
December 2007 Archives

December 2, 2007

Something Wicked This Way Comes

Back in 1999 I predicted that the “Electronic Pearl Harbour” would probably not happen until around 2006. That prediction, which led some elements of the computer media to accuse me of being a “doomsayer”, was based on a considered analysis of emerging trends which indicated that by around about now the global security risk profile would have climbed to a dangerously high level. Many people advised me I was wrong and that instead we are likely to experience just more of the same, i.e. lots of small incidents that are more of an irritation than a serious threat. But that ignores the potential power of global networks, which can leverage positive feedback loops to deliver immensely powerful attacks, as well as the raft of systemic flaws that are building in our infrastructure, through continued bad practice and a herd-like mentality to standardize on a single choice of platform.

So here we are in 2007 facing a serious terrorist threat, a criminal underworld that routinely exploits IT vulnerabilities, and a sophisticated espionage threat from more than a hundred intelligence services. On top of that we have a physical infrastructure that is incapable of preventing staff from walking off with tens of millions of sensitive records, and an electronic infrastructure riddled with vulnerabilities that require prohibitive amounts of resource to repair. And the scale of the potential impacts from security incidents grows larger every day. Already this year we’ve had major incidents in industry and Government of unprecedented impact. We’ve also witnessed attack vectors of unprecedented sophistication. It strikes me that we’re all sailing like a ship of fools towards an electronic catastrophe. Time for a wake-up call.

December 4, 2007

Social Networking – The Bigger Picture

A Computer Weekly survey indicates that organisations are more concerned about the impact of social networking on employee productivity than on security or reputation damage. As usual they are missing the bigger picture, which is the potential for fraud, social engineering, data leakage and, more importantly, the progressive transfer of influence over policy and decision making from corporate centres to networked staff. You might think that’s power to the people but it’s really power to well-organised minority interest groups. Social networking is also fiendishly difficult to police. It represents a step change in the erosion of barriers between business and personal lifestyles. That's much, much harder to measure and manage than employee productivity.

December 6, 2007

Closing the Loop – It’s not that difficult

I’ve been surprised by the number of people who believe that the root cause of breaches such as the recent HMRC data breach is culture. In my view these incidents are the result of a failure of governance. Policies and standards don’t implement themselves. You have to communicate them clearly and check that they’re being followed. If not (which is a given) then you have to lobby firmly to persuade managers to allocate the time, resource and money to close the gaps.

There are many reasons, other than culture, why people don’t implement corporate policies. In practice it’s very rare to find an employee that has taken the trouble to read them. And even rarer to find one that understands them. Published policies and guidance rarely achieve more than 20% penetration without an aggressive implementation programme. And they will progressively slip in any organisation that doesn’t maintain an ongoing education programme and a six-monthly review of the actual practices inside the organisation.

Visibility, testing, monitoring and audit are vital inputs to all security functions. They tell you what’s really happening on the ground. And they're straightforward processes, not difficult to implement. Corporate policy can be a powerful argument to persuade people to implement security. But if you don’t follow it up then it’s no more than a tick in the box for an Ivory Tower bureaucrat.

December 7, 2007

Think Tank Thinking Needs a Few More Ideas

After nine months of research, Demos, an influential “think tank” originally founded by journalists from Marxism Today, has delivered a report on the societal issues associated with personal identity information, called “FYI: The New Politics of Personal Information”. It’s a useful read as it comes from a research group with a track record of influencing public policy. It’s also a good, simple primer on the subject, perhaps useful as a “Janet and John” introduction for your senior management.

But don’t hold your breath in anticipation of groundbreaking, imaginative recommendations. That’s something that think tanks (an archaic concept from the 50s) rarely deliver. In fact there’s nothing new here. The report vaguely recommends (a month too late for potential victims of the HMRC data breach) that people should take measures to look after their personal data, that Government should develop a more coherent strategy, and that the rights of individuals should be strengthened. And of course that they should sponsor a lot more research by think tanks into the subject. All fairly obvious and safe conclusions. There is one interesting idea about banks offering some form of no claims insurance for customers who successfully protect their personal information, but this sounds like something that would be better left to the banks to decide.

