Archive for the ‘Network security’ Category
April 27th, 2012
For the last three days I have been at the InfoSec and Internet World shows. Fear not this won’t be a rambling post about the joys of trade shows or living in the airless atmospheres contained within Earls Court.
This post touches on the world of Information Security and its parallels with trade show partner Internet World. Okay, I admit, on the face of it this is not the world’s most exciting topic, nor is it likely to bring much respect in the world of comms, as my past experience of being in the â€˜Tech’ team of various PR agencies has proved. Back then, if you understood technology, you were part of the geeks in the corner that can fix the printer or set up an email account on your phone, but that’s about it.
Well, as we know, the tide has turned and technology in its many forms and guises is intersecting every part of our lives. This has been propelled in the most part by social media (more on that later) and mobile devices – referred to throughout the IT Security world as BYOD (Bring your own device) and anyone at InfoSec is no doubt full of stats from the many BYOD surveys available throughout the show.
At the risk of making sweeping generalisations, which i admit is a fear as there are of course examples of social acceptance and use among security vendors, but my experience over the last few days has shown that too many IT Security pros still look at social media as a risk, and not an opportunity.
On the face of it I understand why. Social media opens many points of risk to the very organisations that security companies are trying to secure. The traditional way of securing this risk is to block and control. I.e. block access to the sites in question and/or control those sites that are deemed worthy of access in the work place.
However, this doesn’t account for human nature and that dramatically over used acronym BYOD. In short, you can tell people that they can’t do something, but if it’s easier to choose the forbidden route, you can guarantee what the outcome will be.
Having spoken to a wide range of people at both shows over the three days, my general perception was those at Internet World weren’t very concerned by security issues, and those at InfoSec were not only concerned about the risks posed by social media and other digital channels, but in some cases were suggesting blocking and ways to circumvent social communications across the board.
Let me be clear that I completely appreciate the ever-growing problem posed by cyber-criminals and the multitude of very real and escalating risks. We not only lose money to these risks on a daily basis, but also risk our IP and physical security , which is perhaps the often overlooked issue that faces our governments and industry on a daily basis. Having seen just a small portion of the realities of these threats I completely understand the reaction of IT Security to social media. However, that doesn’t make it right or workable.
Let’s start out with that age-old argument of banning social media in the work place. In my opinion this is not a relevant response to the equally ridiculous notion that people will spend all day on Facebook instead of working, and it’s not a viable response to prevent people from sharing data on social networks. If it’s possible, it will happen.
Therefore, if you do ban social media, you will force people onto their own devices which will remove even more of that control that many are craving in the first place. So what’s the response? Well it starts with a culture change, which drives a technology change.
First, the culture. Social media cannot be forgotten, ignored or banned, so deal with it as part of the overall strategy, not something to be treated separately. Secondly, relying on people to use specific software or machines to access corporate information is also unrealistic, so security needs to be built into all devices, utilising security by design. Thirdly, if we can’t ban or remove social, we need to educate people about its correct use.
Obviously sharing corporate information on Facebook is not a good idea, just like writing your password on a post-it and sticking it to your monitor is not a good idea. Facebook is not the issue, the lack of understanding about the risks is the issue.
I have no doubt that social media needs to be banned in highly secure locations, but that doesn’t mean it can be banned across the board. People always find a way.
Without wishing to get preachy, the revolution in communications devices and channels is only going to continue gaining momentum, it’s certainly not going to go away and it’s unlikely to slow down. Therefore, ignoring or banning is not the answer for the majority that do not work in highly secure environments.
In my opinion, staging the InfoSec and Internet World shows on the same three days, and within five minutes walk of each other, was a missed opportunity to share information between these two sectors, as each could learn a lot from the other.
December 23rd, 2011
Cyber threats continue to grow as the world becomes more mobile and networked. Next year, we can expect the number of successful network defence attacks to grow rapidly, partly because legislation will make data breach reporting mandatory but also because, increasingly, everything that moves will become a target â€“ as a controllable mobile networked device.
What are the chances that the increased opportunities will result in cyber-attack, successful or not? Given the current network security methodologies deployed in a greater majority of organisations around the world, which rely on layers of software to deflect attacks, and the lack of robust security at the device level, I think it is highly probable that series of attacks will be mounted next year.
