<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>David Lacey&apos;s IT Security Blog</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/" />
    <link rel="self" type="application/atom+xml" href="http://www.computerweekly.com/blogs/david_lacey/atom.xml" />
    <id>tag:www.computerweekly.com,2006-10-16:/blogs/david_lacey//75</id>
    <updated>2013-04-16T21:36:09Z</updated>
    <subtitle>The latest ideas, best practices, and business issues associated with managing security</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type Pro 4.361</generator>

<entry>
    <title>Learning points from Advanced Persistent Threats</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2013/04/learning_points_from_advanced.html" />
    <id>tag:www.computerweekly.com,2013:/blogs/david_lacey//75.86223</id>

    <published>2013-04-16T21:32:01Z</published>
    <updated>2013-04-16T21:36:09Z</updated>

    <summary><![CDATA[I've been very busy this year as you might gather from my rather thin postings. It's a positive sign in fact as it reflects the mushrooming demands of a growing industry which has a long way further to grow. ...]]></summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Future Trends" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal">I've been very busy this year
as you might gather from my rather thin postings. It's a positive sign in fact as
it reflects the mushrooming demands of a growing industry which has a long way
further to grow.</p>

<p class="MsoNormal">One thing currently
occupying my attention is the subject of APTs, which I'm researching
for a new publication. It's an interesting and fast-moving topic. Ten years ago
nobody was interested in this level of threat. I was even accused of being a 'doomsayer'
by ZDNet for warning about such risks. But what strikes me about APTs today is
that nearly all of the published information about them is either factual
analysis of how they work, or promotional claims about new technologies to
make them go away.</p>

<p class="MsoNormal">What's lacking are the learning
points from actual attacks. It's understandable given that most companies
prefer to keep quiet about attacks. Yet this is the information we need. If we'd
been warned earlier about the full facts of these attacks we might have done
things differently.</p>

<p class="MsoNormal">We need to know things such
as: What should we do differently? How can we discover an attack? What measures
should be implemented to minimise future risks?
This information is still hard to come by. Implementing ISO standards does
not solve the problem. Committees, responsibilities and policies certainly don't
deliver enough.</p>

<p class="MsoNormal">Going beyond today's best
practices should be the focus of security researchers today. Too many are still
trying to invent new ways of selling outdated controls to unsympathetic executive
boards. I have occasional debates
with Fred Piper on the subject of whether today's practices are better than
nothing. I claim they're not because they're an expensive distraction. He says
they still serve some use. But we both agree they're not good enough.</p>

<p class="MsoNormal">So I invite anybody who has a
great new idea on how to reduce the risk of APTs to contribute it to my current
research. You'll get full credit. We need your innovation. At the same time, I must encourage anyone who has experienced an APT attack to share their views on what they would do differently in the future. We need your experience.</p>]]>
        
    </content>
</entry>

<entry>
    <title>User access control: Fundamental but forgotten</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2013/03/user_access_control_fundamenta.html" />
    <id>tag:www.computerweekly.com,2013:/blogs/david_lacey//75.86109</id>

    <published>2013-03-14T09:40:06Z</published>
    <updated>2013-03-16T11:46:13Z</updated>

    <summary>User access control is a cornerstone of information security management. Everybody needs it and does it. Yet in practice it&apos;s poorly conceived, implemented and managed. It&apos;s one of those elephants in the room: a problem that is highly significant, but...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Governance Issues" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="accesscontrol" label="Access control" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal">User access control is a cornerstone of
information security management. Everybody needs it and does it. Yet in
practice it's poorly conceived, implemented and managed. It's one of those
elephants in the room: a problem that is highly significant, but difficult to
tackle so business is reluctant to acknowledge it. If it wasn't for compliance
and internal audit the situation would be even worse.</p>

<p class="MsoNormal">A number of theoretical models have been
developed over the years but they don't deliver in practice. We've got <a class="zem_slink" href="http://en.wikipedia.org/wiki/Access_control_list" title="Access control list" rel="wikipedia" target="_blank">ACLs</a>,
Capabilities, <a class="zem_slink" href="http://en.wikipedia.org/wiki/Mandatory_access_control" title="Mandatory access control" rel="wikipedia" target="_blank">MAC</a>, <a class="zem_slink" href="http://en.wikipedia.org/wiki/Discretionary_access_control" title="Discretionary access control" rel="wikipedia" target="_blank">DAC</a> and <a class="zem_slink" href="http://en.wikipedia.org/wiki/Role-based_access_control" title="Role-based access control" rel="wikipedia" target="_blank">RBAC</a>, none of which work in a medium or large
enterprise. There are several reasons for this.</p>

<p class="MsoNormal">Firstly, the models are too simple. Access
control is too rich a subject to be determined by a single label or capability.
Deciding whether a user can have access to an enterprise system is far from
simple. It depends on who they are, what they are, how important they are, where
they are, what they are doing, to whom they report, and what other access they might
already possess. This requires unambiguous policy rules and reliable decision
processes, supported by smart application front-ends, all of which are in short
supply.</p>

<p class="MsoNormal">Secondly, we rarely have enough knowledge in one place
to make this work. Neither systems owners nor administrators have perfect knowledge
of who does what across the enterprise and what access they require, especially
in an organisation that is continuously acquiring, divesting and restructuring
business units.</p>

<p class="MsoNormal">Thirdly, we don't pay enough attention to
administration. It's too often poorly resourced and equipped. Cost savings can easily
be made by streamlining processes and implementing better tools but this requires
enterprise-wide cooperation and it's rarely at the top of any business unit's agenda.</p>

<p class="MsoNormal">Fourthly, we are constrained by legacy systems and
infrastructure which complicate the problem space and restrict the solution
space. Ambitious visions quickly fade into the distance.</p>

