<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>Stuart King&apos;s Security and Risk Management Blog</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/" />
   <link rel="self" type="application/atom+xml" href="http://www.computerweekly.com/blogs/stuart_king/atom.xml" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19</id>
   <updated>2008-05-15T08:49:20Z</updated>
   <subtitle>Dealing with the operational challenges of information security and risk management</subtitle>
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.1-en</generator>


<entry>
   <title>Passwords, crocodiles, and air disasters</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/05/passwords-crocodiles-and-air-d.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.30444</id>
   
   <published>2008-05-15T08:45:00Z</published>
   <updated>2008-05-15T08:49:20Z</updated>
   
   <summary>What do air disasters and password policies have in common? They were both the subject of anecdotes at last night&apos;s IISP lecture on &quot;Security awareness - promoting long term behavioural change&quot; presented by Martin Smith of The Security Company. Martin...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[What do air disasters and password policies have in common? They were both the subject of anecdotes at last night's <a href="http://www.instisp.com/">IISP</a> lecture on "Security awareness - promoting long term behavioural change" presented by Martin Smith of <a href="http://www.thesecurityco.com">The Security Company</a>.

Martin was making the point that everybody in an organisation is a stakeholder in information security, and that most businesses are rubbish at getting the right messages across. A copy of the employee handbook, a leaflet and a poster saying "Be Secure" with a picture of a padlock on it do not make for an effective and meaningful security awareness program.

The point was that we need to emphasise messages in terms the business understands. For example, if you lose a pound then that's one pound profit gone which probably took ten pounds revenue to generate. Therefore you need to make another ten pounds to make that same pound profit back. In fact, you need to make twenty pounds because the first ten now only covers your original loss. Make sense?

The password anecdote related to an organisation that fired somebody because he intentionally shared his password with a colleague to, apparently, facilitate a business related task. I can't vouch for all the facts but certainly strict and dogged adherence to policy is not always effective. Beat employees up with too big a stick and you're likely to end up with lots of disgruntled employees who care little for your security regime.

The air disaster was an example of how lots of seemingly unimportant events (lots of little chickens) came together and resulted in a mid-air collision (the crocodile). At any point prior to the incident, somebody should have either raised issues or adjusted their behaviour. Human factors caused the disaster, not technology. An all too real example highlighting the fact that not one single recent data breach has been because of a technology failure. It's human factors each and every time.]]>
      
   </content>
</entry>

<entry>
   <title>Impact Factory</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/05/impact-factory.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.30354</id>
   
   <published>2008-05-14T11:00:00Z</published>
   <updated>2008-05-14T10:03:12Z</updated>
   
   <summary>I spent yesterday in the company of Jo Ellen Gryzyb and Doug Osbourne of Impact Factory on their excellent presentation skills course. The course was a revelation: rather than being a critique of any bad habits, the course focuses on...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Security Management" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Useful Links" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[<p>I spent yesterday in the company of Jo Ellen Gryzyb and Doug Osbourne of <a href="http://www.impactfactory.com/">Impact Factory</a> on their excellent presentation skills course. The course was a revelation: rather than being a critique of any bad habits, the course focuses on existing strengths and provides a number of tools for making best use of them. I know that the next time I stand up in front of an audience I'll be able to talk with a lot more confidence and to far greater effect.</p>
<p>Good presentation skills are an important and valuable asset. Selling the benefits of an information security program or project can be challenging so it's good to be armed with a good set of techniques for getting across the right messages regardless of audience or the amount of time available.</p>]]>
      
   </content>
</entry>

<entry>
   <title>Data Loss Epidemic</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/05/data-loss-epidemic.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.30320</id>
   
   <published>2008-05-13T08:30:00Z</published>
   <updated>2008-05-13T08:35:31Z</updated>
   
   <summary>Most UK companies are losing data every month a survey has found. The majority of UK businesses, 79 per cent, are losing data at least once per month, according to the survey of 250 senior IT staff at businesses larger...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Security Management" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="4555" label="data handling" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="2302" label="risk management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="6508" label="security awareness" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[Most UK companies are losing data every month, a survey has found. The majority of UK businesses, 79 per cent, are losing data at least once per month, according to the survey of 250 senior IT staff at businesses larger than 1,000 staff. Read the rest of the article <a href="http://www.silicon.com/research/specialreports/fulldisclosure/0,3800014102,39219219,00.htm">here</a>.

