<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
   <title>David Lacey's IT Security Blog</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/david_lacey/" />
   
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13</id>
   <updated>2009-11-19T09:21:13Z</updated>
   <subtitle>The latest ideas, best practices, and business issues associated with managing security</subtitle>
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type Enterprise 4.32-en</generator>


<link rel="self" href="http://feeds.feedburner.com/computerweekly/davidlacey" type="application/atom+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry>
   <title>The new art of war</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/tSOpxa7V1OY/the_new_art_of_war.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.78096</id>
   
   <published>2009-11-19T09:14:40Z</published>
   <updated>2009-11-19T09:21:13Z</updated>
   
   <summary>The National Journal has an interesting article on cyberwar, pointing out some of the opportunities and hazards associated with this new form of conflict. It's very different from anything we've seen before and it demands very careful consideration to avoid...</summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Managing the Human Dimension" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="people" label="people" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="perception" label="perception" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="risks" label="risks" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;The &lt;a href="http://www.nationaljournal.com/njmagazine/cs_20091114_3145.php"&gt;National Journal &lt;/a&gt;has an interesting article on cyberwar, pointing out some of the opportunities and hazards associated with this new form of conflict. It's very different from anything we've seen before and it demands very careful consideration to avoid attacks damaging valuable business assets. It's also a very sneaky form of conflict. As I've often said, it's more the art of illusion than the science of sabotage. &lt;/p&gt;
&lt;p&gt;It's also far too easy to trigger covert attacks. Minor, local&amp;nbsp;conflicts can quickly escalate and cause&amp;nbsp;global impact.&amp;nbsp;In cyberspace, as John Suler&amp;nbsp;points out in his online book &lt;a href="http://www-usr.rider.edu/~suler/psycyber/psycyber.html"&gt;The Psychology of Cyberspace&lt;/a&gt;, people can be tempted to go much further than they might in the physical world, exploring dark subjects, taking risks&amp;nbsp;and becoming unusually hostile. &lt;/p&gt;
&lt;p&gt;Cyberspace is&amp;nbsp;a surprisingly dangerous medium in which to conduct warfare. Let's hope that future cyber warriors are alert to the dangers.&amp;nbsp;&lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/11/the_new_art_of_war.html</feedburner:origLink></entry>

<entry>
   <title>Small companies are the key to security innovation</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/PFY6jzL6W68/small_companies_are_the_key_to.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.77788</id>
   
   <published>2009-11-18T08:52:23Z</published>
   <updated>2009-11-18T09:05:56Z</updated>
   
   <summary><![CDATA[The Global Security Challenge finals which took place&nbsp;at London Business School last week were a revelation to anyone who believes&nbsp;that security innovation is dead. There's certainly little imagination and innovation to be seen in the products emerging from&nbsp;big vendors and&nbsp;research...]]></summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Security Solutions" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="research" label="research" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="securitysolutions" label="security solutions" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="technology" label="technology" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;The &lt;a href="http://www.globalsecuritychallenge.com/"&gt;Global Security Challenge &lt;/a&gt;finals which took place&amp;nbsp;at London Business School last week were a revelation to anyone who believes&amp;nbsp;that security innovation is dead. There's certainly little imagination and innovation to be seen in the products emerging from&amp;nbsp;big vendors and&amp;nbsp;research establishments. But many&amp;nbsp;breakthroughs&amp;nbsp;are initially developed by clever individuals or small start-up companies. &lt;/p&gt;
&lt;p&gt;So&amp;nbsp;it's no surprise to find&amp;nbsp;an impressive range of unique and imaginative new security solutions&amp;nbsp;in the&amp;nbsp;Global Security Challenge finals, which is specifically aimed at small enterprises.&amp;nbsp;Many were game-changing developments, such as a technology that can detect liquid explosives in suitcases, a new form of lightweight body armor that can survive point-blank grenade attacks, and a video camera that takes such high resolution pictures that you don't need an optical zoom capability. The cyber security finalists were also impressive, including two technologies that offer a step change in real-time vulnerability management, using very different approaches. (I'll cover these in a later posting.)&lt;/p&gt;
&lt;p&gt;So&amp;nbsp;if this initiative is delivering the new security solutions we need, what else is needed? The answer is a lot more of the same.&amp;nbsp;We need&amp;nbsp;more attention and support for the SME and start-up sectors. Many of the finalists in&amp;nbsp;the Global Security Challenge have less than half a dozen staff and exist primarily on research awards and prizes. Yet they have also managed to develop complete products and gain real customers. We need more pump-priming investment to stimulate these sectors. &lt;/p&gt;
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/11/small_companies_are_the_key_to.html</feedburner:origLink></entry>