This is recognised in a current report on one mobile sector, on the worldâ€™s waters. The European Network and Information Security Agency (ENISA) has just published the first EU report on cyber security challenges in the Maritime Sector. The report says that recent deliberate disruptions of critical automation systems, through malware worms such as Stuxnet, prove that cyber-attacks have a significant impact on critical infrastructures.
Disruption through Advanced Persistent Threat (APT) to these ICT capabilities may have disastrous consequences for EU Member States’ governments and social well-being. The need to ensure ICT robustness against cyber-attacks is a key challenge at national and pan-European level.
The report says that Maritime cyber security awareness is currently low to non-existent and advises: â€œDue to the high ICT complexity, it is a major challenge to ensure adequate maritime cyber security. A common strategy and the establishing of good practices for technology development and implementation of ICT systems would therefore ensure â€˜security by designâ€™ for all critical maritime ICT components.â€
The tools for creating such havoc are becoming more focused and professional â€” and more accessible.
The newest and most unpredictable weaknesses today are in the connected systems embedded in late-model cars.
Vulnerabilities have been identified in remote start, locking, tracking and other car systems. Computer security researchers at iSec Partners, for example, have shown how they can unlock a car and turn on its engine using a laptop computer – and it took them but a few hours to tap into the car’s wireless connections.
These innovations were intended as theft deterrents but if cyber-criminals or terrorists could take control of these systems the consequences hardly bear thinking about.
And while the possibility of controlling an aircraft by remote computer,Â causing it to crash remains remote but hackers can disrupt flights and create potentially life-threatening situations.
Even rudimentary distributed denial of service attacks (DDOS) can and have been deployed; for example, the “ Low Orbit Ion Cannon“. These repurposed administrative tools bring down systems DDOS and they could cause serious problems if directed at critical transportation systems.
These networks are certainly frighteningly vulnerable. In 2002, a major weakness in the Simple Network Management Protocol (SNMP) was discovered that could have been exploited to bring down large portions of the Internet. The vulnerability was kept a secret while security firms worked to protect telecommunications equipment around the world.
According to FBI reports at the time, if the systems could have been used to interrupt control information exchanged between ground and aircraft flight control systems â€“ but the patches came just in time.
Similar outages in telecommunications systems and embedded systems could be used to disrupt train and track switching information in some countries, particularly the US.
Some rail systems there are based on supervisory control and data acquisition control systems (SCADA), similar to those that were compromised in the Stuxnet attacks in 2010.
Governments, organisations and corporates around the globe are waking up, belatedly to the seriousness of current network defence structural flaws. I hope that this new focus and energy will lead to adoption of radically more robust methodologies in 2012.
December 8th, 2011
How quickly things change in politics. In June, European Commission vice-president and Justice Commissioner Viviane Reding announced that she would introduce new rules that would make data breach reporting mandatory.
At the time, advice given was that these regulatory changes would be enacted by end-January 2012.
Six months later, the EU inertia, fuelled by intense lobbying and national political interests, has become clearly visible.
Now, the proposals for new legislation that will revise the 1995 Data Protection Directive are to be published at the end of next January, although many believe the process may take longer as the EU Justice Department needs to confer further with other national justice departments.
When these changes will become European law is in the lap of many gods. Donâ€™t hold your breath.
Neelie Kroe,Â ,EU Commissioner for the Digital Agenda, is a key player in the process of drafting the new laws with Commissioner Reding and her agenda is to dismantle the barriers that block the free flow of online services and entertainment across national borders.
She wants to update EU Single Market rules for the digital era and through this to boost the music download business, establish a single area for online payments, and further protect EU consumers in cyberspace.
According to the Financial Times, which has seen draft proposals, the changes proposed by Commissioner RedingÂ include fines of up to 5 per cent of global turnover for businesses breaching data protection rules, a deadline of 24 hours for notifying data protection authorities and affected parties, and a requirement for all companies with more than 250 employees to dedicate staff to data protection issues.
Commissioner Reding has been active this week, outlining in indicative and different forms the thinking behind the new EU rules. The difference is in the detail.