<p class="MsoNormal">An inescapable fact is that we can't control a
complex situation with simple controls. Today's access requirements are a
sophisticated blend of numerous factors. Access rights depend on multiple user
characteristics that can be surprisingly hard to define, measure and monitor.</p>

<p class="MsoNormal">The end result is that it doesn't get done properly. Instead we fudge
it. We do the minimum we can to keep it going and rarely get around to developing
the rich policies, knowledge base and streamlined processes needed to build a
sustainable, effective access control system.</p>

<p class="MsoNormal">In fact it's much easier to close the back doors,
through vulnerability management and penetration testing, than to secure
the front entrance. But compliance is catching up with the thousands of wrong
profiles, toxic combinations and dead registrations. Sooner or later we will have
to put aside the easy, quick wins and face up to the long-standing elephant in
the room.</p>

]]>
        
    </content>
</entry>

<entry>
    <title>Lessons from Software Development</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2013/02/lessons_from_software_developm.html" />
    <id>tag:www.computerweekly.com,2013:/blogs/david_lacey//75.85947</id>

    <published>2013-02-03T14:03:32Z</published>
    <updated>2013-02-03T14:09:37Z</updated>

    <summary>I&apos;ve often pointed out that information security management has become far too slow, bureaucratic and process driven. It&apos;s because of the backward-looking culture created by governance, standards and compliance. Old fashioned quality management concepts such as Deming loops and Capability...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Governance Issues" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal">I've often pointed out that information security
management has become far too slow, bureaucratic and process driven. It's because of the backward-looking culture created by governance, standards and
compliance. Old fashioned quality management concepts such as Deming loops and Capability
Maturity Models have much to answer for.</p>

<p class="MsoNormal">In much the same way that security needs to learn
from safety thinking (which is at least 50 years ahead in terms of understanding
the nature of incidents) or modern military doctrine (which recognises the
importance of speed and empowerment), so it should also learn from software
development (which long ago changed its methodologies to enable faster and more
responsive results).</p>

<p class="MsoNormal">A good example is the <a class="zem_slink" href="http://en.wikipedia.org/wiki/Agile_software_development" title="Agile software development" rel="wikipedia" target="_blank">Manifesto for Agile
Software Development</a> set out more than a decade ago. It succinctly states that:</p>

<p class="MsoNormal">"We are uncovering better ways of developing
software by doing it and helping others do it. Through this work we have come
to value:</p>
<ul>
<li>Individuals and interactions over processes and tools</li>
<li>Working software over comprehensive documentation</li>
<li>Customer collaboration over contract negotiation</li>
<li>Responding to change over following a plan</li>
</ul>

<p class="MsoNormal">That is, while there is value in the items on the
right, we value the items on the left more."</p>

<p class="MsoNormal">Security professionals should note these points,
because the key to effective security is not reams of policies and tick-lists, but
empowerment, effective solutions, large-scale collaboration and agile response.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Big Data means Big Security</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2013/01/big_data_means_big_security.html" />
    <id>tag:www.computerweekly.com,2013:/blogs/david_lacey//75.85915</id>

    <published>2013-01-26T15:56:13Z</published>
    <updated>2013-01-26T16:01:52Z</updated>

    <summary>You can&apos;t go through the day without reading something about Big Data. There are full page advertisements in newspapers, conferences devoted to the subject, and an array of new or rebadged products emerging every week. Whether it&apos;s deployed for business...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Governance Issues" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="bigdata" label="Big Data" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="informationsecurity" label="Information security" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal">You can't go through the day without reading
something about <a class="zem_slink" href="http://en.wikipedia.org/wiki/Big_data" title="Big data" rel="wikipedia" target="_blank">Big Data</a>. There are full page advertisements in newspapers,
conferences devoted to the subject, and an array of new or rebadged products emerging every
week.</p>

<p class="MsoNormal">Whether
it's deployed for business purposes, IT operations or security monitoring, Big
Data presents new security problems. Breaches are bigger. Usage is broader. And there are privacy concerns. These issues are not adequately
addressed by existing corporate policies, so it's important for CISOs to start
looking at fresh controls.</p>

<p class="MsoNormal">This week's Qualys CSO Interchange pulled
together several dozen CISOs to debate the various issues. It's the start of a
dialogue that needs to be led by users, rather than vendors, standards
bodies or government authorities.</p>

<p class="MsoNormal">What conclusions were reached? The main one for
me was the need for a voluntary Code of Practice for Big Data use. Better to try
and get things under control rather than wait for governments and regulators to
lay down the rules.</p>

<p class="MsoNormal">Who could write such a Code? CSO Interchange is as
qualified as anyone else, so we've decided to have a stab. Watch this space for
further developments.</p>

]]>
        
    </content>
</entry>

<entry>
    <title>Ditch the Triangle and use more technology</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2013/01/we_need_more_use_of_security_t.html" />
    <id>tag:www.computerweekly.com,2013:/blogs/david_lacey//75.85884</id>

    <published>2013-01-20T17:39:39Z</published>
    <updated>2013-01-26T16:02:35Z</updated>

    <summary>Big Data might be the big thing this year, but it&apos;s just one step in the evolution of enterprise information systems. Each year they become more powerful. As do the capabilities of their users. Forget the &apos;least privilege&apos; principle. It&apos;s...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Security Solutions" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="bigdata" label="Big Data" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="isoiec27002" label="ISO/IEC 27002" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal"><a class="zem_slink" href="http://en.wikipedia.org/wiki/Big_data" title="Big data" rel="wikipedia" target="_blank">Big Data</a> might be the big thing this year, but
it's just one step in the evolution of enterprise information systems.
Each year they become more powerful. As do the capabilities of their users.
Forget the 'least privilege' principle. It's only Data Protection law that
limits what they can access.</p>

