The Insider Threat

September 5, 2011

Last month the Information Commissioner, Christopher Graham, gave an interview to the ISSA, ahead of his address to the ISSA later this week, and looks at how most data breaches start with an employee from within the organisation:

In 2006, the ICO uncovered the organised and illegal trade of confidential personal information in the report, What Price Privacy? How widespread do you believe this problem is today in the UK?

“I’ve described it as a modern scourge. The headlines, both in 2006 and more recently, have all been about the behaviour of the press, but I think it goes much further … Basically we’ve got pretty systematic trashing of our rights under the Data Protection Act.  My predecessor, in flagging the blagging, made the case for a much stronger penalty that would act as a deterrent but also send a very strong signal that data protection offences are not a victimless crime. It’s very important now that parliament gets on and activates section 77 of the Criminal Justice & Immigration Act 2008 which allows for the custodial penalty of up to 6 months in a magistrates court and up to 2 years in the crown court, but has not been commenced. It wasn’t commenced because of a stand-off between the politicians and the press.  I think we can now get through that, because the terms of the debate have changed a bit.  This isn’t something that should wait for the Leveson Inquiry because frankly it isn’t about newspapers – it’s about debt recovery, claims management companies, matrimonial disputes, child custody battles, you name it.”

Yes, I remember when you became Information Commissioner in 2009, at a Parliamentary select Committee you re-iterated the need for a custodial sentence for convictions under section 55 of the Data Protection Act.

“Indeed, I did.  I didn’t get very far, though, because basically the politicians and the press had agreed this was going to be a sort of Sword of Damocles hanging over the press and if they misbehaved then it would be activated. I think the whole point was the 2006 report – yes, it talks about the behaviour of the tabloid press because the particular private investigator that the ICO raided, that was his main line of business.  But that’s  not what all the report was about. The idea that you don’t have to take any action against staff in NHS walk-in centres selling information to claims management companies because of some arcane dispute about investigative journalism is clearly nonsense. I didn’t get very far two years ago but I’m determined to go on pushing. There’s the human factor in all of this. We can have wonderful systems and policies for data protection and data security, but if the men and women on the ground don’t take it seriously and don’t think it matters – none of those systems are going to work. A small fine in a magistrates court is simply not a deterrent. I think understanding that you might go to prison is more like it, but it also enables the courts to look at the whole range of possible penalties which might be somewhere between a small fine and the threat of going to prison or having a community sentence.”

I noticed that in the ICO’s latest annual report – you mentioned the NHS – as an organisation they had the largest number of data breaches

 “They are about the largest organisation so I’m not surprised by that – they are quite good at reporting breaches, it’s part of their procedure. I recently met with the chief executive of the National Health Service,  Sir David Nicholson.  We had a very good, workmanlike discussion. There’s a lot of change in the NHS and that makes for a particularly dangerous time but you’ve got to distinguish between the trucks and the tracks. We’re much better at thinking about the trucks: these are the great security initiatives and projects. The tracks are the routine: the day-to-day. My experience of a lot of organisations, not just the NHS, is that the messages haven’t got down to the grassroots. Data protection is seen as the sole concern of a few geeks, and as a result terrible things happen.  People have heard the messages but haven’t internalised them. Every week I’m dealing with laptops going missing, not encrypted; portable devices and papers left on the bus; sensitive files dumped in a skip. In the health service of course by definition the information is almost certainly going to be sensitive information so we’re working very closely with the NHS so that they can get the big things right – summary care records etc, but they can also get the smaller things – which actually aren’t that small – such as persuading the receptionist in the GP surgery you don’t give things out over the phone just because somebody rings you up and sounds persuasive.”

What can be done in the health sector and other sectors to generate a culture where data protection becomes second nature, rather than seen as an annual event, or a burdensome task?

“I think organisations both in the public sector and the private sector have so much at stake in terms of their reputation, which of course in commercial terms you can put a value on, and in the public sector it’s all about the threat of reversing all the work that’s gone into citizen engagement.  The fact that it’s a real issue at the top of the organisation means that the message then needs to be taken to the whole organisation: it’s not just something of peripheral concern. Yes, it’s about training, but then it’s about auditing, it’s about going back and making sure people are practising what they know they are supposed to be doing – it’s about mainstreaming the whole thing. It should be absolutely part of the performance review system. We shouldn’t have the situations we’ve had over the past few years or so where people dealing with very sensitive information are treating it in such a cavalier way.  Our first civil monetary penalty was imposed on Hertfordshire County Council where they’d faxed highly sensitive court papers in a child welfare case to what they thought was Watford County Court but unfortunately it wasn’t and they’d got the number wrong. You wouldn’t do that if you were thinking about what the material was you were handling, that it was very sensitive, personal information about vulnerable children, so faxing wasn’t a very good idea anyway. You needed to have made sure you had got the right fax number, and that someone was waiting for the fax at the other end and that you didn’t just have finger trouble and were about to send it elsewhere. The civil monetary penalties which we’ve had at [the ICO’s] disposal since April of last year have certainly had a sobering effect and made people sit up and take notice. We’ve only imposed 6 of them – we’re not trigger happy – but it’s certainly made it very real to organisations who have focused on the reputational damage – being hit with a penalty.”