On Tuesday (December 6th) at the European Data Protection and Privacy Conference in Brussels, Commissioner Reding said: â€œIn a world of ever-increasing connectivity, our fundamental right to data protection is in this moment seriously tested. Although the basic principles and objectives of the 1995 Directive remain valid, the rules need to be adapted to new technological challenges.”
She made no explicit reference to the idea of levying fines on organisations that allow data to be stolen.
The next day, at the GSMA Europe conference on cloud computing in Brussels, Commissioner Reding said that cloud computing brought both businesses and consumers enormous potential for growth but legislation needed to be brought up to date.
She said: â€œTechnological advances in 2011 represent one of the biggest challenges to data protection and data security of our citizens. This is why we have to equip ourselves now and for the future. And this is why we have to adapt our current, European legislation on data protection, which is more than 15 years old, so that it meets these new challenges and any new situations.â€
Among the proposals is a commitment to ensure users can remove their photos, videos or contacts from a cloud service without leaving any digital trace because “their profiles belong to them, not to the company”.
And there is the difference. Commissioner Reding is addressing her constituency, assuring them that their privacy concerns are heard and being addressed. At the same time, she is attempting to impose a regulatory system that forces organisations to report data breaches. Neither of these ideas is fleshed out in her public engagements this week and there are contradictions between the two thoughts she spoke around.
She said: “Reliable and consistent rules are essential if we want the digital economy and our digital single market to grow. These rules make people feel comfortable about using new technologies and services. We need a framework for privacy that protects individuals and boosts the digital economy.”
The central contradiction nestles between thought and action. Currently, there are inadequate reporting and compliance strategies being deployed by too many organisations. Further, they do not have the means to protect and deflect assaults on the data they store.
Leaving aside the weird concept of â€œour digital single marketâ€, Commissioner Redingâ€™s words surely give little comfort to neither consumer nor business because they are vague, offering no technology solutions and without a timetable.
This means that they are just this side of dirigiste. It would help if the EU Commissioners used the internet to connect with each other and exchange knowledge about what is need in the changing sphere of network security. Then discuss this with us.
Organisations and voters need clear advice on the best ways to protect their information and privacy. The EU and every nation state have been remiss in offering this advice.
Meanwhile, the EU is also negotiating a data protection agreement with the United States. Best of luck with that, people.
November 30th, 2011
The Pricewaterhousecoopers (PwC) â€˜2012 Global State of Information Security Surveyâ€™ is an astonishing document â€“ a searchlight on the fragile state of network defence.
It reveals telling contradictions between the confidence of organisations in their network security strategies and the actual state-of-play in the rapidly evolving commercial hacker culture.
There is a clear subtext in the survey. Every organisation across the globe is looking for the â€œsilver bulletâ€ that will solve their network security problems. The hard truth is that there is no single, complete solution to the threat of cyber-attack. And, currently, there is only a system of belief.
Network security specialists have been slouching towards Bethlehem for the past 20 years, reactively pinning their strategic and tactical hopes on ever-increasing software layers, with some success. But, to be honest, this is a â€œdeploy and prayâ€ strategy, only as good as the next agile hacker assault seeking to use the network security code to penetrate the system.
We have seen more than enough successful network attacks this year, from the RSA to Lockheed Martin, from Mitsubishi Defence to the Japanese Parliament, and from a US water utility to UK government minister laptop access, to understand that the threat and danger is clear, present and growing at an alarming rate.
The PwC survey, developed with media partners CIO Magazine and CSO Magazine included more than 9,600 CEOs, CFOs, CIOs, CISOs, CSOs and other executives responsible for their organizationâ€™s IT and security investments in more than 138 countries.
The survey identifies that the majority of executives across industries and markets worldwide are confident in the effectiveness of their organisationâ€™s information security practices and that they have an effective strategy in place.
There is a lacuna in the executivesâ€™ minds. They consider their organisations are proactive in executing network security strategies and their insights into the frequency, type and source of security breaches has leapt dramatically over the past 12 months, according to the survey.
But, significantly, the survey says: â€œYet all is not in order. Â Some evidence points to a â€œcrisis in leadershipâ€ and dangerous deficits in strategy. Capabilities across security domains are degrading. And security-related third-party risks are on the rise.â€
Further, the survey provides the top-line statistic, that 72 per cent of respondents worldwide have confidence in security practices may seem high but it has declined markedly since 2006.