<p class="MsoNormal">Such a landscape can no longer be policed by
humans and procedures. Technology is needed to leverage security controls. The
Golden Triangle of people, process and technology needs to be rebalanced in
favour of automation. And I'm speaking as a pioneer and highly experienced
expert in process and human factors.</p>

<p class="MsoNormal">You may wonder where the Triangle originated.
Contrary to popular opinion it was not invented by Bruce Schneier. I can't help
you before 1990, which is when I first encountered it in Shell. At that time it
was being used in operational research circles.</p>

<p class="MsoNormal">I first used it in 1991 to help balance the content of the Shell baseline security controls, the forerunner of BS7799
and <a class="zem_slink" href="http://en.wikipedia.org/wiki/ISO/IEC_27002" title="ISO/IEC 27002" rel="wikipedia" target="_blank">ISO 27002</a>. Back then we wanted to embed procedures to support ISO 9000
adoption. We also wanted to place more on user awareness. We sought in fact a
perfect balance of controls for people, process and technology.</p>

<p class="MsoNormal">Today I'd ditch the Triangle. It's become an argument
against excessive focus on technology. Yet that's what we now need. There's nowhere near enough exploitation of technology in our security
controls. We rely far too much on policy and people, neither of
which are reliable, especially when dealing with fast-changing, large
scale infrastructures.</p>

<p class="MsoNormal">What's needed to correct the balance? The
answer lies in the use of 'Big Data' analysis engines, scalable Cloud services
and artificial life intelligence. These technologies are available now but our usage of them is still in its infancy. Ten years ago I experimented with data mining and computational immunology. They worked but it was a major challenge to maintain a
positive business case. Funding dried up as the gloss wore off the digital
revolution.</p>

<p class="MsoNormal">It's now time to get serious with technology and develop the automated solutions needed to meet today's challenges.
Policy and education measures might get you through an audit but they won't
stop an advanced persistent threat.</p>

]]>
        
    </content>
</entry>

<entry>
    <title>A poem for Christmas and New Year</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2012/12/a_poem_for_christmas_and_new_y.html" />
    <id>tag:www.computerweekly.com,2012:/blogs/david_lacey//75.85729</id>

    <published>2012-12-26T19:42:13Z</published>
    <updated>2012-12-26T19:44:39Z</updated>

    <summary><![CDATA[Every year Alan Stockey, a well known London banking security professional, sends me a Christmas poem with a security theme. It's a little late for Christmas Day, but then so is the snow. Day Zero, Day Zero, Day Zero! Network...]]></summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Managing the Human Dimension" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal">Every year Alan Stockey, a well known London banking
security professional, sends me a Christmas poem with a security theme. It's a
little late for Christmas Day, but then so is the snow.</p>

<p class="MsoNormal"><u>Day Zero, Day Zero, Day Zero!</u></p>

<p class="MsoNormal">Network traffic outside is frightful</p>

<p class="MsoNormal">But the firewall's so insightful</p>

<p class="MsoNormal">Check the patches are all just so</p>

<p class="MsoNormal">Call CISO, Call CISO, Call CISO!</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">DDOS doesn't show signs of stoppin'</p>

<p class="MsoNormal">Hope the firewall keeps on blockin'</p>

<p class="MsoNormal">Websites have all gone slow</p>

<p class="MsoNormal">Day Zero, Day Zero, Day Zero!</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">When we finally see daylight</p>

<p class="MsoNormal">They've hit so many ports in the storm</p>

<p class="MsoNormal">Saving others from similar plight</p>

<p class="MsoNormal">There'll be others that you can now warn</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">But if the firewall's slowly dying</p>

<p class="MsoNormal">Not sure what you'll next be buying?</p>

<p class="MsoNormal">Just as long as you keep the code</p>

<p class="MsoNormal">Buy Escrow, Buy Escrow, Buy Escrow!</p>

<p class="MsoNormal">From a performance perspective I'd suggest a concert pitch of F for ease of singing. Try to get a bit of a swing feel to avoid annoying the neighbours.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Predictions for 2013</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2012/12/predictions_for_2013.html" />
    <id>tag:www.computerweekly.com,2012:/blogs/david_lacey//75.85726</id>

    <published>2012-12-24T10:43:39Z</published>
    <updated>2012-12-24T12:13:32Z</updated>

    <summary>What will 2013 hold for information security professionals? Certainly a lot more serious incidents as we&apos;ve been incubating a raft of potential crises for the past two decades. But what specifically can we expect? Will it be more of the same?...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Future Trends" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="bigdata" label="Big data" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="informationsecurity" label="Information security" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="smallandmediumenterprises" label="Small and medium enterprises" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal">What will 2013 hold for information security
professionals? Certainly a lot more serious incidents as we've been incubating
a raft of potential crises for the past two decades. But what specifically can
we expect? Will it be more of the same? Or could we see the dawn of a new era? The answer is likely to be a little of both. Here are my top five forecasts for 2013.</p>

<p class="MsoNormal"><b>Attacks get nastier</b></p>

<p class="MsoNormal">Data breaches are bad enough, but at least they don't
disrupt business operations. Long-term data damage is much worse. I've been
forecasting this as a future risk for the last decade. It will begin to hit home
during 2013, with rapid growth in cyber extortion and vandalism, perhaps coupled
with the emergence of real cyber terrorism. Expect much nastier attacks and watch
out for the beginnings of organised protection rackets.</p>

<p class="MsoNormal"><b>Big challenges from Big Data</b></p>

<p class="MsoNormal">Big Data is the latest technology in a long-term
trend of increasingly powerful user access, enabling new dimensions in data mining,
fusion and navigation, as well as new opportunities for big data breaches. Only
compliance and expensive licence fees stand in the way of a user free-for-all
in data access. But it spells the end of the 'least privilege' principle.</p>

