May 2008 Archives

May 1, 2008

Is security really a business enabler?

The title of this blog is the subject of a presentation I gave yesterday to the IISyG. I took a deliberately provocative stance, making the point that security is not there to enable the business; it's there to mitigate risk. That is not the same thing: it's cost, expense, and time, and we only do it because we have to.

What was interesting was the vociferous counter-argument, especially from those present from the financial services industry, who made the point that many of their services would not be publicly acceptable, nor acceptable to their regulators, without solid built-in security, and so in their case it's an enabler. Yes, I agree; however, doing something because you have to is not the same thing as doing something because you want to. The financial services industry is the same as other industries in that profit is the driving force, and if they could get away without the additional cost and expense of designing stronger and better security then they probably would.

I don't think there is anything wrong in admitting that we "do security" because we have to. The trick is in the way the work gets sold within the business. Too often security professionals try to justify costs by presenting vague ROI figures or metrics such as firewall logs showing the number of intrusion attempts. The problem with this is that the finance director will laugh your ROI data out of his office, and nobody outside of the IT department is going to be a) interested or b) able to understand the significance of a pie-charted extract of the firewall logs. If you want to convince the business then you have to cut out the techie chat. The key points I made are that we need to

- Take a risk-based approach
- Focus on business needs
- Talk the language of the business
- Don't make wild statements about cost savings and ROI
- Work to reduce costs
- Put risk assessments into context
- Present a decent set of meaningful security metrics

One of the interesting notes that came out of the discussion was the impact of using the word "security." This seems to be the passion-killer. Talk about "risk" and "compliance" and "governance" and the view is that it's much easier to get business buy-in. Talk about "security" and it's considered to belong in the IT department or checking passes at the main entrance.

May 2, 2008

Web scam suicide

Those who fall for spam-based scams such as the Nigerian 419 emails or fake lottery wins make themselves easy targets for ridicule from those wise enough to be "in the know." However, there is a deadly serious side, because many of the scams appear to be very plausible on first read, people do fall victim, and lives do get ruined as a result.

No better example than that reported by the BBC today. Read the full, tragic story here of how a university student killed herself after giving "more than £6,000 in the belief she had won half a million pounds in a lottery after being contacted over the internet."

Some people are vulnerable to scams because of their circumstances, not because they are overly gullible or stupid. If the scam is plausible enough and catches us at the right time in the right circumstances then any of us could get taken in. So, we need to remain vigilant to spam and we need to continue our warnings and security awareness messages.


May 5, 2008

Top five information security blog posts

Here are my top five information security related blog posts of the moment

1) ID theft – Facebook and MSN exploited by Kai Roer. This is a great example of a malware infection resulting in a compromised Facebook account and the resulting damage that can be done. There are plenty of other Facebook related stories around at the moment including this one from the BBC who were able to create their own malware for compromising private data.

2) Stopping at compliance by Michael Farnham. Michael hits the nail on the head when he says "compliancy does NOT equal security." I couldn't have put it so well myself.

3) Evolving Schneier's Security Mindset. An interesting discussion on the perception of risk. The question the risk analyst must answer however, is really "What is *probable*?". And we should really belabor the point that "What is probable?" is not just a "Can it be done?" question.

4) Swiss Army Knife – The Personal Portable Security Device posted by Mark Diodati. This discusses what is, from my point of view, an exciting new class of authentication product for the corporate network. Well worth reading about.

5) ROSI - Security Returns? by C Warren Axelrod. Interesting because I'm more likely to take an opposite stance and argue against trying to demonstrate an ROI for security related investments. Frankly, I don't think you can prove it.

May 6, 2008

Microsoft Senior PC - not just for the elderly

My mother-in-law is, to give her some credit, an intelligent lady. However, face her with an upgrade from Windows XP to Vista and from IE6 to IE7 and you have a situation akin to explaining quadratic equations to a two year old. Both circumstances will result in heavy objects being thrown around in frustration.

So, the idea of Microsoft to provide a range of "Senior PC packages" is, in my mind, borderline genius and something I wish I had thought of first. Computer Weekly mock the idea in this week's magazine, something I think is very unfair given that I'm sure some of their editorial team are getting on a bit and would probably be able to make good use of the built-in prescription software...

