Professionalism Archives

December 7, 2006

The Importance of Training

Lecturing yesterday on the MSc course at Royal Holloway University of London reminded me of the importance of professional training for Information Security staff. As the late George van Eps, a jazz guitarist, once put it: “Luck won’t do it, and ignorance can’t”. Unfortunately there’s nowhere near enough professional training around. And the capacity of our university courses is very limited. So we are heading for problems in the future, unless we change our ways.

Information Security is a rich, complex subject, getting bigger by the day. Most of the leading professionals I know were self-taught. You could get away with that a couple of decades ago, because there was no established body of knowledge, very little in the way of professional training and few specialist areas. Today, the scope of the subject is huge, encompassing many niche areas, each worthy of a course in its own right.

So what should we be doing to improve the situation? In my view the answer is to put more people through MSc or Post-Graduate Diploma courses. That’s the level of study required to do the job today. I did this at Royal Mail Group and it works. I put all my Information Security staff through Royal Holloway training and it transformed the quality of the in-house function. There is no substitute. Certification bodies, personal development schemes and professional societies are the icing on the cake. None of them can make a real difference without the underpinning professional education.

December 23, 2006

Security Achieves a New Level of Maturity

Looking back over 2006 I have to say that although it’s been largely more-of-the-same for many IT Security practitioners, there's undoubtedly been a significant shift in the perception of other stakeholders, whether business, IT or citizens. Partly it’s been due to increased compliance demands forcing many organisations to manage their operational risks. But largely it’s down to the increasing experience by everyday people of the importance of vulnerability management and the hazards of the Internet.

From my own perspective, with around two and a half decades of professional experience, I’m impressed with the degree of knowledge and professionalism that you can find in large organisations today, as well as the size of their budgets and headcounts. Back in the 80s there were only a handful of full-time practitioners, and no established body of knowledge on the subject. Practitioners were self-taught and operated independently. Throughout the 90s we saw increased networking and knowledge sharing, and the emergence of early security technologies. But few organisations had effective enterprise management systems. And many had yet to establish a professional function. The dotcom boom made some aspects of IT Security fashionable, and we briefly saw some rather ordinary security companies achieve staggering, though temporary, growth in market capitalisation. But this market was driven by investors’ greed, not real customer demand, so the boom was short-lived.

For me 2006 has been a watershed year for security process maturity, professionalism and technology. We’ve seen the birth of a new Institute – The IISP - though it has an awful long way to go to prove it can deliver anything useful. And for the first time, it seems that the majority of large organisations actually have a functioning management system, and a good professional relationship with other corporate functions. I’ve also seen an impressive range of specialised technologies emerge from start-up companies. These technologies will take a few years to be absorbed into the corporate tool box, but when they do they will provide unprecedented visibility and control of security across the enterprise.

So 2006 has been a good year for IT Security. The only thing we missed was the Electronic Pearl Harbour incident to wake us all up. Back in 1999 I forecast this was unlikely to strike until 2006. It didn’t happen. But it might well be on the horizon as we enter the New Year.

January 28, 2007

White Hats Do Good

Friday’s excellent White Hat Ball demonstrated that security professionals can deliver value to the Community, by raising a substantial amount of money for the Childline Charity. It was great to see so many user organisations taking tables for their teams. Five years ago, you would have had to look very hard to spot a CISO at any of the London Charity Balls. What a contrast! Congratulations to all of the organisers for a great job done, and special thanks to the highly professional Merrill Lynch team for inviting me to join them.

February 22, 2007

Time for a New Standard for Software Development

Stuart King's posting on the importance of process reminded me of the important issue of software development standards. I believe it's time for a big change, for a fresh approach. Because our legacy standards are no longer fit for purpose.

Back in the 80's the US Department of Defense established the Software Engineering Institute (SEI) at Carnegie Mellon University to address the issue of software quality. The SEI built on some emerging concepts from Total Quality Management to develop the first Capability Maturity Model (CMM) - a major breakthrough. Wonderful stuff, except that it was developed to solve the problems of large-scale Defense programmes. And in such environments, implementing and certifying development processes against several hundred pages of controls was no problem at all.

