The ISSA: Membership Benefits

February 28, 2011

The Information Systems Security Association (ISSA) is the largest not-for-profit international organisation for information security professionals. I had been a member of the ISSA for several years before joining the management team. Its strength lies in the diversity of its membership and the wealth of experience of its members.

ISSA UK

The diversity of its membership comes not only from industry sector (government, finance, legal, security vendor, reseller, academia and consultancy are all represented) but also from job role (architect, CSO, CTO, CEO, consultant, director, researcher, student). Our current advisory board includes Members of Parliament, peers, members of the Cabinet Office and SOCA, and representatives of vendors, financial institutions and academia. This allows for a holistic view of the industry.

The UK chapter of the ISSA is the second largest chapter worldwide and continues to be an innovative chapter for information security. We are currently working on a new standard for SME security: details will be announced later this year.


Membership Benefits

As a member of the ISSA you will have free access to the events hosted by ISSA-UK in 2011. These events reflect the diversity of the ISSA's membership and make for engaging debate. They also count towards CPE credits for those wishing to maintain their certifications: each event typically counts for 3 CPE credits, whilst the security training days typically count for 6.

2011 ISSA-UK Events:

10th March 2011, London:
“Through the Barricades” – infrastructure security

12th May, 2011, Bletchley Park:
Security Training Day: Ethical Hacking & Forensics

17th May, 2011, Edinburgh:
The Emerging Threat

9th June, 2011, London:
Trusted Computing

14th July, 2011, HMS President, London:
Security Training Day: Anti-malware Dragon’s Den

8th September 2011, London:
Regulatory Compliance

1st November, Glasgow:
Trends In Information Security

22nd November, Leeds:
Trends In Information Security

8th December, London:
Chapter Meeting & Festive Drinks

13th December, London:
Microsoft Security Training Day

ISSA-UK: 2010 Event

Geoff Harris, former ISSA-UK President (2007 - 2010) addressing the UK Chapter in 2010

Discounts on Conferences & Training

Membership of the ISSA provides discount on attending numerous partner events including:

  • RSA Europe
  • SANS
  • MISTi
  • Gartner
  • ASIS
  • (ISC)2

Webcasts and eSymposiums

The ISSA run webcasts which cover current topics of discussion in the information security industry. Attendance at these webcasts is free and webcast attendance typically counts towards CPE credits for maintaining current eligible certifications.

Periodicals

Membership provides a number of periodicals:

  • A monthly e-newsletter updating members on ISSA news and events
  • A bi-annual magazine “The ISSA Journal” delivered to your door
  • A monthly e-magazine “The Journal”

Networking

The strength of the ISSA lies in the diversity of its membership. This provides a holistic view of the information security industry and provides excellent networking opportunities:

  • Participate in innovative workgroups (e.g. the new initiative on security for SMEs)
  • Share advice with your peers
  • Broaden your knowledge by exposure to new technologies, legislation and industry sectors

Summary

Membership of the ISSA signifies that you are:

  • Connected to a highly regarded organisation
  • Part of a network of global information security peers
  • Committed to professional growth and development

Membership is extremely good value for the money with annual membership fees for general membership at $95. Student membership is at the discounted rate of $30. The UK chapter is one of the few chapters to provide attendance of events for free for current members. Online joining instructions can be found at the ISSA’s website: https://www.issa.org/page/?p=Join_Online_8

Our next event is on March 10th in London – “Through the Barricades” (Infrastructure Security). Details of this event are online at: http://tinyurl.com/6xhg7sq.  This first event of 2011 is free for both non members and members (AGM section for members only).

For any membership enquiries please get in touch: administration@issa-uk.org


Phil Stewart is Director of External Communications at the ISSA-UK


WikiLeaks: The Law Lags Behind the Technology

January 31, 2011

One of the challenges the US government faces is successfully trying someone under the Espionage Act of 1917. There have been few successful convictions in such cases, though not none, as is sometimes erroneously reported. In 1919 the US Supreme Court ruled that the Espionage Act did not contravene the First Amendment to the US Constitution (which, amongst other things, prohibits the making of any law infringing freedom of the press or freedom of speech).

"Top Secret"

The leaking of classified material into the public domain is clearly an offence under the Espionage Act (ways to prevent this from a technology and process perspective were covered in Excelgate's previous article, WikiLeaks: Is There a Silver Bullet?). The law was clearly never designed for the Internet age, and loopholes remain concerning the re-publication of already leaked material. This has been recognised in the US Congress, with Senators proposing a new SHIELD Act which would specifically target those publishing already leaked material. Amongst the aims of the proposed Act is to "make it illegal to publish the names of U.S. military and intelligence informants." The debate now rages in the US as to whether such an Act would curtail freedom of the press and thus be deemed unconstitutional.

In the UK things are more clear-cut concerning the publication of already leaked classified material. The Official Secrets Act was revised in 1989, removing the "public interest" defence available under the former Act of 1911. In addition, section 5 makes provisions that potentially allow for the prosecution of newspapers or journalists who publish secret information leaked to them by a Crown servant or government contractor in contravention of any section of the Act. This would include (under section 3) the disclosure of information concerning international relations. It does, however, only apply to UK citizens, or where the disclosure takes place in the UK, the Channel Islands or its overseas territories.

The UK is not immune, however, from laws which lag behind the realities of 21st century technology. Earlier this month the UK Deputy Prime Minister, Nick Clegg, discussed changes to the UK's libel laws, which currently work against scientists and others who publish their findings online. There have been cases brought against UK citizens by foreign companies in which the publishers' ISPs are effectively told to remove the content, and thus act as an intermediate judge and jury. The current UK libel laws have attracted much attention, with more than 50,000 people backing the Libel Reform campaign. The US has also passed a law (the SPEECH Act of 2010) protecting its citizens from these laws by decreeing that foreign libel judgments are not enforceable in the US unless they meet US free speech standards.

Once again the issue here is that technology has evolved so quickly that the law has not kept up. When the libel laws were drafted in the UK, written publications tended to be well thought through, drafted and checked by their publishers and legal teams prior to publication. Publication was limited to the national media: print, then radio, then television. Very rarely did John Smith's opinions appear in print, and if they did they would have been checked by a team of editors.

In 1996 it was estimated that there were 30 million web pages, located on 275,000 servers, as indexed by the AltaVista search engine. As of January 2011 the World Wide Web is estimated to consist of 13.03 billion web pages. Prior to the World Wide Web it was straightforward what constituted a reasonable case for defamation: a false statement which damaged reputation. It was easy to bring a claim too, where the statement had no supporting evidence behind it. Discussions between scientists were unlikely to surface into the public domain without prior checking by their publisher: what was a private discussion between two scientists remained so. With the proliferation of online blogging this approach to publishing no longer applies, and in some cases the current laws are abused. Emails too are in some ways a dangerous form of communication: they tend to be the 21st century equivalent of a spoken discussion, sometimes flippant, and for some people reflect only what they would have said aloud prior to the Internet. However, emails can be forwarded, opening the way for libel action.

Digital World

In 1996 it was estimated there were 30 million web pages globally on the web. This has grown to over 13 billion by 2011: nearly 2 pages for every person on earth!
Image: © Nmedia - Fotolia.com

As this article is being written, it is being reported that five men in the UK have been arrested in connection with allegedly participating in Anonymous's denial of service (DoS) attacks mounted against PayPal, Amazon and MasterCard in support of WikiLeaks. In a DoS attack a hacker, or group of hackers, aims to bring down a website or service by flooding it with traffic so that it is no longer able to respond. Such attacks are illegal under both US and UK law. In the UK, the Police and Justice Act 2006 amended the Computer Misuse Act 1990 to make it an offence to impair the operation of a computer, which covers DoS attacks, with a maximum sentence of 10 years' imprisonment. Part of the reason for that amendment was that the 1990 Act was felt at the time to have a potential loophole which did not clearly cover DoS attacks. In the US such attacks are covered by the Computer Fraud and Abuse Act.

The interconnectivity of the Internet and the WikiLeaks issue both illustrate that it is impossible for one jurisdiction acting alone to deal with what is a global problem. As with the financial crisis, co-ordinated action is needed across governments and geographies. Those who seek to engage in criminal damage to computer systems should feel the force of the law irrespective of where the attack was launched from. Perhaps 2011 is the year in which governments worldwide need to think about how their current legislation reflects data publication and Internet usage and abuse. Policy, process and procedures are all very well, but the law also needs to reflect the realities of the 21st century. As with the birth of international electronic communication in the form of telegraphy, only when there is a global consensus will there be a way forward.

Phil Stewart is director of Excelgate Consulting and a member of the management team of the UK Chapter of the ISSA.


WikiLeaks: Is There a Silver Bullet?

January 10, 2011

There has obviously been much focus in the media on the data itself leaked via WikiLeaks, given its content. Little column space has been given to the potential causes of the leak and to solutions that would prevent another such incident occurring.

To my mind, rather than there being a sole “silver bullet” solution, there are a combination of factors which came into play that allowed over 250,000 US diplomatic cables to find their way into the international news media.

"Top Secret"

1. Data Access Controls: “need to know” was relaxed

Firstly, and perhaps most importantly, a breakdown in procedure contributed most significantly to the leak. The "need to know" basis for access to data in US defence and intelligence agencies was, to some extent, relaxed. Following the terrorist attacks of September 11th, 2001, greater co-operation and data sharing was encouraged between the agencies. To some extent this was understandable, since it appears that prior to that date different agencies did not share data with each other as freely as the US government would have liked. However, it appears that the pendulum swung too far the other way, with US defence personnel having access to all data marked "SECRET NOFORN", i.e. secret data not releasable to foreign nationals. There was no valid reason why a soldier should see diplomatic cables.

The "need to know" basis means exactly that: no-one should have access to data that they do not need in order to perform their role. Just because you have TOP SECRET clearance does not mean you should have access to all data marked "TOP SECRET". So it seems here that a soldier (allegedly Bradley Manning) had access to all diplomatic cables marked "SECRET NOFORN". The only saving grace was that the network from which the data was taken, SIPRNet, holds data only up to and including SECRET, not TOP SECRET.

Where data is shared on a network, it is important that personnel have access only to the data they require to perform their role. Imagine, for example, the chaos that would ensue in an organisation if every employee had access to the payroll and HR data, rather than just the accounts and HR departments respectively. The stakes are much higher where the data is more valuable, as in national security.
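The point above, that clearance level alone does not grant access, is easy to get wrong when an access check compares only levels. The following added example (not code from the article or from any real system) models a Bell-LaPadula style decision with three tests: the reader's clearance must dominate the document's classification, the reader must hold every compartment the document is marked with (the need-to-know part), and any dissemination caveat such as NOFORN must be satisfied. The level names, compartment names and the sample subjects and documents are assumed for illustration.

```python
"""Need-to-know access check: clearance level alone is not enough.

Added example, not from the original article. Level names, compartments,
caveats and the sample subjects/documents below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Classification lattice: a subject may read at or below their clearance.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    compartments: frozenset = frozenset()   # explicit need-to-know grants
    nationality: str = "US"                 # used for the NOFORN caveat


@dataclass(frozen=True)
class Document:
    title: str
    classification: str
    compartments: frozenset = frozenset()   # reader must hold every one
    caveats: frozenset = frozenset()        # e.g. {"NOFORN"}


def can_read(subject: Subject, doc: Document) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failure wins."""
    if LEVELS[subject.clearance] < LEVELS[doc.classification]:
        return False, f"clearance {subject.clearance} is below {doc.classification}"
    missing = doc.compartments - subject.compartments
    if missing:
        # Having a high enough clearance does not help here: the need-to-know
        # grant for the compartment is a separate decision.
        return False, f"no need-to-know for {sorted(missing)}"
    if "NOFORN" in doc.caveats and subject.nationality != "US":
        return False, "NOFORN: not releasable to foreign nationals"
    return True, "ok"


def access_report(subjects, docs) -> Dict[Tuple[str, str], bool]:
    """Matrix of (subject, document) -> allowed, for an access review."""
    return {(s.name, d.title): can_read(s, d)[0] for s in subjects for d in docs}


# Constructed sample population (hypothetical names and compartments).
SOLDIER = Subject("field_soldier", "SECRET", frozenset({"OPS-FIELD"}))
DIPLOMAT = Subject("diplomat", "SECRET", frozenset({"DIPLOMATIC"}))
TS_ANALYST = Subject("ts_analyst", "TOP SECRET", frozenset({"SIGINT"}))
LIAISON = Subject("allied_liaison", "SECRET", frozenset({"DIPLOMATIC"}), nationality="UK")

CABLE = Document("diplomatic cable", "SECRET", frozenset({"DIPLOMATIC"}), frozenset({"NOFORN"}))
FIELD_ORDER = Document("field order", "SECRET", frozenset({"OPS-FIELD"}))

if __name__ == "__main__":
    for (who, what), ok in access_report([SOLDIER, DIPLOMAT, TS_ANALYST, LIAISON],
                                         [CABLE, FIELD_ORDER]).items():
        print(f"{who:15} {what:17} {'ALLOW' if ok else 'DENY'}")
```

Note that the TOP SECRET analyst is refused the SECRET cable: the level check passes, but the DIPLOMATIC compartment was never granted. That is the behaviour the "need to know" principle requires, and it is the check that appears to have been missing.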

2. There were no Removable Media Restrictions in place.

It is alleged that 1.6GB of CSV text files containing the 250,000 diplomatic cables were downloaded onto a USB memory stick (initially piecemeal via CD-RW). It seems amazing that the network in question either had no solution to restrict the use of, and access to, removable media onto which large volumes of data can be copied; or, if it had, that the policy was relaxed so that a soldier had full write access to any removable media. There are legitimate reasons why a USB memory stick or a CD/DVD burner may be required by a soldier in the operational field, but equally there are solutions on the market to prevent unauthorised data loss. Lumension's Device Control solution can do exactly that: set a daily copy limit which allows only a certain amount of data per day to be copied, whilst at the same time monitoring what data is being copied. It can also restrict content by file type, so if the soldier is using a bespoke application in the field there is no need to allow him to copy CSV files onto that stick.

"USB Memory stick"

Despite being "old news", unrestricted access to removable media became headline news.
Image: © Red Rice Media - Fotolia.com
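The controls described above (a daily copy quota, a file-type restriction and a restriction to approved devices) are simple to state but only useful if every copy is logged and evaluated. The following is an added example, not from the article and not Lumension's product, that evaluates those three rules over a constructed copy log. The log format, device serials, quota and allowed file types are all assumptions made for the illustration; the point is that the third, fourth and fifth copies below would each have been stopped by a different rule and would each have produced an alert for daily log review.

```python
"""Removable-media copy policy evaluated against a copy log.

Added example, not from the original article. The log format, the device
serials, the quota and the allowed extensions are assumptions.
"""
import os
from collections import defaultdict
from datetime import datetime

POLICY = {
    # Serials of issued, encrypted media (assumed); anything else is denied.
    "approved_devices": {"USB-ISSUED-0017"},
    # Outputs of the assumed field application only; bulk CSV exports are not.
    "allowed_extensions": {".pdf", ".kml"},
    # Per user, per calendar day (assumed figure).
    "daily_quota_bytes": 50 * 1024 * 1024,
}

# Constructed log: timestamp,user,device_serial,filename,bytes
COPY_LOG = """\
2010-04-03T09:12:00,soldier1,USB-ISSUED-0017,patrol_route.kml,120000
2010-04-03T09:40:00,soldier1,USB-ISSUED-0017,brief.pdf,3000000
2010-04-03T10:05:00,soldier1,USB-ISSUED-0017,cables_part1.csv,400000000
2010-04-03T10:30:00,soldier1,CDRW-PERSONAL,cables_part2.csv,400000000
2010-04-03T11:00:00,soldier1,USB-ISSUED-0017,brief2.pdf,60000000
"""


def evaluate(log_text, policy=POLICY):
    """Return [(line_no, decision, reason)] for each copy attempt in order.

    Denied copies do not consume quota; the checks run from the cheapest
    (is this even an approved device?) to the one that needs state.
    """
    used = defaultdict(int)      # (user, date) -> bytes already allowed today
    results = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        ts, user, device, fname, size = line.split(",")
        size = int(size)
        day = datetime.fromisoformat(ts).date()
        ext = os.path.splitext(fname)[1].lower()
        if device not in policy["approved_devices"]:
            results.append((n, "DENY", f"unapproved device {device}"))
        elif ext not in policy["allowed_extensions"]:
            results.append((n, "DENY", f"file type {ext or '(none)'} not allowed"))
        elif used[(user, day)] + size > policy["daily_quota_bytes"]:
            results.append((n, "DENY", "daily quota exceeded"))
        else:
            used[(user, day)] += size
            results.append((n, "ALLOW", "ok"))
    return results


def alerts(results):
    """Every denial is something the daily log review should see."""
    return [r for r in results if r[1] == "DENY"]


if __name__ == "__main__":
    for n, decision, reason in evaluate(COPY_LOG):
        print(f"line {n}: {decision:5} {reason}")
```

The quota check deliberately runs last: the two large CSV copies are already refused on file type and on device, so they never consume the day's allowance, and the later PDF is refused purely because it would push the user past the limit.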

3. Physical Security on-site appears to have been lax

It is alleged that Bradley Manning boasted how easy it was to smuggle in a CD-RW marked "Lady Gaga", erase the music, and replace it with a compressed split file. Again, had this been monitored with an appropriate solution, the alarm could easily have been raised. Daily log inspection is something the industry has been evangelising for years as an extremely important information security measure; in a defence scenario it is critical. It seems, however, that physical security was lax in allowing soldiers to introduce their own devices and media into a secure location in the first place. Most defence locations have screening procedures and ask all visitors to leave their own media and devices at the gatehouse. Why does this not seem to apply to their own personnel?

The solution here is to allow only defence-approved devices which are both monitored and controlled. Once a private device is introduced into the network, you risk not only data leakage but also the introduction of malware and inappropriate content. Anyone bringing in their own device or removable media should have it secured away for return when they leave the location. Devices which are vulnerable to malware infection and have no suitable encryption capabilities have no place in a defence scenario.

4. Encrypt data at rest as well as in motion: file encryption too?

By now most organisations have got the message that data needs to be encrypted at rest where it is likely to be exposed (e.g. full disk encryption for laptops, removable media encryption) as well as in motion (e.g. email encryption). However, in a defence scenario it may also be appropriate to use file-level encryption, so that should data be copied off the network via a breach of security, it is worthless to a third party. This is particularly true for data as sensitive as this, where diplomatic cables have caused the US and her allies embarrassment at best and a compromise of national security in the worst case. It seems odd that such important documents were held on the network in an unencrypted format.

Of course, solutions exist to enforce removable media encryption, but any thorough analysis of the security requirements will also take into account the possibility of a deliberate breach of security by an insider, which leads to:

5. Separation of duties

It is always best practice to have separation of duties. Had the files been encrypted, it would be best practice to ensure that no single person has access to both the data and the encryption keys: an algorithm is only as strong as the security of its keys. The crypto custodian (sounds like a superhero from a comic strip!) should not be the same person as the system administrator who can grant or revoke access to the data itself. This separation of duties safeguards against one person being able to bypass internal security. In addition, any technical control worth its salt must be able to provide separation of duties and roles within the solution itself (e.g. an auditor can only see logs, but cannot make administrative changes).
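Separation of duties needs to be enforced in two places: when roles are assigned (one person must not end up holding both conflicting roles) and when the sensitive operation is performed (decryption should require a data-access grant and a key release from two different people). The following added example, not from the article or any real product, implements both: a role store that refuses mutually exclusive role combinations, an action table in which the auditor can read the audit log but cannot change anything, and a release gate that permits decryption only when the administrator who granted access and the custodian who released the key are different principals. Role names, actions and the sample users are assumed.

```python
"""Separation of duties: no single person holds both data access and the key.

Added example, not from the original article. Role names, actions and the
sample principals below are assumptions for illustration.
"""
from typing import Dict, Set

# Pairs of roles that one person must never hold at the same time.
MUTUALLY_EXCLUSIVE = [
    {"sysadmin", "crypto_custodian"},   # grants data access vs. holds the keys
    {"sysadmin", "auditor"},            # makes changes vs. reviews the changes
]

# Which roles may perform which action inside the control itself.
PERMITTED_ROLES = {
    "read_audit_log": {"auditor", "sysadmin"},
    "change_config": {"sysadmin"},
    "grant_data_access": {"sysadmin"},
    "release_key": {"crypto_custodian"},
}


class RoleStore:
    def __init__(self):
        self.roles: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        """Add a role, refusing any combination listed in MUTUALLY_EXCLUSIVE."""
        held = self.roles.get(user, set())
        for pair in MUTUALLY_EXCLUSIVE:
            conflict = held & (pair - {role})
            if role in pair and conflict:
                raise PermissionError(f"{user}: {role} conflicts with {sorted(conflict)}")
        self.roles.setdefault(user, set()).add(role)

    def permitted(self, user: str, action: str) -> bool:
        return bool(self.roles.get(user, set()) & PERMITTED_ROLES.get(action, set()))


class ReleaseGate:
    """Two-person rule over an encrypted data set: access grant + key release."""

    def __init__(self, roles: RoleStore):
        self.roles = roles
        self.access_grants: Dict[str, str] = {}   # dataset -> sysadmin who granted
        self.key_releases: Dict[str, str] = {}    # dataset -> custodian who released

    def grant_access(self, admin: str, dataset: str) -> None:
        if not self.roles.permitted(admin, "grant_data_access"):
            raise PermissionError(f"{admin} may not grant data access")
        self.access_grants[dataset] = admin

    def release_key(self, custodian: str, dataset: str) -> None:
        if not self.roles.permitted(custodian, "release_key"):
            raise PermissionError(f"{custodian} may not release keys")
        self.key_releases[dataset] = custodian

    def decrypt_allowed(self, dataset: str) -> bool:
        admin = self.access_grants.get(dataset)
        custodian = self.key_releases.get(dataset)
        # Both halves present, and not the same person: that is the whole point.
        return admin is not None and custodian is not None and admin != custodian


def demo():
    """Walk through the constructed scenario; returns the three observable outcomes."""
    store = RoleStore()
    store.assign("alice", "sysadmin")
    store.assign("bob", "crypto_custodian")
    store.assign("carol", "auditor")
    try:
        store.assign("alice", "crypto_custodian")   # would let alice do it all
        conflict_refused = False
    except PermissionError:
        conflict_refused = True
    gate = ReleaseGate(store)
    gate.grant_access("alice", "cables")
    before_key = gate.decrypt_allowed("cables")    # access alone is not enough
    gate.release_key("bob", "cables")
    after_key = gate.decrypt_allowed("cables")
    return conflict_refused, before_key, after_key


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The role store refuses the assignment that would make one person both administrator and custodian, so the gate's "different people" test can never be satisfied by a single principal acting twice; the auditor, meanwhile, can read the audit log but is refused every administrative action.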

Nevertheless, there may be occasions where, despite the measures above and extensive background checks on the personnel used for the task, collusion occurs to take data off the network: this is where electronic data labelling becomes important. At the heart of the WikiLeaks issue is also the fact that the legal system is significantly behind the technology, but more on that subject later!

Phil Stewart is director of Excelgate Consulting
www.excelgate.co.uk


Coldplay’s Secret Santa

December 15, 2010

Christmas came early for 100 Coldplay fans last month when they took part in the video shoot for Coldplay's latest single, Christmas Lights. I was lucky enough to be one of them.

Coldplay Christmas Lights Video Shoot Location

The South Bank of the Thames looking towards St. Paul's Cathedral: location for Coldplay's video shoot for Christmas Lights on 25th November, 2010.

The invitation from Coldplay HQ went out as an opportunity to have a question and answer session with Coldplay's creative director and fifth member (Phil Harvey), to meet two of the touring road crew (Matthew Miller and Matt McGinn), and for "a few surprises up our sleeves for the evening". The venue was a cruise boat in London, starting at 5pm and lasting until around 11:30pm, and we were told to dress up warmly for the evening. So out came the glad rags!

Speculation began given the dates (either November 25th or 26th) that it may be related to a video shoot for Coldplay’s next single, Christmas Lights. This was intensified on the evening of the 24th November, when Coldplay posted the following note on their website:

Coldplay's Christmas Lights Press Release
The scribbled out section reads: “We are doing the video right now.
It is a mid tempo number.”

I met up with other fans before boarding the boat and one of the many pleasantly surreal things from the evening was signing a thank you card to Coldplay. We speculated whether the uncertainty around the date was if the band/production company were waiting to see the weather forecast (it had been forecast to snow on the evening of the 25th in London, but not the 26th). My own guess for the evening was that it was going to be a video shoot: that we would be whisked away to some secret location on the East Coast (given the cruise was scheduled to be over 5 hours): somewhere where a stage would be set up and that we would be filmed as part of a live audience at a festive gig. I never dreamt Coldplay could keep filming in the heart of central London such a secret!

As we boarded the boat we had to hand in our cameras and phones. Some fans were wondering why we were doing this – but working in an industry where this is commonplace it didn’t bother me at all; and I guessed something special was in store. Once the boat had left its mooring we were told we were going to take part in the video shoot for their song Christmas Lights, and be the first 100 people outside of EMI to hear the song in full.

After listening to the new song several times, we were told we were going to be involved in singing the section that kicks in around 3:20 into the video, and letting off helium balloons from the top deck of the cruise ship. The boat went up the Thames from Tower Bridge to the site of Coldplay's stage, between the Oxo Tower and the National Theatre on the South Bank. Amazingly, apart from a few paparazzi (more on that later!), no one had got wind of this. At the point of filming our section there were no obvious signs that Coldplay were there, other than a large crew production vehicle, and passers-by were just walking or jogging past, completely oblivious to why there was a stage erected on the South Bank or a boat moored in the middle of the Thames with people holding LED helium balloons on it: just another night in the capital city!

The sequence, which lasts around 10 seconds in the finished video, took about 3 hours to shoot: holding on to helium balloons by their tips on the cold, windy Thames is a tricky business! Filming was done via a crane-mounted camera from the bank of the Thames, with arc lights lighting up the boat. There were enough balloons for four video takes and we also did two sound takes for the accompanying singing. After the shoot wrapped up, Chris Martin thanked us for our "great singing"; he obviously didn't hear me!

In our industry we tend to think solely in terms of sectors where security is paramount: finance and government. However, international rock stars need to keep secrets too! The reasons for their secrecy cover areas we are used to in the world of information security: intellectual property (they didn't want anyone releasing a song based on their work); reputation (the director of the video, Mat Whitecross, and his company had theirs at stake); and physical safety (they didn't want the band getting mugged at night, given their section didn't wrap up until 3am!). In addition, when filming a popular TV show or a video for a band as big as Coldplay, the producers don't want masses of people in the background, either in shot or making a noise and disrupting the shoot. It truly is amazing, in an age of social networking media, that Coldplay managed to pull all this off.

In many ways this was a textbook implementation of security (with one notable exception): there was a security policy (“we need to keep the song and band location secret”), there were processes/ procedures to back this up (we all signed an NDA); there was physical security (we were on a boat, our identity was checked as we came in, and all phones and cameras were handed in upon arrival); and there was user training (the production company reminded us several times the importance of keeping the band’s location of filming and song under wraps, until the release on 1st December). The fan side of it was a job well done: I think Coldplay’s fan liaison officer deserves some extra tangerines in her Christmas stocking from the band this Christmas!

Nevertheless there was a leak, and for once not from WikiLeaks! The paparazzi did turn up at the Coldplay set and, with long lenses, managed to get pictures of both the set and the boat. I wondered who might have leaked the location. It can't have been a fan, given we were on a boat and incommunicado. Was it someone out to make a fast buck from a leak? Then I saw the following tweet from Simon Pegg, also an extra in the video:

Simon Pegg's Tweet

Simon Pegg's tweet gave the game away that morning. Given that it was re-tweeted 86 times, it did not require the deductive skills of Sherlock Holmes to find Coldplay that day!

So what next for Coldplay? Well Chris Martin said recently in an interview that their next album – due next year – could be their “last big shot”. Chris loves saying something like this prior to every album launch, but if ever he feels likes laying down the guitar and closing the piano for good, he can always mastermind information security in the music industry. You heard it here first: Chris Martin is music’s answer to James Bond.

Christmas Lights is the new Coldplay single and is available on iTunes. The video can be seen on Coldplay’s website



Saving Bletchley Park

September 16, 2010

In 1938, as the threat of a second world war loomed, the Government Code and Cypher School needed a new base for its operations. Its existing home at Broadway Buildings in Westminster, London, was not an ideal location for its top secret activities. Bletchley Park was chosen for its excellent rail and communication links with both London and the North, and for being roughly equidistant from the university cities of Oxford and Cambridge (the same qualities that later led to the new city of Milton Keynes being built around it).
In August 1938 an advance party of GC&CS staff moved in under the cover story of "Captain Ridley's shooting party", in order to maintain the secrecy of their activities, and Station X, as Bletchley Park was known, was born. Recruitment continued in inventive ways once war had begun: in 1942 a crossword competition appeared in the Daily Telegraph. Those who could complete the crossword within 12 minutes were invited to a hotel in London to collect their prize, whereupon they were asked to complete another crossword under supervision. If they completed the second test successfully within the allotted time, they were asked whether they were prepared to undertake "a particular type of work as a contribution to the war effort".

The Mansion, Bletchley Park

The Mansion, Bletchley Park

Over the next seven years, leading mathematicians, puzzle solvers and cryptanalysts such as Alan Turing were assembled at Bletchley Park for the purpose of breaking German ciphers, above all Enigma. By January 1945, at the height of the code breaking, over 9,000 people were working on the site each day. The Enigma cipher, a polyalphabetic substitution cipher implemented with rotating wheels, was staggeringly complex: the number of possible machine settings is commonly put at around 150,000,000,000,000,000,000, so that someone who did not know the key faced odds of that order against guessing it.

In 1943 the Colossus machines, the world's first programmable electronic digital computers, were designed by the Post Office engineer Tommy Flowers at the Post Office Research Station at Dollis Hill and installed at Bletchley Park. They were built not for Enigma but to attack the German Lorenz teleprinter cipher (known at Bletchley Park as "Tunny"). The first prototype was working by December 1943, with the improved Mark 2 ready just in time for the Normandy landings in June 1944: computing history was being made at Bletchley Park too.

Decrypting German traffic contributed significantly to numerous battles throughout the Second World War, giving advance knowledge of German air force, naval and army positions. In the Battle of the Atlantic, for example, it enabled the Allies to locate German U-boats and route convoys around them. Prior to the D-Day landings of June 1944 the Allies knew the positions of 56 of the 58 German divisions on the Western Front. The contribution made by those working at Bletchley Park to the war effort therefore cannot be stressed enough. Historians have calculated that the work done here shortened the war by at least two years, saving countless lives: by 1944 the Second World War was claiming 11 million lives a year.

Nearly 50 years later, by 1991, most of the buildings and huts at Bletchley Park were empty and at serious risk of demolition. In 1992 Milton Keynes Council declared the Park a conservation area, and shortly afterwards the Bletchley Park Trust was formed. In 1994 the site was opened to the public as a museum, opening its doors every other weekend; by 2004 it was open every day. However, this proved to be a critical point for the site, as many of the buildings were in a state of disrepair: the "temporary" huts where the code breaking was done were simply rotting away, and the iconic Bletchley Park mansion had severe leaks in the roof which threatened the building completely.

Hut 6, Bletchley Park

Hut 6, May 2010, in its current state of disrepair: the code-breakers working on German Air Force and Army Enigma traffic were based here

In 2008, Sue Black, head of information and software systems at the University of Westminster, began a campaign “Saving Bletchley Park” which sought to raise public awareness of the site and its condition. A number of initiatives were highly successful: an open letter to The Times newspaper drew the support of over one hundred prominent academics; an e-Petition to the Prime Minister raised over 22,000 votes, and a motion to “call on the government to provide operational funding” in parliament was launched in late 2009.

The Saving Bletchley Park campaign has been successful in raising awareness of the state of the site and its funding problems. The Bletchley Park Trust faces the dual problems of deteriorating buildings, many of which were only ever envisaged as temporary and now require extensive restoration, and crumbling infrastructure. In November 2008 English Heritage provided £330,000 to repair the roof of the mansion, and a further £100,000 per annum for three years, subject to another body matching the funding, to help upgrade the site's infrastructure. The Heritage Lottery Fund has given the Trust a first-round pass, providing £460,000 to enable detailed plans for the restoration and redevelopment of the museum to be drawn up. These will be submitted in around 12 months' time and, subject to Bletchley Park raising £1.5 million in match funding, the Heritage Lottery Fund has allocated £4.1 million for the project. English Heritage and Milton Keynes Council have also provided funding, and more recently the Department for Culture, Media and Sport has done so too: the first time central government has provided funding. Individual supporters are also helping with personal donations.

The Victorian dairy, Bletchley Park

The Victorian dairy, May 2010: funding is required for the roof repairs


How Can I support the Bletchley Park Trust?

There are a number of ways in which you can support the Bletchley Park Trust:

As a self-funded museum, Bletchley Park receives most of its income through museum admissions. The museum and tour are great for anyone interested in history, computing, cryptography, World War 2, or all of these! The tours are sometimes conducted by people who actually worked at Bletchley Park during the war, and their witty take on events is often highly amusing: the work of Bletchley Park is presented in a way that is engaging for a modern audience without ever making light of the subject matter. Exhibits include a working rebuild of a Colossus machine (housed by The National Museum of Computing on the site) and a replica of the Bombe machine used in the film Enigma, a personal donation from Mick Jagger.

Another way is by personal donation. Details are available on their website: http://www.bletchleypark.org.uk/content/paypal-donate.rhtm . The Bletchley Park Trust is a registered charity and is therefore able to take advantage of the Gift Aid scheme.

The Colossus machine

The working replica of the Colossus machine: the decrypted message is produced on ticker tape (shown on the right hand side here)

For those wishing to hold conferences in the information security space, what better venue than Bletchley Park? Large conference facilities are available, with a guided tour of the site afterwards. The Annual ACCU Fundraising Conference is being held at Bletchley Park on 6th November 2010, with cryptographer Bruce Schneier attending. Further details are available at: http://www.bletchleypark.org.uk/calendar/event_detail.rhtm?cat=special&recID=618139 . All proceeds of this conference will be shared equally between the Bletchley Park Trust and The National Museum of Computing to help with the upkeep of the Bletchley Park site and to support the Museum.

Please take the time to support this important part of our national heritage in whichever way you can.

Phil Stewart is director of Excelgate Consulting.
www.excelgate.co.uk


Information Security Spending & Procurement Post 6th May

May 6, 2010

Whatever the outcome of today’s General Election in the UK one thing is certain: there will be increased scrutiny of IT spending post 6th May, especially in the public sector. Increased scrutiny does not necessarily mean decreased spending though, particularly with regards to information security.

In this General Election campaign the parties have talked about “back office cuts” and “wasteful IT projects”, but the need for information security spending has never been greater. At Infosecurity Europe 2010 in London last week, PricewaterhouseCoopers presented the findings of its biennial Information Security Breaches Survey. They illustrate the need: 92% of responding large organisations (more than 250 staff) reported a security incident, against 72% in 2008, costing them on average between £280,000 and £690,000 (£90,000 to £170,000 in 2008). Small organisations (fewer than 50 staff) fare little better: 83% reported an incident (45% in 2008), costing them on average between £27,500 and £55,000 (£10,000 to £20,000 in 2008). In addition, Chris Potter, a senior partner in PwC's information security practice, recently told the Financial Times that the total cost of cybercrime to the UK economy had more than doubled, from “around £3bn to £5bn” in 2008 to “at least £10bn” in 2010.

Furthermore, research commissioned by the Information Commissioner's Office and presented in the keynote at Infosecurity Europe 2010 counted 962 serious data breaches reported to the ICO since November 2007. Of these, 271 (28.1%) occurred in the private sector, while the public sector, including the NHS, accounted for 621 (64.5%); the remainder were in the third sector or classified as other. Clearly there is work to be done in both sectors, but given that the UK economy is currently split roughly 50/50 between public and private sector, the public sector accounts for a disproportionate share of reported breaches. (That comparison should be read with some care: breach notification to the ICO was not a legal requirement at the time, and public bodies were under stronger expectations to report, so the figures partly reflect reporting behaviour as well as incidence.) Here, therefore, is an opportunity for the next government to reduce waste by improving information security.

A common theme at Infosecurity Europe last week was: how do I secure funding for security projects? Aside from the studies mentioned above, organisations need to be much smarter in the procurement process, both in raising the business case clearly to their board and in their dealings with suppliers. “Regulatory compliance” has been the industry buzzword for a while, but evangelising it as the sole reason for security purchases misses the point: complying with regulations not only decreases risk but protects your organisation's reputation, and thus adds to the bottom line. Usually the damage to reputation costs more than the fine that follows a breach.

Sometimes it is easy for IT managers to be driven by what IT needs rather than what the business requires. In the last security blog, Excelgate looked at how the ISO 27001 standard forms the baseline framework for compliance across a number of areas. It also fosters an information security awareness culture in the organisation, because it requires buy-in from board level downwards, and so removes the knee-jerk approach to security. And it obliges the organisation to carry out a risk assessment: identify the risks to the business, then (potentially) put a number on the cost of each risk and compare it with the cost of the controls that would mitigate it. The business can then decide which risks need mitigating and which controls, for its environment, are not worth buying.
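The cost-of-risk against cost-of-control comparison described above, worked through as an added example; this is not code from the original post or from Excelgate. It uses the annualised loss expectancy formulation (single loss expectancy multiplied by annual rate of occurrence) common in quantitative risk assessment, which ISO 27001 itself does not prescribe, and every figure in the register is constructed for illustration. The point it shows that the paragraph does not is the decision rule: a control whose running cost exceeds the loss it avoids is the one the business should decline, however good it looks on paper.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: cost of one occurrence (GBP)
    aro: float   # annual rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy before any control is applied."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: Risk
    annual_cost: float   # licence, amortised implementation and operating cost per year
    reduction: float     # fraction of the ALE the control removes, 0.0 .. 1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError("reduction must be a fraction between 0 and 1")
        if self.annual_cost <= 0:
            raise ValueError("a control with no cost needs no business case")

    @property
    def avoided_loss(self) -> float:
        return self.risk.ale * self.reduction

    @property
    def net_benefit(self) -> float:
        """Annual loss avoided minus what the control costs to run."""
        return self.avoided_loss - self.annual_cost

    @property
    def rosi(self) -> float:
        """Return on security investment: net benefit per pound spent."""
        return self.net_benefit / self.annual_cost


def treatment_decision(control: Control) -> str:
    """'mitigate' if the control avoids more annual loss than it costs,
    otherwise 'accept': the residual risk is cheaper to carry than the control."""
    return "mitigate" if control.net_benefit > 0 else "accept"


def rank_controls(controls: Iterable[Control]) -> List[Tuple[str, float, str]]:
    """Controls ordered by ROSI, most cost-effective first, each with its decision."""
    ranked = sorted(controls, key=lambda c: c.rosi, reverse=True)
    return [(c.name, round(c.rosi, 2), treatment_decision(c)) for c in ranked]


# Constructed register: the figures are illustrative, not survey data.
LAPTOP_LOSS = Risk("Unencrypted laptop lost", sle=50_000, aro=0.5)     # ALE 25,000
USB_LOSS = Risk("Unencrypted USB stick lost", sle=20_000, aro=2.0)     # ALE 40,000
DC_FLOOD = Risk("Server room flooded", sle=200_000, aro=0.01)          # ALE 2,000

CONTROLS = [
    Control("Full-disk encryption for laptops", LAPTOP_LOSS, annual_cost=5_000, reduction=0.9),
    Control("Removable media encryption and port control", USB_LOSS, annual_cost=6_000, reduction=0.8),
    Control("Relocate servers to a flood-proof data centre", DC_FLOOD, annual_cost=30_000, reduction=0.95),
]

if __name__ == "__main__":
    for name, rosi, decision in rank_controls(CONTROLS):
        print(f"{decision:8s} ROSI={rosi:6.2f}  {name}")
```

With these constructed numbers the removable-media control ranks first, laptop encryption second, and the data centre move is the one to decline: it would spend £30,000 a year to avoid about £1,900 of expected loss. The same register, with real figures, is the evidence a board will ask for when told that compliance "adds to the bottom line".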

Changes to the procurement process are also required. We have heard about this in the General Election campaign with regard to transparency, but I would argue that a smarter scrutiny process is needed as well. At present, proposal questions are simply too vague to allow an informed decision to be made on the business case. Hardware and software proposals should include a detailed project plan for the time and costs of implementing and supporting a solution. This should not be rocket science: if the product has been implemented frequently there will be past history and case studies to back up those numbers. Similarly, when working in a particular sector, it is easy to ask contacts with a similar estate about their experience of particular solutions.

Even on the technical side there is often vagueness. Proposals ought to ask about performance, and a supplier answering from its published materials may well say “negligible”, as though the product magically uses neither memory nor processor. Where are the in-house or third-party performance test results to back up that assertion? If they are not available online, the procurement process is the chance to ask. Would you buy a car without knowing its tested performance, especially its fuel consumption? Vehicle manufacturers would not get away with “negligible fuel consumption”!

To raise the business case for security spending in your business, remember that compliance is a necessity: it adds to the bottom line by safeguarding reputation, and without it you cannot do business effectively, or at all. The ISO 27001 standard forms a good security baseline with which to drive security awareness and culture within your organisation; share opinions and best practice freely with peers as a sounding board; and expect changes to procurement processes, particularly within the public sector. Greater scrutiny and openness drive competition and innovation, and as an industry we should welcome change in this area.


Phil Stewart is director of Excelgate Consulting

www.excelgate.co.uk


ISO 27001 for SMEs?

April 8, 2010

Back in 1993, the DTI assembled seven companies to write a standard for information security. David Lacey, a founder member of the Jericho Forum and of the Institute of Information Security Professionals (IISP), worked with others in the industry and wrote the introduction and many of the ten chapters that made up the British Standard BS 7799. The standard was published in 1995, and Shell (David's company at the time) gained the world's first certification, awarded by KPMG under the Dutch scheme, for Shell's IT services across Europe.

ISO 27001 is the international standard for information security management and is based largely on BS 7799. It sets out a clearly defined set of requirements for an organisation (with the accompanying best-practice guidance in ISO 27002): requirements for security policies, procedures and risk analysis, together with the technical, physical and procedural controls that should be considered in the context of the organisation. Looking at the highly publicised breaches in the UK over the last few years, a number occurred because, whilst appropriate technical controls were in place (in some cases), the corresponding security policies, procedures and user awareness training were not; or because technical controls had been applied to one area of the business (laptop encryption) only for the data to leave by another route (unencrypted removable media); or because a data centre well guarded by technical controls had poor physical access security (an unsecured door propped open by the cleaners).

Going through the ISO 27001 certification process makes a company consider all of these aspects in the context of their relevance to the organisation. A few years ago I wrote a white paper for a vendor mapping the use of its technology to the controls specified in the standard. It raised the profile of ISO 27001: for those not considering certification, it raised awareness of the standard and encouraged them at least to research it further and buy a copy; for those already considering or pursuing certification, it mapped out clearly how the technology helped meet, wholly or partially, each particular control. It also raised our profile as a vendor by demonstrating that we cared about information security and offered value beyond supplying and implementing our own technology. It was a win-win for all concerned.

SMEs (small and medium-sized enterprises) are defined by the EU by headcount, turnover and balance sheet, but typically have 250 employees or fewer. In these organisations, information security has historically been seen as a “grudge purchase” and “someone else's problem”, yet the legislation and regulatory compliance affecting large organisations apply as much to SMEs as to global multinationals. To illustrate this, a recent study by Eclipse Internet found that 62 per cent of the 154 SMEs polled did not know that changes to the Data Protection Act were due to come into force in the UK on 6th April 2010. While most had at least heard of the Act, only 22% were aware that its enforcement powers were being extended in April 2010, giving the Information Commissioner's Office the ability to fine firms up to £500,000 for serious breaches of the Act.

Similarly, any SME taking payment by credit card needs to think about PCI DSS compliance. Most SMEs will fall under Level 4 (under 20,000 transactions a year) or possibly Level 3 (20,000 to 1,000,000 transactions a year). The broad outline of PCI DSS is: build and maintain a secure network; protect cardholder data; maintain a vulnerability management programme; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. All of these map onto controls in ISO 27001.

Why do many SMEs take the view that information security is an onerous task or a grudge purchase? To account for the difference in thinking between big business and SMEs, one needs to look at the business drivers that acutely affect SMEs: the drive to win new customers and new business; a close eye on expenditure and on anything deemed “unnecessary”; and, for many, a short-term outlook driven by today's events and the current quarter rather than a holistic, long-term view. This is compounded by the low take-up of security solutions by other SMEs, which keeps the low-volume per-seat price high, and by the security vendors, who have historically seen the SME market as high effort for low revenue and so have not sold to it as strongly as to multinationals and to local and central government. Thus the entry-level purchase price remains high and remains a blocker to SMEs buying. Special pricing for SMEs typically does not exist.

The irony is that while many SMEs need to ensure legal and regulatory compliance, and currently do so (if at all) piecemeal, the framework provided by ISO 27001 sets out the controls necessary for information security. PCI DSS, for example, was not written to map to ISO 27001 (or to ISO 27002, the code of practice that accompanies it), but anyone who has applied the guidance in ISO 27002 should, with minor additional work, be able to demonstrate conformance to most of the PCI standard. The caveat is that PCI DSS retains prescriptive requirements of its own, such as the rules on storing cardholder data and the quarterly vulnerability scans, which have to be evidenced in their own right. Even so, ISO 27001 and the ISO 27002 best practice form the basis of compliance across PCI DSS and many other areas of information security.

Preparing for and certifying to ISO 27001 ought not to be onerous for an SME. Clearly your requirements for security policies and awareness training are going to be very different from those of a 30,000-employee multinational. Similarly, controls for physical security are going to be different (and less costly) for an organisation employing five people than for one employing thousands that must address controls for, say, a data centre covering disaster recovery and the risks of fire, flooding and physical access. At a recent ISSA chapter meeting, David Lacey proposed a workshop to produce a new “streamlined” version of the standard as SME guidance, so that there is less paperwork for the SME both in preparing for and in being audited against ISO 27001. This is to ensure the standard is not seen as onerous, since some of it will not be appropriate for SME organisations. ISSA members, including myself, will be working to produce this streamlined version specifically for the SME market.

The benefits of going through certification are numerous. Certifying to ISO 27001 provides the framework for legal and regulatory compliance across a number of areas of information security, and it also brings definable business benefits: differentiation from competitors; systems interoperability (systems are more likely to work together if viewed as a whole rather than individually); security awareness (implementing the policy produces a workforce more aware of the risks and of their obligations); business alignment (because implementing ISO 27001 requires the involvement of both business and technical management, IT and the business usually end up better aligned); and, of course, improved information security, since adopting the standard reduces risk.

Phil Stewart is director of Excelgate Consulting and holds the Certified ISO27001 Implementation Practitioner (CIIP) certification

www.excelgate.co.uk


To Tweet or not to Tweet?

March 25, 2010

Many organisations currently face a dilemma over allowing the use of social networking sites within the company. On the one hand, they are useful sales and marketing tools and the communication method of choice for the so-called “generation Y”, those born from the late 1970s to 2000 who grew up with the Internet. It is estimated that in ten years' time every detail about generation Y, from date of birth and credit card details to shopping habits and mother's maiden name, will be available somewhere online, legally or illicitly. This generation, now entering the workplace, may not understand the rationale for restricting its use at work, and may become resentful if denied what they see as a useful way of keeping in contact with colleagues and business associates.

On the other hand, the use of such sites presents many security risks, to the individual and to the organisation. Facebook has outstripped Google in hits in the US according to Hitwise, which gives an indication of its popularity. Many Facebook users freely post their home town, first school, date of birth and so on without a second thought for the fact that these are often the security questions used by financial institutions; worse still, they don't restrict this information to their friends. Any cyber criminal can therefore help themselves to the details, handed over on a plate. In addition, many users connect to new contacts indiscriminately and rarely, if ever, validate the person's identity by another means. Would you strike up a friendship with someone you didn't recognise and give them all your personal details in the first minute of conversation? Or trust someone you had never met? No! Yet people do it in cyberspace.

Facebook allows users to create their own applications, and cyber thieves have moved in with fake applications that deliver malware. Combined with exploiting human nature, this means users are tricked into clicking seemingly innocuous links (“take a look at my holiday photos: xxx”) that lead to a fake website, such as a spoofed YouTube page, which prompts the user to download malware that harvests personal information.

Twitter too is a useful sales and marketing tool for organisations, but it too has risks. URL shortening services such as TinyURL, which people use in tweets to save space, hide the destination of a link, and users have dropped their guard about clicking on them. How many times have you checked whether the shortened URL in a colleague's or friend's tweet actually leads to a bona fide website rather than a malicious one? The “LOL, is this you?” attack that spread on Twitter did exactly that, exploiting users' implicit trust in a follower's tweet. Twitter also allows users to record their GPS location with their tweets, and occasionally people have posted not only their physical location but what security products their organisations are using as well! Attackers have an easy time these days: they don't need to be good at social engineering any more, because social networking users frequently do half the job for them.
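Checking where a shortened URL actually leads before anyone clicks it, as an added example that is not from the original post. It resolves the link one redirect at a time with HEAD requests and urllib's redirect handling switched off, then judges the recorded chain: too many hops, a landing host outside an allow-list, a link that still ends on another shortener, an https-to-http downgrade, or the old trick of putting a trusted name before an @ so the real host is hidden. The allow-list and shortener list are assumed stand-ins to replace with your own, and the sample chains at the bottom are constructed, not captured traffic.

```python
from typing import List, Optional
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

MAX_HOPS = 5
# Assumed for this example: hosts your organisation expects links to land on,
# and shorteners whose appearance at the end of a chain means "not resolved yet".
TRUSTED_HOSTS = {"www.excelgate.co.uk", "www.bletchleypark.org.uk"}
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at each redirect instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def next_hop(url: str, timeout: float = 5.0) -> Optional[str]:
    """HEAD one URL and return the absolute Location it redirects to, or None.

    HEAD rather than GET, so no page body (or drive-by payload) is fetched.
    This is the only function that touches the network.
    """
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None                       # 2xx: this is the landing page
    except urllib.error.HTTPError as err:     # 3xx surfaces here once following is off
        if err.code in REDIRECT_CODES and err.headers.get("Location"):
            return urljoin(url, err.headers["Location"])
        return None


def analyse_chain(start: str, hops: List[str]) -> dict:
    """Judge a redirect chain start -> hops[0] -> ... -> hops[-1] without clicking it.

    The last hop is the landing URL. Pure function, so a recorded chain can be
    checked offline.
    """
    findings = []
    chain = [start] + hops
    if len(hops) > MAX_HOPS:
        findings.append("too many redirects")
    for url in chain[1:]:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            findings.append(f"non-web scheme: {parts.scheme or 'none'}")
        if "@" in parts.netloc:
            # https://trusted.example@evil.example reads as trusted; the host is after the @
            findings.append(f"userinfo in URL, real host is {parts.hostname}")
    final = urlsplit(chain[-1])
    if final.hostname in KNOWN_SHORTENERS:
        findings.append("chain ends on a shortener: unresolved")
    elif final.hostname not in TRUSTED_HOSTS:
        findings.append(f"lands outside allow-list: {final.hostname}")
    if urlsplit(start).scheme == "https" and final.scheme == "http":
        findings.append("downgrade from https to http")
    return {"final": chain[-1], "host": final.hostname,
            "safe": not findings, "findings": findings}


def expand(short_url: str) -> dict:
    """Resolve a shortened URL hop by hop (network), then analyse the chain."""
    hops, current = [], short_url
    while len(hops) <= MAX_HOPS:              # one past the limit so the excess is reported
        nxt = next_hop(current)
        if nxt is None:
            break
        hops.append(nxt)
        current = nxt
    return analyse_chain(short_url, hops)


if __name__ == "__main__":
    # Constructed chains standing in for what next_hop() would have returned.
    samples = {
        "benign": ("http://tinyurl.com/abc123", ["https://www.bletchleypark.org.uk/"]),
        "lookalike": ("http://tinyurl.com/abc124",
                      ["https://www.bletchleypark.org.uk@evil.example/login"]),
        "nested": ("http://t.co/x", ["http://bit.ly/y"]),
    }
    for label, (start, hops) in samples.items():
        print(label, analyse_chain(start, hops))
```

The split between next_hop() and analyse_chain() is deliberate: the network part only ever issues HEAD requests and never follows anything on its own, while the judgement runs on a plain list of URLs, so the same rules can be applied to links harvested from a mail gateway or proxy log without touching the destinations at all.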

Clearly these sites are here to stay, and to move completely against the tide would be churlish. A “one size fits all” approach to security is not appropriate: the use and control of these media must be done in a context appropriate to the organisation, the industry and the risk. If you work in government or defence, using Twitter and posting your current location is clearly not a good idea. Similarly, those in the information security sector need to think carefully, when marketing their services or products, about when it is and isn't a good idea to report which security products an organisation is using. For large organisations it may be prudent to restrict Twitter and Facebook to the marketing team, with education on the risks of their use. Twitter, for example, allows tweets to be protected so that they are visible only to followers the account has approved: they do not appear in the public timeline but only to an approved audience. If you work in the media industry this probably won't be for you; there is a huge difference between a band letting the world know when its latest album is due and an information security firm letting the world know what firewall a bank is using! Twitter also has a verification service, so that high-profile accounts like 10 Downing Street are verified and marked as such. Be careful who you allow to follow you until you have established they are who they say they are.

As with all things in our industry, technical controls alone are not enough: there needs to be user awareness and education. If you allow social networking in your organisation, train your users that while these media have business benefits they also carry risk, and that what is posted on the web stays there, thanks to web caching. In years gone by yesterday's news was tomorrow's fish and chip paper, gone and forgotten; today it has permanence. Do you really want libellous material posted from your organisation to remain on the web? Think carefully about your social media usage strategy, educate users, and tweet safely!

www.excelgate.co.uk