Worryingly, some of the statistics, in the words of the PwC survey, suggest a â€œreluctance to commit scarce funds to the information security mission, even at the risk of degradation in security-related capabilitiesâ€. This, PwC says â€œpulls the curtain back on a trend in global information security practices and cyber-crime prevention that has persisted since 2008â€.
The survey highlights one of the most dangerous cyber threats – the Advanced Persistent Threat attack and identifies that few organizations have the capabilities to prevent this.
Only 16 per cent of respondents said their organisationâ€™s security policies addressed APT. More than half of all respondents reported that their organisation did not have core capabilities directly or indirectly relevant to countering the strategic APT threatâ€”such as penetration testing, identity management technology or a centralised security information management process.
The APT is just one of a legion of commercial hacker projects but it is the most significant advance in cyber-attack. If 84 per cent of organisations globally have no deflective security policy in place now, then the global networks are wide open in 2012.
While we know that there will never be a â€œsilver bulletâ€ solution and that the Cyber Wars will define the next decade, we do have a more secure way forward. This starts in the device. We have spent too many years developing software security layers while ignoring the obvious point â€“ that if you secure the device, then you can build trusted and known security.
And the only way to secure the device is to embed security in the hardware. Enter, Trusted Computing. The Trusted Computing Group has developed standards that should be adopted by every organisation because they focus first on the device and then the software.
The standards have led to the production of the Trusted Platform Module (TPM), a chip that is embedded in the motherboard of PCs, laptops, notebooks. This chip holds the security keys that enable network connection and validate the device and the user. Whatâ€™s more, the TPM cannot be cloned through any software process.
Allied to this robust device security is the Self Encrypting Drive, the most secure method of protecting stored data on PCs and laptops. Computer Weekly chief reporter Warwick Ashford has written the definitive articles about the SED and they are well worth reading, SED1 and SED 2.
If organisations are committed to their vision of data protection and their strategies of network security, then they must adopt the leading standard. And that is Trusted Computing. In this case, ignorance is not bliss.
November 3rd, 2011
My take-away from the London Conference on Cyberspace was the recognition that young people are just as concerned as business and government about hackers and cyber-crime.
The two-day conference (November 1-2 2011) ran in binary form â€“ a neat format given the context. A youth conference rolled at the same time as government leaders were discussing whatÂ â€œcyberspaceâ€ means, what commercial benefits it can bring, how states can co-operate online, and how to secure this space.
The youth conference gave a platform to voices and ideas from our young people who, as the organisers say â€œare driving the digital revolutionâ€.
The London Cyber Youth sessions underlined that, for young people, the online and offline worlds are one place. The guiding principle is that what is unacceptable offline is also unacceptable online.
Whether this is just a slight nod in the direction of young people by the current leaders or whether their ideas will be embraced with a matching passion is moot.
Their hopes and concerns are writ large in their submission and conclusions. Worth a read, scroll down to the bottom (I couldnâ€™t find the Annex B doc. Let me know if you find it).
Meanwhile, in the main conference delegates present and those commenting online were clear that government and industry had a shared responsibility to do more to prevent cyber-crime. The commercial sector has to deploy more secure devices, systems and services and is a core part of a solution on prevention.
At the same time, there is a strong energy to give people and organisations more help to identify those products that can deliver good security. Delegates are encouraging the private sector to lead development of improved internet security products, systems, services and standards.
But thereâ€™s a way to go before everybody is synchronised. Fear, mistrust, self-interest and possibly a scintilla of greed, all are playing out in this â€œcyberspaceâ€ discussion.
That said, many delegates showed strong support for practical collaboration and capacity development on cross-border law enforcement. The thinking is that we have to move real quick because the networked world moves fast â€“ extremely fast..
Global contact points – Â the â€œ24/7 Networkâ€ â€“ are being promoted as the best means to make sure that when urgent assistance is required, partner countries are able to obtain it. Delegates called on all countries to join the 24/7 Network and to redouble efforts and commitment to make it a success.