Fast-forward to 2007 and much of the critical software we depend on is developed by small start-up companies with no more than a dozen programmers operating in a highly informal environment. Does the Carnegie Mellon model fit this environment? Absolutely not. It remains a useful benchmark for any organisation that seeks to off-shore their software development. But it does not fit the shrink-wrapped package world, operating out of a Silicon Valley garage or a backstreet Soho office.

In addition we now have to accommodate the new science of security vulnerability management. No code should be cut today without meeting tough security standards to remove exposures to buffer-overflow and other nasty vulnerabilities. Microsoft has set the standard in this direction and they should rightly be applauded. But not everyone else gets it. And even then, we have a big hill to climb in order to update our System Development Lifecycle (SDC) methodologies and train our designers and programmers in how to develop security architectures and cut secure code.

So we need a new approach. We need a new software development standard that's lightweight enough to be adopted by small technology companies, but captures all the essential new security practices. Any ideas on how we get there?

May 19, 2007

Honesty and Openness are the Foundations of Real Security

I never know whether to believe IT vendors when they tell me that they're serious about security. After all, as Mandy Rice-Davies famously put it: "Well they would say that wouldn't they". So I was very pleased when Microsoft recruited ex-FBI Special Agent Ed Gibson in a high profile security role. Because I know that Ed wouldn't work for an organisation he didn't believe in. When Ed speaks - as he did rather eloquently at this week's NISC8 Conference - you can tell it comes from the heart. It's not company-speak and he doesn't pull his punches. And that's the best way to manage PR in today's highly-connected Web 2.0 World. Smart companies listen to - rather than gag - their employees. And that way, as Mandy Rice-Davies also put it, they may one day be able to look back on their life as "one long descent into respectability".

May 20, 2007

Don't miss out on the Cyber Security KTN Conference

I'm a very keen supporter of research and innovation. Without it, I believe we will face serious problems in the future, as many of our traditional physical and procedural controls will be largely irrelevant in a highly-networked, fully-automated business environment. We need fresh thinking, new approaches and innovative solutions. The problem is that traditional research and development models are not a good fit for today's fast-changing, short-term business world. The old pipeline process that took an idea from theoretical research, through applied research to implementation broke down a long time ago. We need better, more dynamic approaches to help bridge the gap between business problems and academic solutions. The excellent MIT Media Lab does this by regularly introducing visiting business executives to blue sky researchers, in the serendipitous hope that a spark of left-field scientific thinking will generate a breakthrough solution for a thorny business problem. But it costs a lot to join one of their consortia. And even more to ship your executives over to Boston for tours of the Lab.

UK organizations have provided much of the thought leadership for modern Information Security Management. We have the advantage of a well-connected user community and more than our fair share of top CISOs. But we need stronger links between Industry, Government and Academia. So it's great to see DTI bringing together security managers and researchers through their Cyber-Security Knowledge Transfer Network. It's free and it has already introduced many business managers to a new world of academic research. By participating in their programme, I've already discovered many new hot-spots of academic excellence in areas such as network security, artificial intelligence, secure coding and behavioral analysis. And a lot of it is directly relevant to many of my current activities. Whether you're a security manager, a product developer, a researcher or a venture capitalist, it's well worth getting involved. So make a date in your diary for 12th June to attend the Cyber-Security KTN Conference in London. It's free and I guarantee that it will give you a fresh perspective on how to develop solutions to your security problems.

June 28, 2007

The Dark Side of Security

I’m always fascinated but saddened to read about cases where wealthy people pay large sums of money to buy intelligence from shady information brokers. The recent case of two police officers, caught bugging phones and hacking into computers is a classic case. As is so often the case, it seems that most clients are domestic, i.e. husbands spying on wives or vice versa. You rarely see blue chip companies engaging in such practices. Of course, we have seen one recent example of dirty tricks within a top technology organisation. But that’s the exception. Most respectable companies will avoid engaging in illegal information gathering activities at all costs because the risks are too great and it's always possible that some company staff will object or blow the whistle.

