November 27, 2009

Everything you wanted to know about Data Protection

The Information Commissioner's Office has just published a detailed Guide to Data Protection. It's an excellent, well-presented piece of work, though at 175 pages it's not likely to be read from cover to cover. But as a useful, free reference document, I'd advise every security professional to download a copy.

Most managers require a broader view of the compliance space than a perspective on just one aspect of compliance or on the requirements in a single jurisdiction. Building up a library of references to many pieces of legislation, however, takes a fair bit of time, so any up-to-date compilations are very welcome. That's why I was also pleased to see the publication of Stewart Room's long-awaited bible: Butterworth's Data Security Law & Practice. Stewart's book is expensive, but you get a lot for your money.

Stewart is also an evangelistic doomsayer, who for some time has been pointing out that we're currently experiencing a 'bear market' in regulatory compliance in data protection. And he's not wrong about that. Today's compliance regime is mild compared to what's waiting in the wings. It's time for all of us to start raising our game in data loss prevention.

November 26, 2009

Human factors in information security

Elsevier are holding their first conference on human factors in information security in London on 22nd-24th February 2010. What's interesting is that it combines academic excellence and practical business experience. Very few conferences on this subject have been held, and they have generally been designed primarily for academic researchers. It's encouraging that the UK is hosting this conference, as it sits somewhere between the US and Continental Europe in its appetite for the subject. Hopefully it will set the scene for further conferences on this important subject.

Which is the best security blog?

Congratulations to Graham Cluley of Sophos, who won the Computer Weekly 2009 best blog award. Congratulations to Computer Weekly also for unselfishly excluding their own bloggers from the competition. In the topsy-turvy world of the blogosphere it clearly pays not to blow your own trumpet.

November 24, 2009

Cyber Security Mega Trends

Larry Ponemon, founder of the Ponemon Institute, has published a paper on 'Cyber Security Mega Trends', i.e. what senior-level IT executives believe to be the biggest cyber security threats to US federal organizations. It's a useful read, not so much to predict the future - which can't be done through a market survey - but to understand the thinking and priorities of government IT executives.

I often find that the solution to a problem is not too far away from the problem itself. So it's interesting to note that all of the threats mentioned can actually form the basis of potential security solutions:

  • Cloud computing offers better security services because the cloud service provider gains a superior perspective of events.
  • Virtualization technology can be used to prevent intrusions by rapidly rotating targeted servers to prevent an attack from succeeding.
  • Mobility ensures a more effective crisis response and can provide useful intelligence on the location and activities of people.
  • Cyber crime and cyber terrorism provide justification to build larger security budgets and empires.
  • Open source enables greater cooperation, review and bug-fixing for security products.
  • Data breach notification means that enterprises are compelled to fix security exposures before the breaches occur.
  • Unstructured data encourages the development of management tools that provide better intelligence through a richer analysis of data content.
  • Outsourcing motivates us to establish better inventories, standards and compliance processes.
  • Web 2.0 provides the social networking capability we need to harness the power of employees and customers to serve as a virtual security function.

As I often say, it's not difficult to turn a series of threats into a set of opportunities.

November 22, 2009

Where to find innovation in security

You can find an interesting posting of mine on innovation in security, inspired by the Global Security Challenge, on Infosecurity Adviser, the news site of Infosecurity Europe. My point is that there's plenty of innovation around but it doesn't always make it into everyday use. We need a lot more investment and support to help make that happen.

November 21, 2009

Data Integrity - The Final Frontier

Regular readers of this blog will know that I've been forecasting for some time that data integrity will be the next big thing. That's nothing new. But what's really interesting is that many of my fellow security professionals are now starting to say the same thing. Data integrity was certainly one of the hottest issues raised at last week's Infosecurity Europe Advisory Panel. I've previously commented that it might take five years for people to respond to this challenge. Hopefully, awareness of the problem space might start to take off during 2010.

Data integrity is the third and arguably the most significant phase of information security. It's the final frontier to be tackled in contemporary information security, which is based on the three pillars of confidentiality, integrity and availability: a long-standing fusion of three distinct objectives that collectively map out a solution space that still contains many gaps. It's understandable that people tend to notice the availability and confidentiality aspects of security well before they spot the integrity issue. But the integrity challenge is quietly building up into a dangerous exposure. Bad data undermines business confidence, and in extreme cases it can permanently reduce the value of business services.

So why is data integrity such an issue? Firstly, much of our data is already bad but we don't advertise that fact. We keep it quiet. In many databases, it's not unusual to find that up to half the records contain errors of one sort or another. That's due to a combination of factors, ranging from transcription errors in call centres to the inevitable temptation to re-use old data outside of its original context. On top of that we have a range of network effects that distort incoming data through Chinese whispers, rumour, spin or good old fear, uncertainty and doubt. There's a tendency to believe anything that you hear from several different sources. In large networks, that can be deadly. But the most disturbing concern is the threat of an unauthorised intruder deliberately changing data to cause harm, whether for financial gain, spite or sabotage.

The starting point in addressing this relatively new problem space is to recognise that we need standards to assure customers, citizens and other stakeholders of the quality of the information in our databases. It's quite outrageous that none exist for services that can have a major impact on people's lives. A single percentage of error in a national database can represent a population the size of a major city. That demands scrutiny. Once we can see the size of the current exposure, there's no doubt that society and the media will demand action. But until that happens we're sitting on a ticking time-bomb that's just waiting to explode.
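The post's most disturbing concern is an intruder silently changing records. A concrete, defender-side illustration of what a minimal integrity control looks like is given below. This is an added example, not code from the post or from any product it mentions; it assumes a hypothetical design in which each database row carries an HMAC-SHA256 tag computed under a key kept outside the database (the key value, record layout and sample rows are all constructed for the example). It shows three things the post argues for: a tag detects a row edited directly in storage, a row that never had a tag is flagged rather than silently trusted, and the audit yields a countable exposure figure rather than an anecdote. The caveat a practitioner should keep in mind is that a tag only proves a record has not changed since it was tagged; it says nothing about transcription errors that were already present when the tag was computed.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Hypothetical key for the example only. A real deployment would hold it in a
# key store separate from the database, so that an intruder who can rewrite
# rows cannot also recompute valid tags.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

Record = Dict[str, str]
Store = Dict[str, Tuple[Record, Optional[str]]]   # record_id -> (fields, tag or None)


def canonical(record: Record) -> bytes:
    """Serialise a record deterministically so that field order cannot affect the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record_id: str, record: Record, key: bytes = INTEGRITY_KEY) -> str:
    """Compute an HMAC-SHA256 tag bound to both the record id and its content."""
    # Binding the id stops a valid row being copied over a different id and still verifying.
    message = record_id.encode("utf-8") + b"\x00" + canonical(record)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_record(record_id: str, record: Record, tag: Optional[str],
                  key: bytes = INTEGRITY_KEY) -> str:
    """Classify one row as 'ok', 'tampered' or 'missing_tag'."""
    if tag is None:
        return "missing_tag"
    expected = tag_record(record_id, record, key)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return "ok" if hmac.compare_digest(expected, tag) else "tampered"


def audit(store: Store, key: bytes = INTEGRITY_KEY) -> Dict[str, str]:
    """Run the integrity check over every row and return id -> status."""
    return {rid: verify_record(rid, rec, tag, key) for rid, (rec, tag) in store.items()}


def build_sample_store() -> Store:
    """Constructed sample data: three rows, two of which are damaged after tagging."""
    rows = {
        "1001": {"name": "A. Example", "postcode": "AB1 2CD", "status": "active"},
        "1002": {"name": "B. Example", "postcode": "EF3 4GH", "status": "active"},
        "1003": {"name": "C. Example", "postcode": "IJ5 6KL", "status": "closed"},
    }
    store: Store = {rid: (dict(rec), tag_record(rid, rec)) for rid, rec in rows.items()}

    # Simulated unauthorised change: a field edited directly in storage without re-tagging.
    fields, tag = store["1002"]
    fields["status"] = "suspended"
    store["1002"] = (fields, tag)

    # Simulated data-quality gap: a row imported from a legacy system that never had a tag.
    store["1003"] = (store["1003"][0], None)
    return store


def reorder_is_harmless() -> bool:
    """Show that canonical serialisation makes field order irrelevant to verification."""
    rec = {"name": "A. Example", "postcode": "AB1 2CD", "status": "active"}
    tag = tag_record("1001", rec)
    reordered = {"status": "active", "postcode": "AB1 2CD", "name": "A. Example"}
    return verify_record("1001", reordered, tag) == "ok"


if __name__ == "__main__":
    report = audit(build_sample_store())
    for rid, status in report.items():
        print(rid, status)
    bad = sum(1 for s in report.values() if s != "ok")
    print(f"{bad} of {len(report)} records fail the integrity check")
```

Run as a script it prints one status line per row and a headline count of failing rows, which is the kind of measurable figure the post says is needed before society will demand action. A production design would also need to decide who is allowed to re-tag a row after a legitimate change, and to log every re-tagging, since a tagging service that any application can call on demand gives an intruder the same power to launder a change.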

November 19, 2009

The new art of war

The National Journal has an interesting article on cyberwar, pointing out some of the opportunities and hazards associated with this new form of conflict. It's very different from anything we've seen before and it demands very careful consideration to avoid attacks damaging valuable business assets. It's also a very sneaky form of conflict. As I've often said, it's more the art of illusion than the science of sabotage.

It's also far too easy to trigger covert attacks. Minor, local conflicts can quickly escalate and cause global impact. In cyberspace, as John Suler points out in his online book The Psychology of Cyberspace, people can be tempted to go much further than they might in the physical world, exploring dark subjects, taking risks and becoming unusually hostile.

Cyberspace is a surprisingly dangerous medium in which to conduct warfare. Let's hope that future cyber warriors are alert to the dangers.

November 18, 2009

Small companies are the key to security innovation

The Global Security Challenge finals which took place at London Business School last week were a revelation to anyone who believes that security innovation is dead. There's certainly little imagination and innovation to be seen in the products emerging from big vendors and research establishments. But many breakthroughs are initially developed by clever individuals or small start-up companies.

So it's no surprise to find an impressive range of unique and imaginative new security solutions in the Global Security Challenge finals, a competition specifically aimed at small enterprises. Many were game-changing developments, such as a technology that can detect liquid explosives in suitcases, a new form of lightweight body armour that can survive point-blank grenade attacks, and a video camera that takes such high-resolution pictures that you don't need an optical zoom capability. The cyber security finalists were also impressive, including two technologies that offer a step change in real-time vulnerability management, using very different approaches. (I'll cover these in a later posting.)

So if this initiative is delivering the new security solutions we need, what else is needed? The answer is a lot more of the same. We need more attention and support for the SME and start-up sectors. Many of the finalists in the Global Security Challenge have fewer than half a dozen staff and exist primarily on research awards and prizes. Yet they have also managed to develop complete products and gain real customers. We need more pump-priming investment to stimulate these sectors.

November 17, 2009

Oman sets the bar on security awareness

Last week I was fortunate to have been presenting at a MIS Training CISO Executive Summit in Muscat. The Sultanate of Oman has long been my favourite business and holiday location. It's also a place where managers understand the importance of the human factor in business and security.

In the past, the people perspective has been low on the management agenda of Western organisations. The only time an executive board pays attention to staff is when they need a headcount reduction. But the business world has changed. Networks are empowering people to unprecedented levels of influence. We need to educate and listen to employees, customers and citizens, because the focus of decision making has shifted from the corporate centre to the front-line workforce. Managers, staff and customers are the engine of intellectual property generation, as well as the thin red line that safeguards these assets.

This is why I was highly impressed with the Sultanate of Oman's new information security awareness programme. It's a government-sponsored, nationwide initiative, and it's tailored to the local culture. Madison Avenue executives might not be especially impressed with the simplicity of its images and messages. But they would be wrong. What counts for success is a good understanding, empathy and a resonance with the target audience.

From that perspective, Oman has set the bar for an initiative that other countries must also meet. There might be a wave of technology coming from the West. But there is also a wave of best practices in citizen education building from the East.

November 6, 2009

Towards the paperless office

A few weeks ago I reported that I could sense a new, much more determined mood across the UK business community to embrace electronic channels to overcome the postal strike. You can really see the aspiration in the eyes of sales executives to turn a major disaster into a business opportunity. So what has the response been so far?

My contacts in Mimecast, a leading vendor of cloud-based email security services, tell me that they noted a 20% increase in the volume of email on the first day of the Royal Mail postal strike. In fact they've seen this level of increase before, during previous strikes. So is this just a routine knee-jerk reaction? Or is it something different?

In fact I believe we've hit a tipping point. Things are different this time around. One of the main characteristics of tipping points, as articulated by Malcolm Gladwell in his groundbreaking book on the subject, is the 'power of context', the particular conditions and circumstances of the time and place.

In this case we have several factors coming together. Firstly, there is a greater recognition that electronic channels are now the norm, rather than the exception, for many forms of business. Secondly, there are now plenty of easy-to-implement security products to help companies make the transition from snail mail to secure email. And thirdly there is less fear of deploying complex technologies such as encryption to solve business problems.

But above all, there is a new confidence that a paperless business environment is now a viable, as well as a desirable objective. Years ago, we used to joke that the paperless office would come after the paperless toilet. Perhaps we were mistaken...
