January 2009 Archives

January 3, 2009

Computer forensics - a subject every executive should understand

One of the least researched, but most important subject areas for the future of business is the field of computer forensics. It's a huge area and a massive challenge for all organisations that rely on digital transactions.

In the past, long standing business partners would either trust each other, accept the facts of a printed audit trail, or simply succumb to the whims of a more important customer. Unfortunately, none of these options will work in the new business world of volatile business relationships with numerous, anonymous partners operating across complex supply chains.  

Modern business practice demands accurate, independent and assured verification of transactions. That means that executives at all levels in an organisation need to be streetwise about the validity, vulnerability and availability of audit trails and digital evidence. Given the current capability of hackers and fraudsters to deploy anti-forensic techniques, that's a very tough call.
 
The starting point is to educate all business executives in the fundamentals of the subject area. It's a difficult task but, fortunately, the briefing material is improving. I've been especially impressed with Peter Sommer's excellent "Directors' and Corporate Advisors' Guide to Digital Investigations and Evidence", produced for the UK Information Assurance Advisory Council, an institute which many years ago I helped to found and direct.

Not many company directors will have the patience to read and digest this guideline. But they should. Evidence of transactions underpins all modern business. In fact, amongst other things, an understanding of the validity of digital transactions will increasingly separate the real businessmen from the young apprentice boys.

January 8, 2009

In search of better Information Governance

Lately I've had some interesting email exchanges with colleagues in Australia about press reports of increasing levels of citizen surveillance in the UK. This steady erosion of personal privacy is disturbing. But it is a natural and inevitable consequence of the rapid growth in networking and information processing capability. And the threat to privacy is not just from intelligence collecting platforms and CCTV cameras installed by local authorities. It's also from citizens with camera phones and Internet access.

This year we'll see attempts by governments to implement the most ambitious schemes yet for monitoring of Internet communications. There will, hopefully, be increasing public debate about the need for such schemes. But, in general, most attempts to hold back the growing tide of electronic surveillance systems are doomed to failure. There are simply too many requirements, opportunities, capabilities and stakeholders. Neo-Luddites might win the odd battle, but they'll never win the overall war. 

That's not to say, of course, that we shouldn't challenge ill-conceived public policy, dangerous precedents and bad practices. A strong privacy lobby is essential to clip the wings of government excesses. But our main focus needs to shift more towards better information governance, because that's an area that has been widely neglected. Too many systems are designed without adequate controls, too many databases are full of incorrect data, and too many users lack the training and incentives to behave correctly. 

We all know that a good slice of the population is corrupt, misguided or just plain clumsy, so simply demanding perfect behaviour from systems administrators and users will never be enough. Instead, we need to establish much better controls, education and incentives. But, in practice, this is far from easy. There's a surprising lack of knowledge in how to go about it, as well as a growing shortage of professional skills. And the business case is not compelling, with most benefits being long-term, uncertain and unmeasurable.

The solution is not to be found in ambitious visions, strategies or policies, which can be helpful, but by themselves achieve very little. Our objective, instead, should be to build the knowledge base, methods and technologies needed to achieve real results. There are far too many gaps in this area. My book "Managing the Human Factor in Information Security" which has just gone to print explains how we can tackle some of these challenges. But it's only the start in constructing the new body of knowledge we need to manage the transition from securing corporate infrastructure from outsiders to protecting personal information from insiders.

January 11, 2009

Never assume a security measure is foolproof

It's always interesting to observe the reaction of the media and cryptographic community to announcements that an algorithm has been broken. It says a lot about our perspective on security countermeasures. Too often, we regard them as either perfect or ineffective, when the truth is that they all have varying degrees of effectiveness, and these can change over time, due to new threats, vulnerabilities or occasional breakdowns. 

A classic example is the recent claim that MD5 had been broken as a secure hash function, raising the possibility that some types of SSL certificate could be forged. Many media reports, like this one in The Register, suggest a sensational blunder. But the reality is that SSL certificates represent only one layer of security for authenticating sources, and the expertise and computing power required to achieve a successful attack are neither trivial nor widely available.

No countermeasure is perfect. Most can be expected to expire, wear out or fail at some point. That's why defence-in-depth will always be the preferred model for security.
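One concrete form of the extra layer the post argues for is to check the certificate chain yourself rather than relying on the library alone. The script below is an added example, not code from the original post: a small standard-library DER walker reads each certificate's outer signatureAlgorithm OID and flags any MD5-signed certificate in the chain; the walker, the OID constants and SAMPLE_CHAIN are my own constructs, and a real deployment would feed it the peer's DER chain instead.

```python
"""Flag MD5-signed certificates anywhere in an X.509 chain (added example,
not from the original post). A minimal standard-library DER walker reads each
certificate's outer signatureAlgorithm OID, so an MD5-signed certificate is
flagged regardless of what the TLS library accepts. SAMPLE_CHAIN is constructed.
"""

WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
# DER content bytes for the two OIDs used in the constructed sample.
OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")      # 1.2.840.113549.1.1.4
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OID content bytes (base-128 arcs) to dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                               # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Dotted OID of the outer AlgorithmIdentifier of one DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    """
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, after_tbs = _read_tlv(body, 0)               # skip tbsCertificate
    _, alg, _ = _read_tlv(body, after_tbs)             # AlgorithmIdentifier
    tag, oid_bytes, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid_bytes)

def weak_signatures(chain):
    """Return [(index, algorithm name)] for every cert signed with a weak hash."""
    return [(i, WEAK_SIGNATURE_OIDS[oid])
            for i, oid in enumerate(map(signature_algorithm_oid, chain))
            if oid in WEAK_SIGNATURE_OIDS]

# --- constructed sample chain: skeletal DER, just enough to exercise the walker
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _fake_cert(oid_bytes):
    tbs = _der(0x30, _der(0x02, b"\x01"))               # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, oid_bytes) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 129)                     # stand-in signature BIT STRING
    return _der(0x30, tbs + alg + sig)

# Leaf (SHA-256), intermediate (MD5), root (SHA-256): only index 1 should fire.
SAMPLE_CHAIN = [_fake_cert(OID_SHA256_RSA), _fake_cert(OID_MD5_RSA),
                _fake_cert(OID_SHA256_RSA)]
```

Running `weak_signatures(SAMPLE_CHAIN)` reports the MD5-signed intermediate at index 1 while the SHA-256 leaf and root pass.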

January 17, 2009

The tone at the top

Many people tell me that the real problem they face in getting public or private sector organizations to address information security is the lack of understanding and interest at the top. That's important because the security culture of an organization is strongly influenced by the tone and direction set by the leadership.

But it's really just a matter of time. Information security continues to grow in importance and profile. Eventually most leaders will appreciate the subject and grasp the nettle.

And the situation can change faster than we expect. Take the US leadership for example. I was delighted to read that John Thompson, CEO of Symantec, is one of two shortlisted candidates to become the next US Commerce Secretary. It would be refreshing to have a security-aware politician in the President's cabinet, and to have a Commerce Secretary that appreciates the importance of security in the technology supply chain. John is a smart business man and a superb diplomat. He certainly gets my vote.

January 18, 2009

Who can you trust?

How honest are people? It's a good question and an important one as we head into a socially networked world offering greater empowerment and information access to both our staff and customers. The answer though is far from clear cut. Two recent stories in the UK media demonstrate a wide variance in customer honesty.

The first was the trusting shopkeeper in Yorkshire who decided to leave an unattended store open to customers on Boxing Day. He made a fine profit. The second was the ATM in the Welsh border town that paid out double the money it should have, attracting a queue of a hundred customers. Why the difference?

The answer is that few people are completely honest. In fact this starts early in life: all children will cheat from time to time. But behaviour is influenced by many different factors, including risk assessment, loyalty, peer pressure, personal circumstances, environmental factors, and, of course, the likely consequences.

Measures of honesty are hard to come by. There are a few interesting statistics quoted in Freakonomics, based on the records of a Washington bagel supplier who relied on customers placing the money for their order in a collection box. He generally got a return of around 90% though it varied according to the company he dealt with.

When carrying out risk assessments, I generally apply a rule of thumb passed on to me some thirty years ago by an experienced security professional. He advised me that, out of every four people, one is likely to be an out-and-out crook, another honest to the point of stupidity, and the others will apply a risk assessment as to what they can get away with. I call this "the rule of four", though a statistician might view it as no more than the expression of a bell curve.

The problem in practice, of course, is that, like many things in life, it's not evenly distributed. You'll find a different mix in a church than a prison. But it's a healthy starting assumption when designing any system of controls.

If you're interested in this subject, you can read more in my book "Managing the Human Factor in Information Security". It should be in the shops in the next few weeks. Also check out the promotional video, just released on YouTube.

January 20, 2009

In search of simplicity

The Royal Society of Chemistry has recently published the top five solutions to the Italian Job challenge prize, which aimed to find a solution to the cliff-hanging ending of the film. More than two thousand entries were received, ranging from the simple to the sublime. Some were highly technical, based on computer-aided graphics, nuclear physics and chemistry. Others were highly imaginative, and a few were simple, practical solutions.

The learning point is that you can solve a difficult problem in many different ways with varying degrees of simplicity and practicality. Security designers should take note of that. Simple is always best. There is even a Jericho Forum principle based on that concept. Yet many of the protocols developed for networking security have been unnecessarily complex.

But designing simple solutions is not as straightforward as most people imagine. Management controls, for example, need to have the same number of states as the system they're aiming to control. One answer is to scale up the number of states using processors, networks and storage. The other approach is to restrict the number of states in the system you're aiming to control, through limits, standards or classifications. Unless you do this, the system you're managing will be out of control.

Simple controls can't control complex situations. But there's certainly a lot more that can be done to shave off redundant layers from over-complex solutions.

January 23, 2009

A New Book for a New Year

Today is a special day for me as it marks the official publication of my book "Managing the Human Factor in Information Security". I received a box full of copies a few days ago. Ever since then, my friends have been admiring the shiny blue and grey cover and the fine white paper. It's a beautiful book, even if I say so myself. Interestingly, Amazon are already selling used copies at premium prices, even though none have yet been shipped. I guess that's a good way of making money out of books that have larger advance orders than the initial stock.

Putting the book together has taught me a lot about life, people and publishing. I've researched many subjects that I hadn't previously delved into. I collected numerous ideas, tips and suggestions from friends, and I fused it all with my own experiences into a new set of principles and conclusions. I also found myself reading newspaper and magazine articles with new eyes, picking up nuances that I might otherwise have missed. In fact, writing a book is a powerful learning process that I'd recommend to everybody.

I also learned a lot about the difficulties of getting the bugs out of a large body of text. I'm a bit of a perfectionist myself, so I tend to check everything I write. Yet even after carefully checking the manuscript, subjecting it to three independent reviews and having it professionally proof-checked, I still uncovered hundreds of flaws in the final proofs, and a few in the corrected proofs. Given the ever-accelerating nature of the business world and the consequential growing expense from delays in carrying out multiple checks, this means that we are heading for a world increasingly characterised by inaccurate information.   

Encouragingly, the book was printed a week ahead of schedule. This seems to be a rare achievement. When I told Fred Piper last year that we were aiming for an end-of-January publication date, his reaction was "Wanna bet?" That's because he'd been involved in lots of books and none were published on time. Bruce Schneier also admits to being very late in completing the manuscript to his book "Secrets and Lies". Given the busy nature of modern executives and academics, perhaps this points to a world also characterised by late and incomplete information.

In fact, data quality will be one of the largest business problems of the next decade. And that means not only ensuring that the data is accurate, but also that we deliver the right information, at the right place, at the right time. Addressing this problem will be one of my priorities for this year. 

January 25, 2009

Managing the aftermath of data breaches

The most interesting aspect of the recently reported data breach at Heartland Payment Systems is the relatively light press coverage. The full scale of the breach has yet to be established, but it has been suggested that it might run into tens of millions of credit and debit transaction details, making it one of the largest data breaches reported so far. 

Specialist publications such as SC Magazine covered the story, as did security bloggers such as Brian Krebs and Stuart King, but there has been surprisingly little mainstream media attention, given that such stories certainly appeal to the press. That might of course be attributed to the timing, coinciding with coverage of the new US Presidency and the worsening state of the global economy. Burying bad news is a classic tactic for minimising reputation damage.

Even better is to apologise and offer compensation to your customers. The TJX Group have certainly got this right, offering a one-day "Customer Appreciation" sale in its US and Canadian outlets to thank customers for their continuing loyalty. Saying sorry with a January sale is a smart business move.

Good management of the aftermath of breaches enables crisis-hit organisations to come out on top. That's important given that the sophistication of modern attacks continues to outstrip the capabilities of traditional countermeasures and compliance requirements. There are many more breaches yet to come. All organisations with sensitive or critical data need to ensure that they are well equipped to manage a potential crisis. It's vital to long term business survival.   

January 27, 2009

Virtual Shadows

Last night I attended the launch party for Karen Lawrence Öqvist's excellent book "Virtual Shadows: Your Privacy in the Information Society". This book is a recommended read: a well-written, up-to-date and balanced overview of the key trends and issues associated with privacy in the new information society.

Most interesting is Karen's perspective of a "transparent society", in which our behaviour is open to all, and no-one has a monopoly on other people's secrets. Whether we like it or not, this seems to be the best hope for a socially-networked community that is progressively sleepwalking into a lifestyle characterised by non-stop, pervasive surveillance.   

January 29, 2009

Security awareness: a short step in a long journey

Yesterday I was fortunate to attend Martin Smith's Security Awareness Special Interest Group. It was a sell-out event at BT Centre in London with close to a couple of hundred attendees from across the public and private sectors. Martin has done a tremendous job in recent years in organising security awareness services for large organisations, especially in the banking and communications sectors. Ten years ago, few companies were interested in this area. Now it's become one of the hottest topics in security. It's great to see such a high level of interest. But it's also clear that we have a long way to go to get it right.

All security managers wish to raise their game substantially in this area. Unfortunately, few of their organisations are ready to listen. The spirit might be strong but the budget is weak. The exception, of course, is the select group of organisations who've been hit by a large data breach, where the knee-jerk response is an expensive, short-term change programme. Ideally, such efforts should be more evenly distributed. No enterprise is an island. Large organisations rely on dozens of tiers of business partners and contractors, not to mention the cooperation of millions of customers. Education is a community issue. We're all in it together. 

A further problem is a widespread failure to learn from the safety field about how to prevent and respond to incidents. Security is many decades behind the safety field in understanding how to manage risks. The typical response to a security incident is to select an appropriate neck for the chopping block. That approach breeds a damaging blame culture which discourages teamwork, risk-taking and reporting, as well as failing to address the root causes of the incident. In fact, most incidents are not caused by a single person or action. They are the result of a large number of bad practices, encompassing policy, training, system design, supervision and everyday unsafe acts. And it's often the best performing staff who make the most mistakes because they will work harder, faster and longer than their lazier, risk-averse colleagues. Aviation safety focuses on eliminating bad practices and root cause analysis of near-misses and incidents. Planes don't just fall out of the sky in the same way that data regularly goes missing.

A third issue is the lack of psychology applied to the solution space. Security managers talk about winning hearts and minds, but they have yet to identify many positive motivators. Punishments are the easy way out. They are easier to identify and quicker to implement. But they're much less effective in a modern empowered organisation. Negative incentives only work when you're constantly watching your staff, and most will not apply to contractors.

A fourth issue is the lack of sophistication and stickiness in the design of educational material. Best-practice leaflets in the security field are not great; they're just better than most other people's amateur efforts. Designing compelling methods for communicating messages and influencing attitudes and behaviour is a rich science that's rarely applied properly. The last time I saw this done properly was in the early nineties at Shell, where we drew on the experience of behavioural psychologists and ex-Saatchi creative teams.

Martin Smith also hits the nail on the head when he says that the true size of your security department is the extent of your enterprise. So far we have failed to recognise and exploit such network effects. The security community needs to look outwards and learn how to do this, to steal ideas and methods from other functions and sectors that have succeeded in creating large scale behaviour change. Marketing, for example, is a good field to draw on. Criminology is another. As I've often said, these days we can learn more about security from a psychologist than a technologist.

January 31, 2009

Guidelines should be simple but effective

ISACA, the Information Systems Audit and Control Association, has just launched a guide designed to provide IT security chiefs with an independent framework to help manage their information security more effectively. My heart generally sinks when I dip into an ISACA publication, as they're often composed of hundreds of pages of control descriptions, neatly arranged in sparse tables. So I was pleasantly surprised that the introductory guide, An Introduction to the Business Model for Information Security, is actually concise, simple and readable. We need more like this.

But lurking beneath the surface of this simple business guide is a growing portfolio of more detailed documentation that attempts to build the basis of an all-encompassing framework for joining up enterprise governance, risk management and compliance. It's a folly, however, to imagine that such a broad, nebulous spectrum of activity can be catalogued and codified into a single, digestible framework. The problem and solution spaces are too rich, complex and volatile to enable this to be done without dumbing down the subject areas, swamping the reader and stifling innovation.

It looks tempting of course when you compare existing standards. They all look surprisingly similar. But then most modern guidelines follow a similar structure, though they are often created as different means to diverse ends. Each source of guidance reflects its pedigree to some extent. ISO security standards were developed by security managers aiming to harmonise accepted practices. COBIT was designed by auditors seeking to catalogue controls. ITIL was created by central government advisers to promote a more professional approach to IT management. Such guidelines are generally best used for their original purpose.

Maturity frameworks are also increasingly fashionable. They were originally conceived by academics to help improve the quality of large-scale software developments. As such, they are often far too detailed to be used for more modest programmes, though the concept is compelling and helpful in structuring targets and actions.

Much contemporary security guidance tends to polarise into either an over-simplified set of golden rules that fail to explain the subject, or a detailed architectural framework that is unwieldy and impossible to maintain. The best answer lies somewhere in-between. We need concise but complete, tailored guidance on individual problem areas. Few guides are effective if they are less than five pages or more than a hundred. They need to be small enough to digest, but big enough to be significant.

About January 2009

This page contains all entries posted to David Lacey's IT Security Blog in January 2009. They are listed from oldest to newest.