If home computing can be made as easy as taking the PC out of the box, plugging it in and turning it on (not a word from the Mac users please - I know you've been able to do this for years) then that's to be encouraged for everyone, not just the elderly. And if it stops the "support" calls from my mother-in-law then that's priceless!

May 7, 2008

Peter Gabriel Web Server Stolen

Peter Gabriel's website fell victim to data center theft

Reported on Slashdot today is the news that Peter Gabriel's web server has been stolen from the data center where it was being hosted. I have my own thoughts on a possible motive, mostly related to some of the dreadful noise he's produced over the past 30 years.

Physical security has been a previous topic of this blog (see entry from 10 Dec 2007).

1. Don't make assumptions about third party security controls. Check them for yourself.

2. Make sure your incident response plans include actions to take in the event of critical equipment being stolen.

Some good guidance on physical security for small businesses here on GetSafeOnline.

Some further related information here.


May 9, 2008

Laptop encryption

How much confidential business data has been compromised over the years as a result of the theft of laptop computers? It's a good question if you ask me because we're all under pressure to ensure that mobile computing devices employ encryption to ensure that appropriate risks are mitigated in the event of them being lost or stolen.

Such pressure mounts when we also see organisations being fined when laptops go missing. For instance, the Nationwide Building Society got hit last year for nearly £1m when a device that was taken from an employee's home "contained confidential customer information and may have put millions at risk of identity theft." Full story here. Chances are that this was nothing more than a random burglary committed by thieves who probably don't even have opposable thumbs capable of opening the lid. So, the chances of them being able to get any data out of it are slim. Most likely the drive was formatted by the new owner after it was sold for a quid and it's now being used by a local education authority somewhere in west Africa. As also stated on this blog, the "majority of laptop thefts are not targeted, they're just carried out by someone who sees the laptop as a portable asset that can be easily resold."

But, let's suppose that the theft could have been targeted, and somebody could specifically have been after the data. A real enough scenario for some organisations. Encryption certainly mitigates the risk up to a point. However, if such effort is going into capturing a device then you can bet that some forethought would also be going into obtaining the relevant keys. For a good example, remember the case where car thieves cut off the index finger of the owner of a Mercedes in order to get around the biometric security. Where there are motivated, capable, and dangerous adversaries, operating for profit, then is your personal safety worth holding out on the password to your laptop?

In my mind, a much better solution is to keep confidential data off mobile devices in the first place. But let's come back to the original point and question: how much confidential business data has been compromised over the years as a result of the theft of laptop computers? I don't know, and it doesn't matter, because if your laptops get stolen, and if they contain confidential or personal data, and if you have not used encryption, then you're stuffed: if the Press don't get you then the regulators will, and when encryption is so cheap and easy to implement these days then you've just been negligent.

So, in fact, the biggest risks to your business may well come more from the negative perception and the resulting fines and damage to your reputation than from the probability of the data being compromised and used.

That is good enough reason even if you, like me, don't rate highly the risk of data actually being compromised in this way. So now all you have to do is choose your encryption product. And that's another story....

May 10, 2008

Insider Threats: the biggest Information Security risk

It's a fact that most crimes are committed by people known to their victims. Similarly, businesses are most at risk from former and current employees. Most commonly when thinking about information security we consider how to prevent intrusion into our business from the outside. The facts and statistics tell a different story. 62% of large businesses in the UK (source: DTI/PWC Insider Threat Report 2006) have dealt with a security incident instigated by a current or former employee.

I've been writing up some of my research into insider threats in the form of a paper describing the risks posed to a fictional multinational company, Acme Widgets plc.

You can download the paper for free here. If you'd like to leave me feedback or would like more information about insider threats, write to the email address within the digital signature at the end of the document.

If you'd like to make a donation in return for downloading the paper, please give to Children in Need.

May 12, 2008

HSBC lose a server

Another reported theft of a server containing customer data. This time from the HSBC bank in Hong Kong. "The bank said it had lost track of the server during renovation work at a Kwun Tong district branch in east Kowloon on April 26. Police are investigating and say the server was stolen."

Read all about it here and there's more here.

This is a really careless way to lose data. I thought it might be fun to read the bank's own statement on data security.