William Hague. UK Foreign Secretary used his position as chair to advise: â€œThe London Conference on Cyberspace began this more focussed dialogue on principles and set out an agenda for further work. The success of this agenda will be founded on the set of partnerships we have explored at this Conference.
“Our starting point must build on existing work, including the Geneva and Tunis World Summits on the Information Society.
“Our partnerships must remain inclusive, co-operative and collaborative to make certain we can build a secure, resilient and trusted global digital environment.Â This work will now go forward over the next 24 months with conferences in 2012 and 2013, graciously hosted by Hungary and South Korea respectively, to take stock.â€
While the diplomatic fissures were clear at the conference, delegates agreed that having the right legislation in place is essential, supported by a willingness to act. Countries need to ensure they have the forensic resources, processes and willingness to co-operate as necessary.
We do need to act, and quickly. The current network security system is not really fully prepared for the battles ahead â€“ and they will be very fierce, beyond our imagination- but maybe not those of our youth.
October 26th, 2011
Cyber-attacks on Japanâ€™s leading companies and its government must surely present a definitive case for a change in network security.
Iâ€™ve followed the story of network breach at Mitsubishi Heavy since the first reports in September. The breach was in August and it took some weeks before the company admitted that its network defences had failed.
The day after the first breach reports, the company advised that no data had been accessed or stolen. This week, reports suggest that sensitive weapons and nuclear data could have been seen, and appropriated. The attack involved about 80 servers and computers at 11 facilities related to nuclear power, missiles and submarines.
At the very least, the companyâ€™s confusion over whether the breach had leaked data is indicative of the need to reform the way we address security as a policy, rather than an inchoate organisational strategy.
One breach might be seen as an exception but in the past two days, more data breach reports at the highest level in Japan must surely question the fitness of current network security strategies and methodologies.
Would you agree with me that these and so many other successful cyber-attacks this year demonstrate two things? First, the current global network security practices are effectively a busted flush. The reliance on multiple layers of software defence simply does not work in the ferocious climate we now inhabit.
Second, the hacker culture has evolved. Sure, it still includes the individuals and groups who seek to gain respect, authority and notoriety. But the culture now embraces organised, well-funded, focused and very proficient criminal groups who siphon off many millions of global currencies to further fuel their medium-term goal of stealing not only money but also ideas.
It seems that corporates are happy to write off financial theft as a cost of business. Maybe they and every other organisation that is bound and embedded in the global network would be changing their minds if they saw how easily their commercial futures are being stolen.
Weâ€™re close to the network-security endgame here and we need to move very fast. The current system is broken, badly. We need to secure at every point, from the device, to data storage to management and control at the network layer.
Itâ€™s not too much to ask, surely?
October 23rd, 2011
Reports this week of a new variant of Stuxnet, the military-grade malware that attacked Iranian nuclear power servers, exposes the fragility of global network security.
The malware variant, Duku, is an information-gathering threat that targets specific organisations, including industrial control system manufacturers.
It is a spy tool, rather than a systems wrecker and might be seen as the first in a wave of new Stuxnet-style viruses, More sophisticated versions of it that have a ferocious intent are almost certain to be launched in the next few months.
Duqu appears to search for precious IP data, such as design documents, which could help hackers mount an attack on an industrial control facility.
We should be chilled (in the old sense) by this malware discovery and can read it in the light of expert comments from James Stevenson, from Netwitness, last Thursday (October 20th) at the Trusted Computing Seminar in London.
James said that 63 per cent of confirmed network breaches are leveraging customised malware and that 87 per cent of records stolen in the past year had been through Highly Sophisticated Attacks.
He also advised that anti-virus software could, at best, pick up only a very small number of malwares because the hackers were way ahead in terms of producing variants that were invisible to the defence systems.
James advised that up to 2007, a quarter of malware was not customised and then organised crime recognised the opportunity. Now, 60% of malware is customised and will breach network defence systems.
Worse, a malware variant he identified and announced to the anti-virus community at the start of 2011 had still not been addressed seven months later by the majority of defence applications.
James advised that the strategic focus or vision on defence against malware should shift from a target of being completely safe to agile defence, accepting a degree of data breach while responding with all speed.