<p class="MsoNormal"><b>Final death of corporate perimeters</b></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial;">Many enterprises, including big banks, still cling
to the fig-leaf protection provided by private infrastructure. It's an illusion
of course because Internet and email access provides a massive back door for
attackers. BYOD is the final nail in the coffin for traditional corporate
perimeter protection. The users have left the building, the applications are
following and the enemy is already inside.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial;"><b>Security speeds up</b><o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial;">Growth in the frequency and impact of attacks
will at least persuade security managers to forget the achingly slow Deming cycle and respond to vulnerability alerts and incidents in real time. Patching
will get faster, vulnerability scanning will become more frequent, and security
staff will become more empowered.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial;"><b>SMEs discover security</b><o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial;">In recent years I've researched and written extensively
about the lack of interest and awareness in security in the small and medium
enterprise sectors. The reality is that SMEs aren't concerned and nobody has bothered
to educate them. They remain the soft underbelly of big business and critical
national infrastructure. 2013 will see the start of a slow change in this sector,
starting with small retailers, as compliance requirements gradually cascade down
supply chains. It won't happen overnight but it will open up new markets for
security vendors.<o:p></o:p></span></p>

]]>
        
    </content>
</entry>

<entry>
    <title>Forecasts for 2012</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2012/12/forecasts_for_2012.html" />
    <id>tag:www.computerweekly.com,2012:/blogs/david_lacey//75.85717</id>

    <published>2012-12-20T08:58:39Z</published>
    <updated>2012-12-20T09:03:37Z</updated>

    <summary><![CDATA[It's the time of year when pundits express opinions on the year ahead. And naturally I have my own views. Before that, let's take a quick look at my forecasts for 2012. How well did I do?&nbsp; Last December I...]]></summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Future Trends" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="bigdata" label="Big data" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="cloudcomputing" label="Cloud computing" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="qualys" label="Qualys" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="rsaconference" label="RSA Conference" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="security" label="Security" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal">It's the time of year when pundits express
opinions on the year ahead. And naturally I have my own views. Before that,
let's take a quick look at my forecasts for 2012. How well did I do?&nbsp;</p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial;">Last December I made six predictions for 2012. <o:p></o:p></span></p>

<p class="MsoListParagraphCxSpFirst" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]-->1.<span style="font-size: 7pt; font-family: 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><!--[endif]--><u>Space weather creates concern</u>.<br />
This risk didn't create the level of concern I anticipated. Levels of solar
activity have been relatively low lately. Looks like another Y2K. I fell for
both. The lesson from this is that professionals with well-researched data are
just as likely as anyone else to overstate the risk.<o:p></o:p></p>

<p class="MsoListParagraphCxSpMiddle" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]-->2.<span style="font-size: 7pt; font-family: 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><!--[endif]--><u>Social networks get secure</u>.<br />
It's happening, though very slowly. An increasing number of people are
encrypting social media messages. Technology such as <a href="https://scrambls.com/">scrambls</a> makes it easy.
The rest is up to users. Some care, many don't. That will change, though it
might take a few years.<o:p></o:p></p>

<p class="MsoListParagraphCxSpMiddle" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]-->3.<span style="font-size: 7pt; font-family: 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><!--[endif]--><u>Big Data is the new black</u>.<br />
If the <a class="zem_slink" href="http://en.wikipedia.org/wiki/RSA_Conference" title="RSA Conference" rel="wikipedia" target="_blank">RSA Conference</a> is anything to go by, then it's true. The technology is
here and it's available in leading products such as <a class="zem_slink" href="http://www.qualys.com/" title="Qualys" rel="homepage" target="_blank">QualysGuard</a>. The know-how
on how to exploit it however is thin on the ground. And we've yet to scratch the
surface of what can be done.<o:p></o:p></p>

<p class="MsoListParagraphCxSpMiddle" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]-->4.<span style="font-size: 7pt; font-family: 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><!--[endif]--><u>The electronic Pearl Harbour
strikes home</u>.<br />
I've been forecasting it for a decade and a half but it hasn't happened, at
least not in the form I expected. But awareness is considerably higher. Ten
years ago people thought it was a wild exaggeration. Now they buy it; we've
gone from denial to acceptance. But the disasters are still waiting to happen.<o:p></o:p></p>

<p class="MsoListParagraphCxSpMiddle" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]-->5.<span style="font-size: 7pt; font-family: 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><!--[endif]--><u>Public clouds fail to hit the
spot</u>.<br />
Cloud services still have a long way to go, partly because of security and business
continuity concerns. There is now a much wider understanding of the risks and
how to address them. Paradoxically, Cloud security services are a compelling
purchase and a big success. <o:p></o:p></p>

<p class="MsoListParagraphCxSpMiddle" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]-->6.<span style="font-size: 7pt; font-family: 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><!--[endif]--><u>A new Global game - soft
targets hit back</u>.<br /><span style="text-indent: -18pt;">If newspaper coverage is
anything to go by then we are certainly into a new <a class="zem_slink" href="http://en.wikipedia.org/wiki/The_Great_Game" title="The Great Game" rel="wikipedia" target="_blank">Great Game</a> with angry
reactions by those targeted or caught in the crossfire. This game is different
as it's impossible to keep things secret in a networked society.</span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial;">Not a bad set of forecasts, and at least
they were reasonably interesting. Perhaps I'll have better luck next time.<o:p></o:p></span></p>

]]>
        
    </content>
</entry>

<entry>
    <title>Towards real-time security</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2012/11/towards_real_-time_security.html" />
    <id>tag:www.computerweekly.com,2012:/blogs/david_lacey//75.85542</id>