The results of such surveys are great marketing for companies such as CA with their portfolio of threat management tools. I suppose the question is how you define "losing data." One record or a thousand records? Do you want to count every lost USB stick and mobile phone? Perhaps you should if they are likely to contain private data. Most of the problem is that we don't know where all our data is. There's no neat perimeter - it's everywhere from in your pocket to the third party company that does your mailshots.

Personally I'd prefer to not play on scare stories and wild statistics. There's a change of attitude required. We're not going to solve data security problems with technology alone and it's not simply an IT problem. It's culture, training, awareness, and technology. We need people to start asking how to protect data rather than waiting to be told.]]>
      
   </content>
</entry>

<entry>
   <title>HSBC lose a server</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/05/hsbc-lose-a-server.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.30241</id>
   
   <published>2008-05-12T08:00:00Z</published>
   <updated>2008-05-12T08:05:05Z</updated>
   
   <summary>Another reported theft of a server containing customer data. This time from the HSBC bank in Hong Kong. &quot;The bank said it had lost track of the server during renovation work at a Kwun Tong district branch in east...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Security Management" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="34378" label="Physical security" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[Another reported theft of a server containing customer data. This time from the HSBC bank in Hong Kong. "The bank said it had lost track of the server during renovation work at a Kwun Tong district branch in east Kowloon on April 26. Police are investigating and say the server was stolen."

Read all about it <a href="http://www.datacenterknowledge.com/archives/2008/May/08/hsbc_server_stolen_with_customer_data.html">here</a> and there's more <a href="http://www.theregister.co.uk/2008/05/08/hsbc_hk_data_loss_snafu/">here</a>.

This is a really careless way to lose data. I thought it might be fun to read the bank's <a href="http://www.banking.hsbc.com.hk/regional/disclaim/priv_hk.htm">own statement</a> on data security. <blockquote>Security is our top priority. The Hongkong and Shanghai Banking Corporation Limited ('the Bank') will strive at all times to ensure that your personal data will be protected against unauthorised or accidental access, processing or erasure. We maintain this commitment to data security by implementing appropriate physical, electronic and managerial measures to safeguard and secure your personal data.</blockquote> Each visit I make to a business unit, one of the first things on my agenda is a visit to the server room where I'll check everything from the access log to the temperature of the air conditioning. Spend all you want on boxes of tricks to stop the hackers getting in, but forget to lock the door to the servers and it's game over. Risks increase if your office is within a building shared with numerous other businesses, as is the case with this branch of HSBC in Hong Kong.

I recall one particular far eastern office I visited not too long ago. The main door to the server room was locked fast and the IT manager took delight in demonstrating how secure the room was. Walking around inside the server room I noticed another door. "Where does that one lead to?" I asked. "Outside" was the response. "Is it secured?" was my next question. "Yes" the manager replied, "the sticky tape holds it shut."]]>
      
   </content>
</entry>

<entry>
   <title>Insider Threats: the biggest Information Security risk</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/05/insider-threats-the-biggest-in.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.30210</id>
   
   <published>2008-05-10T15:00:00Z</published>
   <updated>2008-05-10T15:51:00Z</updated>
   
   <summary>It&apos;s a fact that most crimes are committed by people known to their victims. Similarly, businesses are most at risk from former and current employees. Most commonly when thinking about information security we consider how to prevent intrusion into our...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Security Management" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="25088" label="Insider threat" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="2302" label="risk management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="6508" label="security awareness" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="26866" label="security management" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[It's a fact that most crimes are committed by people known to their victims. Similarly, businesses are most at risk from former and current employees. Most commonly when thinking about information security we consider how to prevent intrusion into our business from the outside. The facts and statistics tell a different story. 62% of large businesses in the UK (source: DTI/PWC Insider Threat Report 2006) have dealt with a security incident instigated by a current or former employee.

I've been writing up some of my research into insider threats in the form of a paper describing the risks posed to a fictional multinational company, Acme Widgets plc. 