<entry>
   <title>Oman sets the bar on security awareness</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/wNYMcW8mLfE/oman_sets_the_bar_on_security.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.77735</id>
   
   <published>2009-11-17T20:19:08Z</published>
   <updated>2009-11-17T20:20:21Z</updated>
   
   <summary>Last week I was fortunate to have been presenting at a MIS Training CISO Executive Summit in Muscat. The Sultanate of Oman has long been my favourite business and holiday location. It's also a place where managers understand the importance...</summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Managing the Human Dimension" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="awareness" label="awareness" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="people" label="people" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="perception" label="perception" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;Last week I was fortunate to have been presenting at a MIS Training CISO Executive Summit in Muscat. The Sultanate of Oman has long been my favourite business and holiday location. It's also a place where managers understand the importance of the human factor in business and security. &lt;/p&gt;
&lt;p&gt;In the past, the people perspective has been low on the management agenda of Western organisations. The only time an executive board pays attention to staff is when they need a headcount reduction. But the business world has changed. Networks are empowering people to unprecedented levels of influence. We need to educate and listen to employees, customers and citizens, because the focus of decision making has shifted from the corporate centre to the front-line workforce. Managers, staff and customers are the engine of intellectual property generation, as well as the thin red line that safeguards these assets. &lt;/p&gt;
&lt;p&gt;This is why I was highly impressed with The Sultanate of Oman's new information security awareness programme. It's a government sponsored, nationwide initiative, and it's tailored to the local culture. Madison Avenue executives might not be especially impressed with the simplicity of their images and messages. But they would be wrong. What counts for success is a good understanding, empathy and a resonance with the target audience. &lt;/p&gt;
&lt;p&gt;From that perspective, Oman has set the bar for an initiative that other countries must also meet. There might be a wave of technology coming from the West. But there is also a wave of best practices in citizen education building from the East. &lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/11/oman_sets_the_bar_on_security.html</feedburner:origLink></entry>

<entry>
   <title>Towards the paperless office</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/7QPxLvHRB9E/towards_the_paperless_office.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.75262</id>
   
   <published>2009-11-06T22:23:55Z</published>
   <updated>2009-11-06T22:30:45Z</updated>
   
   <summary>A few weeks ago I reported that I could sense a new, much more determined mood across the UK business community to embrace electronic channels to overcome the postal strike. You can really see the aspiration in the eyes of...</summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Future Trends" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="incidents" label="incidents" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="predictions" label="predictions" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;A few weeks ago I reported that I could sense a new, much more determined mood across the UK business community to embrace electronic channels to overcome the postal strike. You can really see the aspiration in the eyes of sales executives to turn a major disaster into a business opportunity.&amp;nbsp;So what has the response been so far? &lt;/p&gt;
&lt;p&gt;My contacts in &lt;a href="http://www.mimecast.com/"&gt;Mimecast&lt;/a&gt;, a leading vendor of cloud-based email security services, tell me that they noted&amp;nbsp;a 20% increase in the volume of email on the first day of the Royal Mail postal strike. In fact they've seen this level of increase&amp;nbsp;before during&amp;nbsp;previous strikes. So is this just a routine knee jerk reaction? Or is it something different? &lt;/p&gt;
&lt;p&gt;In fact I believe we've hit a tipping point. Things are different this time around. One of the main characteristics of tipping points, as articulated by Malcolm Gladwell in his groundbreaking book on the subject, is the 'power of context', the particular conditions and circumstances of the time and place. &lt;/p&gt;
&lt;p&gt;In this case we have several factors coming together. Firstly, there is a greater recognition that electronic channels are now the norm, rather than the exception, for many forms of business. Secondly, there are now plenty of easy-to-implement security products to help companies make the transition from snail mail to secure email. And thirdly there is less fear of deploying complex technologies such as encryption to solve business problems. &lt;/p&gt;
&lt;p&gt;But above all, there is a new confidence that a paperless business environment is now a viable, as well as a desirable objective. Years ago, we used to joke that the paperless office would come after the paperless toilet. Perhaps we were mistaken...&lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/11/towards_the_paperless_office.html</feedburner:origLink></entry>

<entry>
   <title>The limitations of risk assessment </title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/vKDWfv3VSOM/the_limitations_of_risk_assess.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.74516</id>
   