Following the use of social networking sites such as Twitter to reveal the details of super-injunctions earlier this year, the Prime Minister has called for a review of Data Privacy legislation in the UK. Will the ICO be contributing to the work of any new parliamentary committee in shaping any new data privacy legislation?

“Well, the Data Privacy legislation will be reviewed anyway in the context of the European Directive – that’s a process that’s going ahead. The Commissioner Viviane Reding is leading that process and the ICO is very much engaged with our European colleagues in the Article 29 working party – we’ve been inputting into that study. We expect to see a draft of a directive in about November and then the legislative process will follow. In a few years’ time there will be changes to data protection law, because the directive on which it’s based will have changed. We don’t think there is much wrong with the principles, but we’re looking for legislation that is much more modern and realistic in terms of what actually happens in the world of global information exchange.”


The legislation has been behind the technology in terms of usage of it, hasn’t it?

“Absolutely. It’s very important that Brussels produces a legislative proposal which is reasonably future-proof – if you get the principles right then the principles can take the technological changes on board. If you’re overly prescriptive then you’ll come up with something that is highly relevant for 2013 but by the time it comes into law it’s probably outdated because of all of these other developments. The ICO, working with anyone who will listen to us, is stressing the accountability principle – that the legal responsibilities lie with the data controller, and that the role of the data protection authority is to regulate that relationship and intervene as and when necessary on the basis of risk, rather than pretend the data protection authorities can be like some latter day King Canute holding back the waves, and let’s not kid ourselves that no information moves across borders without some tick in the box from the Data Protection Authority. The current Directive, of course, is pre-cloud, but it ought to be clear that’s it’s a very outdated text that doesn’t take into account the realities of the modern world.”

Would you like to see greater powers for the ICO, such as the power to audit an organisation to investigate a serious data breach?

“We gained some extra powers under the Coroner’s & Justice Act, and we have found that doing consensual audits is going really well, more in the public sector than the private sector. We can run the ruler over a company’s compliance which can then be a badge of pride: “we’ve been checked over by the ICO”. There are powers to compulsorily audit government departments. I will go as far and as fast with the existing powers that I’ve got, but if I come to the conclusion that I’m not able to get anywhere-  that I can‘t audit  organisations – then I will certainly return to the Secretary of State. I can get warrants – I signed a warrant today. It would be more satisfactory to require an audit, probably as part of an undertaking to improve.”

At a recent ISSA chapter meeting, one speaker remarked that social engineering over the phone is often the seed for an attacker that allows them  either to guess a password or a weakness in a system or a process to exploit.  Many of the data breaches we have touched on this afternoon all start from an internal employee in an organisation. Do you think we are doing enough to educate employees in organisations to create a security culture?

“No I think we’re not and you absolutely put your finger on it when, in relation to this row about hacking, you have to ask the question: ‘how is it possible for the phones to be hacked?’ and the answer is: somebody has blagged, which they shouldn’t have done. That gets us back to section 55 of the Data Protection Act – it’s just too easy to blag and the penalty isn’t very impressive if you get caught. So I believe very strongly we’ve got to push for that [a custodial sentence] and I’m trying to get the politicians to see that this is something we need to do anyway – it’s going to take some time. Frankly we can’t wait [for the Leveson Inquiry] . We’ve got information leaking from databases, every day – and not, as I said earlier, to journalists particularly – because information is valuable and it’s making people a lot of money.  That’s the root of our problems – so if we’re concerned about cyber security then getting these basic things right is absolutely essential, and members of staff in all organisations need to see the connection between something which seems to them as a bit naughty, but not terribly bad, and the terrible things that happen as a result.”

Christopher Graham – thank you for your time this afternoon and we look forward to your address at the ISSA next month.


The Information Commissioner, Christopher Graham, was talking to Phil Stewart, Director, External Communications, ISSA UK. Christopher Graham will be addressing the ISSA at their next meeting on 8th September 2011 in London.


