September 2009 Archives

More solutions please


Last week's IDC IT Security Conference 2009 in London offered free attendance for the first 100 guests, so it's not surprising that there was a full house of security managers. As with many of these events, the presentations were primarily talks by sponsors, or case studies showcasing products. Now that's fine if we get to hear about new ideas for solving emerging solutions. But this year's crop of products does seem rather lackluster. 

The most illuminating talk was from Josh Pennell on cloud computing security attacks, a fascinating and fast-moving area, which justifies a lot more attention by users and vendors. The most entertaining presentation was from an exuberant Dr James Lyne on malware trends. Most of the rest were rather superficial discussions of long-standing challenges, such as de-perimeterisation, data leakage prevention and the difficulty of demonstrating return on investment. Managing the human factor was also a recurring theme. As Eric Domage, IDC's French research manager, quaintly put it, 'The user is king ... of nightmare'. I couldn't disagree with that.

It's clear that we all agree on the list of problems. But where are the answers? Unfortunately, there were few suggestions of solutions. Even ISF, with their relatively generous research funds, could contribute little more than vague responses to unproductive questions such as 'Is AV dead?' and 'Is DLP a fashion?' As one of my colleagues put it afterwards 'I felt like a drowning man listening to someone describing water'.   

The soft underbelly of big business


This article from the Scotsman newspaper illustrates an inevitable and worrying trend: the targeting of smaller enterprises by professional criminals.

Most small and medium enterprises lack the security capability and secure posture that we expect to find in larger organisations. Yet many handle sensitive customer information. This situation is not surprising. But neither is it acceptable.

Small and medium enterprises are the soft underbelly of large companies and government bodies. We need to do a lot more to bring this sector up to speed. 

The power of social networks


If your boss or your colleagues still don't get the importance of social networks, then it's worth directing them to Erik Qualman's compelling social media revolution YouTube video. Security has to evolve to understand and exploit this tremendously powerful communications channel.

By the way, I picked up this link from Ian Cook's excellent Team Cymru Security news service, an excellent service as long as you don't mind receiving several dozen informative emails a day. 

Worst case scenarios


Every now and then we have to persuade our executive to think the unthinkable. But too much scaremongering can be counterproductive. You can read a few of my thoughts on the hazards of preparing for worst case scenarios on this Infosecurity Europe blog posting.

 

Responding to the Global Security Challenge


Yesterday I was in Brussels, speaking at the Western Europe regional final of the Global Security Challenge. For anyone that takes an interest in new security technologies, this is a must-see initiative, highlighting and supporting the very best of today's emerging products.

I was highly impressed by the quality of the finalists. In fact it was hard for the judges to pick winners as there were so many impressive products on display. Each finalist demonstrated a unique capability, reflecting a potential step change in the state of the art. These technologies included a scanning device that detects explosives in bottles; a sophisticated facial recognition and search system; an innovative solution for fingerprinting electronic devices; a new approach to document leakage prevention; a more effective non-lethal weapon; and a range of high-strength, lightweight materials that can better protect people and buildings from close-range explosive blasts.

These products reflect the emergence of security technology as a game-changing catalyst, one that has a real impact on everyday business and law enforcement. I came away with a much higher level of optimism that behind the scenes there is a rich pipeline of new science awaiting commercial exploitation. Creating new solutions is perhaps not so difficult as we sometimes imagine. The real challenge is to implement slicker development and procurement cycles that can get these technologies out of the research labs and into actual use.

Single point failures


The recent two-hour outage of Google's Gmail, affecting the majority of its 150 million users, reflects the growing risks associated with the inevitable drift towards centralised system management.

At least Google was honest enough to issue an apology explaining that the incident was caused by an engineer's miscalculation and that they were investigating ways to ensure it did not happen again. (Mind you, it's not the first of these incidents.) That's a big improvement over O2, whose service was down for many customers during most of Saturday without any explanation.

Expect more of these crashes. Information technology is spectacularly vulnerable to tiny errors and we are building massive single point failure scenarios based on cloud computing, centralised management and technology monoculture. In response, we must all raise our game in business continuity and crisis response. 
