June 2011 Archives

Countering Advanced Persistent Threats


This week's ISSA-UK Chapter meeting addressed the subject of the Advanced Persistent Threat (APT). It was illuminating to hear four very different perspectives from a government expert, an engineer, a banker and a top US technologist.

Surprisingly, none of the speakers seemed to grasp the true nature of an APT. They described it as either a method of attack used by governments and criminals, an undetectable Trojan, or just another form of malware attack. In fact, an APT is exactly what it says: a threat that is both sophisticated and persistent. It's someone that's after your secrets: someone prepared to invest serious expertise, time and money to get them, and who will not go away, even after they've got them.

Each speaker recommended a different solution. The answer was either to share intelligence, install monitoring technology, educate your staff, or implement self-encrypting drives. These are all useful measures. But only the last one is guaranteed to eliminate a major vulnerability that enables the type of deep-seated, covert attacks associated with APTs. The rest simply improve your odds of detection, which is not good enough, since an attacker only has to succeed once.

One speaker claimed "There is no silver bullet technology solution". That might indeed be true. But there are several available security technologies that are highly effective, yet not commonly deployed. Perhaps the real exposure is that today's security community is too obsessed with compliance and established process, and takes insufficient interest in emerging security technologies.

Self-encrypting drives


I've long been an enthusiastic supporter of self-encrypting drives (SEDs), a technology that offers substantially better performance and security than software-based encryption solutions. SEDs can even work out much cheaper to deploy, as a less powerful machine can be used to deliver the same level of laptop performance. Yet few organisations are deploying them. Why is this? Is it apathy, ignorance or some other reason?

The Ponemon Institute have just published a survey of IT practitioners on their perceptions about SEDs. Unsurprisingly, it shows that compliance is the main driver for adoption of encryption solutions. More interestingly, it reports that most practitioners have a high regard for SEDs and their capabilities. The barriers to adoption appear to be perceptions about cost, and uncertainty about the options available and their ease of implementation. Another issue seems to be the division of responsibilities and decision-making in the procurement process.

This sounds about right. I recall meeting a security manager at a recent conference. I asked him if he had encryption on his enterprise laptop. "Of course," he replied, "though it's currently switched off." I asked him if he'd considered SEDs. "No," he responded, "but it sounds like a good idea." He didn't, of course, pick the solution.

Ponemon predict that, as understanding grows, there will be greater adoption of SEDs. That of course assumes that enterprises take more interest in the quality of their security solutions, rather than just aiming for the easiest route to ticking the compliance box.

By the way, for those who'd like to know more about SEDs, Bob Thibadeau, the inventor, is in London later this week and will be speaking at the ISSA-UK Chapter meeting on Thursday.

Lessons from the attack on Lockheed Martin


Regardless of who got access to what (if anything) in the recent reported cyber attack against Lockheed Martin, this incident contains valuable lessons for everyone. Here are some key principles to remember. I appreciate that these considerations are far from easy when you're wrestling with budget cuts, unconvinced management, and hostile investment appraisal functions. But they are vital to your future survival.

Firstly, if you have big secrets to protect then you need more than one level of strong protection. That's because any security system can break down (for various reasons) and you can't afford to be without protection. A second layer of weak protection is not sufficient. If you can't achieve this, then consider taking your valuable assets off the corporate network (if you possibly can). This might sound extravagant but it's nothing new. I recall going through the same arguments thirty years ago.

Secondly, don't aim to do what everyone else does. Don't follow established "best practices". They are not enough to combat today's threats. Organizations that are good at identity management are few and far between. Most are littered with vulnerable authentication systems, insecure platforms, and ineffective provisioning processes. Do what is needed. Don't follow the herd.

Thirdly, try to be imaginative. Don't be afraid to use controls that others ignore. For example, device authentication, based on trusted platform modules, is a powerful layer of control that is relatively easy to implement and manage, yet rarely used. Don't be restricted to traditional solutions or perfectionist requirements. It's better to combine several less-than-perfect solutions than aim for an ideal, single layer of security.

Fourthly, if there is any suspicion that your authorisation system might have been compromised, then address it immediately. It's your first and most important line of defence, not just another control. If it's breached, treat it as a company crisis. Keeping your fingers crossed is not an option.

Finally, think about having a catastrophe plan for major failures with massive business impact. This is more than a conventional business continuity plan. It's a worst-case situation. It's not about recovering from random outages. It's about smart solutions for extreme situations: large-scale losses, so-called "Black Swan" events. This is a new science, or perhaps art.

As we enter the Information Age, we will face increasing levels of volatility and leveraged impact. It's the inevitable consequence of the power of networks and the accelerating nature of business. You can't manage security today with industrial-age tools such as quality management systems. The speed of defence has to keep up with the pace of attack. Unfortunately, however, we are all a long way from achieving this.
