2011 has seen a steady stream of attacks and data breaches at a whole host of well-known, large organisations: Sony, Citibank, RSA, Google, Epsilon Marketing, and more recently, the Pentagon. Why are we seeing such a steady stream of major information security breaches at large organisations? Who can we trust with our data? What can be done to remedy the situation?
Lack of Board Engagement
Opinion differs in the industry as to whether the fault lies with the information security industry itself in convincing board level of the need to act; or whether boards are actively engaged with information security professionals in the first place. Harvey Nash’s CIO 2011 Survey published earlier this year generated responses from 2,000 CIOs and industry leaders worldwide. Its findings showed that 50% of respondents sit at the operational management or board level of their organisation – meaning that the other half do not.
When Sony’s breach involving 77m Playstation user details came to light, it was subsequently revealed that Sony did not have a CIO/CISO at the time, and indeed for a number of years preceding the attack. It’s not just sufficient for board visibility of information security but also that the CIO has genuine influence and is able to raise awareness to the board and influence decisions on a regular basis. Good information security awareness starts from the top : you cannot expect your employees to have awareness of an issue that has no visibility at board level.
Taking a Holistic View
It is important for every organisation to take a holistic view of information security (technology, processes, people) and not focus on a sole product, standard or the “next greatest thing” and believe that all will be well. The culture of chasing the current standard or solution, currently in vogue, has been largely vendor-driven, where advice is given with a heavy slant towards their own solutions as the sole solution. I’m keen on vendors and professionals who see the bigger picture beyond their own product or standard or area of expertise and are keen to educate, or in those vendors who, in developing their own solution are keen to help improve upon existing standards. I’ve been particularly impressed with Sophos in this regard, who regularly give out advice via their security blogs on a whole host of issues ranging from Facebook scams, phishing attacks, credit card scams, and botnets. They are to be commended not only for taking a holistic view of the industry but commenting on the various social media scams for which social media users clearly need educating. It also did not surprise me that Sophos won the award for best speaker at the recent ISSA event onboard HMS President.
To illustrate why a holistic approach is important – for years Intrusion Detection & Intrusion Prevention systems for years has been sold as the panacea for detecting all malicious intrusions on your network. Without proper examination and collation of these logs on a regular basis – having IDS / IPS alone is nearly as bad as no IDS/IPS at all. Consider a “go-slow” attack where an attacker tries to gain access using 2 logon attempts per hour. Typically, this would not trip either an account lockout situation or an IPS detection – it needs some intelligence behind it to raise that alarm (be that human or automated – via SIEM ). For a large organisation, do you really expect a human operator to sift through thousand of event logs looking for a needle in an electronic haystack? Are you properly and intelligently monitoring your logs and can you take evasive action quickly should you come under attack? (rather than after the data has bolted, as is frequently the case).
Avoiding the “Checkbox Culture” that Standards Compliance Alone Generates.
There’s too much noise and focus on standards compliance in the industry in the mistaken belief this alone will generate security. It doesn’t: when taken in isolation, it generates a false sense of security. Information security cannot be seen as an annual tick box event, with a string of recommendations and good intentions: to be done at some later date.
Whilst standards compliance is a necessary part of good governance, the industry really should be talking about generating good security cultures. An interesting study would be of those companies mentioned above (and others) which have suffered a breach, the percentage which had recently undertaken compliance with a particular standard, combined with whether they have a CIO/CISO in place and had regular staff training in place. It would make interesting reading.
A security culture is something that starts in an organisation from top-down: the board is updated at regular and frequent intervals about what is being done across the organisation – what business processes need improving and what staff education programmes are in place or are being updated. CIOs / CISO should be constantly improving their skill sets and awareness by attending conferences, reading the latest security articles and being aware of innovative solutions that challenge the established way of thinking in the industry. The human factor – and education of staff is an area that is often overlooked: in the Information Security Breaches Survey of 2010 by PWC, it showed that 80% of large organisations reported an incident caused by staff, yet very rarely do we hear of the need to regularly educate users. It simply isn’t good enough to keep blaming staff if you don’t have a regular training programme in place. It also isn’t good enough to “educate and forget” i.e. only train when a new person joins an organisation and never again – there needs to be a programme in place to educate users at regular intervals – to accommodate new threats, changes to legislation and best working practices.