Stemming the Tide of Data Breaches

July 28, 2011

2011 has seen a steady stream of attacks and data breaches at a whole host of well-known, large organisations: Sony, Citibank, RSA, Google, Epsilon Marketing, and more recently, the Pentagon. Why are we seeing such a steady stream of major information security breaches at large organisations? Who can we trust with our data? What can be done to remedy the situation?

Data Stream, Data Breaches, Binary Data

2011 has seen a steady stream of data breaches at large organisations: from Sony to Citibank, to RSA, Google and Epsilon Marketing and the Pentagon. Lockheed Martin also thwarted an intrusion attempt into their network to steal data.
Image: © Junede -

Lack of Board Engagement

Opinion differs in the industry as to whether the fault lies with the information security industry itself in convincing board level of the need to act; or whether boards are actively engaged with information security professionals in the first place. Harvey Nash’s CIO 2011 Survey published earlier this year generated responses from 2,000 CIOs and industry leaders worldwide. Its findings showed that 50% of respondents sit at the operational management or board level of their organisation – meaning that the other half do not.

When Sony’s breach involving 77m Playstation user details came to light, it was subsequently revealed that Sony did not have a CIO/CISO at the time, and indeed for a number of years preceding the attack. It’s not just sufficient for board visibility of information security but also that the CIO has genuine influence and is able to raise awareness to the board and influence decisions on a regular basis. Good information security awareness starts from the top : you cannot expect your employees to have awareness of an issue that has no visibility at board level.

Taking a Holistic View

It is important for every organisation to take a holistic view of information security (technology, processes, people) and not focus on a sole product, standard or the “next greatest thing” and believe that all will be well. The culture of chasing the current standard or solution, currently in vogue, has been largely vendor-driven, where advice is given with a heavy slant towards their own solutions as the sole solution. I’m keen on vendors and professionals who see the bigger picture beyond their own product or standard or area of expertise and are keen to educate, or in those vendors who, in developing their own solution are keen to help improve upon existing standards. I’ve been particularly impressed with Sophos in this regard, who regularly give out advice via their security blogs on a whole host of issues ranging from Facebook scams, phishing attacks, credit card scams, and botnets. They are to be commended not only for taking a holistic view of the industry but commenting on the various social media scams for which social media users clearly need educating. It also did not surprise me that Sophos won the award for best speaker at the recent ISSA event onboard HMS President.

To illustrate why a holistic approach is important – for years Intrusion Detection & Intrusion Prevention systems for years has been sold as the panacea for detecting all malicious intrusions on your network. Without proper examination and collation of these logs on a regular basis – having IDS / IPS alone is nearly as bad as no IDS/IPS at all. Consider a “go-slow” attack where an attacker tries to gain access using 2 logon attempts per hour. Typically, this would not trip either an account lockout situation or an IPS detection – it needs some intelligence behind it to raise that alarm (be that human or automated – via SIEM ). For a large organisation, do you really expect a human operator to sift through thousand of event logs looking for a needle in an electronic haystack? Are you properly and intelligently monitoring your logs and can you take evasive action quickly should you come under attack? (rather than after the data has bolted, as is frequently the case).

Avoiding the “Checkbox Culture” that Standards Compliance Alone Generates.

There’s too much noise and focus on standards compliance in the industry in the mistaken belief this alone will generate security. It doesn’t: when taken in isolation, it generates a false sense of security. Information security cannot be seen as an annual tick box event, with a string of recommendations and good intentions: to be done at some later date.

Whilst standards compliance is a necessary part of good governance, the industry really should be talking about generating good security cultures. An interesting study would be of those companies mentioned above (and others) which have suffered a breach, the percentage which had recently undertaken compliance with a particular standard, combined with whether they have a CIO/CISO in place and had regular staff training in place. It would make interesting reading.

A security culture is something that starts in an organisation from top-down: the board is updated at regular and frequent intervals about what is being done across the organisation – what business processes need improving and what staff education programmes are in place or are being updated. CIOs / CISO should be constantly improving their skill sets and awareness by attending conferences, reading the latest security articles and being aware of innovative solutions that challenge the established way of thinking in the industry. The human factor – and education of staff is an area that is often overlooked: in the Information Security Breaches Survey of 2010 by PWC, it showed that 80% of large organisations reported an incident caused by staff, yet very rarely do we hear of the need to regularly educate users. It simply isn’t good enough to keep blaming staff if you don’t have a regular training programme in place. It also isn’t good enough to “educate and forget” i.e. only train when a new person joins an organisation and never again – there needs to be a programme in place to educate users at regular intervals – to accommodate new threats, changes to legislation and best working practices.