   <published>2009-11-01T14:57:09Z</published>
   <updated>2009-11-02T08:51:29Z</updated>
   
   <summary><![CDATA[I've just posted a short&nbsp;article on&nbsp;the limitations of risk assessment on my Infosecurity blog. Those of you who've read my book&nbsp;on Managing the Human Factor in Information Security will know I have many concerns about the practice of risk management,...]]></summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Governance Issues" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="governance" label="governance" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="people" label="people" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="risks" label="risks" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      I've just posted a short&amp;nbsp;article on&amp;nbsp;the limitations of risk assessment on my &lt;a href="http://www.infosecurityadviser.com/view_message/the_limitations_of_risk_assessment/150"&gt;Infosecurity blog&lt;/a&gt;. Those of you who've read my book&amp;nbsp;on &lt;a href="http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470721995.html"&gt;Managing the Human Factor in Information Security&lt;/a&gt; will know I have many concerns about the practice of risk management, though I also take the view that it's an essential governance tool that's most definitely here to stay.&amp;nbsp;I do however believe that we need a better, stricter&amp;nbsp;approach to information security management. &amp;nbsp;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/11/the_limitations_of_risk_assess.html</feedburner:origLink></entry>

<entry>
   <title>Chinese Cyberwarfare Capability</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/VTR50yVg2tY/chinese_cyberwarfare_capabilit.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.74497</id>
   
   <published>2009-10-31T21:21:35Z</published>
   <updated>2009-10-31T21:28:03Z</updated>
   
   <summary><![CDATA[It's hard to ignore the report by Northrop Grumman Corporation on the Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation,&nbsp;if only because of its size and authoritative style. The title gives a hint...]]></summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Security Threats" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="perception" label="perception" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="threats" label="threats" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;It's hard to ignore the report by Northrop Grumman Corporation on the &lt;a href="http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf"&gt;Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation&lt;/a&gt;,&amp;nbsp;if only because of its size and authoritative style. &lt;/p&gt;
&lt;p&gt;The title gives a hint as to what to expect: a lengthy, 88 page assessment which any good journalist or diplomat could have condensed down to a page with a bit of effort. Even &lt;a href="http://www.schneier.com/blog/archives/2009/10/report_on_chine.html"&gt;Bruce Schneier&lt;/a&gt; has declined to read it, relying on his readers to pick out the salient points. &lt;/p&gt;
&lt;p&gt;Written in the style of a military standards manual but littered with superfluous adjectives and acronyms, the report tells us that the Chinese are serious about cyber warfare and aim to penetrate our systems to steal information and perhaps change the data. &lt;/p&gt;
&lt;p&gt;Yes, that's what we'd all assumed for many years. So what else is new?&amp;nbsp;&lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/10/chinese_cyberwarfare_capabilit.html</feedburner:origLink></entry>

<entry>
   <title>Lessons from the safety field</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/5AQRiSmwJdA/lessons_from_the_safety_field.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.73805</id>
   
   <published>2009-10-28T22:47:25Z</published>
   <updated>2009-10-29T10:16:32Z</updated>
   
   <summary>I've long argued that security should take note of lessons from the safety field, and there are a lot of important learning points set out in the Nimrod review. Many of these repeat the points made two decades ago by...</summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Governance Issues" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="governance" label="governance" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="people" label="people" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="professionalism" label="professionalism" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;I've long argued that security should take note of lessons from the safety field, and there are a lot of important learning points set out in the &lt;a href="http://news.bbc.co.uk/1/shared/bsp/hi/pdfs/28_10_09_nimrod.pdf"&gt;Nimrod review&lt;/a&gt;. Many of these repeat the points made two decades ago by Richard Feynman following the Space Shuttle Challenger disaster. Unfortunately, it seems that either our memories are short or the learning points were not widely disseminated. &lt;/p&gt;
&lt;p&gt;It's disturbing&amp;nbsp;that we continue to make serious mistakes decades after we have discovered how to prevent them. Perhaps that's an inevitable human weakness. But what counts is that we fix these flaws when they come to our attention, and that we educate others in how to prevent future incidents. &lt;/p&gt;
&lt;p&gt;All of these lessons apply equally to security. We can learn much&amp;nbsp;from the model of safety culture spelled out in the report. As the report correctly points out, safety depends on leadership, culture and priorities. It is delivered by people, not paper, and it takes a whole community to ensure that we achieve it. &lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/10/lessons_from_the_safety_field.html</feedburner:origLink></entry>

