January 2008 Archives

Howard Wright and others have asked me about the possibility of alternative solutions to storing confidential data on laptop hard drives. It’s a good question. We can’t eliminate losses and thefts so it makes sense to explore innovative ways of securing the data, especially if they offer other business benefits, such as lower costs or greater agility.

Of course the preferred solution is encryption of hard drives. That's now mandatory. But you shouldn’t attempt it until you have a bulletproof key management system in place. And you can’t install a PKI overnight. It requires planning, specialist advice, new policies and operational processes. So how about the use of thin client devices, perhaps supplemented by USB devices? It could be a quick practical fix.

There are quite a few thin client laptops emerging. Major vendors such as HP have introduced new models, and there are outlets such as Thin Client that specialize in the sale of thin client devices. With limited storage options, they don’t meet every need but are ideal for mobile devices predominantly used in wireless equipped locations. USB devices can be used to store data and applications to enable off-line working but then you’re back to the original problem of encrypting data or losing data on stolen or lost devices.

Well not quite. USB devices hold less data than hard drives (though they’re getter bigger) and they're much smaller, presenting a different risk profile. They’re likely to be carried around a lot more and they’re easier to mislay. But they’ll attract less theft and are unlikely to be left behind in vulnerable locations such as hotel rooms, unattended offices and car boots. They’re also less likely to be reported missing. So you might suffer unreported business damage but at least you won’t attract any embarrassing publicity.

Laptop theft is currently a hot topic with many organisations exploring new solutions, some quite innovative, in order to reduce the risk of an embarrassing data breach. I've been asked lots of questions on this topic in the last week. I'll be covering a few of them in this week's blog postings.

The first question is whether there is an acceptable rate of laptop loss. That's an interesting thought. We know that laptops continually go missing. They get left behind in taxi cabs and stolen from car boots and hotels. You cannot completely eliminate the risk. But the loss of even a single laptop containing unencrypted sensitive data can be damaging. In some cases it doesn't even have to be sensitive data to impact company reputation. So encryption is mandatory. But it's still important to reduce losses. So what is an acceptable rate?

The answer is that it varies according to the geographic location of offices, the amount of travel undertaken and the degree of public transport used by staff. A company with a single large campus set in leafy suburbs is likely to experience fewer losses than one with a head office split across several city centre locations. But in my experience no organisation should be losing more than a handful of laptops per thousand users per year. What do I mean by a handful? As many as you can hold in your hands. Single figures. So if you experience a rate higher than 1% a year, you should aim to raise your game. It's not that difficult. See my earlier posting on Ten Practical Steps to Prevent Laptop Theft.

The newspapers are full of coverage about the amazing case of Jerome Kerviel, the rogue trader at Societe Generale, alleged to have gambled $73 billion and cost the bank $7 billion. It’s a staggering loss, yet it’s a classic risk faced by all big banks. In fact some have suggested that there is no defence against this type of insider threat. Can that really be the case?

Yes and no. In theory it should have been easy. This was a man, like Nick Leeson, with knowledge of back office systems and their checks and controls. That is a clear risk. It’s claimed he didn’t take holidays and refused to allow colleagues to cover his desk. These are classic signs associated with insider fraud that should ring alarm bells.

Why was he not uncovered earlier? Because it’s not that easy in practice to challenge company staff. Most people don’t expect fraud. It’s outside their experience. They’re trusting and they respect other peoples’ privacy. It’s not nice to point suspicious fingers at colleagues. Managers defend their staff. And their initial reaction to a suspected fraud is to disbelieve accusations. It’s human nature. That’s why insider threats are hard to detect.

Earlier this week I was at an excellent CISO dinner at the Capital Club hosted by Dr Steve Moyle of Secerno. For those of you who haven’t come across Secerno, they’re one of Oxford University’s finest innovations. Steve is a real authority on database security and he’s developed an impressive solution to SQL injection and other database attacks. It’s very well regarded by companies that have looked at it.

One of the interesting conversations was whether security technology should block or alert on suspected intrusions. It's a difficult call. Intrusion prevention systems are heavily promoted as the contemporary successor to intrusion detection systems. But it’s clear that many large top companies have yet to take the plunge, preferring to think first before closing down access attempts.

In fact there is no absolute answer. It depends on the level of confidence you have in your security technology and its ability to differentiate users from attackers. And that’s a moving target, as business connectivity grows and new technology emerges. In today’s virtual business environment where many of your IT users are not company employees, it’s getting harder to tell the difference between the bad guys and the legitimate users. Blocking is always safer from a security perspective but mistakes can be damaging to business. Monitoring is a useful compensating control but it’s potentially resource-intensive and alerts can be overlooked at busy times. But generally it’s all down to the reliability of the security technology, which is why I was interested to hear that at least one early adopter of Secerno’s technology has plumped for full blocking of detected anomalies from day one.