You can download the paper for free <a href="http://www.computerweekly.com/blogs/stuart_king/StuartKing_InsiderThreatRisk_0508.pdf">here</a>. If you'd like to leave me feedback or would like more information about insider threats, write to the email address within the digital signature at the end of the document.

If you'd like to make a donation in return for downloading the paper, please give to <a href="http://www.bbc.co.uk/pudsey/donate/">Children in Need</a>.
]]>
      
   </content>
</entry>

<entry>
   <title>Laptop encryption</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/05/there-is-no-simple-way.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.30094</id>
   
   <published>2008-05-09T05:00:00Z</published>
   <updated>2008-05-09T07:26:46Z</updated>
   
   <summary>How much confidential business data has been compromised over the years as a result of the theft of laptop computers? It&apos;s a good question if you ask me because we&apos;re all under pressure to ensure that mobile computing devices employ...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Security Management" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="2273" label="encryption" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="2302" label="risk management" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[How much confidential business data has been compromised over the years as a result of the theft of laptop computers? It's a good question if you ask me because we're all under pressure to ensure that mobile computing devices employ encryption to ensure that appropriate risks are mitigated in the event of them being lost or stolen.

Such pressure mounts when we also see organisations being fined when laptops go missing. For instance, The Nationwide Building Society got hit last year for nearly £1m when a device that was taken from an employee's home "contained confidential customer information and may have put millions at risk of identity theft." Full story <a href="http://news.bbc.co.uk/1/hi/programmes/moneybox/6371719.stm">here</a>. Chances are that this was nothing more than a random burglary committed by thieves who probably don't even have opposing thumbs capable of opening the lid. So, the chances of them being able to get any data out of it are slim. Most likely is that the drive was formatted by the new owner after it was sold for a quid and that it's now being used by a local education authority somewhere in west Africa. As also stated on this <a href="http://www.mccune.org.uk/">blog</a>, the "majority of laptop thefts are not targeted, they're just carried out by someone who sees the laptop as a portable asset that can be easily resold."

But, let's suppose that the theft <em>could </em>have been targeted, and somebody <em>could </em>specifically have been after the data. A real enough scenario for some organisations. Encryption certainly mitigates the risk up to a point. However, if such effort is going into capturing a device then you can bet that some forethought would also be going into obtaining the relevant keys. For a good example, remember <a href="http://www.engadget.com/2005/03/31/the-downside-to-using-a-biometric-car-lock/">the case</a> where car thieves cut off the index finger of the owner of a Mercedes in order to get around the biometric security. Where there are motivated, capable, and dangerous adversaries, operating for profit, then is your personal safety worth holding out on the password to your laptop?

In my mind, a much better solution is to keep confidential data off mobile devices in the first place. But let's come back to the original point and question: How much confidential business data has been compromised over the years as a result of the theft of laptop computers? I don't know and it doesn't matter, because if your laptops get stolen, and if they contain confidential or personal data, and if you have not used encryption, then you're stuffed: if the Press don't get you then the regulators will, and when encryption is so cheap and easy to implement these days then you've just been negligent.

So, in fact the biggest risks to your business may well be from the negative perception and the resulting fines and damage to your reputation than from the probability of the data being compromised and used. 

That is good enough reason even if you, like me, don't rate highly the risk of data actually being compromised in this way. So now all you have to do is choose your encryption product. And that's another story....
]]>
      
   </content>
</entry>

<entry>
   <title>Peter Gabriel Web Server Stolen</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/05/peter-gabriel-web-server-stole.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.29979</id>
   
   <published>2008-05-07T13:00:00Z</published>
   <updated>2008-05-07T16:56:51Z</updated>
   
   <summary>Reported on Slashdot today is the news that Peter Gabriel&apos;s web server has been stolen from the data center where it was being hosted. I have my own thoughts on a possible motive; mostly related to some of the...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Security Management" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="2363" label="incident response" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="34378" label="Physical security" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[<a href="http://www.petergabriel.com/"><img hspace="10" align="right" alt="Peter Gabriel's website fell victim to data center theft" src="http://www.computerweekly.com/blogs/stuart_king/gabrieltheft.gif" width="350" height="256" /></a>
Reported on <a href="http://hardware.slashdot.org/article.pl?sid=08/05/06/1639257&from=rss">Slashdot today</a> is the news that Peter Gabriel's web server has been stolen from the data center where it was being hosted. I have my own thoughts on a possible motive; mostly related to some of the dreadful noise he's produced over the past 30 years.