Taking Professionalism Seriously

It’s long past time that our industry took professionalism seriously. Think of a visit to a doctor or a surgeon performing an operation. Would you let a surgeon operate on you who hadn’t bothered to attend medical school or didn’t think the exams were “really that important or necessary”? There certainly are some bad doctors out there, but the reverse argument of not bothering with professional qualifications to practice in the medical profession doesn’t hold water. Yet that is exactly what a small portion of our industry is doing!

As if to illustrate the point, last week I heard a hilarious story from a journalist who told me how he had uncovered someone who had been blagging their way around the industry as a “security consultant” (incidentally the journalist has given permission for me to repeat this, and the information was obtained via publishable sources and not via phone blagging or phone hacking!). Not only did the ‘consultant’ have no information security qualifications or certifications, but he had previously been working in… the hair products industry!  After containing our laughter in the restaurant, I remarked: “Securing hair braids yesterday, securing data tomorrow!” It would be a funnier joke if it wasn’t happening in our industry.

Would the medical profession allowed unqualified staff?

“Don’t worry sir, I’m fully unqualified! I’m good with people though and ...... I used to cut hair for a living, so you have nothing to fear. How hard can this medical thing be?”
Image: © Joel Calheiros -

The industry needs to think about standardising on acceptable criteria for practicing in this field. I would propose that people wanting to employ someone in our industry insists on a CISSP certification as a minimum benchmark certification, as it demonstrates many of the areas previously discussed – such as taking a holistic view, relevant experience, and it encourages and requires constant improvement and education. It also demonstrates a commitment to the industry. Getting information security wrong can have a really serious impact on your business, and it certainly isn’t about just selling security solutions as a quick ‘fix’. I would also urge organisations to ensure that people at all levels are qualified – from CISO/ CIO & CTO down: it’s not good enough to ensure your junior staff are qualified whilst your security leaders are not – lead by example.

Changes to Legislation Are Required

I both welcome and support a change in the law to include mandatory breach notification for the UK – as is already the case in US states such as California. I would like to see also as part of filing a company’s annual accounts or statutory annual return a list of security measures they are taking / will be undertaking to safeguard personal data in their organisation. If there’s a statutory requirement to report annual financial accounts, why not something (albeit more sophisticated) in place for information security as well? If people have to sign off on security measures that subsequently turn out to be false or inadequate (and face subsequent prosecution), it may just make boards wake up that inaction is not an option and that people’s data and privacy is something we value as a society. Granted, this alone isn’t going to be a panacea or an easy thing to legislate (a one size fits all policy for all organisations is not appropriate in terms of their obligations – but then we already accommodate different annual accounting requirements with the Companies Act of 2006 for different sized organisations).

Without enforcement, legislation alone is unlikely to succeed in changing culture. I would also like to see stiffer penalties for breaches of section 55 of the Data Protection Act enforced in the UK. In May 2006, the Information Commissioner in the UK published a report “What Price Privacy?” which uncovered the illegal trade in personal information, with a follow-up report published 6 months later. The act of blagging, (which has been the root of all the problems with the phone hacking scandal) is a criminal offence under section 55 of the Data Protection Act 1998. Currently, however, it carries a fine of up to £5,000 in a Magistrate’s Court but does not include a custodial sentence. Whilst Section 77 of the Criminal Justice and Immigration Act 2008 (CJIA) subsequently included provision for a custodial sentence of up to two years, this provision cannot come into effect until the Secretary of State makes a relevant order. Whilst the recent phone hacking scandal has focused on some journalists using blagging to obtain personal information, the “What Price Privacy?” report of 2006 showed the practice is far from confined to the journalism sector – this is just the visible tip of a much bigger iceberg lurking below – and I urge people to read that report from the ICO.

To conclude, whilst I don’t share the pessimism of some in the industry by the same token I’m not complacent either in thinking that there isn’t much still to be done: both in changing and enforcing the law, educating both board members and employees and ensuring the industry thinks holistically as individuals and organisations.

Phil Stewart is Director of Excelgate Consulting and Director of External Communications, ISSA UK

Twitter Tourettes

June 15, 2011

Twitter celebrated its fifth birthday earlier this year. It has revolutionised the way people interact in the 21st century: being at the heart of both revolutions across the Middle East and the centre of a media and legal maelstrom in the UK regarding super injunctions. It, along with FaceBook, has become the mode of communication of choice for the “Google generation”. The appetite for both instant news and celebrity gossip have both proved insatiable and brought with it a whole host of dangers to both individual and organisation for the unwary and unprepared.

"Twitter Tourettes" elearning "Social Networking Security" eCourse

Twitter celebrated its fifth birthday on 21st March 2011. Twitter users now send more than 140 million tweets a day.

