Published in the November/December 2007 issue

Take it on board: 2008 preview

Risk assessment, web 2.0 and the iPhone are among next year’s big issues, according to Infosecurity’s editorial board in a meeting chaired by SA Mathieson

SA Mathieson: When we did a similar exercise to this at the end of 2006, one thing which came up was the idea of infosecurity becoming a more strategic part of most organisations. Hugh, you mentioned [in that article] that in many companies IT security was already divided between operations security, maintaining firewalls and so on, with infosecurity being the strategic part.

Hugh Penri-Williams: The term that was being bandied about at the time was “operationalised”, and at the end of my comment I said I preferred to call it “emancipation”. We are continuously going down this road, of speaking in business terms, of using risk management and governance as our departure point for these strategic issues, not coming at it from the “we need a server in room 53” style.

But I still have a lot of qualms about how successful we are in doing that: successful in terms of being recognised by the real C-level folks, because in most companies the CIO [chief information officer] still doesn’t belong to that level, and certainly the CISO and CSO [chief infosecurity and chief security officers] don’t.

David Lacey: There are many reasons for that. If you put somebody at board level in charge of information security, he wouldn’t last five minutes. I’ve been reporting into the Royal Mail board [the UK’s publicly-owned postal service], and alongside me at the same level, briefly, was one guy who had 160 000 staff, running a business.

Now, there’s absolutely no way that I can be a peer of his, so what happened was I tended to get other things put onto me, like you can do the IT governance as well, you can do administration, you can do communication. I ended up having it diluted right down. Basically, it’s too small a subject area to sit with the big boys, so you’ll never be a big-hitter in information security.

Hugh Penri-Williams: David, don’t misunderstand me please. On the information security board front, I didn’t mean it in the same sense as for the CIO. I wrote also in that article last year that for me, it’s just having that direct line, so that you can use it when you need it.
You’re not sitting at the [board] table, but you have access to the CEO, the same way as it took a long time for audit to break itself out of sitting under the CFO [chief financial officer] and to have that link, plus a link to the audit committee. It’s only the CIO I would expect, in those companies that heavily rely on information technology, who ought to be sitting there.

Peter Berlich: Evolution is an important aspect. Information security has evolved to the point where in the most mature organisations it’s almost no longer visible, because it’s fully integrated. I certainly would not normally expect to see it on the board level – security requires a functional organisation, so it will naturally sit under one of the company’s directors as a sponsor. It would need to be a highly security-sensitive organisation in order to justify information security on the board.

Kai Rannenberg: One reason to have it on top, on the board, is perhaps to have it not on its own but together with other quality assurance and regulatory issues, like data protection, privacy protection, general quality control and compliance. What I’ve seen several times is when it’s sitting in some functional unit, it’s losing this holistic approach, which was stated as important in the 2006/2007 trends.

David Lacey: It’s still a very immature subject. There are still a lot of misconceptions about what’s good practice. I know lots of people who think they should be running privacy as well, but you really need a legal background to understand a lot of those issues. It’s very dangerous if an amateur person starts making policy judgements on privacy, compliance issues, legal issues. At the same time, the legal people haven’t quite caught up with the latest things that are going on in technology and security. It’s got to evolve a lot further.

Re-visiting last meeting’s minutes

SA Mathieson: The last question in the 2006 article was essentially, ‘what would happen during this year?’, and a lot of the comments were along the lines of ‘we’re not seeing any huge new threats emerging’. A couple of specific threats were targeted attacks, risks from mobile devices and Hugh, you mentioned digital convergence, which is closely related to that. Has that come to pass?

Hugh Penri-Williams: We get back to one of our fundamental problems in this discipline, and that is, people owning up to what is actually going on. There’s an abysmal lack of empirical evidence that we have. I know from my own experience in my own previous companies, that people just don’t talk unless they have to. You find out by chance.

David Lacey: Well, a lot of people don’t measure what’s going on inside their own organisations.

Hugh Penri-Williams: Yes, and that’s a fundamental problem we have, because that then doesn’t allow us to use good empirical data when we’re talking about risk management. Luckily I’ve worked for 15 years or so in the insurance industry, so I have a pretty creative mind when it comes to people saying, “this won’t happen to us”. But those are all things that hold us back. People don’t want to admit what’s going on.

