Despite the millions of pounds spent on security technology and consultancy every year, the IT security world remains divorced from business users, according to Martin Smith, chairman and programme consultant at IT security conference Compsec, which takes place next week. In the resultant confusion, skewed priorities, inappropriate measures and mis-selling are the norm. "At the moment, the [experts] are selling brain surgery while the patient dies of the common cold," he says. "Senior management are worried, concerned and know they are vulnerable but they don't know what to do."
In Smith's opinion, the IT security establishment has matured technically but it has not matured intellectually and continues to fail business by not addressing underlying issues and security concerns in business terms.
Compsec, which is sponsored by the Computer Weekly Infosecurity User Group, will look at the key security risks and how to cope with them. As well as taking in ongoing management challenges such as data protection, disaster recovery and business continuity, the conference will look at technologies like Extensible Markup Language and public key infrastructure and address legal and ethical issues that surround the gathering of computer forensic evidence.
The event, according to Smith, provides IT professionals with a generally informative discussion amongst peers on security threats and issues, free from supplier hype and sales pitches. However, for Smith, it is also an opportunity to try to shake the IT and business communities out of their complacency and to start getting to grips with the real security issues instead of the perceived ones.
While he identifies a lack of awareness as the greatest cause of all security breaches, Smith also points to missed opportunities arising from companies implementing inappropriate and overly complex or misunderstood security solutions. "The ways to improved security are rarely technical," he says. More effort should be spent on practical, non-technical solutions such as user education, improved internal communication and establishing proper processes within the organisation. A key barrier here is that there is no money to be made by security firms in increasing users' awareness of security issues and good practice, Smith says.
Keynote speaker Marcus Ranum, chief technology officer at US firm NFR Security, will be looking at the future of network security. "Surprisingly, the un-sexy stuff works the best," says Ranum. By this he means regularly updated anti-virus software, using personal firewalls and designing systems conservatively. "That means, not turning on all the features, not leaving everything open, researching features before you use them, and not just believing suppliers when they say 'trust us, it's secure'," he says.
Like Smith, Ranum believes that companies are misdirecting their efforts and focus. He sees a curious paradox. "On the one hand many people are scared of the potential threat of cyberterrorism, which has not happened so far, and yet they don't do basic things like install firewalls, audit traffic, or perform back-ups," Ranum says. "It's amazing the number of people who don't even take the basic precautions."
Users should be taken out of the loop as much as possible, argues Ranum. "Expecting people to show common sense is ridiculous when it's so easy to just make many of these things automatic," he says. As well as automation, Ranum favours "mandating" security measures and says that suppliers like Microsoft, with its Windows operating system, should start shipping their products with anti-virus software pre-installed. His main piece of advice for IT directors is to plan before you implement. While security is not hard to build in to what you are doing, he says it is nearly impossible to retrofit. "Factor security in as part of your reliability and availability plans: it's like doing your back-ups - boring but essential," he says.
Lessons from terror
At the conference, Alan Brill, managing director and technologist at US risk consulting firm Kroll, will draw on the lessons from last year's 11 September attacks in the US. He will guide delegates through what to do and what not to do in such a situation. In common with other speakers, Brill argues that it is often the simple and practical things that are overlooked and says key lessons relating to information security can be learned from the tragic events of 11 September:
- Action plans are too complex or confidential to the point of being impractical
- Companies - Brill points to law firms as an example - experience problems owing to their over-reliance on paper
- Too often there is an over-concentration of authority in a few staff so that no one can make decisions in their absence.
The current threat from international terrorism will be examined in the keynote speech by Brian Jenkins, senior adviser to the president of the RAND Corporation and adviser to the US-based International Chamber of Commerce. Jenkins believes that a combined, simultaneous attack using multi-dimensional tactics involving physical strikes, biological weapons and cyberattacks is a grave concern.
Sally Leivesley, business continuity manager at Risk Analysis (UK), is also in apocalyptic mood as she aims to discover how companies' systems would cope during a chemical, biological, radiological or nuclear attack. In her interactive workshop, Exercise Survive, Leivesley aims to simulate such an attack to help the participants gauge their ability to react and provide useful pointers for survival.
