December 2009 Archives

Standing at the Crossroads

At the close of the first decade of the 21st Century I find myself writing my 500th blog posting for Computer Weekly. It's an appropriate occasion to look back at the last ten years and look ahead to what might unfold over the next decade. Here's my take.

The early years of the century saw events and changes that transformed the face of security. The dot-com boom encouraged security vendors to promise more than they could deliver, before they disappeared as quickly as they emerged. Enron propelled regulatory compliance to the top of the board agenda. 9/11 created a new management appreciation of business continuity. Basel II created an unprecedented appetite for risk management. These developments shaped the nature of corporate security for the first half of the decade, encouraging the growth of established processes and controls, rather than smart use of new technologies. The end result was a steady growth in security spending, but a lack of real innovation.

The second half of the decade has been dominated by high-profile data breaches, coinciding with the progressive criminalisation of cyber threats, and the unexpected shock of a credit crunch. These trends put confidentiality firmly on the map, but placed economic constraints on security solutions. In the government field the emergence of cyber warfare threats highlighted the need to safeguard critical national infrastructure, resulting in a longer-term interest in developing a common solution space to safeguard national and industry interests. The result has been an unprecedented political interest in security, with an appetite for short term fixes, coupled with an increase in government funding for longer term research initiatives.

The next ten years will present a range of even more challenging problems, different from anything we've previously encountered. We face sophisticated threats from criminals and hostile intelligence agencies. We need to convince a new generation of socially networked employees to apply badly-crafted corporate policies. We must persuade cloud service providers, who aim to reduce costs, to spend more money on security. We need to build new security skills that incorporate sophisticated techniques from psychology and marketing. We also need to secure whole communities of business partners who might operate very different policies and practices. And, at the same time, we have to respond to an unprecedented wave of regulatory compliance that might eventually send our directors to jail for an oversight in personal data protection.

To meet these challenges we need to do two big things: firstly to build for the long term; and secondly to innovate. Yet we appear to have lost our ability to do either, at a time when we badly need it. Security managers have been far too busy paying attention to short-term compliance needs rather than creative solutions. Vendors have been focused for far too long on re-launching old products with new features and fresh marketing. And academia has also been far too preoccupied with developing silos of esoteric interest, where success is measured more by media fashion and attention than business success. At the same time, our professional development schemes have been focused on teaching old techniques rather than new skills. The barriers to entry for fresh ideas have never been greater. And we haven't even solved the problems presented in the last ten years. We need immediate action to redress the balance.

Security Forecasts for 2010

What will 2010 hold for information security professionals? Will it be more of the same? Or will it herald major changes? Personally, I believe it will be a year of change. Amongst other things, I expect to see three major trends.

Rethinking security roles and skills will be a dominant theme, triggered by pressures on in-house security functions to demonstrate business value. The traditional, operational focus of many security managers has been eroded by progressive externalisation of the solution space. Many CISOs operate at a distance from the operational action. Technical skills are less relevant and policies more difficult to enforce. Security managers need to be more than a tick in the compliance box or a convenient whipping boy. At a time when there is political pressure to reduce headcounts, we need to go back to the drawing board and establish new roles, objectives and competences.

Data integrity will be a growing concern, though little will actually be done about it in 2010. The next year will be a year of awakening rather than solutions, an attempt to understand this long neglected, final frontier of information security. Several years ago when I raised this issue, I seemed to be a voice crying in the wilderness. Last year many professionals voiced their support. More recently, it has shown signs of becoming a hot topic. Give it a few years before we see any real action, as it's a long term fix. Start by examining the problem space and be prepared to be shocked by what you uncover.

Supply chains will dominate the problem space. Whether it's the fear of technology suppliers planting back doors and Trojan horses in our information systems, or it's the threat of sub-contractors creating breaches or holding us to ransom, it's clear that we don't do enough to address the security of the supply chain. 2010 will be the year when we will be forced to get to grips with a problem space that's difficult, uncomfortable and expensive to address. Contractors are the soft underbelly of our information systems. And regulators are sharpening their knives.

Security Forecasts for 2009 - Right or Wrong?

As we near the end of 2009 it's interesting to look back and see how accurate my January forecasts were. I predicted that: fraud would hit the roof; information warfare would get real; human factors would top the agenda; security would get outsourced; and brand management would embrace security.

These forecasts were surprisingly accurate, perhaps suggesting that this field is becoming more predictable. Certainly we've already experienced several major paradigm shifts in this decade, such as the adoption of cyber attacks by the criminal and military communities, the shock of a major data breach, the growth in regulatory compliance, and the emergence of cloud-based security services. So are there any more surprises in store, or will the future be essentially more of the same?

The answer is that 2009 was largely a period of consolidation for information security, but 2010 will be quite different, with some important, new shifts in both perception and practice. I shall cover these in my next posting.

Obama makes the right choice

I was pleased to see that President Barack Obama has picked Howard Schmidt to serve as National Cybersecurity Coordinator. As I've said before, Howard is the best choice as he has subject area knowledge and diplomatic skills, as well as international experience in both the public and private sectors.

In the bleak mid winter

Each year at this time, former JP Morgan security veteran Alan Stockey crafts an irreverent festive poem with a contemporary theme. This year he's elected to Green.