That’s not to say that organisations shouldn’t engage in healthy competitive intelligence gathering, which is a fundamental business requirement in a fast-moving competitive environment. But it’s vital to draw a clear line around the limits of acceptable activity and to avoid crossing it at all times. Because it’s increasingly hard to keep secrets in today’s world of free-flowing, open communications. And if you’re caught it’s hugely damaging to corporate reputation and staff morale.

August 29, 2007

Security Managers are Getting Smarter

Over the last week, I’ve been interviewing a few selected security managers for a forthcoming Computer Weekly special. It’s been an interesting experience, and I was highly impressed with what I heard. Today’s security managers are far more sophisticated than they used to be. They have a better understanding of the business landscape and the emerging challenges. They also have a more realistic appreciation of the limitations of the resources at their disposal and how to get the best out of them. And they are more articulate when explaining complex security issues to directors and business colleagues.

Security has come a long way in the last two decades. Back in the eighties it was a backwater for aging operations managers, or auditors trying to escape the accountancy profession. In contrast modern security managers have to straddle the technical and the business dimensions of the problem and solution spaces. And they must be able to master the human factor, whether it's tackling staff, criminals or hard-nosed business managers. It’s a major challenge. A top CISO needs all the qualities of a CIO but with state-of-the-art know-how about current vulnerabilities and emerging threats. And many are rising to the challenge. I've seen far more successes than failures in recent years.

Where will it all end? Will we ever see security on the Board? Probably not, because at very senior levels it’s hard to justify operating within such a narrow specialism. One thing is certain however. Top security practitioners will continue to require a greater set of skills and knowledge than many other parts of IT and business. That's why the top jobs continue to attract such high salary packages.

November 27, 2007

Security is the New Rock And Roll

I always felt there was potential for IT Security to become fashionable, especially with those Die Hard and James Bond connections. Of course the problem is the rather pedestrian types that IT Security attracts, who are generally rather conservative or nerdish. So it’s refreshing to hear of one of our community being described as the “rock star of security outreach”. I’m referring of course to the excellent Ian Cook of FIRST and other fame. I’d certainly endorse that. Though as a long-standing jazz fan, I’m not entirely sure it’s a compliment.

January 9, 2008

It’s Time to Clean up our Language

What’s in a phrase? Not a lot if you’re gossiping casually, though style, fashion or taste might perhaps shape your choice of words. But words mean a lot if you’re aspiring to operate in a professional manner, because precise definitions are the basis of the body of knowledge that underpins any professional practice.

So perhaps it’s about time we cleaned up our choice of terminology. I was reminded of this today when a professional body asked me for my views on the term “ethical hacking”. It’s one of those phrases that’s crept into usage to describe what I’d call "penetration testing", though I’m not entirely sure if that’s an accurate description for the activity of live testing of systems or infrastructure to identify security vulnerabilities. But ethical hacking is definitely a misnomer. Firstly, because it has a different objective from hacking, i.e. it’s intended to detect security vulnerabilities, not achieve a penetration of a system. And secondly, because it’s a straightforward business requirement and has little to do with ethics.

There are lots of security glossaries around. Microsoft has one but it doesn’t include the word testing (bit worrying that). SANS has one that includes penetration testing but describes it as merely testing the external perimeter security. The IETF has a better definition for penetration testing, but falls down when it comes to “hacker” by describing it as "someone who figures things out and makes something cool happen”. Arghhh!

February 14, 2008

Ethical Hacking

I was surprised to read that a 16 year old teenager has achieved a qualification in ethical hacking. It’s clearly a great achievement for him. No doubt he will have a great future ahead of him. But how can such a thing be possible? Penetration testing requires a lot more than technical knowledge. It calls for a high level of integrity, a good appreciation of business risks and a sound understanding of the economics of security solutions. Let's hope that organisations look for more than paper qualifications when hiring contractors to test their systems. And let's hope that security professionals stop using that dreadful term, which has little to do with ethics or hacking.