    <published>2012-11-23T17:23:50Z</published>
    <updated>2012-11-23T17:31:29Z</updated>

    <summary>I&apos;ve commented many times that cyber security management today is far too slow. It&apos;s the result of many factors: the treacle of standards and compliance; the need to gain business case approval for security investments; the influence of quality management...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Security Solutions" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal">I've commented many times that cyber security
management today is far too slow. It's the result of many factors: the treacle of standards and compliance; the need to gain business case approval for security investments; the influence of quality
management concepts that promote long-term process improvement at the expense
of short-term action.</p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial;">This situation will not be changed by security
managers. They are under mounting pressure to demonstrate compliance with
established standards. Nor will it be fixed by security institutes, which tend to have a substantial investment in traditional practices. The reality is that change will only come through the emergence
of disruptive technologies that deliver a step change in the speed of incident detection
and response.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial;">Fortunately we are now seeing faster security
services emerge, as vendors embrace the Cloud and explore the potential for managing
big data. I've long been a fan of <a class="zem_slink" href="http://www.qualys.com/index.php" title="Qualys" rel="homepage" target="_blank">Qualys</a> and their innovative products which transformed
<a class="zem_slink" href="http://www.symantec.com/vulnerability-assessment" title="Vulnerability assessment" rel="symantec" target="_blank">vulnerability assessment</a> from an expensive, infrequent exercise to a fast,
frequent and universally-available process. <o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial;">A few weeks ago I was fortunate to get a briefing
from <a class="zem_slink" href="http://www.sourcefire.com/" title="Sourcefire" rel="homepage" target="_blank">Sourcefire</a> on their latest technology (announced last week) and I was very pleased to see that their new products enable much faster and more reliable malware
detection, transforming the detection process from a once-off perimeter check to
an internal, always-on process.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial;">It's the type of breakthrough we need to see more
often. Security managers cannot counter emerging threats through people and processes alone. We also need real-time,
pervasive protection through vigilant technology.<o:p></o:p></span></p>

]]>
        
    </content>
</entry>

<entry>
    <title>Computer says No</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2012/10/computer_says_no_1.html" />
    <id>tag:www.computerweekly.com,2012:/blogs/david_lacey//75.85388</id>

    <published>2012-10-29T10:14:27Z</published>
    <updated>2012-10-29T10:16:01Z</updated>

    <summary>A few postings ago, I mentioned the growing number of high-profile digital catastrophes reported in the media. And I wasn&apos;t referring to natural disasters such as fire and flood or deliberate attacks such as hacking. What I was really concerned...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Incident Response" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="cloudcomputing" label="Cloud Computing" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">A few postings ago, I mentioned the growing
number of high-profile digital catastrophes reported in the media. And I wasn't
referring to natural disasters such as fire and flood or deliberate attacks
such as hacking. What I was really concerned about was the type of increasingly
spectacular glitch caused by simple, human causes, such as inadequate software
testing, <a class="zem_slink" href="http://en.wikipedia.org/wiki/Typographical_error" title="Typographical error" rel="wikipedia" target="_blank">fat finger</a> mistakes, bad change management or poor data quality. These
are the things we generally class as "cock-ups" rather than
"conspiracies". They are the result of accidental rather than
sinister actions. <o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">One would hope, after all these years of
designing and operating IT services, that we should be able to deliver services
that are highly reliable. Unfortunately it's not always the case. In recent months
we've seen failures of supposedly bullet-proof Cloud services and extended
outages of major banking services. But that's just the tip of the iceberg.
Behind every major incident are dozens of near misses, hundreds of minor
incidents and thousands of bad practices.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">Why is this continuing to happen? Several trends
are behind this. Hardware might be a little more reliable (though not always)
but systems and infrastructure are becoming increasingly complex and harder to
integrate. Project deadlines are becoming shorter because of the continuous
pressure from business management to move faster and faster. There's also
relentless pressure to cut costs resulting in greater demands on resources and
constantly changing supply chains. Add to this the usual elephants in the room
that nobody wants to tackle such as data quality (for which there are no standards)
and intrinsically insecure legacy assets, and it's a wonder our systems manage
to stay up as much as they do. <o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">Yet this is a world moving to Cloud Computing,
where we might reasonably expect better than 'five nines' service availability to
keep our businesses running. A major issue is that business continuity planning
is difficult and expensive for users of Cloud services. They will have few, if
any, alternative sources of identical services. And switching is far from easy.
Try asking a Cloud service provider how to plan for a major outage and you'll
be lucky to get a sensible answer that even acknowledges the problem.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">So what can be done? Here are a few ideas. Firstly,
accept that no service is invincible: they are all vulnerable to deliberate and
accidental incidents. Increasing centralisation of service delivery and a growing
reliance on monoculture (use of identical components and practices) is also
raising the stakes by increasing the global impact of a failure. The bigger and
more widespread they are the harder they will fall. And credits for missed
service levels are no substitute for lost business and damaged reputation.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">Secondly, treat outages and security events like
safety incidents. Monitor the minor incidents and conduct a <a class="zem_slink" href="http://en.wikipedia.org/wiki/Root_cause_analysis" title="Root cause analysis" rel="wikipedia" target="_blank">root cause analysis</a>
for near misses and common sources of failure. There's no such thing as an
isolated incident. Examine your own operations and dig into your service
provider's history. Many well-known service providers fall well short of customer
expectations.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">Thirdly, draw up a 'catastrophe plan'. And I
don't just mean a disaster plan, which generally involves recovering from a
fire or flood. I mean a full-blown catastrophe plan based on a "worst of
the worst" complete or extended loss of service or data. It will demand
imaginative thinking and preparation, for example ideas to speed up the
recreation of databases from scratch, alternative sources of essential
management information, and proactive plans to reassure customers that
everything is being done to protect their interests. <o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">Fourthly, make your own personal contingency
plans. Make sure you can work offline. Carry a decent amount of cash. Top up
your petrol tank. And keep a torch, maps and compass in your briefcase. Because,
like it or not, we are entering an information age in which business and life
will become increasingly volatile, and major crises will become more
commonplace.<o:p></o:p></span></p>

