Recently in Security Solutions Category

Ten answers to cyber security


My last posting was perhaps a bit too negative. I should correct that by setting out my own solutions to cyber security. Here are my ten answers.

  1. Invest more public money into imaginative new approaches to malware detection.
  2. Ditch standardized, tick-box, compliance processes. Give freedom to security managers to implement innovative solutions.
  3. Place more emphasis on technical solutions and less on bureaucratic governance processes, which have become excessively bloated.  
  4. Empower CISOs to overrule business objections on grounds of cost or delay.
  5. Massively speed up the implementation processes for security solutions, from years to days.
  6. Escape from the pervasive security "monoculture" of identical controls which makes it easy for attackers. Security by obscurity is no bad thing.
  7. Design security systems to counter projected future threats, not just today's.   
  8. Recognize Ross Ashby's Law and harness the scalability of technology and networks to leverage security.
  9. Expect users to make mistakes. Take account of this when designing systems. 
  10. Manage crises as opportunities to gain free publicity and drive through change. Smart companies can emerge stronger.     

Ten top experts and ten steps backwards


I was fascinated to see that the latest issue of Forbes magazine has a feature on cyber security. It sets out what must be fixed according to ten top experts. Have they got it right? 

The answer sadly is a resounding "no". But just how bad can that be? Unfortunately it's pretty dire. On this evidence the problem lies with the experts, not the practitioners. It's unfortunate because many executive boards don't listen to their security managers, but they do pay attention to media pundits.

So what did the top ten experts suggest? 

Not a lot that makes sense to real practitioners. Every one of them "muttered something about there being no silver bullets". In my view that's a negative attitude because we would all like to find a silver bullet and there's absolutely no reason why they should not exist. Such reasoning reflects a lack of imagination and a disdain for smart solutions. 

I expected more from Brian Krebs, an investigative journalist, who could only say that "it requires a mindset shift. I'd like to see more users place far less reliance on automated tools". Not good advice in my view. In a fast moving, dynamic environment, we need more technology and automation.

Scott Charney, a Microsoft VP, suggested that the answer was for "companies to be transparent about how they handle data" and "to have robust corporate programs to protect privacy". Such statements are likely to be regarded as meaningless waffle by most streetwise CISOs and auditors. And few businesses will genuinely embrace privacy because it restricts business exploitation of data.

Cisco's Chris Young suggests that the problem is increased by the so-called "Internet of Things" which demands a "threat-centric approach to security". Personally I thought we'd already been doing that for thirty years or more.   

Chad Sweet, the CEO of a security and risk advisory firm, suggested that we need "cyber audits" to give stakeholders confidence. To the experienced CISO, inundated with audits, this will be bad news.

Edith Ramirez, chairwoman of the FTC, thinks the answer is encryption. Perhaps she has yet to experience the downside of this magic bullet, which many of us have found to create as many problems as it solves.

Heather Adkins, a Google security manager, sees the problem as a technical one associated with 60s and 70s vintage systems. (Gosh. What was wrong with them?)  She thinks the answer is to reduce the attack surface, which is a great idea if you are actually in a position to do that. Unfortunately many business trends are going in the opposite direction.

Daniel Suarez, a sci-fi writer (Whoa!) suggests the answer is to scrap the Internet and build an Apollo-like, secure network for critical infrastructure. He's right but it's an impossible dream.  

Peter Singer, an author, thinks it's all about human incentives. The answer is to adopt a mantra of "keep calm and carry on". This is very pragmatic of course, but ultimately rather too defeatist.  

Christopher Soghoian, a technologist, suggests that the problem is politics and the need to have a forceful agency that makes everyone patch vulnerabilities. Dream on.

Joe Sullivan, CSO at Facebook, suggests the answer is to have a security infrastructure that keeps up with the billions of people coming online. That seems like good advice, so let's look to Facebook for a secure environment.    

Is this the best we can do? Of course not. Business and citizens deserve much better from vendors, institutions, and journalists. If our pundits cannot see the solutions we are doomed to wait many years before the real issues are recognised and the real solutions developed. 

No progress on the conference front


It's remarkable that in the face of the most sophisticated espionage threats, the most capable cyber-criminals, and the most severe compliance requirements ever experienced, the cyber security community cannot muster a single new idea.

Certainly the conference circuit has lost the plot. It cannot even dream up an innovative slogan. The theme at this year's RSA Conference was sharing and learning. Compelling stuff! The theme of Infosecurity Europe was business enablement. Old ideas that fail to deliver in practice.

Walking through Infosecurity Europe was a dull experience: no buzz, lacklustre sessions, no new ideas, and no gee whizz technologies. The only visible change this year was the size of the stands which looked to be a metre higher.

Real security is dead. Speeches, products, training and university courses are building on a failed legacy of ISO standards, risk assessment and compliance. We need to kill this monoculture and replace tick-box security with creative problem solving. More importantly, we need to persuade executive boards to trust and empower CISOs to take hard decisions, rather than pretending they are there to enable business operations.

But we are a long way from achieving these aspirations because they are not recognised or supported by the cyber security community.