March 4, 2008

Professionalism

I’m pleased that my fellow blogger, Stuart King, takes pride in his new qualification as one of the first full members of the Institute of Information Security Professionals (IISP). It’s certainly a good thing to encourage security practitioners to aim for professional recognition. And as a founding director I have a soft spot for the Institute.

But I do worry about the continuing focus on qualifications rather than education. In my view we’re not tackling the real problem. Qualifications don’t make people better at their jobs. The key requirement is training. And there’s simply not enough of that.

Security professionals should be encouraged to attain an MSc or post graduate diploma. That’s the minimum standard appropriate to the work, and the target I set for Royal Mail Group practitioners. Obtaining qualifications on the basis of experience is a less demanding route. It might solve a management problem but it doesn’t improve the quality of the work.

March 13, 2008

The Softer Side of Security

For the last few days I've been over in Orlando speaking at MIS Training Institute's excellent Infosec World. It's one of the most comprehensive conferences in terms of subject area coverage, with 11 simultaneous streams of in-depth presentations. And the feedback from delegates is always good. So it provides an interesting perspective on the state-of-the-art of the US security community and an indication of the challenges facing security professionals.

In the UK we're used to looking to the USA for an idea of what's coming next. But in the information security world the opposite has often been the case in recent years as US companies adopt UK innovations such as ISO standards, ITIL management processes and de-perimeterisation strategies.

However the traditional gap between US and UK security emphasis - the former having a stronger technology focus and the latter more process-oriented - has largely disappeared. Programmes such as Infosec World now have a strong emphasis on softer management issues such as leadership, business alignment and human factors. It's an encouraging trend and one that's set to continue for a long time.

May 30, 2008

Bletchley Park needs your help

I've always had a soft spot for Bletchley Park (BP). It's an important piece of history and it needs to be preserved, and not just the physical site but also the spirit of innovation and creativity that led to the birth of the computer and the science of cryptology.

One would imagine that such an important site would naturally attract support from security agencies and technology vendors. Not so. I spent several years trying to raise funds from industry and it's a hard slog. Charitable donations tend to go to children's charities such as NSPCC and Rainbow Trust. Government security agencies aren't tasked to spend taxpayers' money on charitable donations. And there isn't an obvious business case for companies to invest in BP, though there are great benefits in partnering with such a distinguished site.

BP has done remarkably well to survive on little more than visitor fees and the odd bit of sponsorship. It needs and deserves a lot more. The brand is priceless and the cause worthy. Smart security vendors should be queuing up to associate themselves with such an important and popular institution.

So when I read in The Register that the Park needs £1 million for repairs, I had no hesitation in penning this appeal. Spread the word. Get your wallets out. Bletchley Park needs your help. There is great kudos and satisfaction in being associated with BP.

Let me know if you'd like to help but are stuck for ideas. I'm sure we can dream up an imaginative business case to match your aspirations.

June 1, 2008

Recession-resistant careers

An article on this subject in the Boston Globe caught my eye. It lists computer security specialists as one of five categories of recession-resistant careers, alongside teaching, energy/environmental services, food services and health services.

It's certainly correct. Cyber security is here to stay and set to grow much bigger. What the article doesn't tell you is that the focus of demand is constantly shifting, most recently to the softer side, where experienced risk managers with good relationship management skills are in huge demand. Eventually the pendulum will swing back to demand more technical expertise.

Security is a huge umbrella covering a vast array of skills and knowledge. We have a long way to go to develop the career development plans to ensure that future security directors have the range of skills and experience needed to manage a multi-disciplinary team. The starting point is to appreciate the valuable contribution that each person makes. We will always need a mix of hard and soft skills to deliver effective security programmes.

Unfortunately the tendency is for many staff to jump on the bandwagon and rebrand their skills to suit the market demand. That's a waste. We can't and shouldn't aim to turn our top technical experts into smooth risk managers. Instead we should find reward mechanisms that value all areas of expertise.

August 18, 2008

Irresponsible disclosure

The arguments continue about the recent court order by the Massachusetts Bay Transportation Authority to prevent MIT researchers from revealing flaws in the security of its e-ticketing system. It makes me wonder about the motivations behind contemporary research.

