March 2011 Archives

Is this as good as it gets?


Every single day we hear new reports about large organizations being thoroughly penetrated by sophisticated attacks. Just when we thought it could not get any worse, it does. This is not just bad luck, and these attacks are not simply isolated incidents. It is, in fact, a phenomenon to be expected; the result of years of neglect in addressing the root causes of security breaches.

Put bluntly, our current approach to information security is not fit for purpose. It hasn't been for years, though we continue to congratulate our efforts with bullish presentations and glittering award ceremonies. But the fact is that a growing wave of regulatory compliance has well and truly drowned what little inspiration might have existed to create new solutions. The result is that organized crime and intelligence agencies are free to steal whatever they want from our databases.

Let's face it, our so-called best practices are no more than bureaucratic collections of ancient (often flawed) rituals. They might satisfy our auditors and regulators, but they don't address the growing gaps in our defences. This is to be expected to some extent, as standards and compliance processes are intrinsically backward-looking. It takes many years to identify, document, agree, implement and certify a set of controls.

Security today demands forward-looking horizon scanning and real-time assurance mechanisms. And it needs to be executed across an increasingly externalised infrastructure. The users have left the building, the apps are following. Securing the in-house LANs and servers is not the answer. And we are a long way from agreeing the new problem space.

Designing strategies, writing policies and conducting audits will not fix these problems. We have to break free from the treacle of compliance and build brand new solutions. The key question is who will lead this revolution? So far no one appears to have come forward. Not industry, not the governments, not the institutes and not the universities. Even the vendors are short on solutions. (Many have only just discovered ISO 27001.)

The security community has a long journey ahead. It would be useful to have a direction, a leader and a budget to solve it.     

RSA hack is a timely reminder of the need for richer authentication


Last week's admission by RSA that they had been the victim of a sophisticated espionage hack that could reduce the effectiveness of its SecurID authentication product reminds us of the danger of placing too much reliance on a single authentication mechanism.

Given the relentless and sophisticated nature of today's advanced persistent threat attacks, organizations with secrets to protect require richer authentication processes, based not only on "what you know and have", but also "where and what you're coming from".

One overlooked feature that is relatively easy to implement is device authentication, ensuring that only known devices can connect to sensitive assets. Security managers have been surprisingly slow to catch on to this countermeasure, despite the fact that it's been successfully used to deter threats to mobile phones and set-top boxes.

Virtually every professional grade laptop is fitted with a trusted platform module (TPM) that enables strong, automatic authentication of connected devices. CISOs should take a look at this option. It's easy to implement and provides a vital layer of protection from any attackers that might steal your passwords and hack your tokens.    
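The "known devices only" gate described above, as an added illustration that is not code from the original post: a gateway admits a login only when the password check ("what you know") and a device challenge-response ("what you're coming from") both pass. The per-device key is a constructed HMAC secret held in memory purely so the example runs offline; in a real deployment it stands in for a key sealed inside the TPM that never leaves the device, and the device would answer with a signature rather than an HMAC. The device ids, user name and password are all constructed sample values.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


class Device:
    """A laptop holding a device-bound key (constructed stand-in for a TPM-resident key)."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key  # in a real deployment this key would be sealed inside the TPM

    def respond(self, nonce: bytes) -> str:
        # Prove possession of the key without ever transmitting it.
        msg = self.device_id.encode() + nonce
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class Gateway:
    """Access gateway requiring 'what you know' AND 'what you are coming from'."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, pbkdf2 hash)
        self._devices: dict[str, bytes] = {}             # enrolled device_id -> key
        self._pending: dict[str, bytes] = {}             # device_id -> outstanding nonce

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, digest)

    def check_password(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def enroll_device(self, device_id: str, key: bytes) -> None:
        self._devices[device_id] = key

    def challenge(self, device_id: str) -> bytes | None:
        # Unknown devices get no challenge at all: they are refused up front.
        if device_id not in self._devices:
            return None
        nonce = secrets.token_bytes(32)
        self._pending[device_id] = nonce
        return nonce

    def verify_device(self, device_id: str, response: str) -> bool:
        nonce = self._pending.pop(device_id, None)  # single use: a captured response cannot be replayed
        if nonce is None:
            return False
        msg = device_id.encode() + nonce
        expected = hmac.new(self._devices[device_id], msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def login(gw: Gateway, user: str, password: str, device: Device) -> bool:
    """Both factors must pass; a stolen password alone is not enough."""
    if not gw.check_password(user, password):
        return False
    nonce = gw.challenge(device.device_id)
    if nonce is None:
        return False
    return gw.verify_device(device.device_id, device.respond(nonce))


def demo() -> dict[str, bool]:
    """Constructed scenario: one enrolled laptop, plus attempts from devices that lack its key."""
    gw = Gateway()
    password = "correct horse battery staple"  # constructed sample credential
    gw.add_user("alice", password)
    laptop_key = secrets.token_bytes(32)
    gw.enroll_device("laptop-0042", laptop_key)

    corp_laptop = Device("laptop-0042", laptop_key)
    spoofed = Device("laptop-0042", secrets.token_bytes(32))  # right id, wrong key
    unknown = Device("cafe-pc", secrets.token_bytes(32))      # never enrolled

    results = {
        "known_device_good_password": login(gw, "alice", password, corp_laptop),
        "known_device_bad_password": login(gw, "alice", "wrong", corp_laptop),
        "stolen_password_unknown_device": login(gw, "alice", password, unknown),
        "stolen_password_spoofed_id": login(gw, "alice", password, spoofed),
    }
    # A captured valid response is accepted once and rejected on replay, since the nonce is consumed.
    nonce = gw.challenge("laptop-0042")
    captured = corp_laptop.respond(nonce)
    results["captured_response_first_use"] = gw.verify_device("laptop-0042", captured)
    results["captured_response_replayed"] = gw.verify_device("laptop-0042", captured)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
```

The point of the scenario is the two denied rows in the middle: an attacker who has the correct password but is on an unenrolled machine, or who spoofs the device id without holding the key, is refused before any password-only logic could let them in.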

A security standard for small and medium sized enterprises


I'm delighted to announce the launch of the first information security standard for small and medium sized enterprises (SMEs, or SMBs as they're known in the USA). SMEs represent 99.9% of the businesses in the UK, so it's an important breakthrough in securing our critical infrastructure and supply chains.

The standard is published by the UK Chapter of the Information Systems Security Association (ISSA). It has been under development for a year by a working group of around 30 experienced security practitioners. The initiative was inspired by a 2010 research report on SME security advice for the UK Information Commissioner's Office.

The name of the standard and working group is "5173", chosen by former ISSA UK President Geoff Harris because it resembles the letters "SME".

The standard is a much more compelling, relevant and simpler guide to security for small organisations than existing standards such as ISO 27001. The working group aims to develop further guidance material over the coming years. We hope that practitioners across the world will adopt the standard, though we recognise that other countries and industry sectors will wish to develop their own implementation guidance, as this will vary across jurisdictions and sectors.

The standard is a free document and a draft one. Over the coming months, ISSA UK is encouraging everyone to take a look at the standard and provide feedback to  ISSA UK will publish the findings in the summer.

Countering APT attacks


Leaked emails from the hacking of HBGary, a top US security investigator, provide further insight into the techniques and targets associated with advanced persistent threat (APT) attacks (a euphemism for sophisticated espionage attacks).  

An article in Bloomberg claims that some of DuPont's computers were implanted with spyware during a business trip to China, where the PCs were stored in a hotel safe. The response to this threat should be to install self-encrypting drives on laptops, which are more resistant to 'evil maid' attacks. Other types of attack, such as phishing attacks, require a comprehensive package of security measures, including executive education, specialist exercises/tests and continuous network monitoring.

The important point to grasp is that these measures are above and beyond the requirements of ISO 27001, so if you have trade secrets or highly profitable products, then you will need to raise your game above traditional 'best industry practice' levels to resist these attacks. These are persistent attacks, which are coming your way, and they won't stop.   

Space Weather: The Next Y2K


A few weeks ago the press carried stories of a future "Global Katrina" costing the world economy $2,000 billion, caused by intense solar storms that are due in a year or two. Hardly anyone batted an eyelid. The press buried it in their inside pages. Yet this is a serious problem, researched and reported by respectable scientists.

Perhaps the memory of the Y2K and Swine Flu scares makes us suspicious of doom-laden warnings. If so, then we will have an uphill struggle convincing managers that this is a real phenomenon that requires a fair bit of preparation.

This problem is caused by "space weather", which can affect communications and electricity supplies. Solar storms are forecast to reach a peak in a year or two, the likes of which we haven't seen for a long, long time, well before the Internet, GPS, mobile phones and modern power grids. They weren't around back in 1859 when the last really big solar storm hit, but it did take out telegraph services.

Lloyd's have recently published a 360 Risk Insight report on the subject. It's essential reading for anyone working in security, business continuity or risk management.

Expect a fair bit of disruption to critical services. When will it happen? We don't know for sure. That's what makes it different from Y2K. But there are similarities. We need to examine our supply chains and identify critical services that might be affected and develop appropriate contingency plans.

Yes, it's another Y2K job, though it has yet to appear on the risk registers and heat maps of most enterprises. But watch out for the coming bandwagon. I'm already booked to speak at a conference on the subject later this month.  