So what is best practice in this area? In my view it depends on whether you’ve experienced a serious attack. If you have you'll be under management pressure to close down potential attack vectors. If it’s a DDOS attack you’ll certainly have an IPS system in place, ready for action in the event of a future incident But the action is now moving to database security. That’s the new target for identity theft and it requires new thinking and technology. CISOs have to get to grips with database security. It’s an area long overdue for attention. And one where the stakes can be very high if you don't strike the right balance between business demands and prudent security.

After all the shocks and finger-pointing following the HMRC breach it’s disturbing to hear that a laptop with unencrypted, sensitive MOD data could be stolen from the boot of a parked car. The data of course should have been encrypted. But that’s not enough, because every lost laptop has a business impact.

All organisations experience laptop losses, so security managers should aim to minimise the risk. Experience shows that proactive efforts make a substantial difference. I've covered this issue before but it's worth repeating and expanding the advice. Here are some practical tips.

1. Ensure your IT Helpdesk reports cases of stolen laptops to a security manager.

2. Conduct an immediate damage assessment for every laptop that goes missing.

3. Establish where and how laptops are being lost. Is it from particular offices, models of cars or hotels?

4. Get professional advice from the local police on how best to avoid theft. For example are some car boots more at risk than others? Are there local hot spots for vehicle thefts?

5. Review your policies to ensure you have major sources of loss covered.

6. Send out warnings and advice to all executives at risk. Tailor this information as far as possible to take account of local threats and vulnerabilities.

7. Take special measures for business units and functions that handle sensitive information.

8. Monitor incidents and report them regularly to senior management. Advertise this fact to business managers.

9. Send out regular reminders to executives, especially at high risk times for thefts and losses such as the lead up to Christmas.

10. Benchmark your performance against other similar organisations. If you’re experiencing more losses, find out why and take further remedial action.

Persistency helps. Keep hammering away at the problem and it will progressively reduce. With good policy, advice and constant reminders you can reduce the level of losses to zero. That should be your target.

A glimpse of the new Apple MacBook Air reinforces the growing gulf in desirability and performance between the latest consumer-oriented technology and the outdated laptops issued to business executives. At the same time Nicholas Negroponte’s One Laptop per Child initiative is dragging down the cost of basic laptop technology well below the traditional price point that industry is used to paying. Of course we all know that the cost to manufacture a laptop drops by a half every eighteen months or so. But for years we’ve been blinded by the continuing bloating of operating systems and applications to meet the modern equivalent of Parkinson’s Law, i.e. that laptop software expands to fill the available memory.

So it’s time to take a good look at where all this is leading. We struggle more each day to adapt our rigid desktop architecture to meet the requirements of a rapidly evolving business world in which business partnerships, supply chains and customer requirements demand frequent changes to desktop systems and connectivity of external client devices. Why not take the plunge and begin the journey to a brave new World in which users can select and connect their own clients? It’s a natural evolution. After all, most organisations have ceased selecting, purchasing and maintaining company cars for their staff. Isn’t this the same?

Well not quite. It’s all technically possible these days, but such a radical change will have a massive impact on enterprise architecture, security, procurement and maintenance. Not to mention the shock to organisation culture, service level agreements and outsourcing contracts (which can run for up to ten years). It’s certainly not a trivial exercise. Which is all the more reason to start planning now. Because consumerisation is an inevitable trend that’s coming everyone's way.

One of the inevitable trends of the Information Age is the progressive convergence of network services. It’s dangerous but unstoppable. Over the last two decades many people have asked me if networks will proliferate or combine. The answer is simple. As they say in Highlander, "there can only be one". That’s because of the leverage of network effects, which deliver increasing power to any network that enables collaborative operations.

So I’ve been keeping a watchful eye on the slow but relenting progress of IP convergence. It hasn’t had the sensational press coverage I anticipated but it presents major challenges. And by all accounts we’re not prepared. You’d think that after the experience of the security risks we’ve experienced from the introduction of wireless networks that the vendor community would be making a major effort to develop secure protocols and architectures. Not so.

The risks are creeping up on organisations. VOIP experimentation is only the start. It strikes me that this technology drives a coach and horses through firewall policies, introduces software developed with insufficient attention to vulnerability management (when did you last patch your phone?), exposes corporate networks to a new raft of potential access points, and creates a single point exposure of epic proportions. But I don’t see a lot of vendor or corporate action to develop new security architectures to meet the challenge.