The real debate should not be about freedom of speech. It should be about why university research is wasted on attempts to find flaws in other people's operational systems, rather than developing useful security solutions. We all know that no system is foolproof. They all rely to some extent on security by obscurity. And you can't fix deep-seated flaws overnight. It's bad enough having a community of criminals looking to exploit ways to circumvent them. We could do without universities helping them.

October 5, 2008

The MD who came in from the cold

Congratulations to JP Rangaswami, Managing Director of BT Design, and his team for sleeping rough in London on Friday night, one of the coldest nights of the year. And, of course, to all the other IT professionals who slept out in Byte Night's annual charity sleep-out.

Confused of Calcutta, JP's excellent blog, is one of the most entertaining and thought-provoking blogs. And, if you check it out, you're probably still in time to contribute to his fundraising target.

October 11, 2008

Top Gun jobs

Each weekend I dig out the latest copy of the SANS @RISK vulnerability alert newsletter from my junk e-mail tray. Clearly Microsoft Outlook judges it to be a bit suspect. But most of it seems harmless, though it can carry some bizarre features.

Today's lead article was one of those, announcing: "We're getting our arms around the "Coolest jobs in Information Security" both to educate students who are considering jobs in security and to help people who want to see where they might take their careers.  We've even identified the "Top Guns".

It seems that you qualify as a Top Gun if you decide to call yourself a "security maven", a "vulnerability researcher" or a "security architect" (which bizarrely they equate with a "perimeter protection designer"). These guys at SANS are clearly a very sad bunch to come up with such nonsense. I expect it reflects their own aspirations.

The only cool jobs these days are those with index linked, final salary pensions in the civil service. But no doubt those opportunities will be short-lived.

October 24, 2008

Mail shots for dummies

Like many of you, I receive a raft of professional direct email churned out by Techtarget's team of spin merchants. Normally I accept it all in the healthy spirit of direct mail. It's sometimes useful, and the rest is easy to delete. But I do expect it to be of a reasonable quality. Unfortunately, standards seem to be slipping. Today's SearchStorage email, entitled "Backups for dummies" commenced with the classic line that "Backups have been squeesed from all sides". 

Of course I accept that none of us are perfect, and we all make mistakes. But if quality control has slipped to the level of not even bothering to check the opening line of the email, then it conveys a general impression of lack of attention to quality and detail. In an increasingly busy business world, that's not good enough to compete for attention. So fix it, Techtarget, if you are aiming to survive the current recession.

October 29, 2008

Victoria's secrets steal the RSA show

Over the last three days and nights I've been absorbing the delights of the RSA conference in London. Fortunately the sun shone on this year's event. It's just as well as the London docklands setting can be such a drab, soulless place. But the event was brilliantly organised by Lynda Lynch. Everything ran like clockwork, apart from the inevitable transport delays we tend to expect when commuting to docklands. And the programme was excellent: well balanced and full of interesting, quality presentations. All the people I spoke to found the conference was good value.

I'll be reporting in later postings on some of the developments that caught my eye. But the highlight for me was a chance to play with the impressive showcase of vintage Enigma and Hagelin cipher machines from Bletchley Park, kindly lent out by John Alexander, a leading authority and collector, and presented with the expert help of Victoria Worpole from Bletchley Park's Education Department. I'd truly love to own some of these beautifully engineered machines. They don't come cheap but I expect they'd prove to be excellent investments, and that's a rare thing today.

November 9, 2008

Preserving our Information Security Heritage

Well done to English Heritage for donating money to help preserve http://www.bletchleypark.org.uk/. Hopefully it will encourage further funding, because BP needs a lot more money. And it's an important historical site, because it represents the beginnings of the modern information security age.

As time goes by, we'll appreciate it more. Fifty years ago few people were aware of the world of cryptology. Today, there are best selling technology books on the subject. One day it will be taught in schools. It's a core skill of the information age. And the most significant breakthroughs, including the invention of the digital computer, were achieved at BP.