Physical security has been a previous topic of this blog (see entry from <a href="http://www.computerweekly.com/blogs/stuart_king/2007/12/dont-forget-physical-security.html">10 Dec 2007</a>). 

1. Don't make assumptions about third party security controls. Check them for yourself. 

2. Make sure your incident response plans include actions to take in the event of critical equipment being stolen.

Some good guidance on physical security for small businesses here on <a href="http://www.getsafeonline.org/nqcontent.cfm?a_id=1098">GetSafeOnline</a>. 

Some further related information <a href="http://www.informationweek.com/blog/main/archives/2008/04/physical_securi.html">here</a>.
]]>
      
   </content>
</entry>

<entry>
   <title>Microsoft Senior PC - not just for the elderly</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/05/my-motherinlaw-is-to-give.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.29911</id>
   
   <published>2008-05-06T19:00:00Z</published>
   <updated>2008-05-06T19:10:09Z</updated>
   
   <summary>My mother-in-law is, to give her some credit, an intelligent lady. However, faced with an upgrade from Windows XP to Vista and IE7 from IE6 and you have a situation akin to explaining quadratic equations to a two year old....</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[My mother-in-law is, to give her some credit, an intelligent lady. However, faced with an upgrade from Windows XP to Vista and IE7 from IE6 and you have a situation akin to explaining quadratic equations to a two year old. Both circumstances will result in heavy objects being thrown around in frustration. 

So, the idea of Microsoft to provide a range of "<a href="http://www.microsoft.com/enable/aging/seniorpc.aspx">Senior PC packages</a>" is, in my mind, borderline genius and something I wish I had thought of first. Computer Weekly <a href="http://www.microsoft.com/enable/aging/seniorpc.aspx">mock the idea</a> in this week's magazine, something I think is very unfair given that I'm sure some of their editorial team are getting on a bit and would probably be able to make good use of the built-in prescription software...

If home computing can be made as easy as taking the PC out of the box, plugging it in and turning it on (not a word from the Mac users please - I know you've been able to do this for years) then that's to be encouraged for everyone, not just the elderly. And if it stops the "support" calls from my mother-in-law then that's priceless!]]>
      
   </content>
</entry>

<entry>
   <title>Top five information security blog posts</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/05/top-five-information-security.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.29866</id>
   
   <published>2008-05-05T11:56:34Z</published>
   <updated>2008-05-05T12:57:09Z</updated>
   
   <summary>Here are my top five information security related blog posts of the moment 1) ID theft – Facebook and MSN exploited by Kai Roer. This is a great example of a malware infection resulting in a compromised Facebook account and...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Useful Links" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="48686" label="Information security blog" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[Here are my top five information security related blog posts of the moment

1) <a href="http://www.roer.com/security/archive/2008/april/id_theft_facebook_and_msn_exploited">ID theft – Facebook and MSN exploited </a> by Kai Roer. This is a great example of a malware infection resulting in a compromised Facebook account and the resulting damage that can be done. There are plenty of other Facebook related stories around at the moment including <a href="http://news.bbc.co.uk/1/hi/programmes/click_online/7375772.stm">this one</a> from the BBC who were able to create their own malware for compromising private data.

2) <a href="http://blogs.computerworld.com/stopping_at_compliance">Stopping at compliance</a> by Michael Farnham. Michael hits the nail on the head when he says "compliancy does NOT equal security." I couldn't have put it so well myself.

3) <a href="http://riskmanagementinsight.com/riskanalysis/?p=350">Evolving Schneier’s Security Mindset</a>. An interesting discussion on the perception of risk. <em>The question the risk analyst must answer however, is really “What is *probable*?”. And we should really belabor the point that “What is probable?” is not just a “Can it be done?” question.</em>

4) <a href="http://identityblog.burtongroup.com/">Swiss Army Knife – The Personal Portable Security Device</a> posted by Mark Diodati. This discusses what is, from my point of view, an exciting new class of authentication product for the corporate network. Well worth reading about.

