Security Threats Archives

November 22, 2006

What the SANS Top 20 really tells us

Last week’s publication of the SANS Top 20 confirms a surge in sophisticated zero-day attacks on users and web applications. It should be seen as a wake-up call for those organisations who think security can be left to their IT operations staff. A new approach is needed. We’ve been de-perimeterised, as we say in the Jericho Forum. The threat we face today is no longer random vandalism by hobbyists. It’s targeted attacks by criminals or perhaps intelligence services on valuable information and essential services. We can’t expect to stop tailored, zero-day attacks with firewalls, virus scanners and penetration tests. We have to harden our applications, encrypt our sensitive data and implement strong authentication. This can’t be achieved overnight but the sooner we start the better. In the meantime we will have to raise our game substantially in monitoring, patching and user education.

November 23, 2006

Laptop security - it's not that difficult

Yet another laptop theft story in the newspapers. This time a case of three stolen laptops containing payroll and pension details of more than 15,000 Met Police officers. Following on from the recent Nationwide incident it’s clear that the UK Media have this theme firmly in their sights. It’s nothing new of course. Thousands of laptops are lost or stolen in the UK every day. But the problem is growing with increasing numbers of laptops with larger amounts of data being carried to and from work and between meetings. And there is now a higher probability that sensitive data might be compromised with the growing interest of organised crime in new sources of information to support identity theft.

Sensitive personal and business data should always be encrypted - both in transmission and storage. There is no excuse for not doing this today. The technology is available and affordable. But you can’t change the habits of an organisation overnight. Lots of HR, Marketing and Finance personnel have been downloading sensitive personal data into unprotected spreadsheets on their PCs for many years. It’s a legacy from a less dangerous age, when we all operated in secure office environments and criminals were less inclined to steal PCs for the data they contained. But the business environment and the security threat have changed substantially, so we should aim to close down these vulnerabilities as quickly as possible.

So what should CISOs be doing to mitigate the risks? Here are some suggestions.


November 29, 2006

Securing the Written and Spoken Word

Two unrelated news items caught my eye today, one an obscure case about a cheque modification fraud based on erasable ink pens, which I picked up from Bruce Schneier's blog, and the other one a high profile news item about the bugging of Royal conversations by journalists. It’s always helpful to get occasional reminders of the vulnerability of written and spoken information to short-range physical attacks, even though such attacks are generally rare and a relatively low priority for most organisations.

The interesting thing I’ve always found about these threats is that they often seem to be counter-intuitive for many people. Most of us have high confidence in the provenance of paper and ink documents, even though they are extremely easy to forge. We are too trusting when it comes to the written word because forgeries are outside our everyday experience. Bugging is also an arcane practice that is not well understood by the average person. A paranoid executive might think that a crackly telephone line suggests a bug, when in fact the opposite is more likely, i.e. eavesdroppers prefer clear lines. And I know some executives who worry that their office might be bugged but still feel confident enough to pull out confidential papers on a train or plane, or perhaps talk openly in bars.

There's nothing more intrusive than a planted bug or line tap, but fortunately such incidents are rare. These attacks are tricky to mount, as they present risks to the perpetrator and they require inside information and frequent access to the target office. The results can also be unpredictable and time-consuming to process. There are often cheaper and easier methods of gaining inside information, such as bribing a member of staff or hacking into an insecure database. The trick, of course, when considering potential attacks on information is always to put yourself in the attacker's shoes.

December 1, 2006

Terrorist Cyber Threats – how much should we be concerned?

The US press and wire services report that the US Government has warned that US online stock trading and banking Web sites are the potential target of an al-Qaeda attack. The warning is reported to have originated from a Jihadist site.

A Homeland Security spokesperson is reported as saying: “There is no information to corroborate this … threat”. Reuters report that: “A person familiar with the warning said al Qaeda may be aiming to penetrate and destroy the databases of U.S. online stock trading and banking Web sites. But there was no evidence to suggest the effort could cause harm”.

Are we right to play down such warnings? They could well be false alarms. And our banks might well be adequately protected. There’s also a risk of crying wolf. But there’s also a danger of complacency. Personally I’d prefer to see a little more paranoia about the dangers of hostile cyber attacks.

Last year ZDNet accused me of being a “doomsayer” for a relatively mild prediction I made back in 1999 that the “Electronic Pearl Harbour” would not happen until around 2006. That particular prediction was based on an analysis of several Technology Road Mapping exercises, which indicated a cumulative build-up of threats, impacts and exposures that were expected to peak at around this time. Professor Fred Piper mentioned this in a speech earlier this year, posing the question: “Who is right?”

But regardless of what anyone thinks, it’s always better to be safe than sorry.

December 3, 2006

Databases are the New Target

I was interested to read about the latest assault on Oracle security by database security expert David Litchfield of NGSS. It comes as no surprise to me, as the focus of attacks and security controls is progressively and inevitably migrating from the infrastructure layer to the application space. Databases are the new target, because today's attacks are criminally motivated and that’s where the money is. So you can expect database vendors to come under increasing fire to tighten up their coding standards and product testing.

Of course the vendors already know this. I am regularly asked by application and database vendors what I think of their security. It often leads to a brief flurry of activity. But too often the response is a marketing initiative, rather than an attempt to transform their business processes. I guess that’s to be expected. Most software companies are run by commercial people, not technology gurus or security visionaries. Microsoft eventually saw the light and transformed their priorities, training and product development processes. It cost them a lot of time and money. Now other software vendors must bite the same bullet. It’s essential to meet today’s business expectations. You can’t avoid it. Even if the hackers don’t get you first, the regulators will sooner or later put a gun to your customer’s head.

Not that I'm pointing the finger at Oracle, because they do seem to have been raising their security game in recent years, and in fairness you should also check out Eric Maurice's response on his Oracle blog.

All of these legacy weaknesses in our databases and applications will take a long time to fix. So what can an organisation do to compensate for security inadequacies in their database applications? Well I’m afraid the answer lies in more add-on point solutions. The latest must-have security product is the database firewall. It would be nice if such technology was incorporated into leading application and database software products, but that’s some time away. In the meantime, if you’re concerned about your database security - and you should be – then you should check out Secerno, a new technology start-up out of Oxford University, based on some very interesting intelligent monitoring software designed by Dr Steve Moyle, one of the leading UK experts on database security.

December 5, 2006

Building a Secure World

Today marked the opening of a two-day conference and exhibition in London on counter-terrorism, ambitiously titled “Building a Secure World”. Highlights included excellent keynotes by the BBC’s star correspondent Frank Gardner OBE, and Sir Richard Mottram, Cabinet Office Permanent Secretary responsible for Intelligence, Security and Resilience. Both emphasised that the War on Terror was now primarily a battle of ideas and values, though there are other major strands including military, financial and intelligence initiatives. Clearly there is a long way to go, especially the work to influence hearts and minds.

The current UK Strategy is interesting for any security professional, comprising “4 Ps” to contain the risks: Prevent terrorism, Pursue terrorists, Protect the public (and UK interests), and Prepare for the consequences. No rocket science here but a nice, balanced set of objectives. And who should pay for all the extra security measures that Industry must implement? The UK Government policy is clear. Consumers should pay through Industry. UK companies should not expect cost sharing from Government.

Best quote of the day was from the floor: “We keep analysing the future through the rear-view mirror”. Absolutely correct and one of the main reasons we often get things wrong. I was also impressed to hear people using the more appropriate term “weapons of mass effect” rather than “weapons of mass destruction”. Now how many of our IT systems fall into that category?

December 8, 2006

Entering the Dark World of Cyber Crime

We should all be concerned about the growing criminalization of hacking, highlighted in a new, updated report by McAfee on Organised Crime and the Internet. This publication confirms a disturbing trend for criminals to recruit top computer students from UK universities. The report also suggests that children as young as 14 are being drawn into online crime by the promise of "celebrity status" among their peers.

Unfortunately, what might seem attractive at first will quickly become a highly dangerous lifestyle for the hackers, their family and their friends. Cyber crime is a dark, dirty business, not the glamorous profession that many young people would like it to be.

December 20, 2006

A Worrying Trend in Malware

Techworld reports a disturbing trend in the sophistication of malware. The problem is that it's declining.

Alexander Gostev of Kaspersky Lab points out that higher volumes of low-quality malware are taxing the resources of security companies. The quality is down but the quantity is up.

This is bad news because we know that the capabilities and criminal motivation of determined attackers are steadily increasing. But the security experts are being bogged down by a large amount of noise. It's a dangerous combination.

CISOs should ensure their organisations are well prepared for the possibility of a sophisticated, perhaps personalised attack. They should not rely on anti-virus companies continuing to respond in real-time to bail them out. Because the number of qualified experts is not infinite.

January 6, 2007

ATM Security - and how not to improve it

The newspapers are full of stories about Ross Anderson’s experiments with ATMs, demonstrating something we already know quite well, which is that if you spend enough time in a laboratory with a bunch of PhD research students you will actually find a theoretical weakness in a commercial system. Well of course you will! No security systems are foolproof, especially if you take them outside of their operational context. Any streetwise student can demonstrate this. But just how much does this add to the security of our banking systems? Well, not a lot.

I just wish that a university of the calibre of Cambridge would actually work constructively with APACS and the banks to develop secure solutions, rather than resorting to publicity-seeking exposures that are more likely to inform organised crime about potential lines of attack. But then that would be far too logical.

January 12, 2007

Database Security - Patching is not enough

Next Tuesday, 16th January 2007, Oracle will issue 52 critical patches. It’s clearly a great leap forward for database vulnerability management. But it also illustrates the size of our security exposure at the application level. Any company that relies on database security measures to safeguard critical business processes or sensitive personal data should be very afraid. The security threat landscape is now focused on espionage and data theft. Efficient patching will not be sufficient. We need a step change in the application of good security practices throughout the system development cycle. And we need to take steps to secure our intrinsically insecure legacy systems. Organizations should not simply wait for the next set of fixes to known vulnerabilities. They should identify their critical applications, assess the security risks associated with them and immediately apply additional security measures to prevent external and internal attempts to exploit potential weaknesses. There is plenty of affordable security technology on the market to help with this. So there's no longer any technical excuse for not keeping your critical and sensitive data under control.

January 17, 2007

Better Authentication Needed to Counter Man-in-the-Middle Attacks

RSA have reported the discovery of a “Universal Man-in-the-Middle Phishing Kit” offered for free trial on an online fraudster forum. The kit enables fraudsters to create a fraudulent URL via a simple online interface, to intercept and capture customer account details in real-time. It's a disturbing but inevitable development, providing a more powerful and sophisticated capability to the ordinary criminal. And it highlights the need for all organizations to raise their game in mutual authentication, so that the customer can verify the site as well as the site verifying the customer.

User and customer awareness helps but it won’t stop the problem, because there is always a sizeable percentage of people who will not understand the advice, will forget it, or will simply ignore it.

Strong authentication technology has been with us for years. It costs money but it reduces fraud and provides assurance for all parties. Too many organizations have traditionally relied on a reactive approach, hoping they can respond with a solution before the cost of fraud hits a damaging level. But this strategy breaks down when the threat grows much faster than the speed of implementing a fix. And phishing attacks are highly visible to customers. Your reputation is on the line as well as your money.

The Perils of Mis-addressed Communications

Stuart King's blog posting on the danger of accidentally misaddressing emails reminded me of an incident I came across several years ago. But this was the opposite problem. Wrong source rather than destination address. And deliberate, not accidental.

The incident caused a large supplier to fail to win, or even be acknowledged for an important contract they had expected to win. The supplier enquired and was surprised to discover that at a late stage in the tender process the customer had received a spoofed fax informing them that the supplier wished to withdraw from the bid, and did not wish to be contacted any further.

A simple, crude, blatant dirty trick by a competitor. Possibly with inside help. But it worked. And it demonstrated yet again that the soft underbelly of all organisations is the human factor.

January 24, 2007

Time to Publicise Security Incidents?

Ed Gibson's comments on my recent posting on "information security fatigue" raise a timely and important issue: Should we now publicise security incidents?

I'm in favour. Compliance is already moving in this direction. And if you have any Californian staff or customers you will already be responding to this issue. So let's come clean and report what's really happening. It's not without cost. It can impact your reputation. But it will quickly concentrate the minds of both business and customers.

February 4, 2007

e-Crime in The Capital

The status of Scotland Yard's current strategy on e-Crime can be seen in a recent report published by the Metropolitan Police Service. It's an illuminating read. Clearly there is much to be done, and the size and scope of the problem space is growing each year at a substantial rate. But progress is way too slow. e-Crime prevention and response needs a huge boost in leadership, resources and equipment. Without it, we’ll all get swamped by the growing waves of criminalisation of hacking and malware. We've already lost momentum with the absorption of the NHTCU into SOCA. Let's hope that the authorities can eventually grasp the nettle and begin to plan for the future threats that are heading our way.

February 19, 2007

Laptop Thefts Down at the FBI

It’s not often you get to see security incident data from other organisations, so I was interested to read a report published this month about laptop losses and theft at the FBI. This type of data is hard to come by because few organisations (other than Royal Mail Group) maintain reliable, historical data on such security incidents. And even fewer publish such information. It’s good to see that the FBI has successfully reduced laptop losses by around two-thirds, from around a dozen a month to less than four a month. The figures seem consistent with other data I’ve seen. In Royal Mail Group the problem was initially bigger, though the reduction was greater. Such savings represent hundreds of thousands of dollars a year in incident and replacement costs, not to mention the value in reputation protection and safeguarding of valuable intellectual property. And it’s not difficult to reduce the losses. It just requires a small amount of research and analysis, followed by a few simple, targeted, educational interventions. It's certainly one of the easiest and cheapest security investments for any organisation. So let’s all copy this example.

February 20, 2007

More on Laptop Losses – How many go missing?

Yesterday’s posting prompted a few questions about industry averages for the number of laptops that go missing. Such data would be very useful for business cases and benchmarking performance. Of course these figures vary across organisations and over time, depending on factors such as the mobility of staff, the degree of public transport used, and the vulnerability of the business environment.

One indication of the scale of the problem can be taken from surveys of City taxi drivers sponsored by Pointsec, a security vendor. They show that a surprisingly large number of electronic devices are left behind in London black cabs. A survey carried out a few years ago showed that in the last half of 2004, 63,135 mobiles, 5,838 PDAs and 4,973 laptops were left behind in London taxis. One hopes that most of these were deposited in police stations and eventually recovered by their owners. The figures from similar Pointsec surveys in the USA are much lower (5-10%) because fewer executives use taxis. But these figures demonstrate just how forgetful staff can be. Pointsec also point out that 60% of identity theft arises from lost or stolen equipment.

Education and regular reminders are needed. My experience is that left unchecked, a typical organisation can expect to lose up to 5% of their laptops per year. But this figure can be reduced substantially to below 1% by smart, educational initiatives. Mobile phones and PDA losses will of course be much higher. They are at present less of a concern, though a growing one with increasing amounts of data being stored on them. It would be interesting to hear other experiences and views on levels of laptop or PDA losses.

March 5, 2007

Wi-Fi Eavesdropping Gets Easier

I've been watching out for interesting reports coming out of last week's Black Hat Convention in Arlington. Apart from the RFID fiasco I commented on a few days ago, the main story seems to be a demonstration by Errata Security of a new sniffer tool, shortly to be made available, that helps categorise intercepted WiFi emissions.

Of course there's nothing new in the vulnerability of insecure WiFi networks to determined attacks. But these tools make attacks much easier to mount and will therefore raise the potential threat level. I've often found that users adopt a markedly more sophisticated approach to their use of IT once the usability of their tools passes a certain threshold. So any advance in sniffer tool usability might herald a new wave of attacks. One to watch for, though of course the problem is that such interception is largely invisible.

March 7, 2007

The Hidden Cost of Fraud

A new report commissioned by the Association of Chief Police Officers puts the cost of Fraud in the UK at more than £20 billion. It's been arrived at by adding up the costs of reported fraud and then adding a rather conservative 50% extra to take account of under-reporting and tax evasion. This might sound like a lot of money but in my experience it's a substantial understatement of the problem. Because organizations are not only reluctant to report fraud, they are also ignorant of most of the fraud that occurs right under their noses.

Fraud is hard to crack because it's invisible, hard to detect and difficult to prosecute. Much of it is the result of weak business controls and a lack of expectation that it will happen. Most managers are far too trusting. They expect their staff and colleagues to be honest and incidents to have a visible impact. But that's not generally the case. There's an old maxim that states that if you take any four people, one will be an out-and-out crook, one will be honest to the point of stupidity, and the other two will take a risk assessment to see what they can get away with. I've never tracked down the source of this adage or validated the statistics, but it would seem sensible to assume that there are significant percentages of staff in each category. (Can anyone shed any light on this?)

And fraud can carry on for long periods without detection. The Oil and Gas Industry were shocked in the late 80s to discover that networks of so-called "illegal information brokers" had for many years been manipulating major procurement contracts without their knowledge, because these activities are very hard to identify and even harder to investigate and prosecute. It's a fair assumption that most industry sectors face similar issues. But they just haven't come to light or been adequately investigated. Or worse still, they have been recognized but management has decided that they are simply too difficult and expensive to address.

And who are the people who commit fraud? Well, I once put this question to one of the most experienced ex-police computer security investigators and he replied: "David, it's often bank managers who rob banks, and company directors who steal from companies". I also recall a former CSO from a top international company being quoted as saying that there were three categories of insider who committed crime: single women under 35, ladies over 50 who want to give the money to charity, and older men who feel their careers have left them neglected. I have also noted that the typical profile of an "illegal information broker" in the Oil Industry is a middle-aged industry professional, perhaps passed over for promotion. So the lesson to be learned is that it could be absolutely anyone. After reading this you might be inclined to view your colleagues with new eyes.

March 15, 2007

Unacceptable Physical Security Must Be Corrected

The Information Commissioner's Office (ICO) has found eleven banks and other financial institutions in breach of the Data Protection Act after investigating complaints concerning the disposal of customer information. They were all found to have discarded personal information in waste bins or receptacles outside their premises.

This is clearly a widespread problem. The ICO points the finger at HBOS, Alliance & Leicester, Royal Bank of Scotland, Scarborough Building Society, Clydesdale Bank, NatWest, United National Bank, Barclays Bank, Co-operative Bank, HFC Bank, Nationwide Building Society and The Post Office. It must be seen as a major wake-up call as the guilty parties are all respectable organizations with sizeable security budgets and functions, ones that are more likely to be leaders rather than laggards in security. If these companies can't get it right then it's highly likely that your organizations are also at fault. And there's no excuse. It doesn't require expensive technology, just a clear policy and firm enforcement.

March 23, 2007

Oracle Sues SAP for Information Theft

Yesterday Oracle announced that they are suing SAP for violations of several Federal Acts. The Complaint makes interesting reading. Oracle claim that SAP committed "corporate theft on a grand scale", illegally accessing and downloading thousands of proprietary, copyrighted software products and confidential materials. They claim that SAP employees used the log-in credentials of Oracle customers with expired or soon-to-expire support rights, in order to gain access to their password-protected customer support website.

The claim highlights a number of interesting points. Firstly, the ease with which password credentials can be stolen or passed on to third parties. It makes you wonder just how much information theft might be going on. Secondly, that it's relatively easy to identify potential sources of data leakage by looking out for unusual activity, such as large numbers of downloads in a short space of time. And thirdly, that it's likely that anyone engaging in illegal activity in a highly competitive marketplace will be found out at some stage. Because there will be intense scrutiny by competitors.
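The second point above, spotting leakage from the access pattern rather than from the content, is easy to put into practice. The following is an added example, not code from Oracle, SAP or the case itself: the log format, the account names, the support-expiry table and the thresholds are all constructed for illustration. It reads a support-portal access log, flags any account whose downloads within a sliding ten-minute window exceed a threshold, and separately flags downloads by accounts whose support entitlement has already lapsed (the two signals the Complaint describes).

```python
"""Flag unusual download activity in a support-portal access log.

Added example, not Oracle's or SAP's code. Log format, account names,
support-expiry dates and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, account, action, resource.
# acct-1042 pulls seven patches in under a minute; acct-2077's support
# lapsed at the end of 2006 but is still downloading; acct-3150 is normal.
SAMPLE_LOG = """\
2007-03-20T09:00:01 acct-1042 download patch-3.2.1.zip
2007-03-20T09:00:09 acct-1042 download patch-3.2.2.zip
2007-03-20T09:00:17 acct-1042 download patch-3.2.3.zip
2007-03-20T09:00:25 acct-1042 download patch-3.2.4.zip
2007-03-20T09:00:33 acct-1042 download patch-3.2.5.zip
2007-03-20T09:00:41 acct-1042 download patch-3.2.6.zip
2007-03-20T09:00:49 acct-1042 download patch-3.2.7.zip
2007-03-20T09:02:10 acct-3150 login -
2007-03-20T09:02:30 acct-3150 download release-notes.pdf
2007-03-20T10:15:00 acct-2077 download patch-3.1.9.zip
2007-03-20T11:40:00 acct-2077 download patch-3.1.8.zip
2007-03-20T14:05:00 acct-3150 download patch-3.2.1.zip
"""

# Constructed entitlement table: account -> date support expired/expires.
SUPPORT_EXPIRY = {
    "acct-1042": datetime(2007, 3, 31),
    "acct-2077": datetime(2006, 12, 31),
    "acct-3150": datetime(2008, 1, 1),
}


def parse_log(text):
    """Parse lines of 'timestamp account action resource' into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, resource = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), account, action, resource))
    events.sort(key=lambda e: e[0])
    return events


def find_download_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {account: peak count} for accounts whose downloads inside any
    sliding `window` exceed `threshold`. One deque of timestamps per account."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, account, action, _ in events:
        if action != "download":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            peaks[account] = max(peaks.get(account, 0), len(q))
    return peaks


def find_expired_account_use(events, expiry):
    """Return the sorted accounts that downloaded after their support expired."""
    hits = set()
    for ts, account, action, _ in events:
        if action == "download" and account in expiry and ts > expiry[account]:
            hits.add(account)
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("download bursts:", find_download_bursts(evts))
    print("expired accounts still downloading:",
          find_expired_account_use(evts, SUPPORT_EXPIRY))
```

On the constructed log this reports a burst of seven downloads for acct-1042 and flags acct-2077 as downloading after expiry, while acct-3150's two downloads several hours apart trigger nothing. The threshold and window need baselining against real customer behaviour: a legitimate customer mirroring a patch set will look exactly like the burst case, so treat the output as a triage signal to be confirmed against the entitlement records, not as proof of misuse.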

Regardless of the outcome of this case there is an action for us all. As I've said before, we should always close ranks against companies or employees that think it's acceptable to employ illegal methods. Top companies should aim for the high ground, not sink to dirty tricks.

Y2K Lessons Forgotten Already

Those of you who might have concluded that the risks posed by the Y2K Bug were overstated should take a look at this recent story about six Lockheed F-22 Raptors crossing the International Date Line (IDL). The F-22 Raptor might be the most advanced fighter jet in the world, but multiple systems, including fuel, navigation and communications, crashed when the six Raptors crossed the IDL. Fortunately the weather was good and there were refueling tankers around to help guide them home. Otherwise it would have been "real serious".

Clearly we haven't all learned the lessons from the Y2K experience.

April 7, 2007

Real-Time Intelligence on Terrorist Incidents

All security professionals worth their salt need to keep an eye on global security events, especially terrorist acts that might present an immediate risk to company assets or globe-trotting executives. So it's definitely worth adding Global Incident Map to your Google Favorites list.

This remarkable site is a free service intended "to give the public, law enforcement, military and government individuals a new way to visualize, and become instantly aware of terrorism and security incidents across the world". It blends together news feeds, Google Earth images and other data to deliver an up-to-date visual summary of terrorist incidents and other suspicious activity across the world. It looks to be a useful addition to any crisis room.

Now, if we could just have one of these maps for cyber-incidents...

April 22, 2007

Have We Reached a Tipping Point in Consumer Credit Card Confidence?

The run up to Infosecurity Europe (this week in London) is always an interesting time because of the associated wave of product launches, surveys and press releases. One announcement that caught my eye was the results of a MORI survey commissioned by Secerno, a leading UK supplier of database security technology, on current British consumer views on personal data theft.

Of course these days we should expect retail customers to be more street-wise about data theft. Especially following incidents such as the recent breach reported by TJX (the owner of TJ Maxx), in which hackers stole details of more than 45 million payment cards. It was interesting to observe some consumers interviewed on UK TV News over the weekend (following a credit card skimming incident in Hull) saying that they now preferred to pay for petrol in cash to avoid the potential risk of data theft.

But the figures in the Secerno survey are disturbing for the progress of e-Commerce in the UK. They indicate that a massive 95% of consumers are concerned about data theft, and that 63% of adults are concerned about the ability of data centres to protect their data, in the UK and abroad. These figures cannot be ignored by merchants because they also suggest that a whopping 53% of customers might refrain from using services, and almost as many might opt to cancel their credit cards, from companies that do not immediately address major breaches.

Perhaps we have reached a major tipping point at which large numbers of consumers are losing confidence in the security of credit card transactions. It certainly seems that way from this survey, because it also indicates that 45% of consumers do not think banks and online retailers are doing enough to protect their personal data. Such figures suggest there could be a major crisis of confidence brewing. And that's something we must avoid at all costs.

April 29, 2007

How Real is the Threat of Cyber Terrorism?

Last week's Daily Telegraph reported concerns expressed by Home Secretary John Reid about the threat of cyber terrorism causing economic chaos or plane crashes through an electronic attack on critical national infrastructure. Just how worried should we be? Is the likelihood of such an attack an imminent danger? Or is it just political scaremongering?

My own views are well-established. Back in 1999 when many people were talking up the possibility of an electronic Pearl Harbour, I forecast it was unlikely to occur before 2006. But after this time we would enter a long "critical convergence period" characterised by a step change in corporate risk profiles, resulting from growing connectivity, loss of perimeter security and increased vulnerabilities in platforms. And by this time the capabilities of terrorist groups, as well as their interest in such targets, might be sufficiently mature for them to contemplate a serious attack.

The problem is that terrorism, like espionage, is a covert activity. We simply won't know how much we are at risk until we get hit. Yet industry and government are still in reactive mode when it comes to security. Business and finance managers are naturally reluctant to spend money on new security measures until they've seen real evidence of a threat. And by that time it's too late.

So what can we do to mitigate the risk? Well if you can't afford the cost of hardening your critical systems and installing effective intrusion prevention systems, then at least be prepared to respond effectively to an incident. It doesn't cost much to review and update crisis response procedures and organization, or to conduct a short crisis exercise. And at the very least that should provide some much needed awareness amongst senior management of the seriousness of their exposure.

May 25, 2007

We Give Our Enemies Too Much Credit

Thinking back on last week's NISC8 Conference, I have to admit to an uncomfortable feeling that we've been giving far too much credit to criminals, terrorists and spies. It's bad enough using respectable-sounding labels such as high-tech or white-collar crime. But I also heard several speakers making remarks such as "these people are smart" and "you need a holistic approach because they'll find your weakest point". This is not my experience, nor that of leading authorities such as Donn Parker, who spent many years interviewing convicted computer criminals. They are rarely smart and seldom versatile, tending to operate with a narrow modus operandi. So let's not give them the respectability they don't deserve.

June 5, 2007

Mobile Device Security

Mobile device security is becoming a hot topic, so I was highly interested to read the results of recent research into the causes of mobile phone losses by simplyswitch.com. It claims that a staggering 885,000 mobiles, worth around £342 million, are accidentally flushed down the lavatory (that's the posh word) each year. This seems to be the biggest cause of such losses, followed by 810,000 losses in pubs, 315,000 left in the back of taxis, 225,000 left on buses, 116,000 in the laundry and 58,500 chewed by pet dogs.

A survey carried out a few years ago by Pointsec, a security vendor, showed that in the last half of 2004, 63,135 mobiles, 5,838 PDAs and 4,973 laptops were left behind in London taxis. This now looks like small beer compared to the lavatory problem. And of course it's likely that at least some mobiles left behind in taxis and buses might be recoverable.

This is a fascinating insight and a helpful input for designing security education campaigns. Mobile devices are becoming smaller and more powerful, so we need to take more and more action to minimise the business damage from accidental losses. These days a single loss can compromise gigabytes of sensitive data, enable unauthorised access to corporate networks and ruin the week for a senior executive. Not to mention the replacement and recovery costs.

So what can we do to prevent such losses? Waterproof coatings might be a good start. Perhaps coupled with some kind of elasticated lanyard to enable the device to be more easily fished out of the lavatory bowl. Or some sort of collapsible tray attached to the belt that opens out when you relieve yourself. In-built automatic location sensors might also help track down the device in the plumbing. Training courses in how to use facilities safely might be the next step. The mind boggles.

June 8, 2007

Minimum Security Standards Are Mandatory for Safeguarding Customer Data

This week's press reported yet another loss of customer data by a leading UK Bank. This time it was HBOS coming clean about a loss of a disk containing information about more than 60,000 mortgage customers.

This type of incident is not new. People regularly make mistakes in today's fast-moving, cost-cutting business environment. All organisations have scores of insecure practices. In the safety field it's well understood that, on average, behind every major incident there are likely to be around 30 minor incidents, several hundred near-misses and thousands of bad practices. But you can also be unlucky. Anyone that's studied Statistics will appreciate that an average solution is not generally the most probable outcome.

But what caught my eye about this incident was that the Bank admitted that the data should have been encrypted and sent by a secure courier. Now that's a step in the right direction. It shows that Management appreciates the need for defence-in-depth security standards. Perhaps the message is finally getting through, i.e. that there are minimum standards for the protection of customer data - you don't leave it to the discretion of the business.

June 11, 2007

Privacy Expectations on the Internet?

I note that Google has come in for some stick from Privacy International, an International Human Rights Watchdog, for being "hostile" to privacy in a report that ranked leading Internet firms on how well they handle personal data. This London-based group claimed that Google was leading a "race to the bottom". Google naturally responded that the report was mistaken and it was working hard to safeguard user data.

Perhaps I've missed the point on this debate. But it strikes me that we do have a choice. You don't have to use the Internet. Many people that do are quite comfortable entering their personal data on Web pages for others to see. And most people today are mature enough to recognize that there's no such thing as a free lunch. If you get a free service then it's likely to be at the cost of an advertising sell. That's not a bad thing. Small and medium-sized enterprises rely on customer information and direct mail to promote their products. They're not evil. Such advertising serves a useful economic purpose.

If you don't like being connected to billions of other people, then don't use the Internet. But once you engage with it, you should lower your expectations of privacy. Because it's a powerful data sharing medium. That's what it's all about.

June 20, 2007

Blackberrys Discouraged By French Government

The French Security Service is reported to have advised Government officials working in sensitive offices not to use Blackberry devices because they use overseas servers, opening up an espionage risk. An alternative solution has been offered but it does not appear to work quite as well. Some officials are reported to have reverted to clandestine use of their Blackberrys. RIM claim that their encryption system is strong but they miss the point. It's about sourcing of products and services, rather than security features. If you don't control the sourcing, they can be compromised.

There's nothing new here of course. I know a few UK CISOs who initially resisted the introduction of Blackberrys because they could not get the assurances they required from RIM. In a perfect world we'd fully control the manufacture, supply and maintenance of all items that might carry sensitive data. But that's not practical. So what can one do? Ban the use of new foreign technology and services? Accept the possibility that foreign powers are listening in? Seek written assurances? Or try to manage the risks. The latter option is interesting. Because it opens up the thinking that the benefits of new technology might perhaps outweigh the potential damage from eavesdropping. And how many of our communications are really sensitive? Can they be secured on an exception basis? Or can we develop add-on solutions to secure off-the-shelf products and services?

The future technology market is a highly consumerised one, based on products manufactured in China and IT services that are increasingly off-shored. New thinking is required to manage the increased risks of espionage and fraud. Because imposing a blanket ban on the latest executive toy is unlikely to be welcomed by your senior users.

July 7, 2007

Who Will Control the Market in Zero-Day Vulnerabilities?

Every security professional should be keeping an eye on the developing market in security vulnerabilities. For some time, security vendors such as i-Defense and TippingPoint have been offering thousands of dollars in exchange for new security vulnerabilities. And this week saw a new development in this market with the launch by WabiSabiLabi of a new eBay-style service for trading security vulnerabilities.

It’s a fascinating, disturbing but inevitable concept, which underlines both the increasing value of security research and the growing ease with which potentially dangerous, cutting-edge know-how can be obtained. Such services are a step forward if buyers are adequately screened and management can properly safeguard the highly sensitive information they are likely to attract. But the easy access to such information can also present an increased risk. So let’s hope the company is geared up to manage this service securely. WabiSabiLabi claims to be “vendor neutral” and it certainly has an international flavour with a Swiss base and a Japanese-derived name.

One thing is clear. The stakes in this market are getting higher with growing business and citizen dependence on technology. The trading price of a new security vulnerability reflects this. In fact it’s a powerful new security metric that reflects the real value of information security in today’s world.

September 10, 2007

Cybercrime in the UK

A new report commissioned by Garlik, a UK vendor of privacy management services, on the subject of UK cybercrime, contains some interesting findings. Such surveys are essential reading for security professionals as they help to fill in pieces of the slowly forming but largely incomplete jigsaw of cybercrime activity in the UK.

Of course, as with any survey that might have been carried out primarily for marketing purposes, it's necessary to take any estimated figures with a pinch of salt. Some are scaled up from previous surveys. For example the staggering figure of 1.93 million on-line (email) harassment cases is estimated on the basis of an earlier survey which indicated that 8% of adults using the Internet were victims. But nevertheless, the survey indicates a massive, growing problem for cybercrime offences against the person. And it's interesting also to note that "cyber crimes are just as prevalent as traditional crimes. In 2006 the incidents of online financial fraud doubled the number of robberies taking place". Which suggests that UK law enforcement strategy might not have the balance right.

The report also points out that "computer misusers tend not to consider their actions as immoral". And interestingly, the experts have already coined a term for this lack of virtual moral consensus. It's called "toxic disinhibition". However not everything is neatly defined. The report also points out that "although the term ‘cybercrime’ is now in everyday use, the first problem encountered in measuring cybercrime is that there is no commonly-agreed definition of the term". And, unfortunately, that can undermine the credibility of any cybercrime survey that relies on figures from earlier studies.

September 23, 2007

The Changing Security Threat Landscape

Last week Symantec issued their latest Internet Security Threat Report. These six-monthly reports have become essential reading for all security practitioners. The latest 30 page report (it could do with a good précis) is packed with useful, though largely unsurprising, facts.

The report confirms that the security threat landscape is becoming characterized by attacks that are more professional and increasingly commercial. These attacks are often carried out in multiple stages, using a low-profile compromise to create a beachhead from which subsequent attacks can be launched. Multiple methods of attack are likely to be used and trusted entities will be exploited. Defending against such attacks is not easy. They are difficult to detect and even harder to stop. And in an age when zero-day vulnerabilities are a reality, it’s disturbing to read that some big vendors still have patch development times measured in hundreds of days.

The consequence of this trend is that organisations need to adopt a more intelligence-led approach to security. Identify valuable assets and critical services. Understand the enemy. Think like an attacker. And then implement specific controls to identify and deflect such attacks. It’s no longer good enough to apply a basic level of commodity security across your estate. That approach might have been effective in the past. But today’s attackers don’t just focus on soft targets. And the sophistication of their threat has now surpassed the defensive capabilities of most baseline security measures.

October 1, 2007

A Sharp Increase in Email Threats

Message Labs latest intelligence report shows a sharp increase in viruses, spam and email threats, which now stand at record levels. Over one in fifty emails now contains malware, generally through a link to a site that installs it when opened. More than one in ninety mails contains a phishing attack. And viruses have doubled since the Spring to levels not seen for 18 months.

A major factor behind the increases is the Storm botnet, which created a fair amount of havoc in August. But it all demonstrates the unexpected nature of today’s threats. They can grow rapidly and decrease just as fast. Statistics provide little indication of future levels of activity. So business cases for new defensive measures should not be built on historical incident levels alone. Security functions need to be agile, always prepared for a steep rise in threats. With Christmas approaching it's a timely reminder for everyone to sharpen up their incident response.