]]>
        
    </content>
</entry>

<entry>
    <title>Reflections on RSA Europe 2012</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2012/10/reflections_on_rsa_europe_2012.html" />
    <id>tag:www.computerweekly.com,2012:/blogs/david_lacey//75.85303</id>

    <published>2012-10-13T22:59:42Z</published>
    <updated>2012-10-13T23:11:30Z</updated>

    <summary>For those of you who couldn&apos;t make RSA&apos;s latest thrash in London I can report that there were, as expected, no real surprises. It&apos;s a shame as cyber security is booming at a time when emerging technology promises possibilities to...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Security Solutions" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal">For those of you who couldn't make RSA's latest
thrash in London I can report that there were, as expected, no real surprises. It's
a shame as cyber security is booming at a time when emerging technology
promises possibilities to transform the solution space in ways that should blow
the minds of traditional practitioners.</p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">Unfortunately such a change demands original
thinking, smart investment and a buccaneering appetite for risk taking that is
sadly lacking in both the public and private sectors. I know from personal experience
that if you develop novel ideas for creative product development they are
unlikely to gain much traction in a blinkered research and business environment
that prefers to focus and build on established practices and cash cows. (I've
been forced myself to abandon projects to build solutions based on models of
the human immune system and imaginative analysis of network data through lack
of UK Government funding.)<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">The end result is that new products tend to be little
more than incremental improvements of long established solutions. In the past
thirty years I've encountered as many new breakthroughs as you can count on one
hand. There is always however a new fashion or spin to place on new releases or
product variations each year. <o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">If last year's trend was BYOD, then this season's
buzz phrase is <a class="zem_slink" href="http://en.wikipedia.org/wiki/Big_data" title="Big data" rel="wikipedia" target="_blank">Big Data</a>. This particular one is very significant as it really
does herald something new, though its inspiration is no more than a reflection
of contemporary business trends in data mining coupled with the existence of growing
audit logs, rather than the outcome of any serious problem-solving analysis.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">Take <a class="zem_slink" href="http://www.splunk.com/" title="Splunk" rel="homepage" target="_blank">Splunk</a> for example who were promoting their
latest Big Data security solution. Splunk is clearly a leading engine for data
miners and I'm a big fan, but the security application looks like it's been put
together by a firewall administrator rather than an experienced data miner. I
met more than one colleague who told me their company was investing in the tool
for business applications though not for security. But watch this space. Solutions
will evolve beyond all expectations.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">Several other products on display exhibited that
not-quite-thought-through-or-finished-off quality, such as technologies that lacked
a hardware root-of-trust or other products that were clearly designed by ad hoc
security folk rather than subject matter experts. But there were some interesting
products on display. I liked for example the concepts behind Bromium, an
imaginative virtualisation-based solution, and Mykonos, a honey-trap technology
that encapsulates the new spirit of deception that will progressively underpin
security in the new information age.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">All new products need improvement of course and the
<a class="zem_slink" href="http://www.rsaconference.com" title="RSA Conference" rel="homepage" target="_blank">RSA Conference</a> is a good opportunity to deliver essential feedback because
it's attended by leading users as well as senior vendor executives and their research
and marketing teams. The development of new products is often locked in an inevitable
conflict between the road map drawn up by the CTO and the demands
of early customers. RSA Conference provides a useful forum for helping to settle the arguments.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">And this year's conference proved to be an
excellent environment for networking. The new layout of the exhibition area - with
smaller stands and more seating - encouraged visitors to relax and interact with
their colleagues between sessions rather than stand in a corner checking their email
and missed calls. On one day for example I sat down with a venture capital colleague
to have lunch and we were immediately immersed in a facilitated debate on
social media. We both enjoyed it.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">I thought the new layout was a move in the right
direction: more customer engagement and discussion about the relative merits of
the technologies on display, and less direct product promotion. Let's face it if
you want to buy a product, you're much more likely to be influenced by the
opinions of another user you've met rather than the pitch of a salesman on a
stand. Too many conferences waste energy on big stands, free gifts, loud music
and tacky promotions, rather than creating a calm environment to engage people
and discuss how to use and improve products. <o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">What of the
presentations themselves? The track sessions were too numerous to cover. There were
some good debates but nothing really new, and they left me with an impression
that many speakers spend more effort on the presentation title than the actual
content. <o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">The keynote addresses were generally lacklustre, clichéd
and short of new ideas or compelling rhetoric. We need more than abstract pronouncements on the wonders of Cloud Services, Big Data and Intelligence-led Security. <a class="zem_slink" href="http://en.wikipedia.org/wiki/Philippe_Courtot" title="Philippe Courtot" rel="wikipedia" target="_blank">Philippe
Courtot</a> of <a class="zem_slink" href="http://www.qualys.com/index.php" title="Qualys" rel="homepage" target="_blank">Qualys</a> always comes across as the most visionary and authoritative vendor but this year he gave us nothing new. Misha Glenny had a fascinating tale to
tell of hackers, criminals and spies, though I was left with the impression
that he was largely reading from his book. <o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; "><a class="zem_slink" href="http://jimmywales.com/" title="Jimmy Wales" rel="homepage" target="_blank">Jimmy Wales</a> was the undoubted star of the show,
and came across as a jolly nice chap with healthy, balanced views. I offered my
congratulations on his new marital status but he reacted as though I'd taken
the wind out of his own announcement. In fact for the first half of his talk,
the lack of any mention of his celebrity-studded wedding seemed to be the
elephant in the room. But Jimmy's important closing point was to remind us that the
biggest threat to Freedom of Speech is well-meaning but misguided legislation. Even
in a world of fast changing risks, some things never change.<o:p></o:p></span></p>