Twitter Tourette’s, to coin a phrase, is used in this context to describe a phenomenon which has been increasing on the Internet regarding a (seemingly unknown) compulsion to publicise private or inappropriate material online (not to make light of Tourette’s Syndrome, in which 10% of people with Tourette’s swear uncontrollably). Serious thought needs to be given to not only the use of social networking tools within the workplace, but training to employees as to how they use it within their private lives.

High Profile Cases:

Bomb ‘joke’ on Twitter results in conviction under the Communications Act 2003

On 6th January 2010 Paul Chambers, a 27-year old accountant, posted on Twitter a ‘joke’ regarding threatening to blow Robin Hood airport “sky high” . He was arrested at work a week later and subsequently convicted of an offence under section 127 of the Communications Act 2003 (for “sending a public electronic message that was grossly offensive or of an indecent, obscene or menacing character”). Paul was fined £1,000 and lost his job as a result of the tweet, and lost his subsequent appeal against the conviction at Doncaster Crown Court.

Press Complaints Commission rules Twitter messages are “not private”

Sarah Baskerville, a Department of Transport official, filed a complaint to the press regulator, arguing that her tweets regarding comments about being her being hung-over at work were private for her 700 Twitter followers, and not meant for publication in the press (the Daily Mail and Independent on Sunday both reported this story). The Press Complaints Commission ruled that as Twitter was publically accessible and that the potential audience was actually much further than her own followers, (since messages on Twitter can be re-tweeted to others) the publication of the story in the press did not constitute an invasion of privacy.

IT Consultant unwittingly tweets details of the raid on Osama Bin Laden hide-out live

An IT Consultant, Sohaib Athar, living in Abottobad, Pakistan, was the first person to unwittingly tweet about the raid on the hide-out of Osama Bin Laden. He reported live as events unfolded that a helicopter was hovering over Abottobad, followed by a loud explosion. He pondered: “Since Taliban (probably) don’t have helicopters, and since they’re saying it was not “ours”, so must be a complicated situation”. Later that day, after the White House Press conference on the raid, it dawned on him he had tweeted the operation live: “Uh oh, now I’m the guy who liveblogged the Osama raid without knowing it”. Within hours of his initial tweets his followers surged by over 15,000.

European head of Twitter indicates revealing to police details of Twitter users who broke superinjuction

Lawyers acting for a UK Premiership footballer, filed court papers against Twitter and a number of its members last week after they allegedly broke the terms of a “super-injunction” banning publication of details of his private life. Tony Wang, the new European head of Twitter, has indicated that it could give police details of users who broke the gagging order, in line with its global policy for dealing with legal requests. In a statement at the e-G8 forum in Paris, Mr Wang said that it was Twitter’s policy was to comply with local laws to hand over details where it was “legally required” to do so.

South Tyneside Council acts in US Court to reveal identity of Twitter users behind allegedly libellous statements

South Tyneside council went to court in California to request Twitter release details of the identity of five twitter users who were allegedly libelling a number of councillors at South Tyneside Council via Twitter. The “Mr Monkey” blog had made a number of accusations against the council leaders. Council spokesman Paul Robinson has revealed information has been disclosed by Twitter to its lawyers including IP addresses and email addresses.

A Tweet is a publication, not a private message!

Twitter should be regarded as a publishing platform, not a means of private communication. All the examples mentioned illustrate  the dangers of the unguarded use of Twitter and social networking sites, from revealing the details of secret military operations; opening the way for legal action either by defamation or breaking the terms of a gagging order; uncontrolled release of new media into the press; or damage to reputation: corporate or private.

New e-learning Course

Excelgate Consulting has teamed up with Ira Winkler & VigiTrust to provide an e-learning solution training course: Security of Social Networks. The e-learning solutions can be run using a standard web browser and completed in stages at the participant’s pace.

elearning eSec Security of Social Networks

The Security of Social Networking elearning course model: introduction.

Upon completion of the course, your employees will participate in a test to determine their awareness and upon passing the course will generate a certificate. On successful completion of the Security of Social Networks course, users will:

• Be able to distinguish between direct and indirect attacks from hackers and other unscrupulous individuals and how to avoid exposure to them

• Recognise the threats posed by seemingly inconsequential personal or confidential work information and identify the various ways in which criminals may exploit social networks

• Gain a good understanding of the main features of the major social networking sites, and how careless activity can impact negatively on corporate applications and customer sensitive information

The new Security of Social Networks e-Learning course is available now, and a short demo is available here: . Please contact us for further information.

CPA: Commercial Product Assurance

March 31, 2011

Earlier this month, CESG presented their new assurance scheme for security products at the IA Practitioner’s Forum in York. Commercial Product Assurance (CPA) is the new assurance scheme designed for security products for protecting data in UK government at Impact Level (IL) 3 or below.