Yet there is so much that can be done now, starting with, for example, mandatory encryption of personal information and ISO-accredited security certification for any organisation that deals with large-scale personal identity information. And stiff penalties for any organisation that fails to achieve this. But perhaps that’s all a bit too straightforward for a public policy think tank.

December 10, 2007

When Real and Virtual Worlds Collide

Returning from a trip up North yesterday I ran into security colleague and fellow blogger Jonathan Care. He posted a nice comment about my appearance :-) on his excellent blog. An excellent start to the week.

The Future will be a Better Place

Bruce Schneier paints a rather downbeat picture of the future in a discussion with Marcus Ranum on Security in Ten Years. Fortunately they are wrong. When looking a decade ahead, you cannot simply extrapolate today’s trends, nor consider them in isolation. By 2017, many changes in perception and practice will have taken place. It won’t be just a case of more of the same.

Go back twenty five years and imagine what a law enforcement expert would have projected for the future of crime in New York. It would have been grim. But many things in life, such as average GDP per person, continue to improve, and their impact over a decade can be transformational. Relative certainties for 2020, identified in recent long-range research projects, are that the World economy will be substantially larger, that energy supplies will still be sufficient, and that people will be healthier, wealthier and live longer.

It’s also likely that we will have addressed the root causes of today’s security problems, and become more accustomed to many of the fundamental changes to business and society introduced by the information age. Technology of course will become increasingly complex and remain spectacularly vulnerable. But it’s also highly resilient, and can quickly bounce back. The trick is to accept and address the weaknesses of modern technology, and to harness the technology itself to help solve these problems. Faster, complex and more pervasive technology presents bigger risks but it also offers more powerful security solutions.

December 11, 2007

Next Year’s CIO Agenda

We’re approaching that time of the year when pundits and their sponsors like to look back on how things went, and what the coming year might promise. For me, an enthusiastic futurist and a serial forecaster, it’s a fascinating time. So I was pleased to respond to a Computer Weekly request for ideas on the CIO agenda for 2008.

In my view the dominant issue for 2008 will be Security which will stand out as a surefire case for increased spending in a tough year of belt-tightening. It will be driven by fear, as Boards grasp the uncomfortable fact that they simply don’t have sufficient control or assurance of their management of sensitive personal data. Human factors will be an obvious focus, because it’s fashionable and it’s the area with the weakest impact that attracts the lowest security spend.

Compliance will continue to be the safest area for vendors to focus on. Imaginative business cases with payback periods of more than a year are likely to be consigned to the back burner. Unless of course you can persuade your Management Board that it’s a strategic business investment. Few IT investments hit that spot. But there’s increasing evidence that IT professionals are becoming more business-aligned. So perhaps we can anticipate some long-overdue innovation from those highly-paid CIO appointments.

Social networking, or Web 2.0 if you prefer, might be the card to play to engage the more innovative Board. But personally I’ve yet to encounter an organisation that has got to grips with the issues and the imaginative solutions needed to deliver business value. So I’ll stick with the old, and very sensible, adage of not implementing a point zero version until the service pack appears. Social networking presents huge risks. If you don’t know what you’re doing, sit back and wait for the dust to clear.

December 12, 2007

The Art of Model Development

Fellow blogger Philip Virgo mentioned to me today that he was developing a new security process model. It got me thinking about the principles of model development. Regardless of their purpose, the art of model development is a subject close to my heart. I’ve spent much of my career creating them for many different purposes. I’ve also studied the tricks of the trade of master craftsmen, such as Matthew West, Shell’s brilliant information architect, and Richard Pawson, inventor of “expressive systems”, a revolutionary technique for developing agile information systems. These skills don’t seem to be taught at universities or on IT training courses. Why not? Perhaps that’s why so many operational models are clunky and sub-optimal, if not downright inefficient.