The opposite end of such events will be explored in another conference stream discussing current developments in policing and investigation. Securing a prosecution following a security breach or theft of intellectual property, while not always the main objective, is tough. However, a couple of recent hacking cases in the UK have shown that it can be done and point to the growing importance of computer forensic evidence and increasing cross-boundary co-operation between law enforcement agencies, mirroring the global nature of network attacks and fraud.
Crime and the law
Willy Bruggeman, deputy director of Europol, the European law enforcement organisation aimed at boosting co-operation and collaboration between European Union countries, will be at Compsec to examine the police network that roams cyberspace in his keynote speech. A specialist adviser to the Hi-Tech Crime Unit, Phil Swinburne, will also be taking part, along with Frank Butler, a training manager at Guidance Software, which develops computer forensic software tools.
Legal issues relating to key areas such as fraud are also a central part of this year's event, with a stream dedicated to legal issues on the second day of the conference, running in parallel with the technical and management elements.
The legal briefings will show companies how to minimise risk through the use of active e-mail policies, including the use of e-mail audit trails and encryption to make sure no one sees data who should not and ensuring records are kept of who does access this data and when. The organiser of the legal stream, barrister and IT security expert Stephen Mason, hopes the event will act as a wake-up call. He aims to alert IT directors to the increasing threat of money laundering and the need to comply with anti-fraud legislation and e-mail storage, which he says will become "a big headache". Mason is keen to highlight the potential risks IT directors face if they don't address such areas which can affect a company's reputation, finances and even attract legal action.
Mason points to legislation, such as the Data Protection Act and the Stock Exchange's Turnbull Report, which makes directors liable for employee's indiscretions with e-mails and poor business continuity procedures. He also points to recent guidelines issued by the information commissioner for treating personal data relating to employees. The guidelines effectively make the company the data controller for its employees and the e-mails they send and that has some very serious implications, says Mason.
Tougher anti-fraud and money laundering legislation introduced in the wake of 11 September to increase state powers, such as the UK's Anti Terrorism Act, also needs more consideration, he says. Mason cites the case of the UK lawyer who was recently jailed for six months - not for money laundering himself but for failing to ask sufficient questions of one of his clients who was. IT directors could find themselves in a similar boat before long, he warns.
Complacency and hiding your head, it seems, in the sand are no longer options.
What the experts think are the top five security threats and issues for the near future
Barrister and IT security expert Stephen Mason lists the following as his top five security threats and issues:
- Loss of company secrets and theft of intellect property
- Risk to reputation - as well as financial and even criminal damage - through not controlling how e-mail system is used
- Money laundering - companies need to pay more attention to this and do some due diligence to help them identify suspicious behaviour such as unusually large orders
- E-mail storage - companies need to separate business e-mails, which may need to be stored for six years, from personal ones. Storing personal e-mails for this length of time could lead to breaches of the Data Protection Act - they should be wiped after a few days
- Hackers and trojan horses - smaller companies in particular need to do more to protect themselves against this ongoing risk, says Mason.
According to Marcus Ranum, chief technology officer at NFR Security, the top five security risks are:
- Bad software
- End-user apathy
- Executable content - blurring the lines between an e-mail message and a program and the fact that someone can e-mail you something that your computer will run without your doing anything
- Denial of service attacks
- Lack of leadership from the governments of the world. "Most governments are too far behind the technology power curve," says Ranum.
What is Compsec?
Compsec is an annual IT security event, run by Elsevier Advanced Technology and sponsored by the Computer Weekly Infosecurity User Group. It looks at the key threats to IT security now and in the coming year, featuring keynote presentations from industry experts and insiders. This year's events will be held at the Queen Elizabeth II Conference Centre, London, from 30 October to 1 November. For further information contact Nina Woods 01865-843297, e-mail firstname.lastname@example.org.
Join the Infosecurity User Group
The Computer Weekly Infosecurity User Group is a free networking, benchmarking and information resource for IT professionals with IT security-related responsibilities. The group, established earlier this year, offers its members a number of benefits and services, including:
- Monthly e-mail bulletin
- Regular security threat alerts - and advice on how to tackle them
- IT security benchmarking service - how do you compare to other organisations?
- Latest IT security research
- Discounts on IT security products and services
- Regular meetings with high-profile speakers on hot IT security issues
- Networking events
- Useful guides to IT security best practice
Membership of the Infosecurity User Group is open to anyone with responsibility for IT security in a UK user organisation. For information on the group contact CWinfosecurity@rbi.co.uk.