I was involved with the pilot of the (then CSIA) Claims Test Mark Scheme,  back in 2004: SecureWave was invited to participate in the pilot phase, (then run by Cabinet Office), to produce working Claims Documents that could be easily turned into test plans from their marketing collateral. We, together with our test lab IBM, achieved two of the first three certificates awarded for the scheme launch in September 2005. The scheme addressed a market need at that time: a UK government backed assurance scheme that was effectively a hallmark of security software: up to  Impact Level 2.

Six years later and the security landscape is greatly different to that of 2005. Threats emerge at a much faster rate, so any new scheme needs to be able be both flexible and adaptive in its approach. Long lead times to certify a solution will undermine the scheme itself, and the new scheme also needs to have a mechanism in place to deal with patching of solutions as new threats emerge and vulnerabilities are identified. From a vendor perspective too: the market has also changed. Security solutions have become commoditised: and the huge sums to spend on assurance schemes available in 2005 are now under close scrutiny for their long-term return as an investment in 2011.

Being involved with the CCTM pilot and launch, I’ve taken a keen interest in the development of this new scheme, and particularly welcome the responsiveness of CESG to the concerns expressed by vendors and consultants at the workshop at CIPCOG 2010 on their existing assurance schemes. What I believe this new scheme addresses:

  • To provide a scheme for product assurance for the “missing” part of product assurance – at Impact Level 3 (CCTM evaluated products were up to IL2 ). CAPS, suitable for higher impact levels was seen as too costly and time-consuming by vendors who had engineered a solution suitable for say local government, but had no desire to operate/ engineer for the higher impact levels. This prevented some vendors from entering the UK government market at all.
  • To recognise that vendors may have already submitted their products through other certification schemes, such as Common Criteria, and recognise the evidence in that submission, where appropriate
  • It recognises that not all data at Impact Level 3 should be treated in exactly the same way. Depending upon the threat level, either a Foundation or Augmented grade CPA evaluation will be required, reflecting the threat model and product usage.
  • It encourages competition in the industry by opening up the relatively closed space of IL3 to more players.
  • It addresses the need to select a product relevant to the risk profile associated with a particular organisation. Over-engineered solutions for a relatively lower risk profile will have a credible alternative solution.

In the new scheme there are, at the time of writing, 26 categories (“security characteristics”) of security products eligible for entry into the CPA scheme. These include: software full disk encryption and VPNs for remote working (the categories this time around for the pilot phase); data destruction and desktop email encryption (priority A) ; SSL VPN and desktop virtualisation (priority B); and client AV product and bootable media for remote working (priority C).

There are two levels of entry into the scheme: foundation and augmented. Foundation level involves predominantly “black-box” testing and examination of the product, whereas Augmented levels involves more specialised testing, and analysis of source code and other low-level artefacts. These take into account that not all data at Impact level 3 is subject to the same nature of threats (e.g. aggregation of citizen data in a local authority; a central government payment system; an intelligence agency’s RESTRICTED email system). It does raise the question whether Impact Levels have been a good way of reflecting the threat landscape and as a guidance means, if such a rider is needed to re-iterate that impact levels  represent the impact to the organisation of a breach; not necessarily the environment or nature of data to be protected.

Testing will be done by a CESG approved CPA Testing lab, where upon  the test lab will submit the results of a questionnaire concerning the product on behalf of the vendor to CESG. Provided CESG confirm the eligibility of the solution for foundation grade then the test lab will evaluate the solution against the security characteristic specified for that solution; and CESG will review the deliverables. It is a pre-requisite of the augmented level entry, to have passed foundation level evaluation. Due to the more detailed analysis required for augmented level, the contract for evaluation will be between CESG and the developer.

As far as the existing CCTM scheme is concerned, there will be a gradual phase out transition of the scheme. Products already in CCTM evaluation will continue. New submissions to CCTM have been/ will be rejected as follows:

  1. Products that could be tested against ‘Priority A’ CPA SCs will not be accepted into CCTM from 14th February 2011.
  2. Products that could be tested against ‘Priority B’ CPA SCs will not be accepted into CCTM from 31st March 2011.
  3. Products that could be tested against ‘Priority C’ CPA SCs will not be accepted into CCTM from 31st December 2011.

I am supportive of the new scheme but would stress the need to ensure that the new scheme delivers on the key concerns of reducing time to certify and the costs of the scheme (particularly for foundation level). Although CESG are not responsible for the costs of the new scheme, it is in the interests of all concerned to deliver in this regard. Towards the end of the CCTM scheme, the average cost to the vendor was £18k-£20k in submitting a product through CCTM. I’ve heard similar figures being mentioned for the new scheme. A streamlined process that takes into account existing schemes ought to reduce costs for foundation level (augmented level evaluations will obviously be at the higher end owing to the more vigorous evaluation required).

