Data leakage, poor code are concerns at Infosecurity

Insider threats, data privacy top the themes that emerged from the year's big show.

The information security industry must have breathed a collective sigh at the end of three days' frantic activity, when Infosecurity 2008 finally closed its doors on Thursday night. Apparently more than 12,500 visitors attended the show, prompting the organisers to move to a larger venue in Earl's Court, West London, for next year's event.

For most of the time, especially on the second day, the place seemed to be heaving with people, and exhibitors on the stands reported genuine enquiries from a whole range of organisations including police, education, central government as well as the private sector.

While the show included most of the usual anti-malware vendors, it was noticeable that this year's focus was on insider threats and how to stop private and personal information getting to the wrong people. Part of that is driven by the need to comply with new requirements, such as PCI DSS, but there is also a belated recognition that insiders, whether malicious, careless or stupid, are much more likely to cause you trouble.

Data leakage sparks encryption interest
As the new BERR Information Security Breaches Report revealed, when it was conveniently released on the first day of the show, anti-virus and anti-spam defences are doing a pretty good job at reducing the number of security breaches. The real worry now is how to keep a lid on data leakage, and that point was underlined in a statement on the same day from the Information Commissioner, Richard Thomas, who reported that he had received 94 notifications of personal data breaches since the loss last November of HMRC data.

Encryption is (rightly) seen as a major part of the solution, although many think (wrongly) that encrypting laptops will make the whole problem go away. It takes a bit more thought than that.

Anyhow, the encryption vendors were out in force, from stalwarts such as PGP, which arrived armed with research showing that 60% of UK businesses had experienced an information breach in the last year, to newcomer Apsec, which has just set up in the UK. This private German company specialises in file and folder encryption and, according to its CEO Frank Schlottke, has already taken an 80% share of the German health market, as well as selling to Deutsche Bank, VW and the German Stock Exchange. The company's product encrypts files according to policy rather than asking users to decide, which makes it especially useful in the health sector, said Schlottke, who added that he is already in talks with parts of the NHS.

While most email management systems can help in controlling what information goes out in email messages, attachments and even instant messaging systems, the determined 'bad apple' employee will be able to find new ways of getting round those controls.

Catching that kind of thing means watching network and system behaviour and flagging anomalies in it. One new product attracting attention was Intellinx, a fraud management tool from Israel, which has been launched in the UK by e-Solutions, a system integrator based in Burton-on-Trent. "It can install in an afternoon," said Angus Stewart, the company's boss, who explained that the system just sniffs traffic passing through a switch and tests it against a set of rules.

He said the product had received a lot of interest from banks, which worry not only about dishonest clerks but also about call centre staff selling off their customers' data. "We had one building society where call centre staff, who earn maybe £15,000 a year, are regularly molested by people with large wads of money," he said. "They want to be able to detect, for example, anyone who is accessing lots of customer files in a short space of time, and who might be collecting information to sell."
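The rule Stewart describes, a user touching an unusual number of customer records in a short time, is a sliding-window count over an access log. The block below is an added illustration written for this page, not Intellinx code or e-Solutions' rule set; the log format, the five-records-in-five-minutes threshold and the sample records are all constructed here for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail (not from the article or any vendor):
# one record per line, "timestamp,user,customer_id,action".
SAMPLE_LOG = """\
2008-04-24T09:00:01,clerk01,C1001,view
2008-04-24T09:00:12,clerk01,C1002,view
2008-04-24T09:00:20,clerk01,C1003,view
2008-04-24T09:00:31,clerk01,C1004,view
2008-04-24T09:00:45,clerk01,C1005,view
2008-04-24T09:00:58,clerk01,C1006,view
2008-04-24T09:01:03,clerk02,C2001,view
2008-04-24T09:04:10,clerk02,C2001,update
2008-04-24T09:09:00,clerk02,C2002,view
2008-04-24T09:15:00,clerk01,C1007,view
"""

THRESHOLD = 5                   # distinct customer records seen by one user ...
WINDOW = timedelta(minutes=5)   # ... within this sliding window (assumed values)


def parse_log(text):
    """Parse the CSV-style audit lines into (timestamp, user, customer, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, customer, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, customer, action))
    events.sort(key=lambda e: e[0])          # the window logic assumes time order
    return events


def detect_bulk_access(events, threshold=THRESHOLD, window=WINDOW):
    """Flag any user who touches `threshold` or more distinct customer records
    inside `window`. Returns (user, window_start, window_end, count) tuples."""
    recent = defaultdict(deque)              # user -> deque of (timestamp, customer)
    alerts = []
    for ts, user, customer, _action in events:
        q = recent[user]
        q.append((ts, customer))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) >= threshold:
            alerts.append((user, q[0][0], ts, len(distinct)))
            q.clear()                        # start a fresh window: one alert per burst
    return alerts


if __name__ == "__main__":
    for user, start, end, count in detect_bulk_access(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {count} distinct customer records between {start} and {end}")
```

Repeated views of the same record (clerk02 above) do not count towards the threshold, which keeps a clerk working one long call from tripping the rule; the threshold itself has to be tuned per role, since a fraud investigator legitimately opens far more files per hour than a call-centre agent.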


Stewart was also showcasing a brand-new product developed at Munich University, which authenticates users based solely on their typing style. The Psyloc system asks users to type in the same short sentence nine times in order to register themselves. Thereafter, the system is able to recognise them from the way they touch the keyboard. "It's a very simple and low-cost form of biometric authentication," said Stewart. He said no-one had yet been able to trick the system, despite offering a money prize to stand visitors.
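Keystroke dynamics of the kind Stewart describes works by enrolling a user from several typings of a fixed phrase and then scoring later attempts against the stored rhythm. The block below is an added sketch of that idea, not Psyloc's algorithm or code: the phrase, the nine-sample enrolment, the per-transition mean and standard deviation template, the z-score threshold and the simulated typing data are all assumptions made for the example.

```python
import random
import statistics

PHRASE = "the quick brown fox"   # constructed enrolment sentence (assumed)
ENROL_SAMPLES = 9                # the article: users type the sentence nine times
THRESHOLD = 2.0                  # mean |z| above which a sample is rejected (assumed)


def simulate_typing(rng, rhythm, jitter_ms):
    """Constructed sample: one typing of PHRASE as inter-key latencies in ms,
    a user's characteristic rhythm plus Gaussian jitter. A real system would
    take these from key-down timestamps captured at the keyboard."""
    return [max(20.0, base + rng.gauss(0, jitter_ms)) for base in rhythm]


def enrol(samples):
    """Template = per-transition (mean, std dev) of latency over the enrolment samples."""
    template = []
    for i in range(len(samples[0])):
        column = [s[i] for s in samples]
        mean = statistics.fmean(column)
        sd = max(statistics.pstdev(column), 5.0)   # floor so one steady key pair cannot dominate
        template.append((mean, sd))
    return template


def score(template, sample):
    """Mean absolute z-score of a sample against the template (0 = perfect match)."""
    return statistics.fmean([abs(x - m) / sd for (m, sd), x in zip(template, sample)])


def verify(template, sample, threshold=THRESHOLD):
    """Accept the sample only if it is close enough to the enrolled rhythm."""
    return score(template, sample) < threshold


def build_demo(seed=7):
    """Enrol a genuine user, then score one genuine and one impostor typing."""
    rng = random.Random(seed)
    n = len(PHRASE) - 1                                  # one latency per key transition
    alice = [rng.uniform(80, 250) for _ in range(n)]     # genuine user's rhythm (ms)
    mallory = [rng.uniform(80, 250) for _ in range(n)]   # impostor typing the same text
    template = enrol([simulate_typing(rng, alice, 10) for _ in range(ENROL_SAMPLES)])
    genuine = simulate_typing(rng, alice, 10)
    impostor = simulate_typing(rng, mallory, 10)
    return {
        "genuine_score": score(template, genuine),
        "genuine_accepted": verify(template, genuine),
        "impostor_score": score(template, impostor),
        "impostor_accepted": verify(template, impostor),
    }


if __name__ == "__main__":
    for key, value in build_demo().items():
        print(f"{key}: {value}")
```

The threshold sets the trade-off between false rejects (a tired or injured user typing off-rhythm) and false accepts, and an attacker who can record a user's keystroke timings can replay them, so behavioural biometrics of this sort are best treated as an additional factor rather than the sole means of authentication.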

One other first-time exhibitor at Infosecurity was the printer manufacturer Ricoh, keen to remind visitors that information leakage does not just involve electronic data. The company has developed a range of mechanisms to ensure that only the right people can print off information, including a smart card which users insert at the machine to identify themselves and to ensure they are present when the report appears. The system also overwrites data held on its internal hard disk (up to nine passes for military customers), ensuring the material cannot be stolen from the device.

The key to secure coding
Another big theme was the problem of insecure code, especially in websites where SQL injection and cross-site scripting attacks are encouraged by the generally low standard of coding. According to John Jack, president of Fortify, which supplies automated source code analysis to 50 of the top 60 financial service and telecoms companies, "In 98% of cases where we do an initial analysis with a customer, they'll say they didn't know it was that bad."

With hackers able to pull down ready-made attack code from publicly available websites, he said, companies were laying themselves and their customers open to danger. He said the circumstances existed for a "perfect storm": companies were adopting new software technology such as AJAX, JavaScript and Web 2.0 applications, while the developers were poorly trained in security and generally under pressure to build against a deadline. At the same time, the criminal community is employing highly skilled hackers to do its work and find ways of exploiting insecure code.

Coming at the problem from a slightly different angle was Jeremiah Grossman, former CISO at Yahoo! and founder of Whitehat Security, which claims to have the industry's first continuous vulnerability assessment and management service for websites. Through a link-up with F5 Networks, Whitehat can identify and prioritise a vulnerability, and then the F5 application firewall can immediately apply a new rule to prevent the vulnerability being exploited.

As Grossman said, security teams need to get vulnerabilities closed quickly, but they rely on developers to go back and change the code – which by his research can take on average 150 days for an SQL injection vulnerability.
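The SQL injection problem Jack describes, and the stopgap Grossman describes (a firewall rule that blocks exploitation while the developers spend their 150 days on the fix), fit in one small example. The block below is added for this page and is not Fortify, Whitehat or F5 code: it shows the injectable string-built login query, a WAF-style "virtual patch" scoped to the vulnerable parameters, and the real fix, a parameterised query. The table, the accounts and the request dictionaries are constructed for the example, and the allow-list pattern is an assumption.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory user table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """The classic injectable login: user input pasted into the SQL text."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    """The code fix: bound parameters, so input is data rather than SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Virtual patch: a WAF-style rule applied in front of the vulnerable handler
# until the fixed code ships. Allow-list the username; deny quote and comment
# tokens in the password. The exact patterns are assumptions for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")
PASSWORD_DENY_RE = re.compile(r"""['";]|--|/\*""")


def virtual_patch(params):
    """Return True if the request should be blocked before it reaches the handler."""
    if not USERNAME_RE.match(params.get("username", "")):
        return True
    if PASSWORD_DENY_RE.search(params.get("password", "")):
        return True
    return False


def handle_login(conn, params, handler, patched):
    """Simulate the web tier: optional virtual patch, then the chosen login handler."""
    if patched and virtual_patch(params):
        return "blocked"
    ok = handler(conn, params.get("username", ""), params.get("password", ""))
    return "ok" if ok else "denied"


if __name__ == "__main__":
    conn = make_db()
    attack = {"username": "admin' OR '1'='1' --", "password": "x"}
    print("vulnerable, no patch:", handle_login(conn, attack, login_vulnerable, False))
    print("vulnerable, patched: ", handle_login(conn, attack, login_vulnerable, True))
    print("fixed code:          ", handle_login(conn, attack, login_fixed, False))
```

The virtual patch buys time but is not the fix: it only covers the parameters someone thought to write rules for, and the password denylist will reject a legitimate password that happens to contain a quote. Once the parameterised query is deployed the attack string is simply a username that matches nobody, and the rule can be retired.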

But source code analysis may not be enough, according to Matt Moynahan, president and CEO of Veracode, which goes below the source code and analyses the compiled object code of programs. His argument is that with so much code development outsourced, or accessed via web services, much of the source code is unavailable to inspect. "It's what we call SOUP – software of unknown pedigree. It's like being an auditor and only being able to audit two-fifths of the company," he said.

His first big UK scalp is at Barclays, where he said new CISO Rhonda Maclean now plans to make it a condition of any new software procurement that object code will be scanned for vulnerabilities. "You can't break the economic model of the software companies, who need to get product out, but it makes sense for companies buying software to do their own health checks," said Moynahan.

And some help with pentesting
However strong its in-house security, most companies need outside consultants to run a penetration test that spots weaknesses in technology or procedures. But how do you spot a good consultant?

One certification scheme that got its official launch at the show is Crest, the Council of Registered Ethical Security Testers. The scheme has already attracted 18 members, including Deloitte and Ernst & Young, and is designed to operate as a kitemark of excellence. It will offer a set of examinations for individuals and an approvals process for prospective member companies.

Individuals pay £1,600 to take the exams, while companies pay £7,000 a year for membership. Any company that already has CHECK certification from CESG to work on Government projects will automatically qualify for Crest certification.

The association's chairman Paul Docherty said he had already had requests from South Africa, Australia and the US to set up Crest chapters.