So how do you design a good model? Well for me the first lesson is to accept that models are a means to an end, not an end in themselves. Focus on the objective and the use, not the model itself. Each model represents an abstraction of reality, designed for a particular purpose and audience. It will not be as effective when applied in a different context. There are also distinct types of model. Process models are generally based on verbs, and data models on nouns. In practice you need both, especially if you’re designing an information system. But you have to be careful about how you mix them. Agile systems can be built on flexible user interfaces based on the “nouns first, verbs second” principle of object oriented system design.

Structure is crucial because it facilitates navigation and enables substitution of components, which might require revision at different times. Fast-changing content needs to be isolated to ensure longevity. Smart designers employ four-dimensional principles, taking account of the known past and the potential future possibilities for the evolution of an entity or process. But even the smartest designer can miss the political consequences of design decisions. In my experience, the top level representation of any model is dictated by political, cosmetic and navigation considerations (in that order). It doesn’t matter how purist the top level design is from a modeling perspective. Its effectiveness will be determined by the lower level content and structure. But success is determined by acceptance and use. Because, as for many things in life, first impressions count for a lot.

December 13, 2007

A Poem for Christmas

Alan Stockey, a fellow security professional, kindly sent me a copy of his 2007 Christmas poem. It follows on from previous classics such as “Twas the night before audit”, “Regulator’s coming to town” and “Oh what fun it is to decommission and not pay”. This year’s features the Grinch, a character who, with a heart two sizes too small, might not be completely out of place in a contemporary crisis team…

The Grinch who stole crisis!

He HADN'T stopped Crisis from coming!
IT CAME!
Somehow or other, it came just the same!
And the Grinch, with his visage, eyes wide, fire-aglow,
Stood puzzling and puzzling: 'How could it be so?'
It came without testing! It came with a bang!
'It came without call-trees, pandemic or plans!'
And he puzzled three hours, 'till his puzzler was sore.
Then the Grinch thought of something he hadn't before!
'Maybe Crisis,' he thought, 'makes our heroes plan more.
'Maybe Crisis...perhaps...should be welcomed - encore!'
And what happened then...?
Well...in Cities they say
That the Grinch's small plan
Grew three sizes that day!
And that minute his scorecard turned Green – what a score!
He attended all micro-drills, failovers and more
And he brought back the desktops & Home-working with glee!
And he...
...HE HIMSELF...!
The Grinch led C.M.T!

AS 2007

December 16, 2007

2007 - The Year of Security Awakening

Looking back over 2007, it strikes me that it’s been a significant year for raised security awareness. There can’t be a single executive director who has not been shaken by the media headlines and the surprising political and financial impact generated by the security lapses at TJ Maxx and HMRC. Such incidents could happen to anyone at any time, because we simply don’t have the assurances in place to guarantee that personal customer data is fully protected throughout our business processes.

How should Management Boards respond to this problem? The natural reaction is to call in the auditors. They’ll advise you to budget for an expensive, end-to-end review of all customer-facing processes. And they won’t be wrong. There is no easy fix. The situation justifies a major overhaul of responsibilities, procedures and controls. The obvious response is to first establish an effective risk management process, to provide the logic and the supporting evidence to justify a selective response, which is easier, cheaper and more manageable.

The problem is that it places far too many minor security vulnerabilities on the back burner, where they might bite back with a vengeance in the future. Deep-rooted security weaknesses are like a cancer. They won’t go away and, unchecked, will eventually undermine their host. The real solution is to take decisive action to identify and eliminate the deep-rooted causes of security weaknesses. We need transformation, not quick fixes.

December 18, 2007

Security Guidance Shouldn’t Be Secret

One learning point from the recent HMRC data breach is the need to de-classify security guidance. As noted by the Guardian and The Register, some Government security manuals tend to be protected data themselves. This restricts their distribution. Most of industry de-classified its security policies and standards and placed them on its intranets more than a decade ago. Security by obscurity no longer works when ordinary members of staff have the capability of compromising large quantities of sensitive company or customer data.

