Like many others I am trying to make sense of what is currently happening in the on-line world with the rerouting of Domain Names and collapse of Clouds after the compromise and revocation of many of the digital certificates that are at the heart of the SSL security regime.
DigiNotar was part of a ring of mutual recognition. It was supposedly regulated and audited to the highest standards. There are, however, allegations that the security breaches which caused the Dutch Government to revoke all the certificates used for its on-line services were long standing, that its certification service had been compromised before its take-over by VASCO, and that other services are similarly vulnerable. It is also said that few, if any, major users are aware of most of the certificates trusted by their systems, who issued them, on what authority, and which applications need them.
It may be that we only know about this breach because the Iranians, who had paid to use the breaches to help them track down dissidents who believed in the security of western e-mail systems, wanted bragging rights and public revenge for the humiliation caused by Stuxnet. Some say it is the most serious security problem since Stuxnet. I suspect it is far more serious – but the response may also prove more constructive. It is certainly causing players to listen far more seriously to the Identity Commandments of the Jericho Forum and to re-read the Information Society Alliance paper on Security by Design and its recommendations for action by governments, professional bodies and trade associations to help change market behaviour.
Most of those who might know the reality are keeping a low profile. The exceptions are those using the opportunity to promote the need to look at the people processes within those they trust – and not leave their own security to layers of bloatware. Players like Venafi are also promoting tools to help expedite the process of identifying who your systems trust – so that human beings can set about the process of removing those you have never heard of.
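As an added example (not code from this post, from Venafi, or from any vendor), here is a small Python inventory of the root certificates a system trusts, the first step the paragraph above describes: it groups trusted roots by issuing organisation and flags any that are expired or that belong to an organisation you have decided to distrust. The sample entries are constructed in the shape Python's `ssl` module returns; their serial numbers and dates are placeholders, and the distrusted-organisation list is an assumption.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLContext.get_ca_certs():
# subject/issuer are sequences of RDNs, each a tuple of (attribute, value)
# pairs. Serial numbers and validity dates below are placeholders.
SAMPLE_TRUST_STORE = [
    {"subject": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),),
                 (("commonName", "DigiNotar Root CA"),)),
     "issuer": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),),
                (("commonName", "DigiNotar Root CA"),)),
     "version": 3, "serialNumber": "PLACEHOLDER-1",
     "notBefore": "May 16 17:19:36 2007 GMT", "notAfter": "Mar 31 18:19:21 2025 GMT"},
    {"subject": ((("countryName", "XX"),), (("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),)),
     "issuer": ((("countryName", "XX"),), (("organizationName", "Example Trust Services"),),
                (("commonName", "Example Root CA"),)),
     "version": 3, "serialNumber": "PLACEHOLDER-2",
     "notBefore": "Jan 15 00:00:00 2000 GMT", "notAfter": "Jan 15 00:00:00 2010 GMT"},
]

# Assumed audit date (shortly after the DigiNotar revocations) so results are fixed.
AUDIT_TIME = ssl.cert_time_to_seconds("Sep 01 00:00:00 2011 GMT")
DISTRUSTED_ORGS = {"DigiNotar"}  # assumption: organisations you no longer accept as roots


def rdn_to_dict(name):
    """Flatten an ssl-style RDN sequence into a plain {attribute: value} dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def audit_trust_store(certs, distrusted_orgs, now=None):
    """Return (per-certificate findings, count of trusted roots per organisation)."""
    now = time.time() if now is None else now
    findings, by_org = [], {}
    for cert in certs:
        subject = rdn_to_dict(cert["subject"])
        org = subject.get("organizationName", "<no organisation>")
        by_org[org] = by_org.get(org, 0) + 1
        flags = []
        if org in distrusted_orgs:
            flags.append("DISTRUSTED")
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            flags.append("EXPIRED")
        findings.append({"cn": subject.get("commonName", "?"), "org": org,
                         "not_after": cert["notAfter"], "flags": flags})
    return findings, by_org


def audit_system_trust_store(distrusted_orgs=DISTRUSTED_ORGS):
    """Run the same audit against the roots this Python/OpenSSL build trusts."""
    return audit_trust_store(ssl.create_default_context().get_ca_certs(), distrusted_orgs)
```

Running `audit_system_trust_store()` lists the roots loaded from the local system store; on some platforms only certificates already used once are visible through this call, so treat the output as a starting point rather than a complete inventory.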
The Information Society Alliance report on Security By Design is prefaced by a quote from Professor Richard Walton (formerly Director of CESG), “The main benefit of investing in better security technology is to force the enemy to concentrate on corrupting your people instead of trying to break your systems”. Bruce Schneier has put the current situation succinctly “Amateurs attack machines: professionals attack people”.
Martin Smith, at a recent ISSA meeting, quoted Einstein on his definition of insanity: “doing the same thing over and over again and expecting different results”. Martin then spoke of the madness of putting IT professionals in charge of security. Most IT professionals went into the predictable world of machines in order to escape from the stresses of having to deal with unpredictable human beings. But almost all serious information security breaches involve using weaknesses in the people processes to gain the privileged access necessary to find routes through the technology processes.
I am currently working to get the Information Society Alliance work on Information and Identity Governance off the ground before I stand down as Secretary General (at the end of the month). I then hope to be able to use the results in the round of national and international policy studies and implementation campaigns that I am expected to organize in my new role – as executive chairman of the Conservative Technology Forum. One of my three objectives as chairman is to find credible policies to help stop the erosion of on-line trust that will otherwise help cripple western economic recovery – and put the UK in pole position as the most trusted location to do on-line business.
One of the points of leverage will be to look at the issues of impersonation from the perspective of the victim. Assembling the “right” team to address this is proving to be as interesting a challenge as getting IT professionals to think politically, top down – as opposed to assuming that someone else will define the “problem”.
Why should I be surprised?
Twas always thus.
The other term for a victim is “user”.
And we all know what, or rather how little, IT professionals think of users.