Security is our top priority. The Hongkong and Shanghai Banking Corporation Limited ('the Bank') will strive at all times to ensure that your personal data will be protected against unauthorised or accidental access, processing or erasure. We maintain this commitment to data security by implementing appropriate physical, electronic and managerial measures to safeguard and secure your personal data.

Each visit I make to a business unit, one of the first things on my agenda is a visit to the server room, where I'll check everything from the access log to the temperature of the air conditioning. Spend all you want on boxes of tricks to stop the hackers getting in, but forget to lock the door to the servers and it's game over. Risks increase if your office is within a building shared with numerous other businesses, as is the case with this branch of HSBC in Hong Kong.

I recall one particular far eastern office I visited not too long ago. The main door to the server room was locked fast and the IT manager took delight in demonstrating how secure the room was. Walking around inside the server room I noticed another door. "Where does that one lead to?" I asked. "Outside" was the response. "Is it secured?" was my next question. "Yes" the manager replied, "the sticky tape holds it shut."

May 13, 2008

Data Loss Epidemic

Most UK companies are losing data every month, a survey has found. The majority of UK businesses, 79 per cent, are losing data at least once per month, according to the survey of 250 senior IT staff at businesses larger than 1,000 staff. Read the rest of the article here.

The results of such surveys are great marketing for companies such as CA with their portfolio of threat management tools. I suppose the question is how you define "losing data." One record or a thousand records? Do you want to count every lost USB stick and mobile phone? Perhaps you should if they are likely to contain private data. Most of the problem is that we don't know where all our data is. There's no neat perimeter - it's everywhere from in your pocket to the third party company that does your mailshots.

Personally I'd prefer to not play on scare stories and wild statistics. There's a change of attitude required. We're not going to solve data security problems with technology alone and it's not simply an IT problem. It's culture, training, awareness, and technology. We need people to start asking how to protect data rather than waiting to be told.

May 14, 2008

Impact Factory

I spent yesterday in the company of Jo Ellen Gryzyb and Doug Osbourne of Impact Factory on their excellent presentation skills course. The course was a revelation: rather than being a critique of any bad habits, the course focuses on existing strengths and provides a number of tools for making best use of them. I know that the next time I stand up in front of an audience I'll be able to talk with a lot more confidence and to far greater effect.

Good presentation skills are an important and valuable asset. Selling the benefits of an information security program or project can be challenging so it's good to be armed with a good set of techniques for getting across the right messages regardless of audience or the amount of time available.

May 15, 2008

Passwords, crocodiles, and air disasters

What do air disasters and password policies have in common? They were both the subject of anecdotes at last night's IISP lecture on "Security awareness - promoting long term behavioural change" presented by Martin Smith of The Security Company.

Martin was making the point that everybody in an organisation is a stakeholder in information security, and that most businesses are rubbish at getting the right messages across. A copy of the employee handbook, a leaflet and a poster saying "Be Secure" with a picture of a padlock on it do not make for an effective and meaningful security awareness program.

The point was that we need to emphasise messages in terms the business understands. For example, if you lose a pound then that's one pound profit gone which probably took ten pounds revenue to generate. Therefore you need to make another ten pounds to make that same pound profit back. In fact, you need to make twenty pounds because the first ten now only covers your original loss. Make sense?

The password anecdote related to an organisation that fired somebody because he intentionally shared his password with a colleague to, apparently, facilitate a business related task. I can't vouch for all the facts but certainly strict and dogged adherence to policy is not always effective. Beat employees up with too big a stick and you're likely to end up with lots of disgruntled employees who care little for your security regime.

The air disaster was an example of how lots of seemingly unimportant events (lots of little chickens) came together and resulted in a mid-air collision (the crocodile). At any point prior to the incident, somebody should have either raised issues or adjusted their behaviour. Human factors caused the disaster, not technology. An all too real example highlighting the fact that not one single recent data breach has been because of a technology failure. It's human factors each and every time.

May 16, 2008

We can't write secure code

David Lacey makes the important point that writing secure software is "not just about cutting secure code or developing better testing tools. We need to get things right much earlier in the development process." It's a subject I've been harping on about for some time, with many references to excellent resources such as OWASP, and great leaders on the subject such as Mark Curphey.