Am I being paranoid? Or just plain realistic? Time will tell. In the meantime, guidance on what to do is thin but slowly emerging. The latest paper on the subject, which has just come to my attention through the excellent FIRST Newsroom, is a SANS paper. An excellent overview of many of the issues, but we need a lot more guidance on this subject.

We’ve seen breaches committed by security companies in the past, so it’s disappointing but not surprising to read that Computer Associates has suffered a breach to its website, which redirected unsuspecting visitors to a Chinese domain that downloads malware to visitors’ PCs. It’s a major embarrassment for a company that specializes in advising enterprises on how to secure their infrastructures.

How did it happen? According to press reports, it happened in the press section of their Website, which is outsourced to a hosting company. This type of breach shouldn’t happen. One would hope that professional hosting companies would naturally maintain good security practice to safeguard their customers’ services. Unfortunately they don’t all do this. That’s why it’s vital for user organisations to ensure that their contractors and sub-contractors continue to maintain security standards, through contractual requirements and frequent vulnerability scanning.

Hopefully CA has learnt a lesson and will now take all necessary steps to secure their infrastructure. That’s the positive side of breaches. They encourage organisations to put their house in order.

What’s in a phrase? Not a lot if you’re gossiping casually, though style, fashion or taste might perhaps shape your choice of words. But words mean a lot if you’re aspiring to operate in a professional manner, because precise definitions are the basis of the body of knowledge that underpins any professional practice.

So perhaps it’s about we cleaned up our choice of terminology. I was reminded of this today when a professional body asked me for my views on the term “ethical hacking”. It’s one of those phrases that’s crept into usage to describe what I’d call "penetration testing", though I’m not entirely if that’s an accurate description for the activity of live testing of systems or infrastructure to identify security vulnerabilities. But ethical hacking is definitely a misnomer. Firstly, because it has a different objective from hacking, i.e. it’s intended to detect security vulnerabilities, not achieve a penetration of a system. And secondly, because it’s a straightforward business requirement and has little to do with ethics.

There are lots of security glossaries around. Microsoft has one but it doesn’t include the word testing (bit worrying that). SANS has one that includes penetration testing but describes it as merely testing the external perimeter security. The IETF has a better definition for penetration testing, but falls down when it comes to “hacker” by describing it as "someone who figures things out and makes something cool happen”. Arghhh!

I’m always nervous about connecting safety-critical systems to other networks. I’ve seen far too many unnecessary security exposures introduced to SCADA systems by engineers who should have known better. Fortunately SCADA systems are supervisory systems and are one layer removed from the systems that directly control industrial process. But they still have an impact on safety, so connections have to be strictly controlled. Firewalls are a start, but software security measures are not foolproof. They are a calculated risk. As is every design decision for a safety-critical system. And unfortunately the risk profile of a software control tends to increase with time, as new vulnerabilities and attack vectors come to light.

I was therefore more than a little surprised to read that Boeing’s new 787 Dreamliner passenger jet allows a network connection between the passenger’s in-flight Internet access network and the plane’s control, navigation and communication systems. It’s hard to imagine any functional or business requirements that might justify this. No doubt the designers will have carried out all the necessary safety-critical calculations to ensure the system has adequate safeguards against failures and accidents. That’s a major challenge given the nature of software which generally requires more than the estimated lifetime of the Universe to test the full input/output space or to traverse every permutation of path. But the real risks are from deliberate security threats, which don’t fit the neat safety calculations used by engineers. A qualitative assessment is needed, and that’s a leap of faith against the background of a changing threat landscape.

I was once asked by a safety authority to design a security control that would guarantee that a hacker would not access the system more than once every hundred years. Impossible of course, but it illustrates the challenge of designing effective safety-critical security controls. None are perfect and there's a high degree of uncertainty, so it’s generally better to be safe rather than sorry and say no to unnecessary network connections.

Privacy International, a long-standing privacy advocacy group, has just released their 2007 International Privacy Ranking, including a rather black-looking map of the World indicating the state of privacy assessed for each nation. It’s a useful analysis for anyone interested in the subject.

The analysis indicates an overall worsening of privacy protection across the Globe, reflecting an increase in surveillance and a declining performance of privacy safeguards. This is no surprise given the mushrooming growth in the capture and accessibility of information of all types.

Greece, Romania and Canada come out quite well, with the US is rated as the worst in the democratic world, with the UK lowest in Europe, rated alongside Russia and Singapore. The survey also rates the UK as a world-leader in surveillance schemes. I guess we have to be good at something.