It's hard to raise money for institutions such as BP. I know because I've tried it in the past. It's not a charity that tugs at the heart strings in the way that children's charities such as the Rainbow Trust or Wooden Spoon do. And it's hard for most companies to make a business case for such an investment. But it's a good fit for security technology vendors who can clearly benefit from an association with this popular and prestigious institution. And it's an appropriate cause for sponsored fund raising by information security professionals.

November 12, 2008

Security myths exposed

Network World has an excellent debate on classic information security "myths or truisms", with comments by myself, Bruce Schneier, Andrew Yeomans and other top professionals. Each of these subjects would be an interesting panel debate on its own.
December 23, 2008

Security practitioners beat the analysts

Andrew Yeomans drew my attention to Michael L. Dickey's assessment of the security experts' response in Network World's recent feature on Security Myths. I'm pleased to say that Andrew and I came out on top, which perhaps demonstrates that security practitioners have a better perspective than security analysts.

March 16, 2009

Keep away from the Dark

Friday's BBC "Click" technology program contained a demonstration of a 20,000 strong botnet. Was this legal? Was it ethical? And was it a sensible idea? These are important questions that need to be debated and addressed.

It raises the issue of corporate ethics, especially the need for clear direction on what constitutes acceptable business practice. In a business world where many IT staff are familiar with hacking techniques, and controversial techniques such as penetration testing, customer profiling and employee monitoring are everyday business requirements, we need to draw a clear line to avoid overstepping the mark. Security has always had a dark side. Let's hope it stays that way.

March 29, 2009

Ethical hacking - a good or bad term?

Last week's British Computer Society Information Security Conference reopened a debate about the use of the term "Ethical Hacking". A year ago, the BCS Security Forum issued a statement discouraging the use of the term. I contributed to that judgment and I support it. But not everyone agrees of course. Professor Lachlan Mackinnon, for example, who was also speaking last week, runs a course with this title at a Scottish university. He describes the BCS judgment as "bollocks". It's an understandable reaction from someone with an existing stake in the term. Does he have a point?

Lachlan argues that the term is an established one, used by respected researchers, and that the content of his course includes both ethics and hacking. That's a fair comment. Ethics and hacker techniques are useful components of any security course. And ethical hacking is a widely used term. Practitioners like it because it's glamorous-sounding and headline-grabbing. It's also a "sticky" phrase, one that might come across as understandable, plausible and compelling to an ordinary business manager. But adopting a fashionable term and teaching a selection of contemporary practices is not always appropriate in an information security profession that's relatively immature, littered with bad practices and developed by self-taught individuals.

The reality is that ethics are rarely spelled out in customer specifications for security testing exercises, except in the context of having to operate within the constraints of the law and the organization's codes of conduct. And that applies to all business activities, not just security tests. I strongly support the teaching of ethics to students. But it's important to recognize that a course of ethics does not make people honest or capable of keeping secrets. For that we have to rely on vetting, contracts and supervision. And if we're really serious about security we should also ensure that our programmers and system administrators operate to high ethical standards of behavior. Ethics are for everyone, not just for security testers.

The hacking association is also dangerous. It suggests that testers should assume the mindset and techniques of hackers. You can argue that the term is misrepresented by the media and simply refers to an enthusiastic programmer. Donn Parker used to promote that line, suggesting that we should use the term "cracker" for the bad guys. But few people see it that way. To the vast majority of people, hackers are the criminals that break into computers for selfish reasons. And as any psychologist will tell you, labels and perceived roles play a significant part in shaping behavior. If you use a dark sounding label you will inevitably attract a fair share of dark types and encourage a certain amount of dark behavior. You can certainly sense this from the war-stories recounted by so-called ethical hackers. They conjure up an image of spies, dirty tricks and creative anarchy, rather than of a disciplined, low profile business service.

In the real business world, vulnerability management has no need for drama, subterfuge and security theatre, except as a last resort demonstration to business management. It does of course require what Bruce Schneier would call a "security mindset". But the execution has to be disciplined and controlled. Scanning, probing and penetration tests can all too easily hit the wrong target or bring down critical operational systems. I've seen it happen. They also introduce a new exposure from the demonstration of security vulnerabilities that cannot be rectified, for technical, financial or operational reasons. The presentation and handling of sensitive results should be managed in an exceptionally low profile manner.