Over the last few years I've heard many solutions proposed to fix the problem of insecure software, ranging from sacking the developers to improving the software development lifecycle so that security requirements are stated from the outset and followed through into production and beyond. The evidence is that none of it works. OK, the folk at Microsoft, for example, will say that security is now embedded in their culture, and they've certainly generated a nice new stream of revenue for themselves out of all the books, tools and journals on the subject. But they are still releasing security patches with a frequency and regularity that I wish the rail company I use each day could achieve with its trains. And other vendors are coming up with clangers at an alarming rate. For example, this latest one from leading CMS vendor RedDot. An SQL injection vulnerability in an enterprise level CMS system - what were they playing at with their quality control?!

So, here's the thing. We can't write secure code. It's true. Can you show me any decent commercial, consumer focused product (that people actually want to use - not just techies who haven't seen daylight in 12 years and live on a diet of digestive biscuits) that is secure from the off as soon as it's exposed to the Internet and where 12 months later it hasn't required a patch of some sort? Systems are simply too complicated with too many lines of code for anyone to expect that they can be released without containing bugs and security holes. That doesn't mean that we shouldn't try, it just means that we should take a different approach. That approach, in my opinion, is to take a leaf out of the new edition of the PCI standards and stick a ruddy great application firewall in front of everything. That doesn't make the code secure, it's a sticking plaster over a wound. But - to continue the analogy - a plaster stops the bleeding, prevents germs getting in, and while it's not a cure, it's good enough.

I'm not knocking OWASP et al. It's the first resource I recommend developers go to and will remain so. Just that the business expects more functionality, cheaper costs, more complexity, better performance, and a more rapid deployment for its products. Chucking in security with all that lot is like rubbing your belly and patting your head at the same time, while riding a motorbike. So, let's make it easy on ourselves. Application firewalls!

May 19, 2008

Vista (in)security - It's all your fault

Windows Vista is, apparently, less secure than Windows 2000. An analysis of threat data collected over a six month period by security software developer PC Tools suggests that despite a bottom-up code rewrite and the uber-annoying User Account Control feature, Vista isn't doing as good a job as some of its predecessors in keeping hackers at bay. By PC Tools' calculations, based on analysis of 1.4 million computers which accessed its online ThreatFire community, 639 unique threats were found for each 1,000 Vista machines. For Windows 2000, the figure was 586, while for Windows 2003, it was 478.

The response from Microsoft to this news is that "in some cases it's the user and their lack of knowledge and their implicit 'it-won't-happen-to-me' complacency." Michael Kleef goes on to say that we need to do more to educate users about security. "If I, despite all prompting and consent behaviour, choose to go to a (probably dodgy) website, accept the ActiveX control prompts to download (probably dodgy) code and I actually choose to execute that code then I'm hosed," he says.

I disagree with Michael. Vista is far too complex for most home users. I'm willing to bet that few people really understand the implications of most of the security settings or security related messages they are bombarded with over the course of a browsing session.

I don't doubt Michael's statement that "Vista's actual vulnerabilities are significantly less than Windows 2000", but if the operating system is more vulnerable because people using it are more likely to allow malicious code to execute then nothing good has been accomplished. It's a bit like driving a car which, every time you try to accelerate, asks you "are you sure you want to go faster?" Sure I do, if only I can switch off the annoying message - now, what did it say?

May 20, 2008

Come the revolution...

My sanity is being questioned for the second time in less than a week. In this instance it's because I have stated my opinion that it's OK for company employees to write down their passwords. There are conditions attached to that statement: use common sense and don't keep the note anywhere close to your computer.

People write them down anyway, and a policy banning the practice is unenforceable. Given the number of passwords and the complexity that we enforce then expecting everybody to be able to remember all their passwords is completely unrealistic.

What we need to have instead is pointed security awareness messages that give sound advice about managing passwords. By all means make dictatorial edicts, but history tells us that many dictators get their come-uppance come the revolution...

MySpace, fake profiles, and Internet surveillance

American prosecutors have, in the past week, indicted a 49-year-old woman on conspiracy and hacking charges for creating a fake MySpace account. In this particular instance the woman's motives for creating the account were to torment a 13-year-old neighbour, allegedly leading to her subsequent suicide.

