ComputerWeekly.com's Security Think Tank puts information security questions to a group of experts in the field. This page compiles all those questions with links to the experts' answers. Our security panel comprises experts from: (ISC)2, British Computer Society (BCS), Gartner, ISACA, Information Security Forum (ISF), Information Systems Security Association (ISSA), National Computing Centre (NCC), Royal Holloway, University of London and The Corporate IT Forum (Tif).
CW Security Think Tank: What’s holding up the cloud?
CW Security Think Tank: Are security concerns and a lack of adequate risk assessment tools the reason SMEs are not adopting cloud computing, or is the real reason something else that security professionals are also in a good position to address?
Gartner: cloud can help SMEs in the recession
Small or midsize enterprises (SMEs) present a significant opportunity for cloud service suppliers. SMEs have always been a natural segment for managed and hosted services; however, during the past 24 months the depressed economy has moved more SMEs towards cloud-based services.
ISACA Security Advisory Group: nervousness about risk assessments needs to be addressed
It has been suggested that the reason SMEs are not adopting cloud computing (cloud sourcing) is that shortfalls exist in the area of risk assessment around this set of infrastructures and associated components.
ISF: risk management needs to be addressed
SMEs (especially the 'S' ones) often do not have the luxury of information security departments, so security and risk concerns are difficult to address - and can stop cloud adoption.
(ISC)2: there is growing acceptance of cloud among SMEs
Numerous articles in the media about the security risks of operating in the cloud contribute to the perception that working in the cloud is a risky business and dampen the enthusiasm of potential adopters. However, recent surveys, including one from Microsoft, reveal that there is growing acceptance of the cloud computing model among SMEs, with 39% of SMEs expecting to be paying for cloud services within three years - one-third more than in 2010.
Cloud Security Alliance: SMEs are already engaged with the cloud
Amazon releases online music cloud player; IBM introduces cloud-based social analytics; Playstation Plus offers game saves in the cloud; Google Cloud Connect gets official launch; New Apple cloud service to launch in spring; Virtual Internet unleashes cheap Microsoft Exchange cloud computing email service. All these were news in one week. Is moving to the cloud avoidable or is it a phobia that time will heal?
The Corporate IT Forum: Cloud offers access to software that would otherwise be cost-prohibitive
There are clear potential benefits for an SME in the cloud. Smaller, and probably quicker to adapt than a large enterprise, an SME gains from the cloud access to software that may be cost-prohibitive on a traditional delivery model.
CSA: security risks notwithstanding, cloud services are ideal for SMEs
Cloud computing is all around us. Many organisations use it to support their everyday activities, sometimes even without realising. Services such as web hosting, Google Apps for e-mails, Dropbox for file sharing, backup services and others attract the attention of SMEs as these are easy to use and just work, without complicated setup.
BCS: SMEs may not need the cloud
I have to admit I view "the cloud" with some suspicion as I've seen the hype before and the technologies of earlier times are not that different from "the cloud" (remember application service suppliers - ASPs - from the early 2000s).
CW Security Think Tank: What should information security professionals do - and what should they avoid doing - to ensure the success of infosecurity projects?
Gartner: Treat them as business projects It is safe to say that a large proportion of IT security projects either fail outright or do not fulfill the expectations that were used to justify the project. There are a few reasons that are common across the board for these failures.
(ISC)2: Get buy-in, share benefits and challenge the culture Projects that tend to succeed are those that consult with the business, where the senior management offers active and vocal support, and where IT and security work together as a team.
ISSA: Cost properly, and take a holistic view of security and education Procurement overoptimism fails to take into account the ongoing support for a solution post-implementation, and fails to ask the supplier to back up its claims with a detailed case study.
CAMM: There are multiple causes of failure There is rarely a single overriding cause of failure for an IT security project. More common is for a number of seemingly small setbacks or deviations to build up until successful delivery is no longer achievable.
The Corporate IT Forum: Treat the project as a standard business scheme The difference between security and other business projects? There aren't any.
Cloud Security Alliance: Keep the ever evolving skillsets up to date Skills for security professionals will have to adapt from deep technical expertise to a much broader technical competence. The need for strong communication skills and report writing will be of paramount importance.
CAMM/CSA: Communicate the benefits Unless care is taken to explain the emergent benefits of the project to the stakeholders who will be subject to it, they will see no benefit in it and resist any changes it brings that affect their productivity.
ISF: The project manager and the project team are the overriding factors It's all about people. Adopting good project management disciplines is a start, not an end. Good project managers know this and focus on both the tangible and the intangible.
KPMG UK: Four drivers of failure, five routes to success Failure to account for the people and processes involved in IT security projects is a rapid route to failure. Although there is no magic bullet for IT security success, its likelihood can be increased significantly.
BCS: Young Professionals Information Security Group Security must be seen as a business driver rather than just a cost IT security in general is still often not regarded as a business driver, being seen instead as a necessary cost in mitigating risk. However, the absence of board-level support for a security strategy creates a key reason for projects to fail.
ISACA: The human factor underpins both success and failure As the following list of reasons for failure and success demonstrates
CW Security Think Tank: Do UK IT security professionals have the skills required to help their organisations implement cloud computing securely?
An overwhelming majority of our members participating in the current edition of the (ISC)2 Global Information Security Workforce study have told us that the answer to this question is "no".
In the light of British Airways' recent disclosure that an employee was plotting a terror attack, how well are UK businesses equipped to perform forensic investigations of computer systems?
ISSA UK: Organisations must be prepared The scouting motto "be prepared" saved Maldives president Maumoon Abdul Gayoom from assassination in 2008 when a local Boy Scout stepped in to foil his attacker. Being prepared for a security incident affecting computer systems may not produce such dramatic results, but it will enable an organisation to maximise its potential to use digital evidence while minimising the costs of an investigation.
BCS: First step is to recognise the threat The problem of the internal "black hat" (person intent on doing harm to a computer system) is not a new one. Many organisations choose to implement a system in which they escort staff from the premises when they are made redundant or fired, in order to reduce the risk of damage to systems or the unauthorised removal of sensitive information.
Gartner: Investigations must be done carefully and correctly Human activity is becoming increasingly virtualised. With routine communications and daily activities starting on workstations and taking place across enterprise networks and the internet, it is only to be expected that this is accompanied by a commensurate rise in the levels of undesirable digital activity in the workplace.
(ISC)2: Crime scene must be protected Just because I carry a first aid kit in my car, does that make me equipped to deal with a road traffic incident? Probably not. The intention is clearly there, but when reality strikes...
Corporate IT Forum: Downturn has changed employee attitudes The plotting of terrorist activity is an extreme example of employee misuse of access, but there is little doubt that the deteriorating economy has impacted on the quality of internal business relationships and, ultimately, heightened employee disaffection.
ISACA: Rigorous approach is required More than 70% of UK homes have a computer, with over 93% connected to always-on broadband. In the majority of criminal and corporate cases, somewhere in the background a computer, PDA or cell phone may be lurking - hence the case for computer forensics.
ISACA Security Group: Organisations must be forensic ready The phrase "Crouching tiger hidden dragon" is a Chinese proverb that has many possible interpretations. My favourite is "everyone conceals their strengths from others to preserve the element of surprise".
What should information security professionals be doing to ensure their organisations are protected from phishing scams aimed at private enterprise?
ISACA: Experience tells us that the computing world has excelled at the art of untimely acceptance of new vectors of risk.
BCS: Tackling e-mail-based scams and spam starts with reducing the volume of spam by filtering and is completed by educating users, from the top of an organisation right down to the most junior levels, to recognise spam and scams and to delete them.
ISSA UK: Phishing works. If it were unsuccessful then we would not be bombarded with e-mails from former dictators requiring our assistance in exchange for the GDP of a small country.
Gartner: Protecting an organisation from the damage incurred by phishing and malware scams requires a layered security approach.
The Corporate IT Forum: Online scams aimed at senior executives or specific functions within the business are potentially very damaging.
(ISC)2: Phishing scams are not new, just the latest technological means of perpetrating them are.
Do we need a single cyber-security organisation to secure the internet?
ISF: Security starts with personal responsibility While it is understandable that people like the idea of a single global organisation or agency with overall responsibility for overseeing and securing the internet and all IP-based communications, the concept is simply unrealistic.
Corporate IT Forum: Education first, monitoring second? This topic started a passionate debate among members of The Corporate IT Forum's Information Security Service, with strong advocacy on both sides but no quick or obvious answer. "Who guards the guards?" was an issue raised by some. Others were concerned that agreeing on jurisdiction and legislation across global borders would stall any discussions.
BCS Security Forum: A consortium could be the answer Overseeing security for the whole internet would be tough for any organisation and I am torn between government/inter-government and private sector/academia.
(ISC)2: We must first agree what needs policing At the crux of the debate is the fact that there is too much governance in the hands of one country, with the majority of organisations handling the governance of domain names and servers based in the United States. This has made it more of a political concern rather than an argument about practicalities.
ISSA UK: Global internet laws may be unachievable Much like the uproar caused when Jon Postel contacted the operators of the root nameservers in 1998, the creation of a cyber world police will be an equally divisive action. In particular, the challenge will be to determine a set of rules to which all users must adhere.
ISACA: SOCA could take the mantle In the opinion of many professionals, there is already one particular agency that possesses national focus, and powers, and is involved in dealing with large scale criminal operations (not just regional, or metropolis focused).
Why is corporate adoption of the trusted computing standard still very low when over 70% of new computing devices have built-in trusted platform modules (TPMs)?
Gartner: Users need to use multiple PCs There are several reasons why actual usage of the trusted platform modules (TPMs) is very low, writes John Pescatore, vice-president and distinguished analyst at Gartner.
(ISC)2: Users resist limits imposed on their freedom From a security manager’s perspective, the Trusted Platform Standard and modules offer the ability to do some remarkable things, technically enforcing the application of encryption, copyright licensing, policies on the use of unauthorised software and the like, writes Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director at (ISC)2.
ISSA UK: ‘Treacherous Computing’ can constrain legitimate software The Trojan horse is often cited as the event that led to the demise of Troy, writes Raj Samani from ISSA UK, although the theft of the Palladium by Odysseus and Diomedes is the action that allowed for the daring raid.
BCS: Cost of support outweighs the benefits The use of any standard depends on a need (to use a standard) and/or the availability of products that can effectively leverage the particular standard, writes Peter Wenham, committee member of the BCS Security Forum Strategic Panel and director of information assurance consultancy Trusted Management.
ISACA: Users reject Trusted Computing because of privacy and security concerns Trusted Computing, and its various implementations, have been a perennial topic since the mid 1990s, writes Rolf von Roessing, international vice-president at ISACA. The first initiative, such as the "Clipper chip" met with grass-roots resistance, and subsequently industry resistance, as many thought this a misdirected attempt at government supervision and surveillance.
How can businesses assess and mitigate the security threat of networked devices such as printers that have operating systems which can continually re-infect networks with malware?
ISACA: Passwords and encryption strengthen printer security When we conduct a penetration test of a corporate network, we typically find dozens of printers offering management pages without passwords. This means that anyone on the network could not only print to the machine, but also control it, change the print settings and send faxes.
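The check behind the ISACA observation above, as an added example that is not part of the Think Tank article: probe a device's embedded web server for a management page and classify whether it answers without credentials. It runs offline against two small simulated printers started in-process (one open, one requiring HTTP Basic auth); the candidate admin paths, the page contents and the port numbers are constructed assumptions, not taken from any real printer model.

```python
"""Audit a printer's embedded web interface for unauthenticated management pages.

Added example (not from the ComputerWeekly article). Assumptions: management
pages sit at a few common paths (the CANDIDATE_PATHS list is hypothetical), an
unprotected device returns 200 to an anonymous GET, and a protected one
returns 401 with a WWW-Authenticate header, redirects, or serves a login form.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical admin paths; extend with the vendor-specific ones seen on an engagement.
CANDIDATE_PATHS = ("/", "/admin", "/status")


def probe(host, port, path, timeout=3.0):
    """Anonymous GET; return (status, WWW-Authenticate header, first 4 KiB of body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1", "replace")
        return resp.status, resp.getheader("WWW-Authenticate"), body
    finally:
        conn.close()


def classify(status, www_auth, body):
    """Map a response to a finding: OPEN means the page served without credentials."""
    if status == 401 or www_auth:
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "redirect"  # usually a login page; follow up manually
    lower = body.lower()
    if status == 200 and "<form" in lower and ("login" in lower or "password" in lower):
        return "login-form"
    if status == 200:
        return "OPEN"
    return "other"


def audit(host, port):
    """Classify every candidate path on one device; network errors are recorded, not raised."""
    findings = {}
    for path in CANDIDATE_PATHS:
        try:
            findings[path] = classify(*probe(host, port, path))
        except OSError as exc:
            findings[path] = f"error: {exc}"
    return findings


def _make_handler(protected):
    """Constructed stand-in for a printer's web server; serves '/' and '/admin' only."""
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            if self.path not in ("/", "/admin"):
                self.send_response(404)
                self.end_headers()
                return
            if protected and self.headers.get("Authorization") is None:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="Printer"')
                self.end_headers()
                return
            page = b"<html><body><h1>Printer status</h1><a href='/admin'>Settings</a></body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(page)))
            self.end_headers()
            self.wfile.write(page)
    return Handler


def run_demo():
    """Start an open and a protected simulated printer on loopback and audit both."""
    results = {}
    for label, protected in (("open", False), ("protected", True)):
        server = HTTPServer(("127.0.0.1", 0), _make_handler(protected))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            results[label] = audit("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings)
```

Against a real estate, feed `audit()` the printer addresses from an asset inventory or a port scan for 80/443/631 and treat every OPEN or login-form hit as a device whose admin password needs setting; a 200 does not prove the page is the management console, so confirm the top hits by hand before reporting.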
BCS: Responsibility for security of end-point devices must be shared across the business Network scanning technology needs to be capable of addressing the end points to ensure that anti-virus or software updates are run on printers and other connected devices to keep them virus-free and "healthy".
ISSA: Security managers must keep pace with weak points in connected devices Restrictions provide a back door into organisational networks through [the lack of] security in embedded devices.
Tif: Risk assessment enables targeted security management There is a broad spectrum of serious risks and vulnerabilities to be addressed, in which networked devices re-infecting networks is only one challenge.
How can security play a central role in enabling business growth?
Information Security Forum: Meeting regulations is key security advantage The business case for information security has finally been recognised. Rather than being viewed as an unwanted necessity and expense, information security is now seen as a valuable contributor for protecting and managing brand image.
BCS: Good security and security governance can help win business A very simple view of how security can enable business growth is to consider the question "why do cars have brakes?" The answer given by most people is that the brakes are there to stop the car, which is true of course, but not the reason.
ISACA: Strong security builds trust; trust builds business The first challenge in attempting to articulate the extent to which security can help business growth is for the enterprise to recognise that security is a business issue, not just a technical one.
ISSA: Raise the profile of security’s risk management potential The name Paul Moore, former head of risk at HBOS, is not synonymous with information security, but perhaps it should be.
Gartner: Seven ways to align security with the business There is no single tactic or strategy that guarantees success in improving business alignment of security. Rather, a number of varied but interrelated actions need to be identified and executed to improve alignment over time.
(ISC)2: Security bridges divide between IT and business As information security grows in stature within the organisation, we in the profession must be careful not to develop any delusions of grandeur. No matter how crucial our efforts may be, we must recognise that we are very firmly cast in a supporting role.
Tif: Protection of customer data makes a strong selling point There is no doubt that security will play an increasingly important role in enabling business growth, but it requires those in the boardrooms of Great Britain to wake up to the real challenges that will threaten their business over the next decade.
What should businesses be doing to assess and manage the security risks of instant messaging?
Corporate IT Forum: The triangle of trust Corporate IT Forum members collectively believe that the triangle of trust around security is policy, enforcement and education. Obviously, individual organisations must decide how far they want to go with each of these, depending on the nature of the risk and its potential impact on the business.
ISACA: Develop flexible IM guidelines Any security technology that is developed for IM applications must be easy to use and, ideally, be as unobtrusive as possible.
BCS: Mitigate risks with security awareness and access control The first thing any company should do is to ensure they have a comprehensive set of acceptable use policies (AUPs) covering such things as IM, e-mail and internet access. They must also ensure that staff are aware of the various AUPs and sanctions for abuse of an AUP.
ISSA: No silver bullet for instant messaging security Introducing new communication channels for business also becomes a new delivery channel for malware and spam (or spim - spam over instant messaging). The popularity of IM is not lost on those that propagate such unwanted traffic.
(ISC)2: Educate, monitor and block My advice to companies would be to allow it internally, but to block any IM activity with the outside world. That way, the chances of connecting inadvertently with a stranger and disclosing company information, or of clicking on a malicious link, would be reduced.
Gartner: Comprehensive web security IT organisations must recognise that instant messaging (IM) is no more or less secure than any internet-facing application. It is really just one of the issues to consider when developing a comprehensive solution that will protect organisations from all types of Web2.0/internet threats.
What qualifications, technologies, sectors and networking events should IT security professionals be looking at to help increase job security and further their careers?
BCS: Balance corporate needs with personal career aspirations In the current conditions, employers are, rightly, pretty focused on performance and efficiency savings, and so it is important to be able to be strategic about balancing corporate needs with personal and future career aspirations.
ISACA: Information security professionals must broaden their horizons In these challenging times, it is prudent to take stock of where you are and make sure you are doing everything in your power to contribute to the success of the organisation you are working for.
ISSA: Building a profile is key to career progression Clearly certifications can demonstrate a measurable difference between candidates, but where particular qualifications are seen as merely a baseline, inevitably a greater differential is required.
ISF: Bridge the gap between IT and business to dodge layoffs The profession is changing: there seems to be a bigger drive for consultants with a greater understanding of business (and how it works) and a need for people who can 'bridge the gap' between technology and business. Technology specialisms are also likely to be in demand.
Gartner’s tips for furthering your IT security career Gartner has seen a dramatic increase in programme maturity over the past 10 years. Tools are still important pieces of the puzzle, but scalable, repeatable processes are now at the centre of security programmes.
(ISC)2: Keep your finger on the pulse and stay relevant Currently there is a huge interest in cloud computing and all that involves. It is certain that businesses will want to take up this business model and that security professionals who understand the threats and vulnerabilities and have looked at ways of using this technology securely will be in demand.
Are information security risks really increasing with offshoring and outsourcing and how can the IT security professional assess and mitigate the risk?
(ISC)2: Legal input is vital to meet data privacy challenge of outsourcing When offshoring and outsourcing, it is more likely that data is made accessible to third-party vendors or other combined legal entities. For this reason, the involvement of legal professionals is paramount to understand processing and disclosure principles and policy.
ISSA: Balance cost and risk for outsourcer information assurance In the film Meet the Parents, the character played by Robert De Niro unveiled his new invention dubbed the nanny camera. It had a motion-activated camera positioned within a teddy bear that would record the babysitter for later viewing.
BCS: Remember you are outsourcing process, not legal responsibility Intuitively, the belief is that security risks are raised when outsourcing or offshoring. But, if you analyse it, I doubt that there is any real increase in risk, providing the vendor selection process is conducted properly and the results are fed through to the contract stage.
ISF: Get in early to mitigate outsourcing data risks Consistently the biggest information security problem associated with outsourcing has been in being late to the party. Finding out about the outsourcing deal after it had been signed, not being invited to participate in the vendor assessment process and realising that security was not part of the deal.
ISACA: Reality check your outsourcing risk This is of course something of a trick question, or should be. All organisations need to begin any risk assessment for existing outsourcing contracts from an operational risk perspective.
Gartner: Define a process to protect data when offshoring Offshore outsourcing is an emotive topic, and the security and privacy risks specific to offshoring can often be perceived, rather than real. Indeed, many companies have significant challenges managing security requirements with third parties regardless of location.
Application security is a growing area of concern, but what can UK businesses do to ensure the applications they buy today are not going to be security threats of tomorrow?
ISACA: Build security into the entire software development life cycle Application software is always going to contain flaws. The trick is to catch the mistakes as early as possible.
ISSA UK: Defence in depth is key to application-level security Having objective safety information is critical to the selection of a product that demands security for its users. For IT managers, such critical information for deciding which application is best for running the payroll is likely based on vendor assurances.
Gartner: Technologies for application-level security As attacks become more financially motivated and as organisations get better at securing their network, desktop and server infrastructures, there has been a shift in attacks to the application level. To address those new risks, several technology markets for application security have emerged.
How can business ensure security technologies are aligned with work processes so that it is easy for end-users to do the right thing and not circumvent controls?
ISSA UK: Give users an alternative to breaking the rules Unless you believe everything depicted in the TV show 24, employees are not recruited by foreign intelligence services, and data exfiltration is due to mistakes rather than malicious intent.
ISF: Get processes right, and the security will follow Many organisations still fall into the trap of selecting a security technology and then attempting to retro-fit a process around it. Often the resulting process is clumsy, encouraging users to make short cuts, or to simply perform tasks in a roundabout way. So, instead, reassess the problem in hand, design a new process and once that is right the appropriate security technologies should be easier to identify.
BCS: Security must be compatible with working practices Many security technologies do not appear to be effective because they do not fit in with the way people work. Users often ignore, avoid or circumvent anything that makes it difficult for them to do their jobs. And why would they not?
Gartner: Raise awareness of security measures Internet and IT risk have an impact on all employees, and controls required to mitigate these risks will inevitably constrain or hamper the activities of all users. A reality of human behaviour is that whenever controls are implemented that affect what people do, many of them will modify their behaviour in unexpected or undesirable ways.
ISACA: Ensure employee buy-in to security measures The two most significant factors that lead to employees circumventing security controls are lack of employee "buy in" to the controls and the absence of a good fit with "business as usual".
(ISC)2: Accountability is key to security Unfortunately the accountability of the user is yet to be well understood, which leads to error or justified flouting of the rules, often with management support, in order to get a job done. This presents a colossal task for the security manager to ensure employees understand the whys and wherefores of what is being asked of them.
Full disk encryption is expected to be the top security technology to be tested or adopted this year, what are the challenges and benefits likely to be?
Assess your software - and hardware-based full disk encryption options There are still plenty of people who believe that a strong Windows password will protect the contents of their laptop. However, the truth is that anyone with physical access to your laptop can also have full and unrestricted access to your data, unless you have encrypted the hard disk.
Full disk encryption effective, but lost productivity needs to be addressed Within large organisations, full disk encryption is already considered necessary to protect files and data - it is becoming an "as standard" technology and has been for some time. Indeed, in certain areas of the IT estate - such as laptops - encryption is now seen as 'unequivocal'.
Benefits of full disk encryption lie in avoiding PR and compliance risks of breaching data According to Forrester, full disk encryption will be the most piloted or adopted security technology in 2009. With national press now interchanging data loss stories with reports on an ailing housing market, this is hardly surprising.
Increased mobility makes full disk encryption more important, but so is end-user policy management The security officer is becoming increasingly aware of the importance of controls for end-user computing, writes Alessandro Moretti, co-chair of the (ISC)2 European Advisory Board. With end-users becoming more mobile thanks to the advances of technology, the numbers of laptops in an organisation is increasing.
Business case must be well-managed to balance cost and benefits of full disk encryption Full disk encryption (FDE) is expected to be the top security technology tested or adopted this year. There is little doubt encryption helps improve security. The issue that requires more thought on a case-by-case basis is that of desktops and the point at which the overhead becomes worth it.
Realise the full benefits by encrypting hard drive and storage media Full drive protection completely replaces the contents of a user's hard drive with an encrypted image. If this is combined with pre-boot authentication, a thief really has nowhere to start in breaking out the contents of the drive.
Full disk encryption performance faster but easier interfaces still expensive Full disk encryption (FDE) appears to offer an ideal solution to the increasingly publicised losses of data on laptops, CDs and thumb drives. By encrypting all the storage area on a device, FDE removes the need for an end-user to consider whether the information is protected.
How secure is the current practice in virtualisation?
Information Security Forum: Leverage the benefits of virtualisation but in a secure way The key driving force behind virtualisation is the promise of reduced costs resulting from server consolidation.
Sapphire Technologies: Guard physical and hypervisor layers against unauthorised access Virtualisation technology makes best use of available processor and memory resources.
ISSA: Set up virtual machines with extra caution The stampede to employ virtualisation shows no signs of waning in 2009.
BCS: If you outsource your virtualisation, thoroughly check your provider's security When you search for virtualisation, the results don't directly include security.
Security as a service: how are the patterns of risk and reward changing?
(ISC)2: Higher rewards for the client mean higher risks for the security service provider Overall, both the sum of risks and the sum of rewards stay constant, they are just distributed differently in the client-provider relationship.
ISSA UK: Business rewards make risk worthwhile The latest buzzwords are security as a service. The term refers to the delivery of traditional security applications as an internet-based service. It is not a new term, making its first appearance in 2001 when McAfee filed a patent for the delivery of security software as a service over the internet.
ISACA: Careful implementation and management of security service is essential Security as a service, if implemented and managed properly, can allow enterprises, and in particular the smaller business, to outsource essential security tasks for which they do not have the internal resources or the expertise.
The Corporate IT Forum: Rewards outweigh security drawbacks It is now over a year since we tested corporate attitudes towards outsourced security services and found that many Corporate IT Forum members were routinely outsourcing security functions such as spam management, e-mail virus and vulnerability scanning for external threats. We established that members felt comfortable and confident with the services provided, with many regarding them as cost-effective and sound business choices.
BCS Security Forum: Managing the risk is essential when outsourcing security In seeking to provide a detailed response for the above questions, views have been sought from the wide community of experts that make up the BCS Security Forum Strategic Panel (SFSP).
Gartner: Poor implementation presents the greatest risk - failure Security as a service can provide cost savings and accelerated implementation cycles, just as software as a service (SaaS). However, the "as a service" approach can fail if applied under the wrong circumstances using a poor implementation methodology.
With the bank failures of recent weeks, more pending redundancies and a continuation of the downward slide, should we be concerned about lax security? Is someone minding the store while all this is going on or should we be doing something more when the banks are going bust?
BCS: Secure employee access to prevent insider threat Even an organisation with very good security can find it is effectively more vulnerable than an organisation with poor security if it is going through a period of change, such as redundancies, cost-savings, mergers or outsourcing.
(ISC)2: Guard business assets against increased threat The value of business assets, (for example, intellectual property, client data and service availability, managed in-house or via third parties) does not diminish during a downturn. During such time, there is an increased emphasis on the identification of key business assets and the mapping of a formal, consistent, and proportionate security strategy.
NCC: Beware employees' "exit strategies" during downturn Even the most process-oriented institution hinges on the human components that carry the information systems through their lifecycles from conception to disposal.
ISSA: Be vigilant of saboteurs' revenge cybercrime The threat of sabotage to organisations from disgruntled existing or former employees is very real, and can have a large impact on organisations.
Gartner: Drop in staff morale increases security threat Organisations can expect to experience internal security problems as staff reductions in turn reduce morale. Undoubtedly, there will be malcontent about reductions in stock or bonuses, outsourcing or redundancy.
ISACA: Don't let turmoil distract attention from security While most enterprises in financial services have generally understood the need for high levels of security and have applied themselves to implementing and managing effective and appropriate security measures, there is little doubt that risk will have increased throughout and following any major market upheaval.
ISF: Security is not primarily a technical issue The great myth associated with information security is that the risks are primarily technical. However, practitioners in the trenches know better: the greatest vulnerabilities organisations face are down to human behaviour.
How do you protect from malware your mobile employees and customers, who lie beyond the network frontier?
ISSA: Traditional controls inadequate There is a common misconception that because an organisation has anti-virus, it must be safe.
Tif: Boundaries are blurring The notion of a boundary existing between "locked down" IT systems inside the corporate network and everything else operating outside it does not make as much sense as it once did.
ISF: Extend the security perimeter By and large, corporates have solved the problem of protecting the security of workstations against malware in their own internal environment.
ISACA: Constantly mutating challenge The idea that enterprises have made great progress in locking down their infrastructure to protect end-users from malware may not be totally accurate.
Gartner: Control devices and encrypt data As new and improved technologies appear in the mobile markets, and are adopted by businesses, so new threats and attacks appear.
BCS: Audit and educate Attend the likes of InfoSec to ensure you are up to date with the latest products and then seek the advice of an expert consultant to help in cutting through the snake oil.
NCC: It's all about layers Working outside an organisation's physical domain brings certain responsibilities with it and the road warrior must take caution along in the kit bag.
Has the government got the business case for ID cards right?
Royal Holloway: Benefits to the citizen have yet to be proven In asking whether the government has got the business case for ID cards right, we need to understand precisely what that business case is.
BCS: Now is the time for action I don't need platitudinous diktat from government indicating that they are doing me a new favour.
NCC: Be sure of making the complete case ID cards are only part of the identity management solution - not the solution - nothing ever is.
ISSA: ID cards - analyse the facts Let's put emotion aside when asked about national identity cards and analyse the facts presented by the Identity and Passport Service.
In view of the cyber-warfare dimension to the Russia-Georgia conflict, and the Chinese cyber-espionage ongoing against the west since c.2003 ("Titan Rain", and so on), how concerned should we in the UK be about state-sponsored hacking?
ISSA: The threat to the UK from cyber terrorism What has the UK got to fear from hackers?
NCC: The national threats from hackers What could hackers realistically do to disrupt our national infrastructure, and how should government respond?
(ISC)2: We know how to deal with the threat There is much to fear from hackers, but using established security principles the UK government can deal with the threats.
ISF: There is much to prepare for Governments must be prepared for "blended threats".
ISACA: The cyber-crime threat is difficult to measure The cybercrime threat is very real, but dealing with it will be difficult.
Social networking sites: what are the associated risks at a corporate and at an individual level?
Gartner: at-a-glance guide to social networking risks Multiple worms and viruses have been introduced to various social network environments. Content distribution within a social network parallels peer-to-peer environments and can support rapid distribution of malware embedded in applications and graphics.
BCS: Individual risks become corporate risks As a result of the strong human desire to connect, social networking websites have encouraged online behaviour where security and privacy are not always the first priority. The key cause for concern is the late realisation of the open nature of the web and thus how much personal information has been left exposed to any passing stranger.
Tif: Limit your liability from social networking The main risk of social networking comes from the blurring of a participant's professional and personal profile. Very often, social networkers align themselves with professional networking groups that indicate clearly who employs them and what their job function is. Potentially, this can make it very easy for criminals to harvest information that can be used against them or their companies - so called "social engineering".
NCC: Social networking security is a people issue It is an enticing technology but few of the associated risks are really technology problems. It is no different from that old managerial adage of "less gob, more job". And heavy handed bans are unlikely to mitigate the risks. You may curtail the workplace access, but you cannot control the cybercafe or home PC without instilling staff with a risk-literate attitude.
ISSA: Would you shout your details in the street? The danger of giving too much information away on social networking sites is of significant concern. Even information that seems innocuous, such as date of birth and postcode can be used for nefarious motives. How many times is this sort of information used as a challenge when speaking to a call centre operative to prove your identity?
ISF: A greater social networking threat on the horizon Last year, Facebook purchased Parakey, a start-up from two of the creators of Firefox that promises a web-based operating system designed to bridge the gap between desktop and web and make it easier to move content between the two. How long will it be before one of these sites gives simple remote access from PC to PC?
(ISC)2: Policies hold key to social networking security threat The rapid take-up of social networking sites offers cyber criminals and mischief makers a large new target. Remind colleagues not to use any workplace e-mail addresses or passwords on these websites. Many of these websites do not encrypt user log-on details. Passwords and user IDs transmitted in clear text across the public internet are subject to possible interception or compromise.
Indications are that remote working was able to reduce the financial impact for those companies that have enabled it, but very few small and medium businesses have the budget or technical ability to implement and manage secure virtual private networks (VPNs) with sophisticated network access control.
Remote working - how risky is it and what can small businesses do to enable it securely?
ISACA: Low-cost and secure remote working is achievable for SMEs Remote working is commonplace in the corporate world, but many small businesses have still to take advantage of a secure method to permit their staff to connect back to the office when they are working at home or travelling. Whilst there are low-cost, adequately secure alternatives, small businesses are generally unaware of the technology or the risks of a poor implementation.
ISSA: Remote working is not all or nothing Remember looking out of the window and being greeted with a blanket of snow? The very hint of no school and a day in the snow is every kid's dream. This attitude changed one day, and the only thought was the impending journey into work because a day out of the office is surely unthinkable.
(ISC)2: Remote working need not be feared Remote working should be encouraged and embraced, not feared, in companies where the actual work can be done remotely.
ISF: Remote working is a challenge for companies of all sizes Even large organisations struggle to secure remote working - and that is with multi-million pound budgets, 24x7 support and dedicated technical teams. Small businesses are exposed to the same risks, may not have any of these controls, yet would still like the flexibility and convenience that remote working offers them.
SMEs at risk from casual remote working practices Most organisations have remote workers, whether teleworkers working from a home office, or mobile workers who work from a variety of locations.
Are we reaching a stage where passwords need to be replaced by two- or even three-factor authentication methods and is there a future in federated identities?
ISC2: The more complex the technology, the greater the risk users will bypass it As with any security measure, the answer to the first part of this question depends on the application. There are some instances where even the use of a password is too much. Why, for example, when I order theatre tickets or book a restaurant must I use a password to make a reservation?
ISACA: more complexity delivers security, but not without cost We are all familiar with the following string of characters '12345' - according to some articles it was the most commonly used password at the dawn of the internet. The problem with passwords is that they are generally easy to guess and are often easily compromised.
Gartner: What matters is risk-appropriate authentication Ant Allan, research vice-president at Gartner, says a glib answer to the first part of the question would be, "No. We have already passed that stage." But that would not be universally true. Legacy passwords are vulnerable to a wide variety of attacks, but they can still provide appropriate levels of assurance and accountability in some low-risk situations. Gregg Kreizman, research director at Gartner, says there is a future in federated identity. But is it a bright future in which every organisation must support identity federation? No.
ISF: Federated identity services may be the way forward In a world where users expect access any time, any place, anywhere, the days of an employee just sitting at an office desk in front of a desktop PC and accessing 'the network' by entering a single username and password are long gone. The employee may be a contractor or outsourced, and the desktop replaced by a laptop, smartphone or PC at home or in an Internet café. Users now access a far wider set of applications, services and other information sources.
ISSA: Strike a balance between security and co-operation Suggestions that the life of passwords is at an end for information systems have been mooted for a number of years. However, much like the wholesale adoption of single sign-on, such assertions have failed to materialise. The logic behind their demise is understood; passwords have a number of vulnerabilities that range from non-repudiation to being subject to guessing, brute-forcing, etc.
The Corporate IT Forum: Users are human and part of the risk matrix Secure user authentication is a difficult balancing-act for IT security professionals. There needs to be a careful balance between accessibility and the requirements of secure networks and systems. With users increasingly emanating from federated business environments (such as online customer and colleague communities, remote, mobile and global workforces) the requirement to validate the integrity of the user has become a top priority.
What are the security risks associated with social-media use, and who owns these risks?
Deeper relationships must be balanced with reputational risk, but an outright ban puts social media beyond policy control. Content-based risks are trickier than technological threats, so the fundamental issue is not the technology but the information – which begs the question of whether the business can justifiably manage something that is social and organic?
What should security professionals do about Stuxnet?
Technology alone is not the answer, and widespread education is needed. Basic security measures can be effective, but make sure systems are isolated and protected. Employees must be kept alert to the dangers, and open-source intelligence can help find out if you are a target. Also, look at both whitelisting and blacklisting.
How to prevent security breaches from personal devices in the workplace
January represents a significant challenge for the security professional; this will be the time employees bring their new consumer electronic devices into the office with the expectation that they can use them at work. Regardless of corporate policy, organisations are being challenged on an almost daily basis to provide support for a range of devices often designed for consumer use.
This was first published in May 2008