June 2010 Archives

Reading between the lines


"Small and midsized businesses (SMBs) have a reputation of being somewhat lax when it comes to information protection... That's why the Symantec 2010 SMB Information Protection Survey is so surprising. It turns out that in the last 15 months, SMBs have become extremely aware of and focused on information protection."

So opens the latest research report from Symantec. It's one I find a little hard to accept because many of its claims simply don't ring true. The interpretation of the statistics is also unconvincing, to say the least: a claim that 42% of businesses have lost confidential or proprietary information in the past is immediately followed by a pie chart showing that two thirds have not.

When I read on, I find that around a third of SMBs claim to be extremely skilled in computer security and that they spend more money on security, back-up and DR than on general computing. They also lose on average two dozen laptops a year, and experience hundreds of individual security incidents each year, yet most claim never to have lost any confidential or proprietary data. Around half don't have a written DR plan, yet more than half claim to test it at least twice a year.

Is this really typical of small and midsized businesses? 

Personal data in the Cloud


No organisation should place any sensitive personal data in a cloud service without understanding the implications for regulatory compliance. It's easier said than done, however. The whole point of cloud computing is that you shouldn't have to worry where the data is held. Unfortunately, legal requirements demand otherwise.

The ideal solution is for Cloud computing vendors to deliver appropriate assurances to customers. But so far there's little indication of this. And working out what legislation applies in each country can be a difficult task for customers, especially as it's a moving target.  

One source that will help is Forrester Research's privacy 'heat map' which provides high level information on the data protection and privacy across a range of countries. It's a useful starting point for anyone contemplating offshore services. 

Information Security in Africa


While our attention is focused on football in South Africa, it's worth taking note of other developments across the African continent, especially the growing threat presented by millions of networked, insecure PCs. The Internet has arrived in Africa, ahead of the security needed to make it safe. 

Fortunately this problem is receiving increasing visibility and attention. Countries such as Kenya are implementing legal and regulatory frameworks, and kicking off awareness campaigns. Security products and services are also becoming increasingly available. But security skills and experience are in short supply. It's a growing problem that is bound to have an impact on all Internet users in the future.

'The Global Threat from across the Seas' is the timely theme for a security day next month in London on HMS President. It's free to members and a modest £50 for non-members, and it promises to be an excellent day out.  

Securing emerging technologies


A reference in a Team Cymru news alert drew my attention to an interesting media article about the security of smart meters, a fast-moving development which justifies a lot more scrutiny, public debate and policy. 

Smart grids offer huge potential, not only for efficiency improvements, but also for a degree of remote manipulation and misuse. Utilities claim the meters have been extensively security tested, yet many respected security experts point to underlying vulnerabilities. And there are clearly some major governance issues concerning privacy, economics and consumer rights.

New technologies always present such challenges, especially from a security perspective. Firstly, there are insufficient forward-looking, mandatory standards. It's always been the case. Two decades ago, when mentioning my concerns about the security of networked SCADA systems to a colleague, he expressed surprise that any external connections were even permitted. I replied that new developments don't come with rules. Standards emerge long after the problems have surfaced.

Secondly, risk assessments are backward-looking. We haven't yet experienced a wave of highly publicised attacks on SCADA systems. Realistic assessments won't reflect long-term developments in the threat landscape, no matter how concerning they might seem. But security risks are constantly rising, often in step changes as new vulnerabilities or offensive techniques emerge.

Thirdly, industrial control systems tend to be designed with reliability or safety in mind, rather than security. Instrumentation systems might address all manner of failure conditions, but they rarely take account of calculated sabotage. I was once asked by a safety authority to design a security box that could guarantee that a hacker wouldn't get through more than once every one hundred years. That, of course, was to satisfy the demands of a safety calculation. Unfortunately, it's not the way attackers think or operate.  

Information Technology gains a Royal seal of approval


The Sun came out last Thursday to celebrate the award of a Royal Charter to the Information Technologists' Company. It was a spectacular event: a formal service at St Paul's Cathedral followed by a procession of pikemen and musketeers, and topped by a Royal dinner at the Mansion House with the Lord Mayor of London. It's also a sign of the times. The IT industry underpins the success of the City, and rightly deserves a place at its top table.