<entry>
   <title>Opinions on RSA Conference Europe 2009</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/aMSQgmNmP7Q/opinions_on_rsa_conference_eur.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.73364</id>
   
   <published>2009-10-27T09:14:19Z</published>
   <updated>2009-10-27T09:25:51Z</updated>
   
   <summary><![CDATA[Big conference web sites seem to be&nbsp;evolving&nbsp;into&nbsp;on-line magazines. RSA Conference and Infosecurity Europe publish&nbsp;news items and blog postings all year&nbsp;round. During last week's RSA Conference Europe,&nbsp;Dawn Erska of SolutionSet was circulating with a Flip video camera filming opinions from speakers...]]></summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Security Solutions" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="people" label="people" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="perception" label="perception" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;Big conference web sites seem to be&amp;nbsp;evolving&amp;nbsp;into&amp;nbsp;on-line magazines. RSA Conference and Infosecurity Europe publish&amp;nbsp;news items and blog postings all year&amp;nbsp;round. During last week's RSA Conference Europe,&amp;nbsp;Dawn Erska of &lt;a href="http://www.solutionset.com/"&gt;SolutionSet&lt;/a&gt; was circulating with a Flip video camera filming opinions from speakers and attendees. You can view&amp;nbsp;her montage of clips&amp;nbsp;on the &lt;a href="https://365.rsaconference.com/community/connect/rsa-conference-europe-2009/blog/tags/rsac"&gt;RSA Conference&lt;/a&gt; web site.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/10/opinions_on_rsa_conference_eur.html</feedburner:origLink></entry>

<entry>
   <title>Higher standards for identity assurance</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/bpoTaCxPHNg/higher_standards_for_identity.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.73180</id>
   
   <published>2009-10-26T10:57:15Z</published>
   <updated>2009-10-26T11:02:00Z</updated>
   
   <summary>Not a week goes by without a news item about yet another breach of personal data. The latest one is a compromise of data on the Guardian newspaper's jobs website. I think we all agree that there's a pressing need...</summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Governance Issues" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="governance" label="governance" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identity" label="identity" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="people" label="people" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;Not a week goes by without a news item about yet another breach of personal data. The latest one is a compromise of data on the &lt;a href="http://newsvote.bbc.co.uk/1/hi/uk/8324630.stm"&gt;Guardian newspaper's jobs website&lt;/a&gt;. I think we all agree that there's a pressing need for a step change in the standards we apply to the protection of personal information. That's certainly what was agreed by a group of experienced practitioners&amp;nbsp;at a recent &lt;a href="http://www.issa-uk.org/"&gt;ISSA UK&lt;/a&gt;&amp;nbsp;debate. The findings from that debate were written up and published in a &lt;a href="http://www.it-director.com/business/security/news_release.php?rel=13836"&gt;white paper&lt;/a&gt;, supported by former Home Secretary, The Right Honourable &amp;nbsp;David Blunkett MP. It's essential reading for anyone working on systems handling sensitive citizen information. &lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/10/higher_standards_for_identity.html</feedburner:origLink></entry>

<entry>
   <title>Money in the Cloud</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/kgKIR-nrbNY/money_in_the_cloud.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.72649</id>
   
   <published>2009-10-22T08:37:49Z</published>
   <updated>2009-10-22T08:42:01Z</updated>
   
   <summary><![CDATA[I was intrigued to read that the equivalent of $144 million was traded in the second quarter of the year on the LindeX, the official currency exchange of Second Life. This growth&nbsp;reflects the increasingly virtual nature of money in an...]]></summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Economics of Security" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="economics" label="economics" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="predictions" label="predictions" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;I was intrigued to read that the &lt;a href="http://www.smh.com.au/digital-life/digital-life-news/virtual-money-of-the-future-20091021-h8ca.html"&gt;equivalent of $144 million &lt;/a&gt;was traded in the second quarter of the year on the LindeX, the official currency exchange of Second Life. This growth&amp;nbsp;reflects the increasingly virtual nature of money in an information age society. &lt;/p&gt;
&lt;p&gt;I've long taken the view that,&amp;nbsp;progressively, the most significant assets in an enterprise will&amp;nbsp;be hard-to-value, intellectual assets, residing in perception, information flows and relationships. Safeguarding these assets requires a very different mindset and approach to locking up physical assets.&amp;nbsp;&amp;nbsp; &lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/10/money_in_the_cloud.html</feedburner:origLink></entry>