]]>
        
    </content>
</entry>

<entry>
    <title>RSA Conference Europe 2012</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2012/10/rsa_conference_europe_2012.html" />
    <id>tag:www.computerweekly.com,2012:/blogs/david_lacey//75.85266</id>

    <published>2012-10-07T20:13:21Z</published>
    <updated>2012-10-13T23:04:42Z</updated>

    <summary>This Tuesday marks the start of RSA Europe 2012. It&apos;s a leading brand and a major event. US vendors will be there in force, as will the cream of the European security community. The formula has been long established: keynotes...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Security Solutions" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="informationsecurity" label="Information security" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="security" label="Security" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal">This Tuesday marks the start of RSA Europe 2012.
It's a leading brand and a major event. US vendors will be there in force, as
will the cream of the <a class="zem_slink" href="http://en.wikipedia.org/wiki/European_Union" title="European Union" rel="wikipedia" target="_blank">European</a> security community. The formula has been long
established: keynotes by paying sponsors plus the odd guest or two; large scale
technical programme with multiple strands; exhibition of products from leading
vendors.</p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">This year we have Jimmy Wales closing the conference,
fresh from his celebrity-studded wedding. I believe there is also a German rock musician on one of the panels, though I'm not well up myself on that genre. All
in all it's a compelling event that cannot be ignored. Anyone who is anyone - and
can afford the fee - will be there. Media coverage will be guaranteed, in spite
of the rather lacklustre capabilities of the PR community. <o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">So what does it all achieve? Firstly, like it or not,
it reflects, communicates and reinforces the mood of the time. If Cloud, <a class="zem_slink" href="http://en.wikipedia.org/wiki/Big_data" title="Big data" rel="wikipedia" target="_blank">Big
Data</a> or BYOD are this year's flavours then everyone will be compelled to believe it. Secondly
it brings together a high concentration of security authorities - for better or
worse, as perspectives are quite different on each side of the Atlantic. But
most importantly it is the best opportunity for individuals from the UK and
European community to influence the big vendor beasts from the USA. <o:p></o:p></span></p>

<p class="MsoNormal"><span style="background-position: initial initial; background-repeat: initial initial; ">So let's get in there. I will certainly be
promoting my latest views on products, techniques and directions. I would
encourage you all to follow suit. Because in my view there is far too little imagination, diversity
and criticism in the field of information security management. And this is a good shop window to promote innovation.<o:p></o:p></span></p>

]]>
        
    </content>
</entry>

<entry>
    <title>Media Trends in Cyber Security</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2012/09/media_trends_in_cyber_security.html" />
    <id>tag:www.computerweekly.com,2012:/blogs/david_lacey//75.85091</id>

    <published>2012-09-05T20:54:01Z</published>
    <updated>2012-09-05T21:23:53Z</updated>

    <summary>I&apos;m now back blogging after an extended break of several weeks. Unsurprisingly, nothing much has changed in the world of cyber security, except for the media coverage, which has grown in quantity, scope and sophistication. This trend is clear from...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Managing the Human Dimension" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="computersecurity" label="Computer security" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="cyberwarfare" label="Cyberwarfare" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal"><span style="background-color: white; ">I'm now back blogging after an extended break of
several weeks. Unsurprisingly, nothing much has changed in the world of cyber
security, except for the media coverage, which has grown in quantity, scope and
sophistication.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">This trend is clear from the number of daily
emails churned out by specialist briefing services, such as Team Cymru's excellent
Dragon News Bytes, which seems to have at least doubled in size over the past
year. It's also quite apparent that the subjects addressed are now much more sophisticated,
encompassing cryptic threats such as State-sponsored espionage, as well as abstract
risks such as intellectual property rights. Such coverage would have been
unthinkable a decade ago.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">But it's not unexpected. In fact it's quite predictable,
as press, politicians and pundits gradually catch up with long lasting, subtle
trends that are becoming increasingly apparent to a much wider audience. Esoteric
subjects such as espionage, operating system vulnerabilities and cryptography
are now regularly discussed in newspaper columns. The Internet probably
publishes more classified government secrets than can be found in any
intelligence agency synopsis.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">So what are the trends that are currently catching
the imagination of the media? Here are three to kick off with.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">Firstly there have been a number of high-profile
catastrophes. For the purposes of this posting, by "catastrophe" I
don't mean regular disasters such as fires or floods - though they can cause
massive damage. And I don't mean "hacking" which is both unrelenting
and damaging. What I'm really getting at are the digital glitches caused by
inadequate software testing or bad change management. The sort of things we generally
consider "cock-ups" rather than "conspiracies", if you get my
meaning.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">Secondly there's the gradual realisation by
military observers that cyber warfare is very, very important, though few people
have any idea what it's really about. Let me rephrase that: I mean lots of people can easily articulate
the problem space, but few people understand the underlying root causes or the
changes needed to correct them. Hardly a day goes by without a government agency
or lobbyist calling for more research and development, regardless of the thin
results that have emerged from previous decades of academic and industry
studies.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">And thirdly there's the growing speculation that China is becoming a little too dominant in the cyber
security field. Whether it's the absolute control of the routing technology or
the perceived level of offensive capability, many people seem concerned. This
is rather interesting, as the cyber battle space appears (at least to me) to be
a relatively level playing field, characterised by a handful of bright individuals
drawing on a relatively similar set of tools and techniques. It's certainly not
an arms race of the kind we have experienced in the nuclear space. Nevertheless
there are lots of reporters and TV producers exploring this area and even a few
conferences dedicated exclusively to this subject. (Who can justify attending
those?)</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">Over the next few blogs I'll explore some of these
trends and suggest what the longer term implications - as opposed to the short
term media interest - might be. Many people in business-focused roles might wonder
what on earth the relevance might be to their everyday programmes, but, believe me,
press coverage and the resultant citizen perception have vastly more influence
on employee behaviour than industrial-strength awareness campaigns.</span></p>