Peter Berlich: Picking up on that, Hugh, I think one of the things that is rolling around will be that we start having these risks becoming insurable, that commercial insurers are picking up on security risks and are taking them, thereby providing us with a whole new model for this terrible ‘return on security investment’ discussion.

David Lacey: I find that difficult to implement at the moment, personally. Having looked at insurers in the past, in Royal Mail Group the typical model was each business unit would pick up the first £1 million of a hit, the group centre would then pick up up to £10m, if it was bigger than that it would be insured out. So you’d have to get big numbers. They are coming, if you look at the TK Maxx stuff, a huge billion-dollar hit, then you’ve got to insure that sort of thing. But I think a lot of the risks are going from very small to potentially very big, very rapidly.

Hugh Penri-Williams: And those, quite honestly, the insurance companies are not going to touch, because they will point a finger immediately and say, “just like a drunken driver, you were negligent, we’re not going to pay”. Insurance is only there up to a certain extent.

Am iSecure?

SA Mathieson: On convergence and mobile devices, is that something we have seen this year?

Kai Rannenberg: I think it has come. I don’t know how many actual disasters it has produced. What I remember from last year was ideas from CEOs saying, you’ve just got the security beefed up in your system, now I want a BlackBerry and I want it yesterday. Quite a few of you have perhaps tried to install or integrate a BlackBerry system into the email or corporate communication system, and know there are certain delicacies with it. I don’t know if we’ll have another information security-risking top management’s toy this year or next year, but this one hasn’t come to full flavour yet.

Hugh Penri-Williams: We’ve got the iPhone coming in Europe [launched in three countries in November]. Exactly the same thing is going to happen. You bet there’s going to be some bleeding-edge executives who say right, I want to have an iPhone now, my BlackBerry’s not sexy enough anymore, make sure that I can receive everything on that device.

Richard Ford: I continue to see convergence as a huge threat, and as the guys point out, the iPhone is the ultimate fashion accessory on this side of the Pond right now, and you’re going to see exactly the same thing happen, squared probably, in Europe. It’s simply dumb security risks, like you losing it with all your credentials on it, which is something we don’t talk about because it’s not very sexy. But I spend as much time worrying about that as somebody hacking the thing.

David Lacey: They can be made secure though, so why isn’t somebody bringing out a corporate better-security version?

Peter Berlich: There’s a strong economic incentive to not make these devices too secure. Making them secure takes time, it may make them less easy to use, and potentially security issues may not even be fully understood until they’ve proliferated.

David Lacey: It’s a consumerisation trend on one hand, but on the other hand, guys from the Trusted Computing Group were telling me that all of these cryptographic modules were being built into mobiles, so we could have good authentication.

Peter Berlich: But that’s in the next generation of models. Whenever you introduce the first generation of anything, it will not be as secure, and that’s by design.

Hugh Penri-Williams: Because otherwise you’re going to miss that market opportunity.

Right on target

SA Mathieson: Something else which came up in the 2007 predictions, which has seemed to happen, is more targeted attacks.

Richard Ford: We got that one right, I think.

David Lacey: That was a big change on security, because for the previous 10-15 years, the most economic way of doing security has been taking a baseline approach and standardising, and just having a reasonable level of security across your infrastructure. That’s kept away most of the non-targeted attacks. But now it’s different. You’ve got to do more risk assessment and harden those valuable assets. That’s much harder.

Hugh Penri-Williams: Especially as the attacks, the targeted ones, are not the massive attacks that get noticed, they are surreptitious ones, when the only time you find out about it is when it’s probably too late already. How about [giving staff] some security advice, some dos and don’ts? I was in Dubai at a conference, and in the business centre, there was a chap who had used the PC. He had left his Google account open: the first email was ‘Strategic Plan 2008-2010’. It would make my hair stand on end, if I had any.

Kai Rannenberg: There are things like computer driving licences. I think the paradigm has to shift to something like internet survival licences. I think that trend is coming, these licences are going towards the internet, but some of them still seem to be in the 80s and 90s computer age.

Marco Cremonini: I think one key point is to make people understand the many relationships between security and other disciplines, like economics, management and so on. Most of the time, this is not clear, so few people are aware of the many relations.
Perhaps instead of going to the technical for the first time, it’s better to try to get people to understand the big picture. I try to make students understand how security is deeply related with product management, economics, risk management.

