Security Threats Archives

November 22, 2006

What the SANS Top 20 really tells us

Last week’s publication of the SANS Top 20 confirms a surge in sophisticated zero-day attacks on users and web applications. It should be seen as a wake-up call for those organisations who think security can be left to their IT operations staff. A new approach is needed. We’ve been de-perimeterised, as we say in the Jericho Forum. The threat we face today is no longer random vandalism by hobbyists. It’s targeted attacks by criminals or perhaps intelligence services on valuable information and essential services. We can’t expect to stop tailored, zero-day attacks with firewalls, virus scanners and penetration tests. We have to harden our applications, encrypt our sensitive data and implement strong authentication. This can’t be achieved overnight but the sooner we start the better. In the meantime we will have to raise our game substantially in monitoring, patching and user education.

November 23, 2006

Laptop security - it's not that difficult

Yet another laptop theft story in the newspapers. This time a case of three stolen laptops containing payroll and pension details of more than 15,000 Met Police officers. Following on from the recent Nationwide incident it’s clear that the UK Media have this theme firmly in their sights. It’s nothing new of course. Thousands of laptops are lost or stolen in the UK every day. But the problem is growing with increasing numbers of laptops with larger amounts of data being carried to and from work and between meetings. And there is now a higher probability that sensitive data might be compromised with the growing interest of organised crime in new sources of information to support identity theft.

Sensitive personal and business data should always be encrypted - both in transmission and storage. There is no excuse for not doing this today. The technology is available and affordable. But you can’t change the habits of an organisation overnight. Lots of HR, Marketing and Finance personnel have been downloading sensitive personal data into unprotected spreadsheets on their PCs for many years. It’s a legacy from a less dangerous age, when we all operated in secure office environments and criminals were less inclined to steal PCs for the data they contained. But the business environment and the security threat have changed substantially, so we should aim to close down these vulnerabilities as quickly as possible.

So what should CISOs be doing to mitigate the risks? Here are some suggestions.

November 29, 2006

Securing the Written and Spoken Word

Two unrelated news items caught my eye today, one an obscure case about a cheque modification fraud based on erasable ink pens, which I picked up from Bruce Schneier's blog, and the other one a high profile news item about the bugging of Royal conversations by journalists. It’s always helpful to get occasional reminders of the vulnerability of written and spoken information to short-range physical attacks, even though such attacks are generally rare and a relatively low priority for most organisations.

The interesting thing I’ve always found about these threats is that they often seem to be counter-intuitive for many people. Most of us have a high confidence in the provenance of paper and ink documents, even though they are extremely easy to forge. We are too trusting when it comes to the written word because forgeries are outside our everyday experience. Bugging is also an arcane practice that is not well understood by the average person. A paranoid executive might think that a crackly telephone line suggests a bug, when in fact the opposite is more likely, i.e. eavesdroppers prefer clear lines. And I know some executives who worry that their office might be bugged but still feel confident to pull out confidential papers on a train or plane, or perhaps talk openly in bars.

There's nothing more intrusive than a planted bug or line tap, but fortunately such incidents are rare. These attacks are tricky to mount, as they present risks to the perpetrator and they require inside information and frequent access to the target office. The results can also be unpredictable and time-consuming to process. There are often cheaper and easier methods of gaining inside information, such as bribing a member of staff or hacking into an insecure database. The trick, of course, when considering potential attacks on information is always to put yourself in the attacker's shoes.

December 1, 2006

Terrorist Cyber Threats – how much should we be concerned?

The US press and wire services report that the US Government has warned that US online stock trading and banking Web sites are the potential target of an al-Qaeda attack. The warning is reported to have originated from a Jihadist site.

A Homeland Security spokesperson is reported as saying: "There is no information to corroborate this … threat”. Reuters report that: “A person familiar with the warning said al Qaeda may be aiming to penetrate and destroy the databases of U.S. online stock trading and banking Web sites. But there was no evidence to suggest the effort could cause harm”.

Are we right to play down such warnings? They could well be false alarms. And our banks might well be adequately protected. There’s also a risk of crying wolf. But there’s also a danger of complacency. Personally I’d prefer to see a little more paranoia about the dangers of hostile cyber attacks.

Last year ZDNet accused me of being a “doomsayer” for a relatively mild prediction I made back in 1999 that the “Electronic Pearl Harbour” would not happen until around 2006. That particular prediction was based on an analysis of several Technology Road Mapping exercises, which indicated a cumulative build-up of threats, impacts and exposures that were expected to peak at around this time. Professor Fred Piper mentioned this in a speech earlier this year, posing the question: “Who is right?”

But regardless of what anyone thinks, it’s always better to be safe than sorry.

December 3, 2006

Databases are the New Target

I was interested to read about the latest assault on Oracle security by database security expert David Litchfield of NGSS. It comes as no surprise to me, as the focus of attacks and security controls are progressively and inevitably migrating from the infrastructure layer to the application space. Databases are the new target, because today's attacks are criminally motivated and that’s where the money is. So you can expect database vendors to come under increasing fire to tighten up their coding standards and product testing.

Of course the vendors already know this. I am regularly asked by application and database vendors what I think of their security. It often leads to a brief flurry of activity. But too often the response is a marketing initiative, rather than an attempt to transform their business processes. I guess that’s to be expected. Most software companies are run by commercial people, not technology gurus or security visionaries. Microsoft eventually saw the light and transformed their priorities, training and product development processes. It cost them a lot of time and money. Now other software vendors must bite the same bullet. It’s essential to meet today’s business expectations. You can’t avoid it. Even if the hackers don’t get you first, the regulators will sooner or later put a gun to your customer’s head.

Not that I'm pointing the finger at Oracle, because they do seem to have been raising their security game in recent years, and in fairness you should also check out Eric Maurice's response on his Oracle blog.

All of these legacy weaknesses in our databases and applications will take a long time to fix. So what can an organisation do to compensate for security inadequacies in their database applications? Well I’m afraid the answer lies in more add-on point solutions. The latest must-have security product is the database firewall. It would be nice if such technology was incorporated into leading application and database software products, but that’s some time away. In the meantime, if you’re concerned about your database security - and you should be – then you should check out Secerno, a new technology start-up out of Oxford University, based on some very interesting intelligent monitoring software designed by Dr Steve Moyle, one of the leading UK experts on database security.

December 5, 2006

Building a Secure World

Today marked the opening of a two-day conference and exhibition in London on counter-terrorism, ambitiously titled “Building a Secure World”. Highlights included excellent keynotes by the BBC’s star correspondent Frank Gardner OBE, and Sir Richard Mottram, Cabinet Office Permanent Secretary responsible for Intelligence, Security and Resilience. Both emphasised that the War on Terror was now primarily a battle of ideas and values, though there are other major strands including military, financial and intelligence initiatives. Clearly there is a long way to go, especially the work to influence hearts and minds.

The current UK Strategy is interesting for any security professional, comprising “4 Ps” to contain the risks: Prevent terrorism, Pursue terrorists, Protect the public (and UK interests), and Prepare for the consequences. No rocket science here but a nice, balanced set of objectives. And who should pay for all the extra security measures that Industry must implement? The UK Government policy is clear. Consumers should pay through Industry. UK companies should not expect cost sharing from Government.

Best quote of the day was from the floor: “We keep analysing the future through the rear-view mirror”. Absolutely correct and one of the main reasons we often get things wrong. I was also impressed to hear people using the more appropriate term “weapons of mass effect” rather than “weapons of mass destruction”. Now how many of our IT systems fall into that category?

December 8, 2006

Entering the Dark World of Cyber Crime

We should all be concerned about the growing criminalization of hacking, highlighted in a new, updated report by McAfee on Organised Crime and the Internet. This publication confirms a disturbing trend for criminals to recruit top computer students from UK universities. The report also suggests that children as young as 14 are being drawn into online crime by the promise of "celebrity status" among their peers.

Unfortunately, what might seem attractive at first will quickly become a highly dangerous lifestyle for the hackers, their family and their friends. Cyber crime is a dark, dirty business, not the glamorous profession that many young people would like it to be.

December 20, 2006

A Worrying Trend in Malware

Techworld reports a disturbing trend in the sophistication of malware. The problem is that it's declining.

Alexander Gostev, Head of Kaspersky Lab, points out that higher volumes of low-quality malware are taxing the resources of security companies. The quality is down but the quantity is up.

This is bad news because we know that the capabilities and criminal motivation of determined attackers are steadily increasing. But the security experts are being bogged down by a large amount of noise. It's a dangerous combination.

CISOs should ensure their organisations are well prepared for the possibility of a sophisticated, perhaps personalised attack. They should not rely on anti-virus companies continuing to respond in real-time to bail them out. Because the number of qualified experts is not infinite.

January 6, 2007

ATM Security - and how not to improve it

The newspapers are full of stories about Ross Anderson’s experiments with ATMs, demonstrating something we already know quite well, which is that if you spend enough time in a laboratory with a bunch of PhD research students you will actually find a theoretical weakness in a commercial system. Well of course you will! No security systems are foolproof, especially if you take them outside of their operational context. Any streetwise student can demonstrate this. But just how much does this add to the security of our banking systems? Well, not a lot.

I just wish that a university of the calibre of Cambridge would actually work constructively with APACS and the banks to develop secure solutions, rather than resorting to publicity-seeking exposures that are more likely to inform organised crime about potential lines of attack. But then that would be far too logical.

January 12, 2007

Database Security - Patching is not enough

Next Tuesday, 16th January 2007, Oracle will issue 52 critical patches. It’s clearly a great leap forward for database vulnerability management. But it also illustrates the size of our security exposure at the application level. Any company that relies on database security measures to safeguard critical business processes or sensitive personal data should be very afraid. The security threat landscape is now focused on espionage and data theft. Efficient patching will not be sufficient. We need a step change in the application of good security practices throughout the system development cycle. And we need to take steps to secure our intrinsically insecure legacy systems. Organizations should not simply wait for the next set of fixes to known vulnerabilities. They should identify their critical applications, assess the security risks associated with them and immediately apply additional security measures to prevent external and internal attempts to exploit potential weaknesses. There is plenty of affordable security technology on the market to help with this. So there's no longer any technical excuse for not keeping your critical and sensitive data under control.

January 17, 2007

Better Authentication Needed to Counter Man-in-the-Middle Attacks

RSA have reported the discovery of a “Universal Man-in-the-Middle Phishing Kit” offered for free trial on an online fraudster forum. The kit enables fraudsters to create a fraudulent URL via a simple online interface, to intercept and capture customer account details in real-time. It's a disturbing but inevitable development, providing a more powerful and sophisticated capability to the ordinary criminal. And it highlights the need for all organizations to raise their game in two-way (mutual) authentication.

User and customer awareness helps but that won’t stop the problem. Because there is a sizable percentage of people who will not understand the advice, will forget it, or will blatantly ignore it.

Strong authentication technology has been with us for years. It costs money but it reduces fraud and provides assurance for all parties. Too many organizations have traditionally relied on a reactive approach, hoping they can respond with a solution before the cost of fraud hits a damaging level. But this strategy breaks down when the threat grows much faster than the speed of implementing a fix. And phishing attacks are highly visible to customers. Your reputation is on the line as well as your money.

The Perils of Mis-addressed Communications

Stuart King's blog posting on the danger of accidentally misaddressing emails reminded me of an incident I came across several years ago. But this was the opposite problem. Wrong source rather than destination address. And deliberate, not accidental.

The incident caused a large supplier to fail to win, or even be acknowledged for an important contract they had expected to win. The supplier enquired and was surprised to discover that at a late stage in the tender process the customer had received a spoofed fax informing them that the supplier wished to withdraw from the bid, and did not wish to be contacted any further.

A simple, crude, blatant dirty trick by a competitor. Possibly with inside help. But it worked. And it demonstrated yet again that the soft underbelly of all organisations is the human factor.

January 24, 2007

Time to Publicise Security Incidents?

Ed Gibson's comments on my recent posting on "information security fatigue" raise a timely and important issue: Should we now publicise security incidents?

I'm in favour. Compliance is already moving in this direction. And if you have any Californian staff or customers you will already be responding to this issue. So let's come clean and report what's really happening. It's not without cost. It can impact your reputation. But it will quickly concentrate the minds of both business and customers.

February 4, 2007

e-Crime in The Capital

The status of Scotland Yard's current strategy on e-Crime can be seen in a recent report published by the Metropolitan Police Service. It's an illuminating read. Clearly there is much to be done, and the size and scope of the problem space is growing each year at a substantial rate. But progress is way too slow. e-Crime prevention and response needs a huge boost in leadership, resources and equipment. Without it, we’ll all get swamped by the growing waves of criminalisation of hacking and malware. We've already lost momentum with the absorption of the NHTCU into SOCA. Let's hope that the authorities can eventually grasp the nettle and begin to plan for the future threats that are heading our way.

February 19, 2007

Laptop Thefts Down at the FBI

It’s not often you get to see security incident data from other organisations, so I was interested to read a report published this month about laptop losses and theft at the FBI. This type of data is hard to come by because few organisations (other than Royal Mail Group) maintain reliable, historical data on such security incidents. And even fewer publish such information. It’s good to see that the FBI has successfully reduced laptop losses by around two-thirds, from around a dozen a month to less than four a month. The figures seem consistent with other data I’ve seen. In Royal Mail Group the problem was initially bigger, though the reduction was greater. Such savings represent hundreds of thousands of dollars a year in incident and replacement costs, not to mention the value in reputation protection and safeguarding of valuable intellectual property. And it’s not difficult to reduce the losses. It just requires a small amount of research and analysis, followed by a few simple, targeted, educational interventions. It's certainly one of the easiest and cheapest security investments for any organisation. So let’s all copy this example.

February 20, 2007

More on Laptop Losses – How many go missing?

Yesterday’s posting prompted a few questions about industry averages for the number of laptops that go missing. Such data would be very useful for business cases and benchmarking performance. Of course these figures vary across organisations and over time, depending on factors such as the mobility of staff, the degree of public transport used, and the vulnerability of the business environment.

One indication of the scale of the problem can be taken from surveys of City taxi drivers sponsored by Pointsec, a security vendor. They show that a surprisingly large number of electronic devices are left behind in London black cabs. A survey carried out a few years ago showed that in the last half of 2004, 63,135 mobiles, 5,838 PDAs and 4,973 laptops were left behind in London taxis. One hopes that most of these were deposited in police stations and eventually recovered by their owners. The figures from similar Pointsec surveys in the USA are much lower (5-10%) because fewer executives use taxis. But these figures demonstrate just how forgetful staff can be. Pointsec also point out that 60% of identity theft arises from lost or stolen equipment.

Education and regular reminders are needed. My experience is that left unchecked, a typical organisation can expect to lose up to 5% of their laptops per year. But this figure can be reduced substantially to below 1% by smart, educational initiatives. Mobile phones and PDA losses will of course be much higher. They are at present less of a concern, though a growing one with increasing amounts of data being stored on them. It would be interesting to hear other experiences and views on levels of laptop or PDA losses.

March 5, 2007

Wi-Fi Eavesdropping Gets Easier

I've been watching out for interesting reports coming out of last week's Black Hat Convention in Arlington. Apart from the RFID fiasco I commented on a few days ago, the main story seems to be a demonstration by Errata Security of a new sniffer tool, shortly to be made available, that helps categorise intercepted WiFi emissions.

Of course there's nothing new in the vulnerability of insecure WiFi networks to determined attacks. But these tools make attacks much easier to mount and will therefore create an increase in the potential threat level. I've often found that users will simultaneously adopt a more sophisticated approach to their use of IT when the usability of their tools exceeds a certain threshold. So any advance in sniffer tool usability might herald a new wave of attacks. One to watch for, though of course the problem is that such interception is largely invisible.

March 7, 2007

The Hidden Cost of Fraud

A new report commissioned by the Association of Chief Police Officers puts the cost of Fraud in the UK at more than £20 billion. It's been arrived at by adding up the costs of reported fraud and then adding a rather conservative 50% extra to take account of under-reporting and tax evasion. This might sound like a lot of money but in my experience it's a substantial understatement of the problem. Because organizations are not only reluctant to report fraud, they are also ignorant of most of the fraud that occurs right under their noses.

Fraud is hard to crack because it's invisible, hard to detect and difficult to prosecute. Much of it is the result of weak business controls and a lack of expectation that it will happen. Most managers are far too trusting. They expect their staff and colleagues to be honest and incidents to have a visible impact. But that's not generally the case. There's an old maxim that states that if you take any four people, one will be an out-and-out crook, one will be honest to the point of stupidity, and the other two will take a risk assessment to see what they can get away with. I've never tracked down the source of this adage or validated the statistics, but it would seem sensible to assume that there are significant percentages of staff in each category. (Can anyone shed any light on this?)

And fraud can carry on for long periods without detection. The Oil and Gas Industry were shocked in the late 80s to discover that networks of so-called "illegal information brokers" had for many years been manipulating major procurement contracts without their knowledge. Because these activities are very hard to identify and even harder to investigate and prosecute. It's a fair assumption that most industry sectors face similar issues. But they just haven't come to light or been adequately investigated. Or worse still, they have been recognized but management has decided that they are simply too difficult and expensive to address.

And who are the people who commit fraud? Well, I once put this question to one of the most experienced ex-police computer security investigators and he replied: "David, it's often bank managers who rob banks, and company directors who steal from companies". I also recall a former CSO from a top international company being quoted as saying that there were three categories of insider who committed crime: single women under 35, ladies over 50 who want to give the money to charity and older men who feel their careers have left them neglected. I have also noted that the typical profile of an "illegal information broker" in the Oil Industry is a middle-aged industry professional, perhaps passed over for promotion. So the lesson to be learned is that it could be absolutely anyone. After reading this you might be inclined to view your colleagues with new eyes.

March 15, 2007

Unacceptable Physical Security Must Be Corrected

The Information Commissioner's Office (ICO) has found eleven banks and other financial institutions in breach of the Data Protection Act after investigating complaints concerning the disposal of customer information. They were all found to have discarded personal information in waste bins or receptacles outside their premises.

This is clearly a widespread problem. The ICO points the finger at HBOS, Alliance & Leicester, Royal Bank of Scotland, Scarborough Building Society, Clydesdale Bank, Natwest, United National Bank, Barclays Bank, Co-operative Bank, HFC Bank, Nationwide Building Society and The Post Office. It must be seen as a major wake-up call as the guilty parties are all respectable organizations with sizeable security budgets and functions, ones that are more likely to be leaders rather than laggards in security. If these companies can't get it right then it's highly likely that your organizations are also at fault. And there's no excuse. It doesn't require expensive technology, just a clear policy and firm enforcement.

March 23, 2007

Oracle Sues SAP for Information Theft

Yesterday Oracle announced that they are suing SAP for violations of several Federal Acts. The Complaint makes interesting reading. Oracle claim that SAP committed "corporate theft on a grand scale", illegally accessing and downloading thousands of proprietary, copyrighted software products and confidential materials. They claim that SAP employees used the log-in credentials of Oracle customers with expired or soon-to-expire support rights, in order to gain access to their password-protected customer support website.

The claim highlights a number of interesting points. Firstly, the ease with which password credentials can be stolen or passed on to third parties. It makes you wonder just how much information theft might be going on. Secondly, that it's relatively easy to identify potential sources of data leakage by looking out for unusual activity, such as large numbers of downloads in a short space of time. And thirdly, that it's likely that anyone engaging in illegal activity in a highly competitive marketplace will be found out at some stage. Because there will be intense scrutiny by competitors.
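The second point above, spotting leakage by watching for unusual activity, can be turned into simple detection logic. The following is an added example, not code from Oracle, SAP or the author: it parses a constructed support-portal download log (the key=value format, account names, expiry dates and thresholds are all assumptions for the illustration) and flags both download bursts and downloads made with credentials whose support rights have expired or are about to expire.

```python
"""Flag unusual download activity in a support-portal access log.

Added illustration only (not Oracle's or SAP's code). The log format, accounts,
dates and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One event per line: account, support expiry date,
# download timestamp, file. customerB's support expired on 2006-12-31 and it
# pulls 12 files in 33 minutes; customerC's support expires in ten days.
SAMPLE_LOG = "\n".join(
    [
        "acct=customerA expires=2007-06-30 ts=2007-01-10T09:00:00 file=patch_a1.zip",
        "acct=customerA expires=2007-06-30 ts=2007-01-10T13:30:00 file=patch_a2.zip",
        "acct=customerC expires=2007-01-20 ts=2007-01-10T10:00:00 file=doc_c1.pdf",
    ]
    + [
        f"acct=customerB expires=2006-12-31 ts=2007-01-10T22:{m:02d}:00 file=patch_b{i}.zip"
        for i, m in enumerate(range(0, 36, 3))  # 12 downloads, 3 minutes apart
    ]
)

BURST_COUNT = 10                     # more than this many downloads ...
BURST_WINDOW = timedelta(hours=1)    # ... within any window of this length
EXPIRY_GRACE = timedelta(days=30)    # expiry within this period = "soon-to-expire"


def parse_log(text):
    """Parse key=value lines into event dicts with real datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        events.append({
            "acct": fields["acct"],
            "expires": datetime.strptime(fields["expires"], "%Y-%m-%d"),
            "ts": datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S"),
            "file": fields["file"],
        })
    return events


def burst_accounts(events, count=BURST_COUNT, window=BURST_WINDOW):
    """Return {account: peak downloads} for accounts exceeding `count`
    downloads inside any sliding window of length `window`."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e["acct"]].append(e["ts"])
    flagged = {}
    for acct, times in by_acct.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            in_window = end - start + 1
            if in_window > count:
                flagged[acct] = max(flagged.get(acct, 0), in_window)
    return flagged


def expired_credential_use(events, grace=EXPIRY_GRACE):
    """Return (account, reason, file) for every download made while the
    account's support rights were already expired or expire within `grace`."""
    findings = []
    for e in events:
        if e["expires"] < e["ts"]:
            findings.append((e["acct"], "expired", e["file"]))
        elif e["expires"] - e["ts"] <= grace:
            findings.append((e["acct"], "soon-to-expire", e["file"]))
    return findings


def report(text):
    """Combine both detectors into a single summary dict."""
    events = parse_log(text)
    return {
        "bursts": burst_accounts(events),
        "credential_findings": expired_credential_use(events),
    }


if __name__ == "__main__":
    summary = report(SAMPLE_LOG)
    for acct, peak in summary["bursts"].items():
        print(f"BURST  {acct}: {peak} downloads within {BURST_WINDOW}")
    for acct, reason, fname in summary["credential_findings"]:
        print(f"CREDS  {acct}: {reason} support rights, downloaded {fname}")
```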

Regardless of the outcome of this case there is an action for us all. As I've said before, we should always close ranks against companies or employees that think it's acceptable to employ illegal methods. Top companies should aim for the high ground, not sink to dirty tricks.

Y2K Lessons Forgotten Already

Those of you who might have concluded that the risks posed by the Y2K Bug were overstated should take a look at this recent story about six Lockheed F-22 Raptors crossing the International Date Line (IDL). The F-22 Raptor might be the most advanced fighter jet in the world, but multiple systems, including fuel, navigation and communications, crashed when the six Raptors crossed the IDL. Fortunately the weather was good and there were refueling tankers around to help guide them home. Otherwise it would have been "real serious".

Clearly we haven't all learned the lessons from the Y2K experience.

April 7, 2007

Real-Time Intelligence on Terrorist Incidents

All security professionals worth their salt need to keep an eye on global security events, especially terrorist acts that might present an immediate risk to company assets or globe-trotting executives. So it's definitely worth adding Global Incident Map to your Google Favorites list.

This remarkable site is a free service intended "to give the public, law enforcement, military and government individuals a new way to visualize, and become instantly aware of terrorism and security incidents across the world". It blends together news feeds, Google Earth images and other data to deliver an up-to-date visual summary of terrorist incidents and other suspicious activity across the world. It looks to be a useful addition to any crisis room.

Now, if we could just have one of these maps for cyber-incidents...

April 22, 2007

Have We Reached a Tipping Point in Consumer Credit Card Confidence?

The run up to Infosecurity Europe (this week in London) is always an interesting time because of the associated wave of product launches, surveys and press releases. One announcement that caught my eye was the results of a MORI survey commissioned by Secerno, a leading UK supplier of database security technology, on current British consumer views on personal data theft.

Of course these days we should expect retail customers to be more street-wise about data theft. Especially following incidents such as the recent breach reported by TJ Maxx, in which hackers stole details of more than 45 million payment cards. It was interesting to observe some consumers interviewed on UK TV News over the weekend (following a credit card skimming incident in Hull) saying that they now preferred to pay for petrol in cash to avoid the potential risk of data theft.

But the figures in the Secerno survey are disturbing for the progress of e-Commerce in the UK. They indicate that a massive 95% of consumers are concerned about data theft, and that 63% of adults are concerned about the ability of data centres to protect their data, in the UK and abroad. These figures cannot be ignored by merchants because they also suggest that a whopping 53% of customers might refrain from using services and almost as many might opt to cancel their credit cards from companies that do not immediately address major breaches.

Perhaps we have reached a major tipping point at which large numbers of consumers are losing confidence in the security of credit card transactions. It certainly seems that way from this survey, because it also indicates that 45% of consumers do not think banks and online retailers are doing enough to protect their personal data. Such figures suggest there could be a major crisis of confidence brewing. And that's something we must avoid at all costs.

April 29, 2007

How Real is the Threat of Cyber Terrorism?

Last week's Daily Telegraph reported concerns expressed by Home Secretary John Reid about the threat of cyber terrorism causing economic chaos or plane crashes through an electronic attack on critical national infrastructure. Just how worried should we be? Is the likelihood of such an attack an imminent danger? Or is it just political scaremongering?

My own views are well-established. Back in 1999 when many people were talking up the possibility of an electronic Pearl Harbour, I forecast it was unlikely to occur before 2006. But after this time we would enter a long "critical convergence period" characterised by a step change in corporate risk profiles, resulting from growing connectivity, loss of perimeter security and increased vulnerabilities in platforms. And by this time the capabilities of terrorist groups, as well as their interest in such targets, might be sufficiently mature for them to contemplate a serious attack.

The problem is that terrorism, like espionage, is a covert activity. We simply won't know how much we are at risk until we get hit. Yet industry and government are still in reactive mode when it comes to security. Business and finance managers are naturally reluctant to spend money on new security measures until they've seen real evidence of a threat. And by that time it's too late.

So what can we do to mitigate the risk? Well if you can't afford the cost of hardening your critical systems and installing effective intrusion prevention systems, then at least be prepared to respond effectively to an incident. It doesn't cost much to review and update crisis response procedures and organization, or to conduct a short crisis exercise. And at the very least that should provide some much needed awareness amongst senior management of the seriousness of their exposure.

May 25, 2007

We Give Our Enemies Too Much Credit

Thinking back on last week's NISC8 Conference, I have to admit to an uncomfortable feeling that we've been giving far too much credit to criminals, terrorists and spies. It's bad enough using respectable-sounding labels such as high-tech or white-collar crime. But I also heard several speakers making remarks such as "these people are smart" and "you need a holistic approach because they'll find your weakest point". This is not my experience, nor of leading authorities such as Donn Parker, who spent many years interviewing convicted computer criminals. They are rarely smart and seldom versatile, tending to operate with a narrow modus operandi. So let's not give them the respectability they don't deserve.

June 5, 2007

Mobile Device Security

Mobile device security is becoming a hot topic, so I was highly interested to read the results of recent research into the causes of mobile phone losses by simplyswitch.com. It claims that a staggering 885,000 mobiles, worth around £342 million, are accidentally flushed down the lavatory (that's the posh word) each year. This seems to be the biggest cause of such losses, followed by 810,000 losses in pubs, 315,000 left in the back of taxis, 225,000 left on buses, 116,000 in the laundry and 58,500 chewed by pet dogs.

A survey carried out a few years ago by Pointsec, a security vendor, showed that in the last half of 2004, 63,135 mobiles, 5,838 PDAs and 4,973 laptops were left behind in London taxis. This now looks like small beer compared to the lavatory problem. And of course it's likely that at least some mobiles left behind in taxis and buses might be recoverable.

This is a fascinating insight and a helpful input for designing security education campaigns. Mobile devices are becoming smaller and more powerful, so we need to take more and more action to minimise the business damage from accidental losses. These days a single loss can compromise gigabytes of sensitive data, enable unauthorised access to corporate networks and ruin the week for a senior executive. Not to mention the replacement and recovery costs.

So what can we do to prevent such losses? Waterproof coatings might be a good start. Perhaps coupled with some kind of elasticated lanyard to enable the device to be more easily fished out of the lavatory bowl. Or some sort of collapsible tray attached to the belt that opens out when you relieve yourself. In-built automatic location sensors might also help track down the device in the plumbing. Training courses in how to use facilities safely might be the next step. The mind boggles.

June 8, 2007

Minimum Security Standards Are Mandatory for Safeguarding Customer Data

This week's press reported yet another loss of customer data by a leading UK Bank. This time it was HBOS coming clean about a loss of a disk containing information about more than 60,000 mortgage customers.

This type of incident is not new. People regularly make mistakes in today's fast-moving, cost-cutting business environment. All organisations have scores of insecure practices. In the safety field it's well understood that, on average, behind every major incident there are likely to be around 30 minor incidents, several hundred near-misses and thousands of bad practices. But you can also be unlucky. Anyone that's studied Statistics will appreciate that an average solution is not generally the most probable outcome.

But what caught my eye about this incident was that the Bank admitted that the data should have been encrypted and sent by a secure courier. Now that's a step in the right direction. It shows that Management appreciates the need for defence-in-depth security standards. Perhaps the message is finally getting through, i.e. that there are minimum standards for protection of customer data - you don't leave it to the discretion of the business.

June 11, 2007

Privacy Expectations on the Internet?

I note that Google has come in for some stick from Privacy International, an International Human Rights Watchdog, for being "hostile" to privacy in a report that ranked leading Internet firms on how well they handle personal data. This London-based group claimed that Google was leading a "race to the bottom". Google naturally responded that the report was mistaken and it was working hard to safeguard user data.

Perhaps I've missed the point on this debate. But it strikes me that we do have a choice. You don't have to use the Internet. Many people that do are quite comfortable entering their personal data on Web pages for others to see. And most people today are mature enough to recognize that there's no such thing as a free lunch. If you get a free service then it's likely to be at the cost of an advertising sell. That's not a bad thing. Small and medium-sized enterprises rely on customer information and direct mail to promote their products. They're not evil. Such advertising serves a useful economic purpose.

If you don't like being connected to billions of other people, then don't use the Internet. But once you engage with it, you should lower your expectations of privacy. Because it's a powerful data sharing medium. That's what it's all about.

June 20, 2007

Blackberrys Discouraged By French Government

The French Security Service is reported to have advised Government officials working in sensitive offices not to use Blackberry devices because they use overseas servers, opening up an espionage risk. An alternative solution has been offered but it does not appear to work quite as well. Some officials are reported to have reverted to clandestine use of their Blackberrys. RIM claim that their encryption system is strong but they miss the point. It's about sourcing of products and services, rather than security features. If you don't control the sourcing, they can be compromised.

There's nothing new here of course. I know a few UK CISOs who initially resisted the introduction of Blackberrys because they could not get the assurances they required from RIM. In a perfect world we'd fully control the manufacture, supply and maintenance of all items that might carry sensitive data. But that's not practical. So what can one do? Ban the use of new foreign technology and services? Accept the possibility that foreign powers are listening in? Seek written assurances? Or try to manage the risks. The latter option is interesting. Because it opens up the thinking that the benefits of new technology might perhaps outweigh the potential damage from eavesdropping. And how many of our communications are really sensitive? Can they be secured on an exception basis? Or can we develop add-on solutions to secure off-the-shelf products and services?

The future technology market is a highly consumerised one, based on products manufactured in China and IT services that are increasingly off-shored. New thinking is required to manage the increased risks of espionage and fraud. Because imposing a blanket ban on the latest executive toy is unlikely to be welcomed by your senior users.

July 7, 2007

Who Will Control the Market in Zero-Day Vulnerabilities?

Every security professional should be keeping an eye on the developing market in security vulnerabilities. For some time, security vendors such as i-Defense and TippingPoint have been offering thousands of dollars in exchange for new security vulnerabilities. And this week saw a new development in this market with the launch by WabiSabiLabi of a new eBay-style service for trading security vulnerabilities.

It’s a fascinating, disturbing but inevitable concept, which underlines both the increasing value of security research and the growing ease with which potentially dangerous, cutting-edge know-how can be obtained. Such services are a step forward if buyers are adequately screened and management can properly safeguard the highly sensitive information they are likely to attract. But the easy access to such information can also present an increased risk. So let’s hope the company is geared up to manage this service securely. WabiSabiLabi claims to be “vendor neutral” and it certainly has an international flavour with a Swiss base and a Japanese-derived name.

One thing is clear. The stakes in this market are getting higher with growing business and citizen dependence on technology. The trading price of a new security vulnerability reflects this. In fact it’s a powerful new security metric that reflects the real value of information security in today’s world.

September 10, 2007

Cybercrime in the UK

A new report commissioned by Garlick, a UK vendor of privacy management services, on the subject of UK Cybercrime, contains some interesting findings. Such surveys are essential reading for security professionals as they help to fill in pieces of the slowly forming but largely incomplete jigsaw of cybercrime activity in the UK.

Of course, as with any survey that might have been carried out primarily for marketing purposes, it's necessary to take any estimated figures with a pinch of salt. Some are scaled up from previous surveys. For example the staggering figure of 1.93 million on-line (email) harassment cases is estimated on the basis of an earlier survey which indicated that 8% of adults using the Internet were victims. But nevertheless, the survey indicates a massive, growing problem for cybercrime offences against the person. And it's interesting also to note that "cyber crimes are just as prevalent as traditional crimes. In 2006 the incidents of online financial fraud doubled the number of robberies taking place". Which suggests that UK law enforcement strategy might not have the balance right.

The report also points out that "computer misusers tend not to consider their actions as immoral". And interestingly, the experts have already coined a term for this lack of virtual moral consensus. It's called "toxic disinhibition". However not everything is neatly defined. The report also points out that "although the term ‘cybercrime’ is now in everyday use, the first problem encountered in measuring cybercrime is that there is no commonly-agreed definition of the term". And, unfortunately, that can undermine the credibility of any cybercrime survey that relies on figures from earlier studies.

September 23, 2007

The Changing Security Threat Landscape

Last week Symantec issued their latest Internet Security Threat Report. These six-monthly reports have become essential reading for all security practitioners. The latest 30 page report (it could do with a good précis) is packed with useful, though largely unsurprising, facts.

The report confirms that the security threat landscape is becoming characterized by attacks that are more professional and increasingly commercial. These attacks are often carried out in multiple stages, using a low-profile compromise to create a beachhead from which subsequent attacks can be launched. Multiple methods of attack are likely to be used and trusted entities will be exploited. Defending against such attacks is not easy. They are difficult to detect and even harder to stop. And in an age when zero-day vulnerabilities are a reality, it’s disturbing to read that some big vendors still have patch development times measured in hundreds of days.

The consequence of this trend is that organisations need to adopt a more intelligence-led approach to security. Identify valuable assets and critical services. Understand the enemy. Think like an attacker. And then implement specific controls to identify and deflect such attacks. It’s no longer good enough to apply a basic level of commodity-level security across your estate. That approach might have been effective in the past. But today’s attackers don’t just focus on soft targets. And the sophistication of their threat has now surpassed the defensive capabilities of most baseline security measures.

October 1, 2007

A Sharp Increase in Email Threats

MessageLabs' latest intelligence report shows a sharp increase in viruses, spam and email threats, which now stand at record levels. Over one in fifty emails now contains malware, generally through a link to a site that installs it when opened. More than one in ninety mails contains a phishing attack. And viruses have doubled since the Spring to levels not seen for 18 months.

A major factor behind the increases is the Storm botnet, which created a fair amount of havoc in August. But it all demonstrates the unexpected nature of today’s threats. They can grow rapidly and decrease just as fast. Statistics provide little indication of future levels of activity. So business cases for new defensive measures should not be built on historical incident levels alone. Security functions need to be agile, always prepared for a steep rise in threats. With Christmas approaching it's a timely reminder for everyone to sharpen up their incident response.

October 6, 2007

Preparing for the Coming Storm

It’s comforting to read those security threat level indicators that inform us that the threat from malware attacks is currently low. Unfortunately there are blind spots in early warning systems. They’re based on intelligence rather than real intent. The reality is that we don’t know when a big attack is likely to strike. It could be tomorrow or might be next year. It’s easy for users to become complacent about threats when newspapers aren’t carrying scare stories. But the indications are that something big might be brewing in the pipeline. And we aren’t doing anywhere near enough to educate our users and customers.

For those of you who haven’t been tracking the steady progress of the Storm worm, I’d recommend reading Bruce Schneier's recent analysis in Wired. It’s claimed that up to 50 million PCs might have already been infected by this agile piece of malware, perhaps making it more powerful than the world’s fastest supercomputers. And we don’t know who’s behind it or what they are planning - unless we get lucky and they get caught. Storm is a glimpse of the future of malware. It’s dangerous and difficult to stop. Education is the key to reducing our exposure. So with Christmas looming and a flood of e-Cards and mail shots about to hit everyone’s in-trays, it’s time to raise those security awareness levels.

October 13, 2007

Exploit Wednesday Strikes Again

A few days ago Symantec reported a Word exploit in the wild just one day after Microsoft released the patch for the corresponding vulnerability. Rather unusually it was created using Word for Macintosh. Yet just a few months back McAfee claimed that “Exploit Wednesday” was a myth, pointing out that hackers simply don’t stockpile exploits waiting for the release of a patch. Perhaps they do. Or perhaps vendors have taken to stockpiling announcements.

But arguing about the current motives and habits of hackers is beside the point. The threat changes all the time. It can go up or down in any month. The real trend to note is that our exposure continues to get worse. Exploits are increasingly likely to strike before you get to roll out your patches. And the consequence is that we need to tighten up security around critical applications and infrastructure. Baseline security measures are no longer sufficient to protect valuable corporate assets. Organisations must identify, prioritise and place additional layers of security around their Crown Jewels. Because corporate infrastructures are becoming as open to attacks as the Internet itself.

October 21, 2007

Counting the Threats from Intelligence Services

CNN’s web site has an interesting item on the nature of the foreign intelligence hacking threat to US interests. It reports Joel Brenner, National Counterintelligence Executive, as saying that it’s not accurate to blame only the Chinese Government for recent penetrations of government systems. The reality is that about 140 foreign intelligence organizations are trying to hack into US computer networks. They are too easy to hack and the number of world-class hackers is multiplying at bewildering speed.

Of course this is only to be expected. Hacking is cheap, fast and can be carried out remotely. And the necessary skills are becoming widespread. In just a couple of years time Nicholas Negroponte’s one laptop per child initiative will hopefully have issued millions of networked laptops to children across several developing countries. Fast-forward several years and even the smallest intelligence services will have access to unprecedented levels of computer skills. Today we’re just scratching the surface of the real potential for cyber espionage and information warfare. As Alvin Toffler pointed out many years ago, it might even dominate the 21st Century.

Perhaps the only item in doubt is the actual number of countries in the world, which, interestingly, can range anywhere from 189 to 266 depending on your source. But whichever number you accept, it represents a lot of competing national interests.

November 1, 2007

Fear of Cybercrime on the Rise

My eyebrows were raised by a story in Computer Weekly claiming that cybertheft is the UK’s “most feared crime”, even outranking burglary, assault and robbery. It just doesn’t ring true. Perhaps some interpretation is needed? Looking closer, the research is commissioned by a security vendor, so perhaps there’s been a little selective reporting. The sample is “regular Internet users”, so it’s not completely representative of the UK public. Reading further, the phrase “most feared” becomes “most vulnerable” which is perhaps more understandable. And the proportion of users voting this way is 43%, which is high, but not overwhelming. But rather strangely, Liverpool is the city most afraid of cybertheft with 93% citing it as a concern, followed by Glasgow with 92% and Cardiff third with 91%. Why these places? Could it be down to reports in the local press? Or might it be that Northern City dwellers are so hardened to other forms of crime, that cybercrime is actually scarier than being mugged? Now that would be alarming.

December 2, 2007

Something Wicked This Way Comes

Back in 1999 I predicted that the “Electronic Pearl Harbour” would probably not happen until around 2006. That prediction, which led some elements of the computer media to accuse me of being a “doomsayer”, was based on a considered analysis of emerging trends which indicated that by around about now the global security risk profile would have climbed to a dangerously high level. Many people advised me I was wrong and that instead we are likely to experience just more of the same, i.e. lots of small incidents that are more of an irritation than a serious threat. But that ignores the potential power of global networks, which can leverage positive feedback loops to deliver immensely powerful attacks, as well as the raft of systemic flaws that are building in our infrastructure, through continued bad practice and a herd-like mentality to standardize on a single choice of platform.

So here we are in 2007 facing a serious terrorist threat, a criminal underworld that routinely exploits IT vulnerabilities, and a sophisticated espionage threat from more than a hundred intelligence services. On top of that we have a physical infrastructure that is incapable of preventing staff from walking off with tens of millions of sensitive records, and an electronic infrastructure riddled with vulnerabilities that require prohibitive amounts of resource to repair. And the scale of the potential impacts from security incidents grows larger every day. Already this year we’ve had major incidents in industry and Government of unprecedented impact. We’ve also witnessed attack vectors of unprecedented sophistication. It strikes me that we’re all sailing like a ship of fools towards an electronic catastrophe. Time for a wake-up call.

January 29, 2008

Missing Laptops - Is there an acceptable rate of loss?

Laptop theft is currently a hot topic with many organisations exploring new solutions, some quite innovative, in order to reduce the risk of an embarrassing data breach. I’ve been asked lots of questions on this topic in the last week. I’ll be covering a few of them in this week’s blog postings.

The first question is whether there is an acceptable rate of laptop loss. That’s an interesting thought. We know that laptops continually go missing. They get left behind in taxi cabs and stolen from car boots and hotels. You cannot completely eliminate the risk. But the loss of even a single laptop containing unencrypted sensitive data can be damaging. In some cases it doesn’t even have to be sensitive data to impact company reputation. So encryption is mandatory. But it’s still important to reduce losses. So what is an acceptable rate?

The answer is that it varies according to the geographic location of offices, the amount of travel undertaken and the degree of public transport used by staff. A company with a single large campus set in leafy suburbs is likely to experience fewer losses than one with a head office split across several city centre locations. But in my experience no organisation should be losing more than a handful of laptops per thousand users per year. What do I mean by a handful? As many as you can hold in your hands. Single figures. So if you experience a rate higher than 1% a year, you should aim to raise your game. It's not that difficult. See my earlier posting on Ten Practical Steps to Prevent Laptop Theft.

February 28, 2008

ATM Security Weaknesses Publicised Again

I see that Cambridge University have hit the news again with claims of flaws in Chip and PIN reader technology.

All commercial systems have security weaknesses. They are a compromise between cost and potential losses. We don’t always get it right. Sometimes we spend too much, sometimes too little. What counts is whether the weaknesses actually lead to losses, and there’s no evidence that any attacks of this nature are being mounted or contemplated.

But regardless of that, it’s irresponsible to publicise weaknesses that cannot be readily addressed in systems affecting millions of customers.

March 4, 2008

Sourcing and Security

The recent seizure of $76 million worth of counterfeit Cisco kit by US authorities comes as no surprise. What’s interesting is that security is cited as a major concern.

Security professionals in high threat environments have long been concerned about the sourcing of hardware and software. That's because it’s easy to plant a bug or a back door, but extremely hard to detect one. The reality however is that the business community decided long ago that the economic benefits of overseas manufacturing and services outweigh these security concerns.

Counterfeiting is a more insidious threat, because the true sourcing is disguised and the quality of the product is less certain. Perhaps this is a timely wake-up call for organisations in high threat environments to review the security risks associated with their sourcing processes.

March 21, 2008

Responding to e-Crime

Computer Weekly reports that the Home Office turned down a request by ACPO to find £1.3 million cash to fund a pilot e-Crime unit. At first glance this might seem a setback. But, in my view it’s nowhere near enough, no more than a token gesture. We need a much bigger, strategic response. That’s what we should press for.

April 11, 2008

Malware Gets Personal

Symantec’s latest Internet Security Threat Report shows what looks suspiciously like exponential growth in detected malware threats. More worryingly there is a clear trend towards targeting of information and an increasing focus on sabotaging trusted sites. It’s no longer sufficient to "avoid the dark alleys of the Internet", as Stephen Trilling puts it.

None of this is surprising but neither is it comforting to have your fears confirmed. And there's potentially worse to come as there's a lot of exposure in our infrastructure. We do nowhere near enough to manage the security of our technology supply chain. It's scary to think what might be lurking in the products we procure, now that there’s a well-established incentive to compromise them.


May 28, 2008

Insider Threats

A survey published today by Secure Computing Corporation, a security vendor, reveals an increasing concern by IT Directors about insider threats. More than 80% of the 103 Directors surveyed were more concerned about insider threats than external ones. One reason for this might be that 37% of respondents have experienced a leakage of sensitive information in the past year. The result appears to be a significant increase in budgets allocated to strengthening internal security.

That's good news because concern about insider threats has previously been very low on the radar of IT directors, though it's always been the soft underbelly of organisations.

Amongst other things it reflects a significant increase in data leakage incidents, as well as the fact that technology is now the preferred channel for espionage and leaks.

June 20, 2008

The next big threat

I've just been informed that a recent video interview with me on Sarb Sembhi's excellent Virtually Informed site has been voted "Answer of the Month for May". It's my response to the question "Where the next threat will come from?"

In my view it's attacks on the integrity of data that will be the next big concern. We don't see many of these attacks, so we don't do as much as we should to defend the integrity of our intellectual property. But the impact of even a small change to a database can be hugely damaging to services, confidence and reputation.

The focus of our e-Business security has only in recent years switched from availability to confidentiality. The next focus will be integrity. 

July 24, 2008

Keeping threats in perspective

An email from Techtarget drew my attention to a response by Michael Cobb to a question about the vulnerability of encryption systems, following revelations by researchers at Princeton University that the contents of DRAM memory can hold traces of data, including perhaps encryption keys, for some time after power off. Is it a serious problem?

I've never underestimated the vulnerability of technology or people to highly sophisticated attacks. No real-life system is foolproof. But just consider the context. You have to gain direct, physical access to equipment, within minutes of a person vacating the equipment. You need specialist skills and equipment, as well as inside information to know that something is worth stealing. And the technique is unreliable. You can't guarantee a result.

All of this makes it a highly unattractive method of attack, unless you're out to prove a point. There will no doubt be easier and more reliable ways of obtaining the data.

We need to avoid the paranoia of the cold war days, when governments wasted millions of dollars on unnecessary electromagnetic screening to prevent equipment from radiating signals to nearby spies. But there wasn't anyone there.

Postscript:

My good friend Andrew Yeomans rightly points out that I should have said "powering off and unplugging" rather than "vacating", as attacks are of course possible on equipment left out on charge, or in hibernate or sleep mode.

But the threat assessment remains the same. It's extremely rare for a physical break-in to be mounted by a technical expert carrying specialist equipment, unless you happen to be operating in an extremely hostile environment, where the local authorities are keen to steal your data.

If the information on your laptop is so valuable that you feel it would make you such a target, then you should always lock it away when not in use. Valuable assets should always be afforded defence-in-depth protection.   


August 27, 2008

Reported breaches will keep growing and growing

It's essential to keep abreast of surveys of security incidents. They provide a small glimmer of visibility on what's essentially a dark hidden area. There are a few reasons why we're kept in the dark. A lot of enterprises don't report incidents. Most don't keep track of them. And many simply don't know about them.

Last week, the Identity Theft Resource Center (ITRC) reported that the total number of incidents that could lead to identity theft on their 2008 breach list had already surpassed the final total of 446 reported in 2007. That's clearly an under-estimate for all of the above reasons. And each reported breach might have actually affected dozens of different businesses.

This trend will continue upward as we get better at detecting, tracking and reporting incidents. Espionage and fraud have been going on inside companies for decades, but they are largely undetected. I've always operated on the assumption that any call centre with valuable information will be riddled with people selling information, that any large procurement contracts will attract information brokers, and that any unencrypted transmissions of sensitive information can be read by governments. And I'm not paranoid, just streetwise.

August 29, 2008

Offensive strategies

You can tell it's still the silly season for news, when items about the science of fly swatting hit the front pages of broadsheet newspapers.

At first glance, it seems a trivial story. On second thoughts, it occurred to me that this might give an insight into strategies for dealing with irritating fraudsters or hackers. So I took a closer look.

This is serious research by a top Caltech Professor, funded by the National Institutes of Health and the National Science Foundation. The paper "Visually Mediated Motor Planning in the Escape Response of Drosophila" will be published August 28 in the journal Current Biology.

Professor Michael Dickinson used high-resolution, high-speed digital imaging of fruit flies faced with a looming swatter to study how flies avoid swatters. He seems to have concluded that flies see you coming and move out of the way. And he concludes that the best method for swatting a fly is to wait for it to land, approach it from behind and aim a bit forward of where you anticipate the fly is going to jump.

As Basil Fawlty put it: "Can't we get you on Mastermind...specialist subject: stating the bleeding obvious..."

September 4, 2008

Coming to terms with the Insider Threat

Yesterday I attended a FASTtalk CEO round table on the "The Threat from Within". It's interesting how important this subject has become following the spate of high profile data breaches over the last year. The threat has always been there, in fact, but the level of risk has increased substantially.

Potential spies, fraudsters and information brokers are always lurking in our organisations. They just don't show themselves. But decades of progressive centralization, mergers and outsourcing have now made huge amounts of valuable data available to ordinary staff and contractors. It's like putting large amounts of cash in the hands of ordinary people. The potential for error and the temptation to steal is so enormous that visible breaches are inevitable.

But incidents and risks have been building for many years. We just haven't noticed them because incidents haven't been properly uncovered, recorded or publicised. Organisations lose hundreds of laptops a year. Large procurements attract fraud. And valuable trade secrets attract espionage. It's a healthy sign that at last we're beginning to recognise these unpalatable facts.


October 2, 2008

Card fraud up - it's no surprise

The latest figures from APACS show that card fraud in the UK has risen by 14% since last year, despite the introduction of chip and PIN. Online banking fraud increased by 185% due to phishing. More than 20,000 fraudulent phishing websites were set up in the first half of 2008.

This is no surprise. The banks should have invested in decent authentication systems a long time ago. Chip and PIN has cost a small fortune but only addresses part of the problem. We've all known for decades that mutual authentication is essential, yet there's still no sign of it.

Last night I was phoned by my bank for no good reason other than the fact they wanted to discuss my services (i.e. sell me something). They provided no authentication information, yet seemed surprised when I informed them that I don't discuss financial matters with unidentified strangers over the phone. No doubt they regard me as a difficult, rather than enlightened, customer. It's not surprising that there's so much fraud when leading banks set such bad examples.

October 5, 2008

The case for strong authentication

Reports that a security researcher has discovered a criminal database containing access details for 200,000 servers worldwide demonstrate yet again the need for strong authentication, based on more than shared secrets, for all remote access.

We should all be working on the assumption that any secret information might at some point be compromised. That's the nature of the information age. It's getting harder and harder to keep secrets and to safeguard private infrastructure. We can hope for the best, but we should always plan for the worst.

October 21, 2008

Security theatre

I see that a team of Swiss security researchers have discovered something that physicists have known for more than a century: that electromagnetic waves travel through the air. They suggest that computer criminals could soon be eavesdropping on the keystrokes of PC users by analysing the electromagnetic signal produced by each key press.

This phenomenon was extensively promoted by "Tempest" equipment manufacturers in the 1970s and 1980s to sell millions of dollars of unnecessary screening protection to naïve government departments. Yes, you can mount this type of attack if you want to eavesdrop on the chap at the next desk. But you'd look highly suspicious. And there are generally far more effective ways available, such as following him and listening to his conversations or looking through the papers on his desk.

It's not that difficult to spy on people within 20 metres if you really want to. And that's probably why I've never come across a single recorded incident of a Tempest attack in the UK over the last thirty years. 

February 8, 2009

A glimpse of the future of cybercrime

A recent report by the news channel Fox 5 claims that the RBS Worldpay data breach of payroll card data, reported back in December, resulted in a well-coordinated ATM fraud in November that netted a staggering $9 million from just 100 compromised card accounts.

According to the Fox 5 report, fraudulent withdrawals took place across 130 ATMs in 49 cities across the world within a 30 minute period on a single day last November. If true, it demonstrates a level of sophistication rarely encountered in previous computer-based frauds. Clearly, the hackers not only stole sensitive data from the bank's computers, they were also able to arrange for the normal limits on withdrawals to be lifted. The fraud might have been a lot bigger if more compromised accounts had been exploited.

This reflects the future of cybercrime: an information age threat that exploits the power of networks to steal information, remotely manipulate controls, and instantly exploit a global community of thieves. Future security defences will need to include a much better capability to detect and respond immediately to anomalous, coordinated behaviour across networks.
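A small detection check of the kind the last sentence calls for, as an added example that is not part of the original post: it runs over constructed withdrawal records and flags cards used in several cities within a 30-minute window, cards that exceed an assumed daily limit (the lifted limits mentioned above), and how many flagged cards share an overlapping window. All card ids, cities, amounts, the window and the limit are constructed or assumed values.

```python
"""Added example (not from the original blog post): velocity and geography
checks over constructed ATM withdrawal records, illustrating detection of
coordinated, anomalous behaviour across a network of ATMs."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed detection window
MIN_CITIES = 3                   # distinct cities inside WINDOW = impossible travel
DAILY_LIMIT = 500                # assumed per-card daily withdrawal limit

# Constructed sample records: (card, ISO timestamp, city, amount)
EVENTS = [
    ("card-A", "2008-11-08T20:00:00", "Moscow", 300),
    ("card-A", "2008-11-08T20:05:00", "Atlanta", 300),
    ("card-A", "2008-11-08T20:12:00", "Hong Kong", 300),
    ("card-A", "2008-11-08T20:20:00", "Montreal", 300),
    ("card-B", "2008-11-08T20:02:00", "Chicago", 200),
    ("card-B", "2008-11-08T20:15:00", "Milan", 200),
    ("card-B", "2008-11-08T20:25:00", "Tokyo", 200),
    ("card-C", "2008-11-08T09:00:00", "Leeds", 100),   # normal use
    ("card-C", "2008-11-08T18:30:00", "Leeds", 100),
]

def parse(events):
    return [(c, datetime.fromisoformat(t), city, a) for c, t, city, a in events]

def impossible_travel(events, window=WINDOW, min_cities=MIN_CITIES):
    """Map card -> (window start, cities) for cards used in >= min_cities
    distinct cities within one window; a card cannot physically do that."""
    by_card = defaultdict(list)
    for card, ts, city, _ in parse(events):
        by_card[card].append((ts, city))
    flagged = {}
    for card, rows in by_card.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            cities = {c for ts, c in rows[i:] if ts - start <= window}
            if len(cities) >= min_cities:
                flagged[card] = (start, cities)
                break
    return flagged

def over_limit(events, limit=DAILY_LIMIT):
    """Cards whose withdrawals in one calendar day exceed the limit; if the
    authorisation system let these through, the limit was lifted upstream."""
    totals = defaultdict(int)
    for card, ts, _, amt in parse(events):
        totals[(card, ts.date())] += amt
    return {card: total for (card, _), total in totals.items() if total > limit}

def coordinated_campaign(events, window=WINDOW, min_cards=2):
    """Campaign-level signal: largest number of flagged cards whose anomalous
    windows overlap. Returns 0 when fewer than min_cards coincide."""
    starts = sorted(start for start, _ in impossible_travel(events, window).values())
    best = 0
    for i, s in enumerate(starts):
        best = max(best, sum(1 for t in starts[i:] if t - s <= window))
    return best if best >= min_cards else 0
```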

February 28, 2009

The Fog of Cyberwar

A recent Bruce Schneier blog posting drew my attention to a report of a revelation by a US Army Colonel that "EMP grenade technology is out there, but I've never had my hands on one". The comments on this particular posting are typical of the topic, generally casting doubt on both the capability and usefulness of such a device.

It's always been this way. The national security space attracts a good deal of spin, doubt and uninformed speculation, especially when it comes to anything to do with the electromagnetic spectrum. It's not just conspiracy. Vendors with vested interests tend to exaggerate the merits and capability of new technology. And many exotic techniques are next to useless because there are easier ways of achieving the desired objective.

In the early nineties, rumors circulated amongst the London security community that electromagnetic weapons might be used to extort money from banks. I asked several expert authorities for an opinion. The responses were all contradictory, ranging from "There's no such weapon" to "I've seen one demonstrated and they're very effective". The most believable answer was "The technology does exist but it's hit and miss". The safest response was "I can't talk about that subject over the phone". But the real learning point is that you should never believe in the existence of anything that you haven't seen with your own eyes.


March 4, 2009

Apocalypse soon?

Yesterday's ISC2 Security Leadership Seminar in London reflected a spectrum of contemporary thinking on the subject of information security, as well as highlighting some of the more extreme risks we can expect to encounter soon. It was an interesting blend of common sense, déjà vu and doomsaying, mirroring the different experiences and perspectives of the speakers. 

It was hard to disagree with Howard Schmidt's introduction, an articulate, realistic and mature assessment on the current state of play. Howard believes that, despite the credit crunch, organizations have not lost their appetite for security, sensing the bad guys are unlikely to take a break. The new factor, of course, is risk management, which raises expectations that business as usual can be maintained with appropriate protection. The challenge is that we have to continue patching up a large legacy estate, designed with inadequate security controls, as well as preparing for future threats, such as those presented by the billions of mobile devices accessing the Internet. It's a huge challenge for a relatively immature discipline.

"Back to basics" was also a common theme. We keep trying to do the same things over and over again, expecting different results, failing to learn from our earlier shortcomings. We've had good, documented standards for two decades but they haven't hit the spot. Perhaps the answer lies in more education and engagement. But, unfortunately, our cupboard is largely bare when it comes to addressing the softer side of security. Clearly, we need to accelerate our learning capability.

The doomsayers were well represented by presentations from vendors armed with extensive incident statistics and market survey reports. The latest figures are enough to make your hair stand on end. Could you have imagined, for example, that there would be a 1,559% increase in data theft Trojans in 2008? And can your business survive an environment in which zero-day attacks now represent around 20% of malware attacks? It's a frightening threat for organizations who take days or even weeks to apply patches to legacy systems. Growth rates in infections of clients and web sites are now running at alarming rates, threatening to undermine current Internet business models, which are underpinned by confidence in clicks on banner advertising.

In fact, last year now appears to have been a turning point in the professionalism of cyber crime. The software development skills and data mining capabilities of organized crime are believed to be second to none. They (whoever that is) are stealing vast amounts of our data, though no-one really understands the logic in their targets. Process industries, rather than banks, seem to be in the firing line. Why should that be?

We can only speculate on where these developments will lead. But the implications for business are not good. We cannot carry on in the same way without something big breaking. We've seen from the banking sector that there is no safety in sticking with the herd. Governments are raising the bar in the protection of critical infrastructure, but that leaves an awful lot of valuable systems with a growing vulnerability to a rising threat. In the absence of more demanding, mandatory standards, we have to rely on risk management, which, unfortunately, in practice becomes little more than the logic that excuses business from applying adequate countermeasures. A perfect storm is brewing and there's not much we can do to prevent it.

April 18, 2009

The Scourge of Spam

The Yorkshire Post quoted me in an article about Spam a few days ago. I admit that I do come across as a bit of a doomsayer. But surely someone needs to in a blinkered business world that seems to be content to carry on regardless, just like a colony of frogs in boiling water.

We need concerted action to tackle the growing threats of spam and malware. But there's little appetite for radical measures. Most people prefer to cross their fingers and hope that the problem will go away. It won't. And, left unchecked, it will eventually undermine the commercial models that underpin e-Business. It's a black swan waiting in the wings to savage us.

April 26, 2009

A timely pandemic wake-up call

However non-threatening the latest influenza scare might prove to be, it will at least have served as a timely wake-up call. And that's important, as most experts concur that a major pandemic of one sort or another is likely to hit us hard over the next decade.

The latest outbreak is a useful reminder, as many managers have lost interest in the threat from avian flu owing to a lack of outbreaks and an absence of sensational media coverage. Advance planning for a pandemic is crucial to minimise its potential impact. The problem has been that in today's economic climate it's difficult to justify spending much time or money on a future threat that's not in the forefront of everyone's mind.

In fact there's a lot that can be done to prepare an organisation for a pandemic. The most important task is to establish the vulnerability of key business processes, supply chains and other essential services to unanticipated absences of staff. The next thing is to identify key staff, and make appropriate arrangements to ensure they can continue to work with minimal exposure to potential sources of infection.

This demands a carefully considered plan with clear actions at key transition points. If you haven't got such a plan, you should start now and put one in place. It doesn't cost much to develop one. But it takes a lot of time to research the facts, analyse the findings and agree a strategy. Good business continuity planning is not done through knee-jerk reactions. It's all about a slow, gradual appreciation of the smartest way to respond to a complex crisis.  

June 11, 2009

Planning for the worst

A news item about the possibility of Mars colliding with the Earth caught my eye yesterday. Of course it's not likely to happen for billions of years, but it's a sobering thought that the entire planet might one day be obliterated. Is it something we should start planning for now? Several years ago, I met a lady at NASA research in California who, amongst other things, was exploring fallback options for a future loss of the moon. Interestingly and surprisingly, the presence of the moon is absolutely vital to support life on Earth, though one day its orbit will fail.

Such thoughts beg the question "What's the worst thing we should plan for?" Former trader and author Nassim Nicholas Taleb uses the metaphor of a "black swan" to describe the impact of rare, unpredictable events that take us by surprise. Such events cannot be accommodated in traditional models of prediction. He argues that we place too much weight on the flawed assumption that past events will repeat. We should devote at least a small amount of our time and money to planning for highly unlikely outcomes.

Unfortunately, we don't have many methods for examining the consequences of extreme events. Scenario planning is one option. Shell, for example, has for many years conducted long-term scenario planning to ensure their business managers are prepared for alternative futures. There's a danger of course that such thinking could make them too risk averse. But this is a company that thinks long-term. I recall they even used to take steps to ensure they could continue business following a nuclear war.

Goldman Sachs used to plan for a "worst of the worst" or WOW scenario in which twenty different asset classes might fall to the lowest recorded level in recent years all on the same day. But, amazingly, that turned out to be nowhere near as bad as the recent financial meltdown. In fact, such exercises are neither realistic nor foolproof. But in practice they are useful for helping to prepare business managers for unexpected shocks.

Business continuity planning is a more practical tool for preparing for the worst. But how extreme should the options be? In practice, such plans address the more familiar forms of disaster. And most experienced managers prefer to operate on the basis of "no double jeopardy", i.e. it's unlikely that two improbable events will occur at the same time. Unfortunately, however, that can happen under certain conditions in networks and markets, though, to be fair, in those cases it's generally triggered by a single, higher-level event.

Crisis exercises are a much better vehicle for "thinking the unthinkable". Like scenario planning, the use of an imaginary storyline encourages managers to suspend disbelief and go along with the plot. This results in a self-discovery of learning points that could not be conveyed through logical argument. Business managers generally become defensive if you try to present a case for addressing an unlikely event. It's better that they come to that conclusion themselves.  

This century we've already experienced major terrorist incidents, wars and market crashes. Pandemics and cyber wars are waiting to hit us in the near future. As networks connect more and more people, data and objects, they create new opportunities for high-impact events. For that reason we should all be aiming to raise our game in preparing for the unexpected.  

July 9, 2009

Secrets for sale

The claim in today's Guardian newspaper about journalists employing private detectives to use illegal means of gathering information on celebrities comes as no surprise. This has been going on for a long time. Price lists of information offered by small time information brokers have been circulating for decades. The Information Commissioner's Office reported in detail on this practice more than three years ago. Their excellent report "What price privacy? The unlawful trade in confidential personal information" is essential reading for all security professionals. 

What is new is that the Guardian story suggests that "hacking" of mobile phone messages took place. This is one step beyond the traditional practices of bribing and blagging to gather information. For those who are unfamiliar with the term, blagging, the practice of impersonating officials in order to extract information from other officials, is a highly effective method of social engineering. Like many frauds, it exploits psychology. As the ICO report puts it:

"As with so many calls, it's all in the art of persuasion. You have to make that person want to tell you that address, even though we all know they shouldn't - it's as simple as that really."

The way to tackle this problem is to crack down harder on offenders. Despite what the media might suggest, this is not big business. It's small time, under-the-counter trade. Bigger fines and sentences would encourage private detectives to stick to more legal forms of investigation.

October 31, 2009

Chinese Cyberwarfare Capability

It's hard to ignore the report by Northrop Grumman Corporation on the Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, if only because of its size and authoritative style.

The title gives a hint as to what to expect: a lengthy, 88 page assessment which any good journalist or diplomat could have condensed down to a page with a bit of effort. Even Bruce Schneier has declined to read it, relying on his readers to pick out the salient points.

Written in the style of a military standards manual but littered with superfluous adjectives and acronyms, the report tells us that the Chinese are serious about cyber warfare and aim to penetrate our systems to steal information and perhaps change the data.

Yes, that's what we'd all assumed for many years. So what else is new? 

About Security Threats

This page contains an archive of all entries posted to David Lacey's IT Security Blog in the Security Threats category. They are listed from oldest to newest.