]]>
        
    </content>
</entry>

<entry>
    <title>One size should not fit all</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2012/07/one_size_should_not_fit_all.html" />
    <id>tag:www.computerweekly.com,2012:/blogs/david_lacey//75.84935</id>

    <published>2012-07-22T21:09:30Z</published>
    <updated>2012-07-22T21:10:38Z</updated>

    <summary>I spend a lot of time working with big and small enterprises, helping with information security or risk management issues. What continues to amaze me is how much they differ in their security governance style and control requirements, but how...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Governance Issues" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="informationsecurity" label="Information security" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="riskmanagement" label="Risk management" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal"><span style="background-color: white; ">I spend a lot of time working with big and small
enterprises, helping with information security or risk management issues. What continues
to amaze me is how much they differ in their security governance style and
control requirements, but how similar they are in security initiatives and solutions.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">I find it as remarkable to see small companies
aspiring to implement management systems, scorecards and maturity frameworks
as to find very large organisations wanting to standardise on a common set
of enterprise policies, standards and governance processes. Security standards
have become decoupled from requirements. It is a dangerous drift towards a monoculture
of identical but unsuitable security countermeasures.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">Where is the appetite for innovation and diversity?
The answer is that it's been killed off by a professional development mindset that
is reluctant to challenge the accepted wisdom of an established compliance
regime. Real security is career-limiting. Best practices are far safer.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">This situation cannot continue. We need to encourage
and empower our security managers to think, judge and develop solutions that
are more in tune with real business. But a single business will find it hard to
break the mould. And government, regulators, trainers and standards bodies are
even more constrained. The future has to lie with academia and journalists, who
are free to research, criticise and encourage new ideas.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">If you're a university or research establishment,
then I would encourage you to take on this challenge. It's an important one,
because in my opinion every single aspect of information security management
(bar none) is inappropriate, and in need of substantial improvement. We must
throw away the past and invent new solutions from first principles.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">The starting point is to nail down those
principles. What are they? There is a gap here. Watch this space for more on
this topic.</span></p>

]]>
        
    </content>
</entry>

<entry>
    <title>Personal Continuity Planning</title>
    <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/2012/07/personal_continuity_planning.html" />
    <id>tag:www.computerweekly.com,2012:/blogs/david_lacey//75.84884</id>

    <published>2012-07-08T11:31:25Z</published>
    <updated>2012-07-08T11:44:33Z</updated>

    <summary>We have computers to thank for teaching us the importance of business continuity planning. The real objective might be to keep the business running rather than prop up the technology, but the approach and plans largely grew out of computer...</summary>
    <author>
        <name>David Lacey</name>
        
    </author>
    
        <category term="Incident Response" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="businesscontinuityplanning" label="Business continuity planning" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
        <![CDATA[<p class="MsoNormal"><span style="background-color: white; ">We have computers to thank for teaching us the
importance of business continuity planning. The real objective might be to keep
the business running rather than prop up the technology, but the approach and plans
largely grew out of computer fallback planning. That's why the manuals tend to
be so thick. Business continuity planning is a simple process spoilt by consultants
copying manuals from other clients.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">But today's computer systems failures have a much
wider impact than business processes. The consequences ripple down the supply
chain affecting large numbers of customers who have grown to depend on just-in-time
supplies of money, goods and transport. The problem is that unlike enterprises,
consumers don't do contingency planning. It's understandable of course, given
that nobody has encouraged them to do it.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">Security and contingency planning are similar in
that nobody bothers to do them unless forced to by compelling legislation or after
experiencing a life-changing incident. Even with the highest levels of
education, people won't pay attention unless the perceived consequences of not
doing so are personal, immediate and certain. And they're not, or rather they haven't
been in the past.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">In the last few months however we've seen some
compelling incentives for UK citizens. Major UK banks have failed to work as
expected, in one case for a couple of weeks. Floods have disrupted travel.
Immigration queues have caused travellers to miss connections. And the
forthcoming Olympic Games threaten to bring parts of London to a standstill.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">How should a citizen react? The answer is by
anticipating disaster and preparing practical continuity plans. It's nothing
new; it's just rarely practised. I have one neighbour for example with a relatively
sophisticated disaster plan. We've been briefed in detail on how to respond to
virtually any major disaster affecting their property, whether fire, flood, earthquake
or theft. But this is a rare exception.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">Today, every citizen should be prepared for
extended bank outages, petrol shortages, power outages, travel disruptions and
other major disasters. Fifty years ago many people worried about nuclear war. Today
we need to worry about how to survive when ATMs and transport fail.</span></p>

<p class="MsoNormal"><span style="mso-bidi-font-family:Calibri;mso-bidi-theme-font:
minor-latin;background:white">Earlier this year I published the first ever book
(as far as I know) on <a href="http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030240063">business continuity planning for small and medium
businesses</a>. With this year's hindsight, I'd admit that I probably didn't go far
enough. We now need citizen continuity plans, because information systems and
process control systems are far from foolproof and, given the pressures placed
by management on IT development and operations staff, they are likely to stay that
way for a long, long time.</span></p>

]]>
        
    </content>
</entry>

</feed>