In the bleak mid winter
Climate's changed, no snow!
Copenhagen discord
And all their hot air blows
Glaciers melting lower and lower
Lower and lower and lower
No more frosty snowmen, without
Kyoto

Oceans levels rising
Icebergs up the Thames
Wettest month on record
Floods and feet of rain
In the bleak mid winter
Reindeer pulled his sleigh
Thanks to carbon offset
Now he's got a plane

Data centre's roasting
From weight of all those Blades
recycling discs and records
T'is the season we get Slade (again)
In the bleak mid winter
Three wise men tracked a star
Good job it wasn't Eco
It wouldn't have shone far!

Ozone layer thinning
Methane takes its place
McDonalds off the menu
Could be our saving grace
In the bleak mid winter
Light bulbs all gone green
Christmas trees synthetic,
And house displays obscene

Yet what can I give up?
Lazy as I am
If I were a banker
I could give a damn!
Appliances on standby
Might turn off quick start
But after eating curry
I think I'll hold the fart   :~(

Root causes of vulnerable systems

It seems staggering to read that militants in Iraq were able to intercept live video feeds from aircraft and Predator drones using a $26 software package. And this problem is reported to be difficult to fix. How can this happen in a world in which ordinary consumers have sophisticated encryption at their fingertips?

We don't know exactly what happened in this case. But there are several common factors that contribute to such situations. Cost constraints, ignorance and gaps in standards, testing or accreditation processes are obvious candidates. A further factor is insufficient foresight in anticipating future developments.

Costs should not be an issue for such expensive hardware. After all, we all have strong encryption in our mobile phones. But lack of foresight might be a major contributing factor. Systems are often rushed into operation with little or no attention to the longer term consequences. A further issue is ignorance. This system was designed a decade ago, when security threats were not well understood by engineers. That's why, for example, we find weak security in older SCADA systems. These developments were below the radar and responsibility of IT security managers.

The learning point is that security policies, standards and compliance processes need to extend beyond the traditional scope of business information systems. They also have to anticipate emerging and future threats. In today's business world, decision making takes place through mobile devices (fortunately protected by encryption). Tomorrow, it might be left in the hands of embedded devices. Security needs to switch its focus to safeguarding dynamic flows of information, wherever they go. It should not just concentrate on the protection of old-fashioned, static databases.

Cloud computing security developments

Last week's excellent ISSA-UK Chapter meeting, kindly hosted by KPMG, highlighted two interesting security developments in cloud computing.

The first was that this is a rapidly developing subject area. At the start of 2009, very little analysis on the risks and solutions could be found. Now we have several guidelines and can listen to a raft of articulate presentations on the subject.

The second is that some security thinking on this subject is misconceived: recommending that clients undertake rigorous due diligence, audits and real-time monitoring. That approach would bring vendor services to a halt and lead to a massive duplication of effort.

The whole point of cloud services is to deliver a standardized, uninterrupted service. Vendors should be persuaded to provide the highest level of independent assurances to clients. That's where our attention should now focus: on agreeing the nature of the standards, assurances and ongoing information feeds that we need.

SSL vulnerabilities

Bruce Schneier's advice on the recently announced SSL vulnerability is sensible, but it raises the bigger issue that we're too slow in responding to flaws in critical, embedded systems. Experience has shown that it takes years, if not decades, to eradicate implementations of outdated cryptographic systems. The real learning point is that we need to step up our contingency planning in this increasingly critical area. Just what would you do if SSL/TLS was thoroughly compromised?

Law suits and data breaches

One of the potential business impacts that should be factored into any risk assessment for a data breach of customer information is the possibility of a class action for damages. It's interesting therefore to note that a federal court in Missouri has recently dismissed a claim against a pharmacy benefits company over a data breach in which millions of customer records were believed to have been illegally accessed.

The plaintiff contended that he and other victims faced an increased risk of becoming the victims of identity theft. The case was dismissed because he failed to prove that his information had been used fraudulently. The plaintiff needed to prove that the injury was "actual or imminent, not conjectural or hypothetical." That clearly presents a challenge in the shadowy world of cyberspace, where concrete evidence is hard to come by, and frauds are likely to be based on multiple sources of information gathered over time.

Information security skills for the future

What are the skills we should be looking to teach the information security professionals of the future? It's a good and timely question given the current proliferation of training courses and the growth in professional development schemes.

I've been disappointed with much of the accepted wisdom drawn from analysis of member surveys by professional institutes. They tend to have employed the wrong approach. We need some original, logical and lateral thinking. Inspired by this thought, I've drawn up a list of my seven top skills for the future information security profession. They are:

1. An understanding of psychology to plan interventions that might actually have an impact on the behaviour of staff.

2. Social networking skills to influence and harness the support of large numbers of users and customers over social networks.

3. Skills in marketing communications to design compelling, effective awareness campaigns and materials.

4. Strong commercial management skills to specify and manage security across business partnerships and outsourced supply chains.

5. Sophisticated crisis management skills to safeguard the organisation's intellectual assets (not just the data) in the likely event of a major security breach.

6. Digital forensic skills to detect and prove when an intruder has infiltrated or modified the organisation's intellectual assets.

7. A sound knowledge of legal and regulatory requirements and issues.

You can read more about my thoughts on how to go about forecasting future trends and skills on my latest Infosecurity Advisor blog posting.