5) <a href="http://www.bloginfosec.com/2008/03/10/rosi-security-returns/">ROSI - Security Returns?</a> by C Warren Axelrod. Interesting because I'm more likely to take an opposite stance and argue against trying to demonstrate an ROI for security related investments. Frankly, I don't think you can prove it. 

]]>
      
   </content>
</entry>

<entry>
   <title>Web scam suicide</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/05/web-scam-suicide.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.29817</id>
   
   <published>2008-05-02T16:19:57Z</published>
   <updated>2008-05-02T17:17:51Z</updated>
   
   <summary>Those who fall for spam based scams such as the Nigerian 419 emails or fake lottery wins make themselves easy targets for ridicule from those wise enough to be &quot;in the know.&quot; However, there is a deadly serious side because...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="6508" label="security awareness" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10627" label="Spam" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[Those who fall for spam based scams such as the Nigerian 419 emails or fake lottery wins make themselves easy targets for ridicule from those wise enough to be "in the know." However, there is a deadly serious side because many of the scams appear to be very plausible on first read, people do fall victim, and lives do get ruined as a result.

No better example than that reported by the BBC today. Read the full, tragic story <a href="http://news.bbc.co.uk/1/hi/england/nottinghamshire/7380093.stm">here</a> of how a university student killed herself after giving "more than £6,000 in the belief she had won half a million pounds in a lottery after being contacted over the internet."

Some people are vulnerable to scams because of their circumstances, not because they are overly gullible or stupid. If the scam is plausible enough and catches us at the right time in the right circumstances then any of us could get taken in. So, we need to remain vigilant to spam and we need to continue our warnings and security awareness messages.
]]>
      
   </content>
</entry>

<entry>
   <title>Is security really a business enabler?</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/05/is-security-really-a-business.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.29647</id>
   
   <published>2008-05-01T08:00:00Z</published>
   <updated>2008-05-01T08:03:24Z</updated>
   
   <summary>The title of this blog is the subject of a presentation I gave yesterday to the IISyG. I took a deliberately provocative stance, making a point that security is not there to enable the business, it’s there to mitigate risk....</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Security Management" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="26866" label="security management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="31599" label="security metrics" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[The title of this blog is the subject of a presentation I gave yesterday to the <a href="http://www.iisyg.org/">IISyG</a>. I took a deliberately provocative stance, making a point that security is not there to enable the business, it’s there to mitigate risk. That is not the same thing: it's cost, expense, and time and we only do it because we have to.

What was interesting was the vociferous counter-argument, especially from those present from the financial services industry who made the point that many of their services would not be publicly acceptable nor acceptable to their regulators without solid built-in security and so in their case it's an enabler. Yes, I agree, however, doing something because you have to is not the same thing as doing something because you want to. The financial services industry is the same as other industries in that profit is the driving force and if they could get away without the additional cost and expense of designing stronger and better security then they probably would. 

I don't think there is anything wrong in admitting that we "do security" because we have to. The trick is in the way the work gets sold within the business. Too often security professionals try to justify costs by presenting vague ROI figures or metrics such as firewall logs showing the number of intrusion attempts. The problem with this is that the finance director will laugh your ROI data out of his office, and nobody outside of the IT department is going to be a) interested or b) able to understand the significance of a pie-charted extract of the firewall logs. If you want to convince the business then you have to cut out the techie chat. The key points I made are that we need to:
<ul>
<li>Take a risk based approach</li>
<li>Focus on business needs</li>
<li>Talk the language of the business</li>
<li>Don’t make wild statements about cost savings and ROI</li>
<li>Work to reduce costs</li>
<li>Put risk assessments into context</li>
<li>Present a decent set of meaningful security metrics</li>
</ul>
One of the interesting notes that came out of the discussion was the impact of using the word "security." This seems to be the passion-killer. Talk about "risk" and "compliance" and "governance" and the view is that it's much easier to get business buy-in. Talk about "security" and it's considered to belong in the IT department or checking passes at the main entrance.]]>
      
   </content>
</entry>

<entry>
   <title>Traffic stats and the top 10 blogs</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/04/this-is-the-300th-published.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.29532</id>
   
   <published>2008-04-30T05:00:00Z</published>
   <updated>2008-04-30T05:22:01Z</updated>
   
   <summary>This is the 300th published entry onto this blog. I thought it might be interesting to do a quick review of how many visitors it&apos;s getting, where you are all coming from and what the most popular postings have been...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="48154" label="Top 10 blogs" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[This is the 300th published entry on this blog. I thought it might be interesting to do a quick review of how many visitors it's getting, where you are all coming from and what the most popular postings have been over the past 12 months.