Understanding the hidden security risks in the Internet


Last Friday I attended an excellent cyber security event sponsored by Neustar, who deliver some of the vital services that enable the Internet to function securely. I was particularly impressed by an eye-opening presentation by Rodney Joffe, Neustar's Chief Technologist, on DNS security. Ensuring business traffic is secure over the Internet demands a lot more than we might think. Enterprises are exposed to many underlying risks of espionage and modification of data in transit. Threats of IP hijacking are a real and present danger. All security managers should make it their business to understand the potential security risks associated with the Internet. We are entering a decade that is likely to be dominated by large-scale compromises of business information and services. 

Security in outsourcing - a work in progress


Many thanks to everyone who attended my new book launch last week, kindly hosted by Commerzbank on behalf of ISSA-UK, and sponsored by BSI. Amongst other things the book sets out a security framework for managing outsourced services, a vital requirement for an emerging business landscape characterized by increasingly broader and deeper externalization of activities. It would be nice to see further work building on the foundations and principles of the book. Outsourcing demands a raft of specifications, codes of practice and new processes. There are many gaps in published guidance on outsourcing that have yet to be filled in. 

The forgotten art of crisis management


The progressive worsening in BP's share price might in part reflect a continuing failure to address the finer points of strategic crisis management. Following on from the recent Toyota crisis, it leaves a worrying impression that many big international enterprises are not well equipped to manage large-scale incidents.

This is not a new problem of course. We've experienced many disasters before, and there are well established principles on how to go about crisis management. The snag is that they're not widely appreciated. Neither are they easy to execute. In fact very few senior executives, no matter how bright or well trained, seem to be able to translate expert advice into reality. 

Good crisis management is a rare skill. There are a few reasons for this. Partly it's because most executives are immersed in an organisation culture that is often itself a major contributing factor to the crisis, preventing them from seeing the wood for the trees. Partly it's because few executives are comfortable playing a dynamic, decision-making role that's completely different from their day job and prior experience. And partly it's because it's hard in practice to think clearly, objectively and strategically when you're under enormous pressure.

You can certainly spot some questionable decisions in BP's response: attempting to play down the size of the disaster; presenting a British image to an outraged US community; and offering up the CEO as a potential whipping boy. Lack of preparation or rehearsal for such events might also be a contributory factor, as there are press reports of factual errors in the published oil spill response plan.

As Dr Peter Sandman, a risk communications expert, once put it, "The engine of risk response is outrage". An engineering response, no matter how elegant, will never suffice. Citizen rage needs to be directed to an appropriate target. President Obama clearly recognises this and is channelling it, along with his own rage, towards BP's British management.

There are numerous learning points from this and other crises. My book "Managing the Human Factor in Information Security" contains a whole chapter on the subject of incidents and crisis management, setting out many of these points. It's a difficult art but one that needs to be studied and practised by a lot more senior executives.   

Security Innovation Grant


The excellent Dragon Research Group at Team Cymru, a leading, not-for-profit Internet security enterprise, is seeking to award up to $10,000 for an innovative project in the area of information security. The award includes a top mentor. Proposals may consist of software, hardware, training, facility or multimedia components. Naturally, the solution will be open source. And, unlike government research grants, you don't have to fill in a hundred-page application form. It's a great opportunity.

Security and Resilience of Critical National Infrastructure


This week I joined an expert panel (as a last minute replacement) at a CNI Expo conference at London Excel on the subject of security and resilience for the public and private sectors. 

The conference had an excellent format, with top security experts and government officials debating key issues on national security risks, rather than simply delivering long-winded presentations. It was reasonably well attended, though I was surprised that there were not more attendees from government security departments, who have a big stake in the issues discussed. With a new government in power, this is certainly the time to challenge or influence public policy.

I tried my best to be controversial. That's not difficult. Public sector information security is laden with legacy thinking and practices. Bureaucratic controls frameworks continue to tick the boxes for the policymakers, but they fail to connect with end users, small businesses and citizens. I've long argued that we need a revolution in priorities, skills and methods. Government is a good place to start. 

Interestingly, some security authorities take the view that their standards are higher than the private sector's. That might be true, but expectations don't always translate into practice. Closing the loop is the weak link in public sector security.