<entry>
   <title>RSA Conference reflects trends in security landscape</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/LwdiFNNDEGg/rsa_conference_reflects_trends.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.72382</id>
   
   <published>2009-10-21T10:22:18Z</published>
   <updated>2009-10-21T10:25:59Z</updated>
   
   <summary>This year's RSA Conference Europe kicked off yesterday in London. There were the usual keynotes from RSA top management and the usual US style arrangements, including a photo identity check (arguably more of a threat to your personal data than...</summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Security Solutions" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="securitysolutions" label="security solutions" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;This year's &lt;a href="http://www.rsaconference.com/"&gt;RSA Conference &lt;/a&gt;Europe kicked off yesterday in London. There were the usual keynotes from RSA top management and the usual US style arrangements, including a photo identity check (arguably more of a threat to your personal data than a national security safeguard), a Darth Vader lookalike, and the&amp;nbsp;inevitable 'brown bag' lunch. But, as usual, the whole show is brilliantly organised and runs like clockwork.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;Behind all this there were also some interesting security trends to be noted. This year there was more emphasis on fraud prevention, more focus on community solutions, and more discussion of cloud solutions. &lt;/p&gt;
&lt;p&gt;Cloud solutions are especially interesting in the security space, as there is a clear added value from the global community perspective available to vendors. I was particularly impressed with RSA's e-fraud network, which neatly illustrates how to fight networked threats with networked defences. Now that's the real future of security. &lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/10/rsa_conference_reflects_trends.html</feedburner:origLink></entry>

<entry>
   <title>The RSA Conference comes to town</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/QhSbYH3HCpw/the_rsa_conference_comes_to_to.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.72037</id>
   
   <published>2009-10-19T22:25:39Z</published>
   <updated>2009-10-19T22:35:06Z</updated>
   
   <summary><![CDATA[Tomorrow sees the start of the year's RSA Conference Europe in London. As usual it's a largely vendor oriented event, with keynotes from sponsors, rather than thought leaders, and with a&nbsp;focus primarily on technology solutions rather than business problems. The...]]></summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Security Solutions" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="securitysolutions" label="security solutions" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;Tomorrow sees the start of the year's &lt;a href="http://www.rsaconference.com/2009/europe/index.htm"&gt;RSA Conference Europe&lt;/a&gt; in London. As usual it's a largely vendor-oriented event, with keynotes from sponsors, rather than thought leaders, and with a&amp;nbsp;focus primarily on technology solutions rather than business problems. The marketing also&amp;nbsp;has a&amp;nbsp;strong US flavour, such as the&amp;nbsp;rather strange draft letter to your boss to help justify your attendance (though&amp;nbsp;if RSA is really serious about marketing to CIOs, they should start by beefing up the rather throwaway strapline of 'where the world talks security').&lt;/p&gt;
&lt;p&gt;But beyond the sales pitches and the corny advertising there are some interesting sessions and exhibits worth attending. I shall certainly be spending some time checking out the latest&amp;nbsp;products to see if they can actually solve current and emerging business problems. You never know what you might uncover. In some cases, the sheer proliferation of competing products can be a barrier to further progress in solving an industry-wide problem. In other cases we simply don't have enough imagination. But what really counts is that user organisations devote some&amp;nbsp;time&amp;nbsp;to interacting with vendors in order to bridge the yawning gap between business problems and technology solutions.&lt;/p&gt;
&lt;p&gt;This year's theme is Edgar Allan Poe, an excellent choice as he was not only a cryptologist but a John Wiley author. And if you happen to drop by the Wiley stand on Wednesday afternoon, you'll find me signing books for anyone that takes up the cut-price offer on my book 'Managing the Human Factor in Information Security'. Now that's surely a compelling reason to attend?&lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/10/the_rsa_conference_comes_to_to.html</feedburner:origLink></entry>

<entry>
   <title>Responding to the postal strikes</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/P7KDnFtc3TA/responding_to_the_postal_strik.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.71675</id>
   
   <published>2009-10-16T17:24:56Z</published>
   <updated>2009-10-16T17:26:12Z</updated>
   