And the remedial work needs to be addressed as part of the same discipline. It's no good building a profession that merely presents a long list of exposures to a business unit strapped for skills, resources and cash. The discipline should set out to solve problems, not just highlight them. Practitioners often claim to uncover flaws that clients decline or fail to fix. That translates to a failure to address the underlying business problem. We need to discourage the temptation to carry out the easy task of finding a weakness and then moving on to a new target. We need to deploy our most creative experts on the resolution of security problems. From that perspective "ethical hacking" reflects a means rather than an end, and would be better replaced with a phrase such as "vulnerability management", which demands a more complete governance cycle, including the actual resolution of flaws.

June 5, 2009

Security is an inefficient market

(ISC)2, the leading information security certification body, has just published the findings of a survey of the information security job market. Their results indicate that the outlook for the profession remains healthy, with new jobs coming onto the market and fewer expected budget cuts. In fact, the findings showed that managers are struggling to fill positions because of skill shortages and excessive salary demands from former banking sector staff.

These findings come as no surprise. The market for information security professionals is one that continues to grow to meet the demands of an expanding problem space. Being primarily driven by incidents and compliance, this growth is neither steady nor smooth. And skills shortages are inevitable in a subject area that's new, complex and constantly changing. Investment in education and training has also been in short supply for far too long. Companies today rarely invest in staff training, so individuals must manage their own professional development.

All these trends indicate that the market for information security skills and services is likely to be an inefficient one for many years to come. But that's not all bad. As a successful, self-made millionaire once pointed out to me, there's money to be made in inefficient markets.

June 21, 2009

W-Tech 2009

One of the things that strikes me as imbalanced about information security is the relatively low proportion of women entering the profession. It might be the traditional image of security as an "old boy" network that discourages this. Or possibly the perception that it's a profession for technology geeks who like to meddle with firewalls and cryptography. But given that the future of security is likely to require an increasing use of psychology and communications skills, perhaps we should now be aiming to change the perceived image in order to attract a more balanced cross-section of practitioners.

I shall certainly be doing my best to achieve this at W-Tech in London on Wednesday, which is expected to attract more than a thousand women with an interest in IT. I'll be speaking on how to manage the human element in information security. In my view the most important future security skill is the ability to persuade large numbers of people to do something that they wouldn't otherwise do. And that's certainly not a skill for which men have a monopoly.

July 15, 2009

How to be a Superbrand

I was interested to read that Microsoft has overtaken Google to top the latest UK consumer survey of leading brands. The three criteria used were quality, reliability and distinction. These are not qualities normally associated with computer software, especially commodity items such as browsers and operating systems. And several years ago you would not have expected Microsoft to win any form of popularity contest. Does this indicate that Microsoft's drive to improve their security and integrity has paid off?

August 8, 2009

Who can you believe?

I was disturbed to read about Adam Laurie's claim that he successfully cloned and changed the data on a UK Identity Card. I was also concerned to read the Home Office response that "This story is rubbish".

It's sad that neither side can articulate a respectable account of the claimed weakness and whether or not it might present a problem. Publishing a sensational account in a national newspaper is certainly not a professional way of managing a potential security weakness. But neither is a simple four-word denial from the Home Office.

All technologies, standards and implementations have weaknesses. The trick of security management is to apply defence-in-depth controls to mitigate the associated risks. Without an insight into these controls, it's impossible to tell if a system is adequately secure. Personally, I would be astounded if the system was as wide open as Adam Laurie suggests, given the considerable expertise available to the Home Office.

One trend this story does reflect is the inevitable growth in FUD, spin and disinformation that is an intrinsic feature of an information society. It's just unfortunate to see this happening within the information security profession.

About Professionalism

This page contains an archive of all entries posted to David Lacey's IT Security Blog in the Professionalism category. They are listed from oldest to newest.