Motive and deed aside - and we can all have an opinion on that - the prosecution is based on "three counts of unauthorized access by violation of MySpace's terms of service and one count of conspiracy." In other words, "criminally accessing MySpace." Read the SecurityFocus article here.

This raises important questions. Some of them here from Bill Thompson, a journalist for the BBC.

We need to be careful that the US legal system, desperate to prosecute someone over the tragic death of a young girl, does not end up establishing a precedent that leads us all to censor ourselves online, just in case.

As Bill mentions, there should be nothing wrong in creating a fake online profile. It's the motive behind the act that's important. We are becoming ever more supervised and watched in our online behaviour, and good intentions can be misinterpreted: "it creates a degree of uncertainty and may, because of that (prosecution), have a chilling effect on what we do online."

The same is true of the new law reported here on Computer Weekly "that will mean communications companies will have to keep logs of internet usage and make this information available to the police."

Does this mean that every intent to prosecute an individual will see investigators trawling through web logs looking for new ways to indict somebody? Hey gov, we can't get him for murder but he did post an anonymous comment to a Computer Weekly blog. Gotcha!

It's the way we're going, and we're getting there because nobody is making a big fuss and complaining about it. That's why there's a CCTV camera every few yards, and it's why the BBC and DVLA can push their sinister "we know who you are" commercials warning those who dare not pay their TV licence fee and road tax. Soon it'll be British Telecom advertising that they know all about your online behaviour...

Bill Thompson, in his article, mentions "In Nineteen Eighty-Four Winston Smith is afraid of the telescreen not because he is being watched constantly but because he might be being watched at any particular moment." It's a good analogy to where we're going.


May 21, 2008

Leaving on a jet plane...

As you read this blog, I will be reclining my seat on an aircraft flying off towards the far east, where I'm spending the next few weeks visiting various of my company's business units and the security managers who report back to me within that region.

One of the big attractions when I applied for my job was the prospects for travel and I still get excited about exploring new places.

I'll be posting blogs from my hotel room(s) for the duration.

May 22, 2008

Tokyo Tapes

I always wanted the chance to use that title for a blog! So, as I'm currently in Tokyo, and was yesterday reviewing the security of the business unit here, including processes for managing back-up tapes, that's my excuse to make a reference to an old classic hard rock album.

One must always show an appreciation for local cultures when visiting international business units, and this is especially true of Japan. Charging in and picking fault will not only cause offence, it will result in an incorrect assessment of risks. One example that highlights the point: I noticed yesterday, as I was being driven through the outskirts of Tokyo, people parking their bicycles outside a suburban shopping centre. Not a single bike lock was in view; it's not even considered that a crook might come along and steal one. So while a bike might appear to be highly vulnerable to being stolen, the level of threat is considered to be very low and therefore it's a low overall risk.

That's not to say that information isn't secured with any metaphorical bike-locks. In fact the opposite appears to be true, and I've found security here to be well considered and managed. One example that highlights the differences is the way that security awareness messages are delivered. In the UK, I know that if a security awareness message goes out to the company by email, most recipients will simply ignore it. In Japan, everybody reads the message and will take whatever action it says. Conversely, delivery of messages via the intranet here - which seems to work well in the UK - is not considered to be effective.

Anyway, the early morning view from my 30th floor hotel room is that the sun is out and it looks like it's going to be another nice day...

May 23, 2008

Infosec Japan

I spent some time yesterday with the event director of another of my company's exhibition events: the Japanese Information Security Expo. This show exceeds Infosec Europe in scale, getting well over 100,000 visitors over three days and covering a vast amount of floor space.

The seminar programme this year had a heavy focus on internal controls and web security with topics including dealing with information leaks, document security, forensics, and identity management.

The picture of the main seminar theatre above gives some indication of the scale of the event.

I was discussing with one of my local colleagues here in Tokyo the reasons why some major vendors were noticeable in their absence from the exhibitor list. His opinion was that many international companies, on first arriving in Japan, focus and prioritise on recruiting English-speaking employees without much attention as to whether those people understand the business or market they are being brought into. What is clear is that the European or American ways of doing business do not always translate very well to the Japanese way, and that an understanding of local culture is essential for success.

My visit to Tokyo is all too brief. I have some sightseeing time over the weekend before heading off to the next stop on my tour: see you in Shanghai!