His thoughts echoed the sentiments of many at the seminar and he backed the need to move quickly towards adoption of Trusted Computing standards, which offer the most robust defence at the network layer because they begin with securing the device.
We have around half a billion devices (PCs, laptops, notebooks) that have the Trusted Platform Module embedded. Not many are currently activated, and indeed the EU has prevented them from being shipped as an activated component.
The seminar was organised by client Wave Systems, a founder and board member of the Trusted Computing Group. The full-house at the Royal Aeronautical Society included UK government, state advisors, corporates like PwC and Morgan Stanley, police and local government.
This wide range of knowledge seekers suggests that the Trusted Computing standards are finally being seen as the solution to current threats. The standards are not a silver bullet that will solve every network defence problem but they are miles ahead of current layered software â€œsolutionsâ€.
For more on Stuxnet, read this.
October 13th, 2011
Is global network security in a state of crisis? I think so.
I was at the RSA Conference Europe this week, with client Wave Systems (www.wave.com) where the best minds and leading commentators networked, shared ideas and worked the business.
There were enough stories of defence breach there to back the case for crisis.
But having a crisis doesnâ€™t mean that itâ€™s not manageable and the directions offered by the conference were confident, sanguine and believable.
Weâ€™re seeing a growing understanding that software in the device and at the network layer cannot provide the level of protection we need in this â€˜anytime, everywhereâ€™ connectable universal space.
Warwick Ashford wrote a fine article around this in Computer Weekly today. He quotes Eddie Schwartz, chief information security officer at RSA and it is a telling statement:
â€œOne of the goals of any organisation’s security strategy should be to create new intelligence about attackers and attack methods rather than rely only on what is already known.â€
How this will pan out over the next year is moot but we have to move from reaction to awareness in network security strategies.
At the same time, we should be making sure that our defences are the best. Layered software, in the device and at the network level just does not cut it. We should begin with an understanding that network security starts in the device. Secure that, and everything follows, right up to the management layers.
Weâ€™re in a war zone and it is endless. We will never find the silver bullet to solve all our network security problems because the hackers on the dark side will always be probing and testing our defences. Right now, we are making them look good because we donot implement the best solutions.
But we are better than them. We just need to wake up, move faster and keep running ahead.
September 26th, 2011
BBC File on 4 just ran a brilliant programme on global cyber-crime and the theft of our futures.
This is just a quick follow-up on my last posts about network security. The meat is in the programme (podcast), which is must-listen if you care about whatâ€™s happening in the global network security space.
The programme was chilling. There are a great many very intelligent people, servants of state and criminals both, who know how to penetrate every software defence we deploy to own, control, monitor and steal everything we do online.
William Hague, UK Foreign Secretary says in the excellent Radio 4 programme that there is an â€œalarmingâ€ rise in the levels of attacks by states on states, criminals on states, terrorists on states and organisations, and criminals on business and individuals.
Hague says: â€œThere are a rapidly multiplying set of challenges in cyberspace on government and institutions.â€
Coming from the laid-back manager of our foreign relations, that quiet statement should not be taken with a pinch of salt. This is very serious.
Hague: global, serious, persistent cyber-crime
Hague did say that the UK was at the forefront of the battle in cyberspace and that, at the national level, GCHQ was extremely effective.
But he warns: â€œThis is so important in the national and economic sense.â€
One example in the programme was the penetration and ownership of the Dalai Lamaâ€™s computer network. His Holiness is Head of State, an exile from his Tibetan land.Â Whoever broke into that network had the ability to steal everything of value, at every moment.
Chinaâ€™s circumspect response to the programmeâ€™s questions speaks volumes – but we cannot know which organisation was involved. State on state cyber espionage is a larger part of the problem. That is Realpolitik and we have to engage to attempt to find solutions.
The programme also showed how easy it is to break through defences and steal money, and Intellectual Property, from business and individuals.
Hague was right about the UKâ€™s leading role in addressing these threats. There are three crucial network security events in London, UK this autumn. Ignore them at your peril. First, the RSA European Conference 11-13th October; second, the Trusted Computing Seminar hosted by client Wave Systems at the Royal Aeronautical Society on October 20th and third, the Cyber Security Summit on November 29th.