Recently in Security Solutions Category

Reflections on Infosecurity Europe week


I always look forward to Infosecurity Europe week, which guarantees a great congregation of security luminaries and practitioners in London. I say "week" because there is so much going on around it. You run into many old friends, meet new colleagues and learn a lot about the latest products and services.

This year I attended the first day of Infosecurity and its accompanying receptions, though I spent longer at the nearby Counter Terrorist Expo at Olympia.

What impressions did these events leave? Very different and varied I have to say. The Infosecurity conference agenda was lacklustre, though the exhibition was first class. It's been progressively changing from a conference into an exhibition, which is probably no bad thing for the exhibitors, though it could limit the attraction. Interestingly, many security managers I met said they were there for the exhibition, rather than the conference sessions. You just have to walk around to find experts on just about every aspect of security.

The added attraction is the raft of free lunches and receptions in nearby hostelries. This is the inevitable result of expensive but rather limited in-house dining facilities. It persuades many visitors to look outside for lunch or early evening drinks. But it creates a tremendous village environment for the whole area. Portcullis must be congratulated for breaking the mould and establishing a rival centre for security managers to congregate. Good for them for setting and maintaining this trend. Competition is always welcome in any field.  

The Counter Terrorist Expo at Olympia had a better conference agenda with sessions on just about every aspect of physical, personnel and electronic security. A key concern for many was the security of the London Olympics. But the most interesting trend to note was the progressive shift of cyber security know-how into the defence and counter terrorist space. Let's face it, we haven't seen anything yet until we experience the impact of true cyber warfare or cyber terrorism. They're not yet happening. We'd certainly notice it if they were.

These events are quite different from their equivalents in other regions. In the Netherlands it's hard to find the conference. In contrast, in Hong Kong at the 21C Info-security event (at which I'll be giving the keynote address) the main focus is the conference, which will be very well attended. The Hong Kong event is also better themed with a greater focus on innovation and the need for revolutionary thinking.   

So what did I take away from this week? It was so rich that I can only point out a few highlights. The Counter Terrorist conference had the best agenda. There were great presentations on terrorist threats and sophisticated debates on electronic conflict and cyber warfare. These are faster moving issues, unlike traditional information security management which has been stuck in a rut for the past decade.  

The most interesting product on display at Olympia was the panic room in a box. At Earls Court it was Wave Systems' secure Facebook solution. Secure social media is a societal game changer if the vendors can get the marketing right. Communities will be able to hide their communications. But who will hold the keys? The answer of course is that it will depend on the pattern of the uptake rather than the desires of the various actors. Like many of the future trends in security, it's in the lap of the Gods.


Oxford takes an interesting lead


A few weeks ago, along with some of the great and good, I attended the launch of the new Oxford University Cyber Security Centre. I wasn't expecting anything especially new but I have to say I was impressed by Professor Sadie Creese's initiative to embrace disruptive ideas and inject creativity by engaging with experts from other fields, ranging from ethics and law to hedge funds and astrophysics.

It's a great idea because the established security research community has failed to deliver much in the way of innovation over the last thirty years. And some of the better ideas have come from stealing ideas from other areas, such as Professor Stephanie Forrest's work at the University of New Mexico in taking ideas from nature. (Her work once inspired me to commission a fraud detection system based on a model of the human immune system.)

This has to be the way forward. I salute Sadie and her team. Oxford already have a fine reputation for Trusted Computing work, so there is a good basis for future success.


Small businesses need better security advice


I was concerned to read a recent report of a study by SecurityMetrics, a vendor of merchant data security solutions, which claims that 71% of the merchants who took part were found to store unencrypted payment card data. This is a direct violation of the mandatory Payment Card Industry Data Security Standard (PCI DSS). And it apparently reflects an increase of 8% on last year.

Who is at fault? That's not difficult to pinpoint, given that Visa estimates that its smallest business customers account for 95% of its breaches. Why are small businesses to blame? The answer is that no one has bothered to educate them. Who should have done this? Industry and government are both at fault.

It is well over a year ago since the Information Commissioner's Office published my research into the availability of advice on security for small/medium sized organisations. It was pretty damning, pointing out that most advice was unsuitable, incomplete or in the wrong place. Amongst other things it pointed to the absence of any advice on PCI DSS on the major educational sites.

The report was widely discussed and presented. Yet little seems to have been done. Where does one look? A quick glance at Get Safe Online turns up a blank on PCI DSS. A pointer from Get Safe Online to a Business Link site results in a server error on the first question. A pointer from Get Safe Online to Microsoft's Small Business Centre contains no mention of PCI DSS. A click to a Symantec guide results in an "access forbidden" message.

So who should take the lead on advice to small companies? Given that the UK Government has such a high-profile investment in cyber security, I think they should start to roll up their sleeves.


A small step for the UK Government


Lots of people, even my neighbours and relatives, are asking me what I think about the UK Government's new National Cybersecurity Strategy. It certainly attracted a fair degree of publicity, which is rather surprising given the limited scale of the investment and the lack of anything remotely controversial or unusual.

Of course any investment in cyber security has to be welcomed, so we have to congratulate the chaps at the Cabinet Office for negotiating their way around the cutbacks. But let's keep this in perspective: £650 million is not an insubstantial amount, but it's a drop in the ocean when spread over four years and shared across several departments.

One might also have expected a little more innovation in how to spend this money. A new strategy is a terrific opportunity to drive through change or create a new paradigm. And existing approaches to security are failing so we need fresh thinking and forward looking solutions.

Yet it's the same ideas that we've seen before: continue with the existing agenda; talk to the private sector; hold a summit; restructure a few organisations. The most innovative idea is to provide expertise to the private sector. This might help with the funding, but it's an approach that was tried and abandoned by many big companies back in the nineties.

Strategies can be excellent vehicles for inspiring a community and focusing its efforts, but this one adopts a bit too much of a scattergun approach. Strategies don't need such detail. I recall hearing one Chairman announce to senior management that the new strategy was that "we're going to be bloody good at running this business".

The real danger, however, is that this strategy is seen as having solved the problem resulting in complacency or acting as a brake on new ideas and initiatives. A small step forward is not the answer to a problem that demands a great leap forward. 


Reflections on RSA Europe 2011


This week's RSA conference in London was an unusual blend of predictability and surprise. As usual the networking, programme and event management were first class, which is the main attraction for me.

As expected, there was little new or interesting on show. As usual, the keynote speakers were mainly sponsor executives. But this year the messages and the mood were different. The general theme seemed to be that traditional security solutions are no longer effective.  

The conference started with a masterclass from Art Coviello on how to emerge from a massive data breach smelling of roses. Peppered with quotes like "What doesn't kill you makes you stronger" it was a superb piece of spin, reflecting a carefully constructed crisis response strategy. I even agreed with him that the future demanded greater exploitation of data mining and fusion.

Preceding that was a celebratory film about the cryptographers who invented public key algorithms. They are all heroes now despite the fact that they don't seem to have developed anything significant in the thirty five years since then, or the fact that we still can't get their inventions to work as intended.  

Following that was a good programme of panels and lectures. With six streams, you can only scratch the surface of what was on offer, but there was plenty for everyone.

The best learning point for me was from my own panel session on US and European data protection and encryption laws: the security community needs to engage urgently with the legal profession and the regulators to help promote efficient schemes for data breach reporting. The most impressive new product on display was the Visa CodeSure authentication chip card which ticks all the right boxes. The most useful give-away product was the Qualys spectacle cleaning cloth.

The conference ended on a flat note with a rambling rant from Tim Berners-Lee on what's wrong with e-Commerce and security. Most of it stated the obvious about the poor ergonomics and the lack of standardisation in today's security solutions. Tim clearly has a great vision but he lacks a cunning plan to overcome the obstacles to achieving it.

But we do need a few idealists to counterbalance my rather defeatist view that if security isn't painful then it probably isn't any good. This is not entirely true in theory but it generally turns out to be the case in practice. 

Future solutions to safeguard information security


This is the third in a series of commentaries on what's wrong with information security and what needs to be changed. My last postings discussed the need for changes in the perception and sponsorship of security, as well as the changes needed in standards. This one discusses the new solutions that are needed to safeguard our future interests.

Solutions are a combination of technology, skills and operational practices.  When it comes to information security, all of these are weak.

Few security technologies have emerged in the last 20 years. You can count them on one hand. It's also questionable whether current solutions will scale to meet the imminent 'data Tsunami' and the accelerating (exponential) volume of relationships created by networks.  

Security skills are thin on the ground, and in my view those in place are generally the wrong ones for the future. This subject will be dealt with in more depth in my next blog posting.

Operational practices are rooted in industrial age 'process' thinking, which places too much reliance on policies, procedures and audits. This is an inadequate basis for a dynamic subject area in a society that has long dispensed with the need to read operating instructions.    

Technology is the only hope for achieving future change, because it mandates the new security skills needed, and shapes future operating practices. The key requirements of new technologies are that they are affordable, agile and scalable. On top of that, they need to be relatively easy to implement and manage.

Fortunately, there are several emerging technologies that will fit that bill. 

Virtual infrastructure transforms both the problem and solution spaces. It results in new security exposures and attracts new threats, yet at the same time it removes many existing attack vectors (such as scanning platforms for vulnerabilities).

Virtualisation technologies can also present new opportunities at the client level, such as HP's concept of multiple identity personae operating in isolated environments. These solutions are highly promising as long as they are underpinned by trusted computing architectures.

Cloud based security services can leverage a much broader knowledge base, enabling small organisations to quickly identify and respond to new threats. As time goes by, these services will increasingly learn to exploit the greater knowledge and visibility of the user community, enabling scalable, improving solutions to be delivered to customers.         

Dashboard technology is also maturing, enabling a centralised, real time overview of events. The concept of a secure operations centre is a reality, and an increasingly essential capability for managing major incidents. In an increasingly volatile business environment, the future of all business management will be rooted in an efficient information centre and control environment.   

Data mining, fusion & visualisation technologies are powerful, proven tools to identify fraud and support security investigations. We have only scratched the surface of these emerging capabilities, but enterprises will progressively grasp the benefits of these technologies.

The operation of these new capabilities will drive the demand for new skills, better infrastructure and faster processes to manage information security. Within a decade these new capabilities will transform the solution space. The challenge will be to persuade governments, regulators and institutes to recognise the need for change.  

Countering Advanced Persistent Threats


This week's ISSA-UK Chapter meeting addressed the subject of the Advanced Persistent Threat (APT). It was illuminating to hear four very different perspectives from a government expert, an engineer, a banker and a top US technologist.

Surprisingly, none of the speakers seemed to grasp the true nature of an APT. They described it as either a method of attack used by governments and criminals, an undetectable Trojan, or just another form of malware attack. In fact, an APT is exactly what it says: a threat that is both sophisticated and persistent. It's someone that's after your secrets: someone prepared to invest serious expertise, time and money to get them, and who will not go away, even after they've got them.

Each speaker recommended a different solution. The answer was either to share intelligence, install monitoring technology, educate your staff, or implement self-encrypting drives. These are all useful measures. But only the last one is guaranteed to eliminate a major vulnerability that enables the type of deep-seated, covert attacks associated with APTs. The rest simply improve your odds of detection, which is not good enough, since an attacker only has to succeed once.

One speaker claimed "There is no silver bullet technology solution". That might indeed be true. But there are several available security technologies that are highly effective, yet not commonly deployed. Perhaps the real exposure is that today's security community is too obsessed with compliance and established process, and takes insufficient interest in emerging security technologies.  

Self-encrypting drives


I've long been an enthusiastic supporter of self-encrypting drives (SEDs), a technology that offers substantially better performance and security than software-based encryption solutions. SEDs can even work out much cheaper to deploy, as a less powerful machine can be used to deliver the same level of laptop performance. Yet few organisations are deploying them. Why is this? Is it apathy, ignorance or some other reason?

The Ponemon Institute have just published a survey of IT Practitioners on their perceptions about SEDs. Unsurprisingly, it shows that compliance is the main driver for adoption of encryption solutions. More interestingly, it reports that most practitioners have a high regard for SEDs and their capabilities. The barriers to adoption appear to be perceptions about cost, and uncertainty about the options available and their ease of implementation. Another issue seems to be the division of responsibilities and decision-making in the procurement process.

This sounds about right. I recall meeting a security manager at a recent conference. I asked him if he had encryption on his enterprise laptop. "Of course" he replied "though it's currently switched off". I asked him if he'd considered SEDs. "No" he responded "but it sounds like a good idea". He didn't, of course, pick the solution.

Ponemon predict that, as understanding grows, there will be greater adoption of SEDs. That of course assumes that enterprises take more interest in the quality of their security solutions, rather than just aiming for the easiest route to ticking the compliance box.    

By the way, for those who'd like to know more about SEDs, Bob Thibadeau, the inventor, is in London later this week and will be speaking at the ISSA-UK Chapter meeting on Thursday.   

Keep it Simple Stupid


One of the most important principles to observe in information security management is the KISS principle. Users will only accept solutions that are fast, cheap and simple. Security is a "grudge purchase". Most people aim to avoid it, or minimise the time, money or resources required. It's not surprising. Security restricts what people can do. It makes information systems more complex. And much of the time it irritates users. As Professor Fred Piper once reminded me, if a security system isn't a pain to use, then it's probably not secure. That's one reason why we don't have perfect security, and why we tend to end up with a bunch of less-than-fully-secure solutions.      

At the same time however, we need more enabling science to help us build better future security solutions. So any advance in theory or applied research is welcome, regardless of its current cost, complexity or feasibility. It's a pleasure therefore to see that the Jericho Forum has finally published its "Identity" Commandments. These fourteen principles represent an impressive step forward in the theory and potential future practice of identity management.

The problem is that these principles will be undecipherable and irrelevant to most IT managers. This is not new. The history of identity management is littered with broken dreams, failed theories and flawed products. Role-based access, digital certificates, smart cards and single-sign-on all proved to be disappointments. I know of no identity management programme that delivered on its original vision.

After three decades of sophisticated research and development, the vast majority of organizations have yet to progress beyond simple solutions such as passwords and SecurID tokens. There's an important learning point here for security managers who wish to strengthen their identity management systems. New solutions must be as simple as possible and build on proven solutions rather than experimental ideas.

It's important also to think beyond traditional approaches. If that appears to contradict the previous point, then ask yourself why GSM phones and satellite set-top boxes manage to deter fraud without the need for any passwords. The answer is that they exploit device authentication mechanisms. This is an example of a simple solution that most CISOs tend to overlook, despite the fact that virtually all professional laptops and servers now come equipped with unique authentication codes embedded in tamper-proof chips.

We might not be able to predict with certainty what the next big thing in security will be, but one thing we can be sure about is that it will be something that's simple, cheap and fast. 

RSA hack is a timely reminder of the need for richer authentication


Last week's admission by RSA that they had been the victim of a sophisticated espionage hack that could reduce the effectiveness of its authentication SecurID product, reminds us of the danger of placing too much reliance on a single authentication mechanism.

Given the relentless and sophisticated nature of today's advanced persistent threat attacks, organizations with secrets to protect require richer authentication processes, based not only on "what you know and have", but also "where and what you're coming from".

One overlooked feature that is relatively easy to implement is device authentication, ensuring that only known devices can connect to sensitive assets. Security managers have been surprisingly slow to catch on to this countermeasure, despite the fact that it's been successfully used to deter threats to mobile phones and set top boxes.

Virtually every professional grade laptop is fitted with a trusted platform module (TPM) that enables strong, automatic authentication of connected devices. CISOs should take a look at this option. It's easy to implement and provides a vital layer of protection from any attackers that might steal your passwords and hack your tokens.    
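The device authentication idea raised in the "Keep it Simple Stupid" post and again here comes down to a challenge-response exchange: the server sends a fresh nonce, the device answers with a value that can only be produced with a key held in the chip, and the server checks the answer and refuses to accept it twice. The example below is an added illustration of that exchange and is not code from the original posts. It simplifies the hardware side: the device key is an HMAC secret kept in memory as a stand-in for a TPM-resident key (a real TPM would sign the challenge with a non-exportable asymmetric key), and the device name, user name and secret are constructed sample data.

```python
"""Challenge-response device authentication, simulated (added example).

The HMAC secret held by Device stands in for a key that a TPM or similar
tamper-resistant chip would keep non-exportable; this is an assumption for
the example, not how a TPM actually signs.
"""
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 30.0


def _bind(device_id: str, user: str, nonce: bytes) -> bytes:
    # The response covers the device, the user claiming to be on it and the
    # server's fresh nonce, so a captured value is useless anywhere else.
    return b"|".join([device_id.encode(), user.encode(), nonce])


class Device:
    """Client side: holds a secret that never leaves the device."""

    def __init__(self, device_id: str, secret: bytes):
        self.device_id = device_id
        self._secret = secret

    def respond(self, nonce: bytes, user: str) -> bytes:
        return hmac.new(self._secret, _bind(self.device_id, user, nonce),
                        hashlib.sha256).digest()


class Verifier:
    """Server side: enrols device secrets, issues challenges, checks answers."""

    def __init__(self, ttl: float = NONCE_TTL_SECONDS):
        self._enrolled = {}   # device_id -> secret (a TPM public key in reality)
        self._pending = {}    # nonce -> (device_id, issued_at)
        self._ttl = ttl

    def enrol(self, device_id: str, secret: bytes) -> None:
        self._enrolled[device_id] = secret

    def issue_challenge(self, device_id: str, now: float = None) -> bytes:
        if device_id not in self._enrolled:
            raise KeyError("unknown device: " + device_id)
        nonce = secrets.token_bytes(32)
        self._pending[nonce] = (device_id, time.monotonic() if now is None else now)
        return nonce

    def verify(self, device_id: str, user: str, nonce: bytes,
               response: bytes, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        # Single use: the nonce is removed whether or not the check passes,
        # so a replayed response can never succeed.
        issued = self._pending.pop(nonce, None)
        if issued is None:
            return False
        issued_to, issued_at = issued
        if issued_to != device_id or now - issued_at > self._ttl:
            return False
        secret = self._enrolled.get(device_id)
        if secret is None:
            return False
        expected = hmac.new(secret, _bind(device_id, user, nonce),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the exchange for the genuine device and four attack cases."""
    secret = secrets.token_bytes(32)          # constructed: chip-generated in reality
    laptop = Device("laptop-0042", secret)    # constructed sample device
    server = Verifier()
    server.enrol(laptop.device_id, secret)
    results = {}

    # 1. Genuine device answers a fresh challenge.
    nonce = server.issue_challenge(laptop.device_id, now=100.0)
    resp = laptop.respond(nonce, "alice")
    results["known_device"] = server.verify(laptop.device_id, "alice", nonce, resp, now=101.0)
    # 2. Replaying the captured response: nonce already consumed.
    results["replay"] = server.verify(laptop.device_id, "alice", nonce, resp, now=102.0)
    # 3. Attacker with alice's password and the device name but not the chip.
    nonce = server.issue_challenge(laptop.device_id, now=100.0)
    impostor = Device("laptop-0042", secrets.token_bytes(32))
    results["cloned_id_wrong_key"] = server.verify(
        laptop.device_id, "alice", nonce, impostor.respond(nonce, "alice"), now=101.0)
    # 4. Genuine response presented after the challenge has expired.
    nonce = server.issue_challenge(laptop.device_id, now=100.0)
    results["expired"] = server.verify(
        laptop.device_id, "alice", nonce, laptop.respond(nonce, "alice"),
        now=100.0 + NONCE_TTL_SECONDS + 1)
    # 5. Response computed for one user, presented for another.
    nonce = server.issue_challenge(laptop.device_id, now=100.0)
    results["user_mismatch"] = server.verify(
        laptop.device_id, "bob", nonce, laptop.respond(nonce, "alice"), now=101.0)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The point of the five cases is the one the post makes: a stolen password (case 3) or a captured network exchange (case 2) is not enough on its own, because the response depends on a key that stays in the device. Swapping the HMAC for a TPM signature changes the primitive, not the shape of the exchange or the checks the verifier has to make.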