It is true that this new scheme also includes a higher level of assurance greater than did CCTM, but on the other hand it is the foundation level that is likely to be of most interest to vendors: reducing the time and costs to certify a solution over CCTM, as well as taking into account existing certification schemes, where appropriate. It is this also which will open up the large local government market to more competition, which hitherto has seen a near monopoly/ duopoly in certain key product areas. Lack of competition is at risk of creating a dangerous monoculture in government.  This assurance scheme will encourage innovation in the industry, as well as delivering value for money for the taxpayer.

CPA is the new product assurance scheme from CESG and launches Spring 2011. More information can be found at CESG’s website.

Phil Stewart is director of Excelgate Consulting and
Director, External Communications, of the UK Chapter of the ISSA

ISSA 5173: A New Security Standard for SMEs

March 17, 2011

Last week at our chapter meeting, ISSA UK published a new standard specifically designed for Small and Medium Enterprises (SMEs): ISSA 5173. It is the result of a workgroup of 30 information security professionals in the ISSA.

ISSA 5173

A year ago, at March 2010’s ISSA AGM and chapter meeting, David Lacey, Director of Research at ISSA UK presented the need for action in the SME community regarding information security. This resonated with many members of the audience, and as a result, a workgroup was set up comprised of vendors, consultants, directors, researchers and chief security officers.

SMEs (typically defined as 250 employees or less) make up 99.9% of the UK businesses, according to BIS’s Small and Medium Enterprise Statistics for SMEs, published in October 2010, and account for 49% of the UK turnover. Too often, the need for information security within SMEs is regarded as a “grudge purchase” and too often is perceived as “someone else’s problem”. In the UK, the definition of a small and medium business for accounting purposes is defined in the Companies Act of 2006. A small company has “a turnover of not more than £6.5 million, a balance sheet total of not more than £3.26 million and not more than 50 employees.” A medium company has “a turnover of not more than £25.9 million, a balance sheet total of not more than £12.9 million”. These companies clearly have intellectual property of considerable worth, and there is a clear need for SMEs to take action: not just for the sake of compliance but also to safeguard their own assets. Information in the 21st century has considerable value, and the loss of it, as recent events have shown, can be very damaging for reputation. In the case of a small business, it may well put it out of business.

Part of the problem has been a general lack of innovation in the industry in recent times. In creating this draft standard, whilst the ISSA has looked at existing standards, the consensus was that a fresh approach was needed to deal with information security for SMEs. Clearly, the situation for SMEs is not getting any better: in fact, it’s getting worse. In the bi-annual Information Security and Breaches Survey (ISBS) published in 2010 by PWC, in 2008, 35% small businesses surveyed had suffered a malicious attack; this rose to 74% in 2010. Similarly, the average number and cost of a security breach in a small organisation rose from an average of 6 incidents with the worst one costing an of average £20,000 in 2008 to 11 incidents in 2010, with the worst one costing £55,000 on average.

The way that security has been pitched to the SME has been completely wrong in the past and fails to understand the difference both in the key drivers for, and the way a small business operates. Large corporates have huge resources at their disposal in terms of time, staff and expertise – both in IT and in law. Their board is driven by compliance because they are both aware of appropriate legislation and the need to comply with it. SMEs by contrast, unless operating within our own industry, are unlikely to be aware of key legislation or have the necessary IT expertise to act on it. Drowning a small business in mountains of paperwork and a complex risk assessment is not appropriate to all but the largest SMEs. The drum of “regulatory compliance” as the pitch has no resonance either to the small business owner. The irony of course is that compliance with key legislation is not optional, and that the Data Protection Act applies to all businesses, large and small. Similarly, any company offering payments via credit cards need to review their PCI DSS compliance.

Even if the SME owner is inclined to do something about information security, where do they go for up to date guidance? There is certainly  a great deal of information available online, but it is spread across numerous websites; it is focused primarily at large corporates or government bodies where huge processes and large amounts of paperwork are the norm; and is often out of date and does not address current threats and security issues. The guidance too is often completely out of date – not by months but in some cases a whole decade. For example: is dial-back access security or cloud computing security considerations more appropriate for the security landscape in 2011?

In drafting the new standard the ISSA have looked closely at the status quo and decided that the only option was to create a new standard from scratch, specifically for the SME market. It has been written in language that is appropriate for the small business owner. Over the coming months we will be reviewing the feedback received after a consultation exercise. Moving forward the ISSA UK chapter sees the need to provide up to date guidance on the key issues affecting small businesses.