December 21, 2007

Back to Security Basics

Cisco’s recently published annual security report is not what you’d expect from a vendor of leading edge technology products. If you’re looking for a state-of-the-art analysis of emerging security technology, you’ll be disappointed. The report opens with an analysis of 21st Century trends but presents recommendations based on elementary security principles from decades long past. In fact there’s more focus on physical security, natural disasters and people than there is on technology. To me it’s further evidence of the current evangelistic, back-to-basics trend.

And that trend is not unexpected. There are three underpinning drivers. Firstly, it’s a consequence of a new focus on human factors arising from the growing empowerment and vulnerability of IT users. Secondly, it’s a necessary correction for security budgets which have failed in recent years to allocate sufficient resources to people-focused controls. But thirdly, it’s also a sad reflection on the continued lack of initiative and imagination to develop effective new technical measures to counter the increasingly sophisticated portfolio of threats.

The latter point is a concern that should not be overlooked. We need 21st Century solutions to counter emerging threats. You can’t simply dust down old solutions. Security education is an essential line of defence but users and customers are human. They will never be completely reliable, and they simply can’t address invisible or high-bandwidth threats that might be lurking in the infrastructure. We need new thinking and solutions, not old platitudes, from our leading vendors.

December 23, 2007

Seek and You Will Find

Many of my friends and colleagues express disbelief at the continuing saga of Government data breaches. It’s because they expect professional organisations to be on the ball when it comes to protecting sensitive data. If only they knew the truth! The situation is much worse than the public realise.

Today the media reports that nine UK National Health Service trusts have admitted to losing patient records. It’s just the tip of the iceberg. The fact is that information security has been given insufficient attention for the last three decades. Breaches happen all the time. We only find out about them if they hit the press.

Few organisations have effective incident reporting systems, and many types of breach, such as espionage and information broking, are secret and invisible. Statistics provide a crude indication of what’s really going on. If you’ve been hit by a large, publicised breach, it’s likely that there are dozens of minor breaches, hundreds of near misses and thousands of bad practices lurking behind the bad news.

You can only assess the true status of security controls by carrying out a comprehensive audit. We need more of these. Keeping your fingers crossed has been a good bet in the past because breaches haven’t been widely reported. But the World is changing. A networked society can quickly establish what’s really going on. As they say in the Good Book, seek and you will find.

December 26, 2007

Security Forecasts for 2007 – Right or Wrong?

It’s always a useful learning exercise to look back on earlier perspectives of security. This time last year I set out a Top 10 Security Trends for 2007. The list included some obvious trends such as security threats getting nastier, databases being the new target and compliance getting tougher. It also contained hot topics such as true de-perimeterisation remaining beyond reach, social computing making an impact on everyday business and security professionalism making slow progress. And I took a stab at a few higher risk predictions such as CISOs getting tough, technology taking centre stage and security vendors uniting. Finally I suggested that the electronic Pearl Harbour is probably just around the corner and that we could certainly do with a not-too-damaging wake-up call.

How did I do? Well the electronic Pearl Harbour didn’t strike though we did come close with events such as the Storm worm, the Far Eastern espionage attacks and the large-scale data breaches at TJ Maxx and HMRC. Most of my high risk bets also failed to materialise. CISOs didn’t get tougher. In fact more of them went native, supporting rather than challenging their business managers. I was also disappointed with the lack of imaginative new technology solutions on display, especially considering the increased amount of security research and VC funding for security products that’s been taking place across the world.

In defence I can claim that my first six predictions were spot on, so at least I achieved an above average return. And I still stand by most of my forecasts. The problem with predictions is always in the timing. Anything less than two years out is always a difficult forecast. Business cases, hype curves and development delays slow down the adoption of emerging trends. In the end the true art of predicting the future generally comes down to estimating time lags rather than spotting the general trends.

December 29, 2007

Security Forecasts for 2008

In keeping with tradition, it’s time to dust off the crystal ball and look ahead to the key trends we can expect to encounter during the next year. Here are my Top 10 predictions for 2008.


About December 2007

This page contains all entries posted to David Lacey's IT Security Blog in December 2007. They are listed from oldest to newest.