Priorities are also an issue. The role of risk management was a key item on the conference agenda. It's increasingly used to shape the national security agenda and determine priorities. There are dangers here, as less visible threats can slip through the net. High-level heat maps look professional at first glance, but they are over-simplistic snapshots of the threat landscape, failing to capture the richness and volatility of the growing range of emerging hazards. 

Security priorities are too often driven by knee-jerk responses to major incidents rather than smart analysis of the factors that might help to prevent them in the first place. Understandably, there's too much focus on known problems rather than future ones. I tend to share the view of the expert from Chatham House, who argued for more attention to less visible future threats, such as a shortage of energy. 

I'd go further and suggest that future cyber security risks are more likely to be based on modification and manipulation of data, rather than espionage or denial of service. That's something very low on our agenda. I'd also argue for more focus on safeguarding flows of information, including transactions and relationships, rather than static stocks of historical data.     

Of course it's easy for outsiders like me to be critical. It's hard to innovate when you're at the centre of public policy, constrained by politics, media coverage and a serious lack of resources. But this is the time to be creative, forward-looking and bold. National security needs a boost and a change. So let's start with a heated debate. 

The SME security problem reflects a deeper fundamental flaw


Over the past six months I've been looking at the security requirements of small and medium enterprises. I've had some fascinating conversations with numerous security experts, many of whom have varying theories on how the problem should be tackled.

Some believe that the answer lies in adapting the security standards used by bigger companies. The standards community seems to be keen on this approach. They think the answer might be to rewrite existing standards in simpler English. That would be an improvement. But it won't solve the problem. Even cut down versions of the ISO 27000 standards are inappropriate, containing too many irrelevant requirements for small and micro companies, who don't have policy portfolios, committees and internal audit functions.

Other practitioners view SMEs as an immature version of a bigger company. They think the answer lies in some form of maturity framework. The problem with this idea is that not all SMEs aspire to grow into a big company. Many are quite content earning a living as a small, profitable enterprise. Pointing out the benefits of achieving a higher level of maturity won't cut any ice.   

Most security managers in big companies have concluded that, left to their own devices, SMEs are a hopeless cause. They must therefore be compelled by the threat of losing business or being sued for a breach of contract. These security managers regard SMEs as a major security liability, rather than a useful, cost-saving business opportunity. That's a serious drag on business, which needs to exploit the benefits of smarter, cheaper niche services in order to stay competitive.

Whatever your view, one thing is crystal clear to me, which is that our traditional approaches to selecting countermeasures are flawed. If they only work for large organisations, then they are not fit for purpose for any organisation. Large enterprises themselves are formed of numerous small business units and functions. If security solutions don't work for small units, they're not effective for big enterprises.

It's instructive to take a step back and examine how we go about determining security controls, and why we do it that way. In the early days of information security, controls were implemented only by a small set of enthusiastic computer managers with direct experience of specific risks. They relied on a careful eye and a large degree of imagination. The problem with such a free form approach, however, was that it produced inconsistent results. The next generation of security managers aspired to identify risk assessment methods that might enable an inexperienced practitioner to select an optimal set of countermeasures. Unfortunately, this approach was also flawed because we simply don't have the psychic ability to predict risks, which have an annoying habit of constantly changing.

One answer to this dilemma was to agree a common set of baseline controls based on established best practice, which prompted a wave of international standards designed by large organisations to address an internal controls requirement. Unfortunately these standards were not designed with sufficient attention to the needs of SMEs or the massive growth in external services. They also fail to address emerging risks.

In practice, security countermeasures are only implemented if there is a clear and present danger (as demonstrated by a major incident), a mandatory requirement (legal or compliance) or if it forms part of a wider system specification. Talk of security as a business enabler is fine for impressing the board but the reality is that such claims rarely translate into a concrete, long term business case.

SMEs, contractors and small business units aim to spend the minimum possible amount on security. It is a grudge purchase. That means that we need to emphasise the highest priorities and communicate the most compelling business drivers, not swamp them with hundreds of good practices to choose from.

We therefore need to go back to square one and design a more suitable portfolio of solutions, for a broader set of organisations and circumstances. Over the last three decades, the security problem space has grown progressively richer, dynamic and complex, while the recommended solution space has largely stood still. It's time for a rethink of the fundamentals of information security. 