Taking Professionalism Seriously
It’s long past time that our industry took professionalism seriously. Think of a visit to a doctor or a surgeon performing an operation. Would you let a surgeon operate on you who hadn’t bothered to attend medical school or didn’t think the exams were “really that important or necessary”? There certainly are some bad doctors out there, but the reverse argument of not bothering with professional qualifications to practice in the medical profession doesn’t hold water. Yet that is exactly what a small portion of our industry is doing!
As if to illustrate the point, last week I heard a hilarious story from a journalist who told me how he had uncovered someone who had been blagging their way around the industry as a “security consultant” (incidentally the journalist has given permission for me to repeat this, and the information was obtained via publishable sources and not via phone blagging or phone hacking!). Not only did the ‘consultant’ have no information security qualifications or certifications, but he had previously been working in… the hair products industry! After containing our laughter in the restaurant, I remarked: “Securing hair braids yesterday, securing data tomorrow!” It would be a funnier joke if it wasn’t happening in our industry.
The industry needs to think about standardising on acceptable criteria for practicing in this field. I would propose that people wanting to employ someone in our industry insists on a CISSP certification as a minimum benchmark certification, as it demonstrates many of the areas previously discussed – such as taking a holistic view, relevant experience, and it encourages and requires constant improvement and education. It also demonstrates a commitment to the industry. Getting information security wrong can have a really serious impact on your business, and it certainly isn’t about just selling security solutions as a quick ‘fix’. I would also urge organisations to ensure that people at all levels are qualified – from CISO/ CIO & CTO down: it’s not good enough to ensure your junior staff are qualified whilst your security leaders are not – lead by example.
Changes to Legislation Are Required
I both welcome and support a change in the law to include mandatory breach notification for the UK – as is already the case in US states such as California. I would like to see also as part of filing a company’s annual accounts or statutory annual return a list of security measures they are taking / will be undertaking to safeguard personal data in their organisation. If there’s a statutory requirement to report annual financial accounts, why not something (albeit more sophisticated) in place for information security as well? If people have to sign off on security measures that subsequently turn out to be false or inadequate (and face subsequent prosecution), it may just make boards wake up that inaction is not an option and that people’s data and privacy is something we value as a society. Granted, this alone isn’t going to be a panacea or an easy thing to legislate (a one size fits all policy for all organisations is not appropriate in terms of their obligations – but then we already accommodate different annual accounting requirements with the Companies Act of 2006 for different sized organisations).
Without enforcement, legislation alone is unlikely to succeed in changing culture. I would also like to see stiffer penalties for breaches of section 55 of the Data Protection Act enforced in the UK. In May 2006, the Information Commissioner in the UK published a report “What Price Privacy?” which uncovered the illegal trade in personal information, with a follow-up report published 6 months later. The act of blagging, (which has been the root of all the problems with the phone hacking scandal) is a criminal offence under section 55 of the Data Protection Act 1998. Currently, however, it carries a fine of up to £5,000 in a Magistrate’s Court but does not include a custodial sentence. Whilst Section 77 of the Criminal Justice and Immigration Act 2008 (CJIA) subsequently included provision for a custodial sentence of up to two years, this provision cannot come into effect until the Secretary of State makes a relevant order. Whilst the recent phone hacking scandal has focused on some journalists using blagging to obtain personal information, the “What Price Privacy?” report of 2006 showed the practice is far from confined to the journalism sector – this is just the visible tip of a much bigger iceberg lurking below – and I urge people to read that report from the ICO.
To conclude, whilst I don’t share the pessimism of some in the industry by the same token I’m not complacent either in thinking that there isn’t much still to be done: both in changing and enforcing the law, educating both board members and employees and ensuring the industry thinks holistically as individuals and organisations.