David Lacey: One other point is that in organisations we are extremely bad, very very immature, in terms of acceptable use policies, in terms of writing them, communicating them and enforcing them. It’s very much a tick-in-the-box thing – the guy in the centre puts together a policy because he has to, and he writes it and forgets about it. What you really need is a much richer, more specific policy targeted and tailored to each business.

Richard Ford: One of the big challenges we have is the lack of feedback. In other words, users don’t have a clue. With driving, for example, you know pretty much instantly with a sharp crunch when you did something wrong. With infosecurity, you may never know what action it was that caused your machine to get compromised, or caused a breach of the security policy of the organisation, and I think the broken feedback loop is one of the big challenges we have. I don’t see any easy solution in the near future.

Hugh Penri-Williams: The difficult thing in that area, if we can agree that people are our biggest problem anyway, either innocently or maliciously, either internally or externally, is typically measuring it. Because when trying to get funding for security awareness campaigns, a typical thing management will say to you is, right, I want to know how successful it is, I want to measure the ‘before’ and the ‘after’, and it’s extremely difficult to do.

Budget approval

SA Mathieson: John Pescatore of Gartner said in a speech that maybe organisations should spend less of their IT budget on security as time went on. David actually blogged on this, disagreeing.

David Lacey: You can’t spend enough. Outside of a few areas in government, like Tempest spending in the 80s [which was meant to shield radiation thought to broadcast screen contents], I’ve never seen anyone overspend on security.

Peter Berlich: The basic question is not necessarily whether you over or underspend, but what you want to achieve and whether it’s affordable. You can always approach the problem from the other direction, and say, these are our priorities, this is how much we can burden our business. In a world where compliance requirements tend to become more absolute it’s more difficult to factor risk into the equation.

Richard Ford: It’s ruddy difficult to answer within the organisation, because you have no real idea what your original investment is. When we handle the economics of infosecurity, they are absolutely horrible in most organisations. I actually have consulted for an organisation that was succeeding on overspending for their risk. It just didn’t make sense, the amount of protection they wanted to put in, but that was one organisation out of the many I’ve met. But I think evaluating the cost-effectiveness of what you’re doing is so very difficult, because we don’t have metrics of what the real risk is.

David Lacey: I disagree with that. Compared with many parts of business, like how much to spend on advertising, or how much to spend on a new product launch, which are leaps of faith, with security there is a lot of data out there. Also, you should be able to get some data from around the organisation, sufficient to make it a lot more predictable and certain what your return is than you would for, say, investing in a customer relationship management programme, which is a complete leap of faith.

Richard Ford: That’s a really interesting perspective, I just don’t think that we do have a handle on it.

Hugh Penri-Williams: Our starting point after all is not the spending, our starting point in talking to the business people has to be the risk management aspect. If we can lay out clearly enough to them what we believe to the best of our ability what the pros and cons of the various activities of that particular company are, and then say the likelihood of this happening, the impact and so on in our judgement is this and this, we therefore think we should concentrate on such-and-such, and that would have such-and-such a price tag.

If you, senior management, are willing to accept the risk to that, then we don’t have to spend anything on it. We have to do it from that angle, and not do it by walking around the store with a shopping basket.

Kai Rannenberg: We have a new way to find out whether certain security [products] are worthwhile or insecurities are worthwhile: zero-day exploit auction sites. To some degree, it’s quite shocking that they exist, but certain elements of the market have now made their way into the hacking scene. I think it’s an interesting trend to follow, what things are valued at and by whom.

Peter Berlich: We’ve mentioned briefly the price for breaches, but we’ve also got a relatively mature business model for cybercrime in general, which provides the context for the value of these breaches. Organised cybercrime has emerged in 2007, it will emerge further in 2008.

Hugh Penri-Williams: Ironically, the criminals’ return on investment is much more easily calculable than ours is.

Next year’s agenda

SA Mathieson: On new places, new forms of communication – gaming, social networking – are there any new dangers, or at least changed dangers, emerging?

Richard Ford: We’ve already seen attacks using social networking sites, for planting click-throughs where we want to direct somebody to a particular end-point. The bad guys have worked out that if you have a comment on your home page, people are much more likely to click on the URL to see what it’s all about. We’ve also seen a rise in malware that attempts to try to snag your gaming credentials, because a lot of these things now involve real-money transactions, even places like Second Life. I’m not certain how big this is going to be for business, but certainly for bad guys, these places are being looked at for money-laundering.