May 27, 2008

Shanghai Surprise

The view on the left was the view from my hotel room in Tokyo. The one on the right is from Shanghai! Rather ironically, that is probably a good way to also contrast the approach to information security between the two locations.

The cultural differences and the way these have an impact on the attitude to information security are probably best summed up as follows: within Japan, my take-away was that security is seen as a critical component of the whole business process. In China, it's a cost. Policy that incurs cost without being seen as having any benefit is likely to be ignored. So the success or otherwise of the security program is dependent upon the ability to describe the benefits in financial terms: i.e. if you don't do <insert policy here> your data will be stolen and your business will lose money.

May 28, 2008

TJX employee fired for exposing shoddy security practices

I was reading this story about a TJX employee being fired "after he left posts in an online forum that made disturbing claims about security practices at the store where he worked."

Current and former employees with an axe to grind pose a much greater threat than many of the other issues we often spend our time chasing after. In this instance, an employee has taken it upon himself to sully his employer's name in a public forum. Regardless of whether the information he posted is correct or not, he deserves to be fired.

As to the information itself, I'm not sure it's important. I wouldn't be surprised if individuals within most large organisations could dig up a few things they'd consider to be evidence of poor security. Without the full picture of other controls it's not possible to make a judgement on risk.

Given that on the forum itself the employee in question states that "I am at the same hierarchical level as a cashier" it's highly unlikely that he knows much about the security processes in place. Did he deserve to be fired? Absolutely yes!

New doubts raised on Chinook crash ruling

My first career was as an airman in the Royal Air Force. It was a lowly position working in flight operations. I had no real connection to the Chinooks but I did enjoy the occasional flight with one of the squadrons based in Germany and I recall the absolute professionalism of the aircrew.

I've been following this story reported today in CW with interest, and wanted to blog a couple of points. Software does fail and it's not unheard of for aircraft accidents to have a software problem as one of the factors. Does the fault for the accident lie with the computer or the pilot? Neither in my opinion. If fault is to be pinned on anybody, pin it on the system designers or the people who have responsibility for testing the systems, or the management that allows faulty systems to be put into service.

Don't pin it on the poor souls lumbered with having to learn how to work around problems. At the end of the day, computers don't commit crimes, computers don't crash aircraft. There are human factors every time. Don't blame the pilots. I never met a reckless one - they all want to get home for their supper.

May 29, 2008

Where in the world

Can anyone guess, from looking at the picture on the right, where I am today? This is the view from my hotel room. As a clue, I'm still in China, about a three hour flight south of Beijing.

I discovered yesterday that "fasten seatbelts" on an Air China aircraft is a euphemism for "walk around carrying food and drinks, occasionally spilling them onto the Englishman, and anyway what use is a seatbelt if we hit the ground at 500mph."

Actually, in fairness, the service was good and the onboard food not too bad either. The flight out of Beijing was delayed and it always amuses me to hear people complaining to the staff. It's as if they expect a response along the lines of "Oh, so sorry to hear your complaint. I'll just have a word with the pilot and get him to bring the departure time forward for you. I'm sure that'll be fine."

May 30, 2008

Information Security in China

My trip around China has been eye opening. This isn't the first time that I've been here, but I've never before learnt so much about the perception of information security related risks among Chinese businesses.

What it means for me in my role is a change of approach. It's fair enough running a global program, but it's apparent that if you don't take into account local risks, local culture, and - probably most importantly of all - local budgets then you won't get off the starting blocks.

I've found some very good security awareness here where company employees actively seek to protect their customer data, and ask questions where they feel not enough is being done. One of the challenges they have is in working within an environment where there's so much pressure on keeping costs down to be competitive that security expenditure has to be seen to be vital with quick results before it's likely to be committed to.

It's been a positive trip so far and I'm now off to visit Thailand.

May 31, 2008

Top blogs

Time for an end of month round up of the most read of my blogs during May. They are:

1. MySpace, Fake Profiles, & Internet Surveillance

2. Peter Gabriel Web Server Stolen

3. Data Loss Epidemic

4. HSBC lose a server

5. Vista (in)security - it's all your fault

Thanks to all those of you providing feedback both online and offline.

About May 2008

This page contains all entries posted to Stuart King's Security and Risk Management Blog in May 2008. They are listed from oldest to newest.