Traffic figures are pretty good - weekly page views are generally between 600 and 800. Not too bad for a niche subject. As expected, most readers are from the UK but there's good interest from the US. I also have a small number of regular readers from the far east.

My top ten blog entries (by unique page view) have been as follows:

1. Building an Information Security Strategy (<a href="http://www.computerweekly.com/blogs/stuart_king/2007/03/while-ive-spent-a-lot-1.html">5 March 2007</a>)

2. What CIOs should be doing about security in 2008 (<a href="http://www.computerweekly.com/blogs/stuart_king/2008/01/what-cios-should-be-doing-abou.html">14 Jan 2008</a>) 

3. The 10 deadly sins of Information Security management (<a href="http://www.computerweekly.com/blogs/stuart_king/2007/10/the-10-deadly-sins-of-informat.html">31 October 2007</a>)

4. Portable wireless hacking device (<a href="http://www.computerweekly.com/blogs/stuart_king/2007/02/portable-wireless-hacking-devi.html">9 Feb 2007</a>)

5. HSBC new two-factor authentication system (<a href="http://www.computerweekly.com/blogs/stuart_king/2007/09/hsbc-new-twofactor-authenticat-1.html">7 September 2007</a>)

6. Data Protection Act - What's the Damage? (<a href="http://www.computerweekly.com/blogs/stuart_king/2007/09/one-of-the-interesting-points.html">20 September 2007</a>) 

7. RFID Passports (<a href="http://www.computerweekly.com/blogs/stuart_king/2008/01/american-passports.html">6 Jan 2008</a>) 

8. Incident definition and response (<a href="http://www.computerweekly.com/blogs/stuart_king/2007/01/another-news-story-suggesting.html">11 January 2007</a>) 

9. Use of Skype (<a href="http://www.computerweekly.com/blogs/stuart_king/2007/03/use-of-skype.html">28 March 2007</a>) 

10. More on PCI - the audit guide (<a href="http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html">24 March 2007</a>)

Ironically, those entries where I personally think I've hit the sweet spot and I sit by the phone waiting for the book-deal and television show hosting offers to come in don't do as well as the entries that are more "off-the-cuff." 

Your comments and feedback are always welcome.

]]>
      
   </content>
</entry>

<entry>
   <title>Portable Identity and the BBC</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/04/portable-identity.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.29521</id>
   
   <published>2008-04-29T14:30:00Z</published>
   <updated>2008-04-29T14:36:05Z</updated>
   
   <summary>We&apos;ve spoken about OpenID before on this blog (see entries from 9 Feb 2008 and 7 Feb 2007) and I&apos;ve been quite enthusiastic about the prospects for this &quot;open, decentralized, free framework for user-centric digital identity.&quot; It seems that the...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="157" label="BBC" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="4877" label="OpenID" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[We've spoken about OpenID before on this blog (see entries from <a href="http://www.computerweekly.com/blogs/stuart_king/2008/02/one-step-closer-to-internet-si.html">9 Feb 2008</a> and <a href="http://www.computerweekly.com/blogs/stuart_king/2007/02/openid-news.html">7 Feb 2007</a>) and I've been quite enthusiastic about the prospects for this "open, decentralized, free framework for user-centric digital identity." 