Marco Cremonini: I don’t really see any new interesting areas for infosecurity. Gaming and social networks are perhaps interesting, but frankly I don’t see anything really new.

Peter Berlich: If Infosecurity has an article on gaming, I’ll absolutely read it, but it’s not something I’d probably want to read every month. Conversely, the whole area of social networking, web 2.0, as more companies are moving there and starting to base their business models on it, that might be something to watch. It provides a whole new angle on aspects like identity management.

Hugh Penri-Williams: I think the virtual world has real dangers in it, and it behoves us to help to point those out to the innocent bystanders. But the particular bee in my bonnet at the moment concerns identity. I won’t use the term ‘identity theft’, because it’s not theft as such, it’s really [acting as] an impostor.

The infosecurity folks could really do something useful here for mankind, if we in some way could help crystallise some sort of universal identity, made up of all sorts of different factors. If we could do that, I think we would remove a lot of the threats and vulnerabilities which are out there, caused by the terribly undefined and weird way that we identify ourselves today.

Kai Rannenberg: I think that gaming and social networking is something which is going to get bigger. I think it will certainly stay with us. I agree that the identity issue will get bigger, but it will not be solved by next year. We have Google Earth, to look upon people, areas, regions, corporate sites, sometimes old pictures, but they are getting newer every day. We have these little unmanned vehicles which are flying around, flying over UK concert sites, looking on who is dealing drugs. I think that gives a new interesting perspective on all kinds of attacks on corporate sites, corporate security and privacy also.

David Lacey: I think it’s a huge area, social networking. It’s a form of deperimeterisation, it’s the personal and business lifestyles blending together in a way which is going to create havoc. There’s a phenomenon that researchers call ‘disinhibition effect’, where people do all kinds of things they wouldn’t normally do, probably because they don’t think they are being watched, and their behaviour changes. It can get quite nasty and darker and dirtier.

I had a big pharmaceutical [company] asking me at the beginning of the year, “David, what’s the acceptable use policy for Second Life?” I think the problem is that life is getting more and more complex, and people will have more identities, and they are going to network a lot more, and it terrifies the life out of me as to where it’s all going.

Private business

SA Mathieson: Europe has tighter privacy rules. How does this particular debate look from the US?

Richard Ford: The US is in a mess right now with how it’s dealing with all this stuff. Everything is going to change, very likely, with the next election, and the next president, as we start to look at the whole surveillance thing.

David Lacey: I think [mandatory] reporting of incidents is really taking off now. It’s all over America, and it’s coming over here. I don’t know about the timescale, but it’s definitely coming this way.

SA Mathieson: Given that many US states have this as a mandatory requirement, who thinks that in their own country or possibly across Europe, we will have something similar to the Californian law in place during 2008?

Kai Rannenberg: There hasn’t been any discussion on that in Germany. If there has been a discussion in the UK, I haven’t seen it coming to Brussels.

Hugh Penri-Williams: I think it will come from the privacy angle, which is not where it came from in the US, but the end effect I believe will be the same. I think with the type of government we have in place here now [in France], that’s the kind of issue they would take up if there’s enough individual pressure for it.

Peter Berlich: I see it coming, but I’d expect it more to come from consumer protection groups. [However] the subject has not been surfacing very prominently in Swiss discussions so far, I would say.

Marco Cremonini: There hasn’t been any discussion in Italy about public disclosure, as in the Californian law. We have had discussions on new laws on data-handling and privacy in industry.

Peter Berlich: I wanted to bring up two [more] subjects I think we need to watch. We’ve discussed liability of service providers, and things like liability of vendors, especially software vendors, that was included in the House of Lords report. Such liability is awfully hard to establish, and one wonders whether it can work or not.

The last thing, and that has to come, is education of [infosecurity] personnel and staff. We have discussed the users, making them aware, but we need to train our professionals, keep their skills up to date and retain them in a competitive market. So far, global certifications like CISSP, SSCP and CISA dominate the market. I’m still sitting on the edge of my chair, watching what will come out of local initiatives such as the IISP [Institute of Information Security Professionals].
