit all. There’s a huge difference in user practices, the value of their data and the security of their environment. And it’s further complicated by the increasing number of alternative security solutions and the growing range of platforms of varying vintage out in the field. So let’s rephrase the challenge to “How can we simplify the security advice to PC users?” Now that’s easier to answer.

Start by asking questions to establish the context for the advice. This will help prioritise and filter down the recommended controls. Then it becomes easy. For example, if you do your banking online, then up-to-date advice on phishing would be a high priority. And if you let your family share your business laptop then you’ll probably need “the works”. But if you just use a PC for email to family and friends, then switching on your firewall and installing a good AV package is probably all you need. Building intelligence into systems is always a smarter move than dumbing them down.

Keeping up with Regulatory Compliance


I’m often asked how best to keep up with the compliance bandwagon. It’s not easy. You can subscribe to the expensive IT research services offered by the likes of Gartner or Forrester, but much of the coverage can be rather selective, according to what happens to catch the analyst’s attention. And if you’re working in compliance you need more immediate, more comprehensive feeds than that.

So I’m always on the lookout for up-to-date, reasonably-priced sources of authoritative advice on compliance practices. Today I was fortunate to meet up with Ryan Rubin, an ex Jericho Forum enthusiast, now working for protiviti, a company that specialises in compliance. He pointed me towards their excellent knowledgeleader web site, which covers just about everything you want to know about the subject. And it can be accessed on a 30-day free trial, so you have nothing to lose by trying it out. It looks good and there’s a business interest in the follow-through, and hence an incentive to publish useful information at introductory prices. I have no commercial interest in the company, but I wish them well with their Web site. It fills a gap and it's very much the shape of things to come.

The Long and Growing Arm of the Law


It’s not easy to ensure your business meets all the relevant legal and regulatory compliance requirements. There are just too many of them for an average business manager to take in. It’s difficult enough to spot remote legislation such as Californian Law SB 1386 which requires companies to notify them of incidents affecting Californian citizens (who might be employees or customers). But a recent development now suggests the compliance net might be even wider than this.

Michael Geist, an Internet law professor, explains the problem in a disturbing story on the BBC Web site about the International Music Score Library Project, a Canadian Web site which had built up a collection of musical scores for which the copyright had expired in Canada. After two years of operation the site had become the largest public domain music score library on the Internet. But it was closed down a few weeks ago following a legal demand from an Austrian music publisher to block European users from adding new scores for which copyright had not expired in Europe (which has a longer copyright term than Canada). If this legal demand is correct, it means that the longest copyright term in the world automatically applies to all publishing sites. It has serious implications for online businesses, as it suggests they may have to comply with the laws of every country that can access their sites, resulting in a possible showstopper for e-commerce and a bonanza for aging rock stars and intellectual property lawyers.

In Search of the Holy Grail of Security Risk Management


IBM’s latest press release caught my eye. It sounds great, announcing a major investment in new security services, products and research breakthroughs to help business effectively manage operational and IT risk. I was particularly interested in the announcement about a collaborative research initiative with academia, called Security Risk Management (SRM), to align security controls with critical business processes and their risk management objectives. In particular, it aims to enable assessments of Business Value at Risk, a useful metric to present to business managers and Boards. It sounds like a great ambition.

The bit that worries me is the concept of a product that sets out to perform critical assessments across the enterprise, in a “more precise, automated and objective manner”. Nice in theory. But will it work in practice? Highly unlikely, in my experience. Even if we actually had sufficient base data to underpin such calculations, there would be too many contextual dimensions that are simply not measurable. Also, the value of information and the levels of risk change constantly, generally without warning or announcement. The model would always be out-of-date. Further, automated calculations have an unfortunate tendency to spill out bizarre results, requiring significant manual adjustments. And, most importantly, people are responsible for processes and assets – you can’t cut them out of the loop. It’s their call, not the computer’s, to assess the risks to their operations.

Fear of Cybercrime on the Rise


My eyebrows were raised by a story in Computer Weekly claiming that cybertheft is the UK’s “most feared crime”, even outranking burglary, assault and robbery. It just doesn’t ring true. Perhaps some interpretation is needed? Looking closer, the research is commissioned by a security vendor, so perhaps there’s been a little selective reporting. The sample is “regular Internet users”, so it’s not completely representative of the UK public. Reading further, the phrase “most feared” becomes “most vulnerable” which is perhaps more understandable. And the proportion of users voting this way is 43%, which is high, but not overwhelming. But rather strangely, Liverpool is the city most afraid of cybertheft with 93% citing it as a concern, followed by Glasgow with 92% and Cardiff third with 91%. Why these places? Could it be down to reports in the local press? Or might it be that Northern City dwellers are so hardened to other forms of crime, that cybercrime is actually scarier than being mugged? Now that would be alarming.