   <summary>Just talk to any business owner, whether small, medium or large, and you'll quickly spot a golden opportunity for the security industry. This season's postal strike will generate a tipping point for many companies to finally ditch paper and move...</summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Security Solutions" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="securitysolutions" label="security solutions" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;Just talk to any business owner, whether small, medium or large, and you'll quickly spot a golden opportunity for the security industry. This season's postal strike will generate a tipping point for many companies to finally ditch paper and move to the Internet.&lt;/p&gt;
&lt;p&gt;In practice, however, it's far from easy to authenticate and secure electronic transfers of sensitive data over public networks. Tactical fixes rarely scale well. Hard-to-use security features fall into disuse. Legacy systems might not handle modern security protocols. Without careful planning and strict standards of security, we're likely to create a flood of new exposures to identity theft. &lt;/p&gt;
&lt;p&gt;Now, more than ever, we need to raise our strategic game and design lasting security architectures that can safeguard information across a boundaryless, extended-enterprise environment. It's not easy or immediately achievable, but it has to be done if we are to build an agile, compliant infrastructure that can support secure operations in a virtual business world.&lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/10/responding_to_the_postal_strik.html</feedburner:origLink></entry>

<entry>
   <title>Information Security across the World</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/7_mfj1tEqdU/information_security_across_th.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.70788</id>
   
   <published>2009-10-13T10:21:23Z</published>
   <updated>2009-10-13T10:22:27Z</updated>
   
   <summary><![CDATA[My postings have been thin over&nbsp;the last few weeks as I've been busy travelling, researching and writing. The highlight was a visit to Switzerland to give presentations to institutes in Zurich and Geneva, a thoroughly enjoyable experience. It's been a...]]></summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Managing the Human Dimension" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="people" label="people" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="perception" label="perception" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="professionalism" label="professionalism" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;My postings have been thin over&amp;nbsp;the last few weeks as I've been busy travelling, researching and writing. The highlight was a visit to Switzerland to give presentations to institutes in Zurich and Geneva, a thoroughly enjoyable experience. It's been a few years since I last visited Switzerland, so I was interested to experience the latest views and perspectives of the local security professionals. &lt;/p&gt;
&lt;p&gt;I was impressed by the Swiss appreciation of the human factor in information security. They have a very good grasp of the nuances of organisation culture and the techniques required to change user awareness and behaviour. And it's also reflected in university teaching and research. &lt;/p&gt;
&lt;p&gt;This might of course be expected in a country that successfully combines contrasting cultures, languages and politics. But it's not what we generally find in the USA, which has a stronger focus on security technology, often at the expense of the softer skills. &lt;/p&gt;
&lt;p&gt;The UK is different again, with more emphasis on policies and processes, perhaps reflecting its claims to fame as the birthplace of ISO standards for quality and security. The ideal would be to combine these skills. But the blend is changing. Once we move into clouds, the balance will favour the softer side of security. Continental Europe is better prepared for that. But, unfortunately, so are our enemies.&amp;nbsp; &lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/10/information_security_across_th.html</feedburner:origLink></entry>

<entry>
   <title>Long distance data management</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/computerweekly/davidlacey/~3/cp1Z7wdbpEc/long_distance_data_management.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/david_lacey//13.69692</id>
   
   <published>2009-10-02T08:16:43Z</published>
   <updated>2009-10-02T08:28:36Z</updated>
   
   <summary>Keen-eyed information management professionals will have been amused last night to spot Andy Hayler, former Shell data management expert and Kalido executive, in his modern role as professional restaurant critic, judging the finalists in Masterchef: The Professionals. As Terry Wogan...</summary>
   <author>
      <name>David Lacey</name>
      
   </author>
   
      <category term="Managing the Human Dimension" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="people" label="people" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/david_lacey/">
      &lt;p&gt;Keen-eyed information management professionals will have been amused last night to spot Andy Hayler, former Shell data management expert and &lt;a href="http://www.kalido.com/"&gt;Kalido&lt;/a&gt; executive, in his modern role as professional restaurant critic, judging the finalists in &lt;a href="http://www.bbc.co.uk/programmes/b00mx9xb"&gt;Masterchef: The Professionals&lt;/a&gt;. &lt;/p&gt;
&lt;p&gt;As Terry Wogan put it, the three judges looked like a lorry driver, a 1970s porn film producer and the 'Son of Satan'. (Andy presumably being the lorry driver?)&amp;nbsp;It just goes to show that there are no barriers to reinventing yourself. There's still hope for us sad technologists and security professionals to achieve our true purpose in life, whether scoffing free food or driving trucks.&amp;nbsp;&amp;nbsp; &lt;/p&gt;
      
   </content>
<feedburner:origLink>http://www.computerweekly.com/blogs/david_lacey/2009/10/long_distance_data_management.html</feedburner:origLink></entry>

</feed>