Testing can be fun

It's interesting how many people are attracted to penetration testing, thinking it's more interesting and fun than conventional product testing. They're wrong. Scanning platforms for vulnerabilities is dull and boring. In contrast, smashing up physical products is fun, challenging and satisfying. Check out BSI's Kitemark testing lab, which tests everything from fire extinguishers to condoms. Now that's what I call testing.

Research does not guarantee innovation


Earlier this week I attended the excellent Stevenson Science lecture at Royal Holloway University on "The Birth of Machine Cryptanalysis at Bletchley Park", given by Dr Joel Greenberg of the Bletchley Park Trust. When listening to any account of wartime code breaking one cannot fail to be impressed by the astounding level of innovation demonstrated by the early cryptanalysts. Such creativity is rarely encountered in today's commercial environment, which stamps out mavericks and encourages tick-box conformance, short-term action and widespread copying of other people's practices.

The lecture was followed by a private dinner at which the Dean announced the University's plans for a new Innovation Centre. There's been a slight hitch in accommodation. (I'm told the earmarked site was sold to house builders.) But the concept must be applauded. Innovation is essential to help us escape from the damaging culture of conformance and compliance that has poisoned our cyber security efforts. And funding of fresh thinking is the key to finding the silver bullets to kill advanced persistent threats.  

Unfortunately it's more likely to be more of the same rather than anything new: one step forward and another back. The step forward is the creation of a bigger research effort and an incubator for new developments. That is certainly welcome, though it might not necessarily create any new funding. The step back is that the research will still be under the direction of the usual suspects, i.e. the government and industry sponsors, supported by an advisory board of establishment figures. So don't expect to see anything that is left-field, long term or high risk.

The problem is that government research bodies don't like to fund anything that looks remotely like a product: the closer you get to anything practical the quicker the funding tails off. In contrast vendors and venture capitalists tend not to fund anything that takes more than 18 months to develop. They are only interested in money or new features for their products. That's why we have so few innovative security technologies. New approaches tend to disappear down the gap between blue sky research and product development.

Fifteen years ago I sponsored the development of a model of the human immune system for fraud detection. It worked but needed further development. The concept died when the funding ran out. A similar fate killed another promising research project to detect human behaviour of security interest in digital networks. No less than a decade of funding is required to take a new technology from the drawing board to the market place. In the case of cryptography it can be even longer, as new approaches take many years to be accepted and implemented.   

Groundbreaking ideas rarely result from themed research. Creativity requires a high level of freedom coupled with a clear focus on a challenging problem - the more impossible-sounding the better. NASA research works because it focuses relentlessly on solving problems. MIT Media Lab works because it recruits students with creative ideas and gives them freedom to choose and direct their own work. MIT Media Lab researchers can develop a magic trick, design a new musical instrument or tackle a seemingly-unsolvable problem. Sponsors can visit and discuss their business requirements with researchers but they have to "charm" the researchers into cooperating. Promising projects will run for many years. That's how to encourage and enable real innovation. Anything less is merely jobs for the research boys.  


Qualys - A force to be reckoned with


Last week I attended a sneak preview of the latest Qualys product road map. I was impressed, not so much by the functionality of the products - which is not especially original - as by the ambition and architecture of the new product range.

While other security vendors have been extending their products through acquisitions of best of breed point solutions, Qualys have been quietly re-engineering their services around a unified, secure, cloud architecture, avoiding the patchwork quilt of products that other vendors have inherited.

Qualys are also extending their product portfolio to match those of their competitors. It's a move that presents a potential competitive edge in economy and speed of maintenance, which is good news for a marketplace that needs low cost, up-to-the-minute security defences.


APT Protection via Data-Centric Security

I'll be contributing to a Webinar on APT Protection via Data-Centric Security next Thursday. Given the progressive erosion of corporate perimeter security, it's about time we switched our attention to hardening our applications and data. The Jericho Forum have been preaching this for more than a decade. The message is finally getting through, though its implementation has a long way to go.

How to manage the risks of Advanced Persistent Threats (APTs)


My new ISACA book on Advanced Persistent Threats has now been published. It's an excellent guide for any Business, IT, Security or Audit Manager responsible for safeguarding critical, sensitive or valuable intellectual assets.

In particular, it advocates a higher level of response by enterprises at risk, based on coordinated action and a range of enhanced security processes, awareness and technologies.

It's free for members of ISACA and $60 for everyone else. At that price you would be well advised to join ISACA and gain the advantage of discounts on research reports and cheaper access to ISACA events.


More on the history of BS7799


Anthony Freed has been publishing further historical information on the true background of BS7799 on his Tripwire blog. There are some important learning points from these postings. It's particularly interesting to note that new standards are not taken up immediately but can have a major impact after a decade, by which time they are likely to be out of date.


It was 20 years ago today...


Well, not quite today, but at the end of September it will be exactly 20 years since the original text of BS7799 (now ISO 27002) was published in the form of BSI document DISC PD0003. The history of how the standard was developed has never been accurately documented until now. Anthony Freed has just published the first of three postings covering the background on his Tripwire blog. It's essential reading for any student of the history of information security. Don't believe what you read on Wikipedia. It's not all correct.