It seems that the BBC have <a href="http://www.bbc.co.uk/blogs/bbcinternet/2008/04/bbc_joins_openid_foundation.html">seen the potential </a>and joined the OpenID foundation. <a href="http://www.bbc.co.uk/blogs/bbcinternet/jem_stone/">Jem Stone</a>, on his blog, makes the bold statement that "getting identity right is key to our future plans." I couldn't agree more. Managing identity is central to the future and long term success of everything from social networking to eCommerce. For their part, the BBC are currently looking at the concept of "<a href="http://www.bbc.co.uk/blogs/bbcinternet/2008/04/new_homepage_your_feedback.html">portable identity</a>." Good job if they can make it happen - the trick will be in ensuring that the solution is safe to use on a home PC, public terminal, mobile phone and the myriad of other Internet enabled devices we're now being sold. Two-factor authentication is a must but it needn't be based on clunky tokens. Any other out-of-band method will suffice, for example an SMS message with a one-time password on a mobile phone. 

Whatever the outcome, it's good to see my licence fee going on something that's innovative and, if successful, having wider benefits.

]]>
      
   </content>
</entry>

<entry>
   <title>Petty local government bureaucracy alive and well!</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/04/in-september-of-this-year.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.29391</id>
   
   <published>2008-04-28T12:00:14Z</published>
   <updated>2008-04-28T16:10:37Z</updated>
   
   <summary>In September of this year my daughter will be moving schools. The local council need a copy of her birth certificate as confirmation of her identity. This is despite the fact that her birth certificate was originally produced for the...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="48055" label="Bureaucracy" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
      <![CDATA[In September of this year my daughter will be moving schools. The local council need a copy of her birth certificate as confirmation of her identity. This is despite the fact that her birth certificate was originally produced for the same council less than a year ago for the same purpose before she could attend her current school. Anyway, I dutifully posted said document. It has however, failed to arrive - either lost in the post or misplaced somewhere along the way.

In conversation with the relevant admissions department this morning I asked why they actually need a copy of the birth certificate at all. The robot at the end of the telephone advises me that it's for identity and security purposes. So, I ask, why not simply refer to the previous submission? Because, the robot replies, that was for a different process. I don't give up so easily. As the document has clearly gotten misplaced somewhere between the post box and the admissions desk, could the process not be intelligent enough to note that my daughter still has the same date of birth and name as when we previously applied for a school place for her? Apparently not, "it's not the same process" is the response I get.

Common sense and customer service clearly not strengths of <a href="http://www.bracknell-forest.gov.uk/">Bracknell Forest </a>School Admissions team...

]]>
      
   </content>
</entry>

<entry>
   <title>On trial - role of the CISO</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/stuart_king/2008/04/on-trial-role-of-the-ciso.html" />
   <id>tag:www.computerweekly.com,2008:/blogs/stuart_king//19.29349</id>
   
   <published>2008-04-28T06:00:00Z</published>
   <updated>2008-04-28T08:32:19Z</updated>
   
   <summary>It was fun to be in the dock as one of the defendants in the mock trial of A N Corporate at Infosec last week. I acted the role of the hapless and rather impotent CISO working for an overbearing...</summary>
   <author>
      <name>Stuart King</name>
      
   </author>
   
      <category term="Security Management" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="30040" label="Infosec Europe" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="47989" label="Role of the CISO" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/stuart_king/">
<![CDATA[It was fun to be in the dock as one of the defendants in the mock trial of A N Corporate at <a href="http://www.infosec.co.uk/">Infosec </a>last week. I acted the role of the hapless and rather impotent CISO working for an overbearing CIO. There was a serious point to the exercise though - those barristers were playing for real and the legal terminology was all correct. The sentences handed out to the CIO and CEO, who were found guilty under section 450 of the Companies Act of destroying documents, reflected what would have happened in real life.

It shouldn't come as a surprise that there might be confusion as to the role of the CISO. It's a role that has quickly evolved from being technical and focused on IT, to one that's strategic and focused on mitigating business risks across the full scope of Information Security. 

My own role encompasses all aspects of managing risks to data and is, I'm pleased to report, far more respected than the part I played at the mock trial. But I've often had to push hard to put security on the agenda and I think some of the more traditionally minded individuals in the organisation were taken aback by some of what I was putting on the table as being within scope of my responsibility when I first took on the role. 

The role of CISO is evolving and in fact, I think within a few years from now it'll probably no longer exist at all. Large organisations are going to require individuals whose role focuses on managing risk and compliance. The traditional view of the CISO as being a technical IT security specialist is going to very soon be as outdated as those who still hold that view!

]]>
      
   </content>
</entry>

</feed>