ISSA 5173 is the new draft standard for information security from the ISSA UK Chapter, and is available for review and download. Feedback on the new standard is welcome at:

Phil Stewart is Director of Excelgate Consulting and Director, External Communications, at the UK Chapter of the ISSA.

The ISSA: Membership Benefits

February 28, 2011

The Information Systems Security Association (ISSA) is the largest, not for profit, international organisation for information security professionals. I’ve been a member of the ISSA for several years, before joining the management team. Its strength lies in the diversity of its membership and the wealth of experience of its members.


The diversity of its membership comes from not only industry sector (government, finance, legal, security vendor, reseller, academia, and consultancy all represented) but also job role (architect, CSO, CTO, CEO, consultant, director, researcher, student).  Our current advisory board contains Members of Parliament, peers, members of Cabinet  Office, SOCA and various vendors, financial institutions and academia. This allows for a holistic view of the industry.

The UK’s chapter of the ISSA is the second largest chapter worldwide and continues to be an innovate chapter for information security.  We are currently working on a new standard for SME security: details of this will be announced later this year.

Membership Benefits

By joining the ISSA, as a member you will have free access to the events hosted in 2011. These events reflect the diversity of the membership of the ISSA and make for engaging debate. In addition, they also count towards CPE credits for those wishing to maintain their certifications. Each event typically counts for 3 CPE, whilst the security days typically counting for 6.

2011 ISSA-UK Events:

10th March 2011, London:
“Through the Barricades” – infrastructure security

12th May, 2011, Bletchley Park:
Security Training Day: Ethical Hacking & Forensics

17th May, 2011, Edinburgh:
The Emerging Threat

9th June, 2011, London:
Trusted Computing

14th July, 2011, HMS President, London:
Security Training Day: Anti-malware Dragon’s Den

8th September 2011, London:
Regulatory Compliance

1st November, Glasgow:
Trends In Information Security

22nd November, Leeds:
Trends In Information Security

8th December, London:
Chapter Meeting & Festive Drinks

13th December, London:
Microsoft Security Training Day

ISSA-UK: 2010 Event

Geoff Harris, former ISSA-UK President (2007 - 2010) addressing the UK Chapter in 2010

Discounts on Conferences & Training

Membership of the ISSA provides discount on attending numerous partner events including:

  • RSA Europe
  • SANS
  • MISTi
  • Gartner
  • ASIS
  • (ISC)2

Webcasts and eSymposiums

The ISSA run webcasts which cover current topics of discussion in the information security industry. Attendance at these webcasts is free and webcast attendance typically counts towards CPE credits for maintaining current eligible certifications.


Membership provides a number of periodicals:

  • A monthly e-newsletter updating members on ISSA news and events
  • A bi-annual magazine “The ISSA Journal” delivered to your door
  • A monthly e-magazine “The Journal”


The strength of the ISSA lies in the diversity of its membership. This provides a holistic view of the information security industry and provides excellent networking opportunities:

  • Participate in innovative workgroups (e.g. the new initiative on security for SMEs)
  • Share advice with your peers
  • Broaden your knowledge by exposure to new technologies, legislation and industry sectors


Membership of the ISSA signifies that you are:

  • Connected to a highly regarded organisation
  • Part of a network of global information security peers
  • Committed to professional growth and development

Membership is extremely good value for the money with annual membership fees for general membership at $95. Student membership is at the discounted rate of $30. The UK chapter is one of the few chapters to provide attendance of events for free for current members. Online joining instructions can be found at the ISSA’s website:

Our next event is on March 10th in London – “Through the Barricades” (Infrastructure Security). Details of this event are online at:  This first event of 2011 is free for both non members and members (AGM section for members only).

For any membership enquiries please get in touch:

Follow the ISSA-UK on Twitter

Phil Stewart is Director of External Communications at the ISSA-UK

WikiLeaks: The Law Lags Behind the Technology

January 31, 2011

One of the challenges the US government faces is to successfully try someone using the Espionage Act of 1917. There have been few successful convictions in such cases: though not none as is sometimes erroneously reported. In 1919, the US Supreme Court ruled that the Espionage Act did not contravene the First Amendment to the US Constitution (which prohibits the making of any law which infringes freedom of the press or freedom of speech, amongst other things).

"Top Secret"

The leaking of classified material into the public domain is clearly an offence under the Espionage Act (and ways to prevent this from a technology and process perspective were covered in Excelgate’s previous article WikiLeaks: Is There a Silver Bullet?). The law clearly was never designed for the Internet age. There remain loopholes in the law, concerning the re-publication of already leaked material. This has been recognised in the US Congress: with Senators proposing a new SHIELD Act which will specifically target those publishing already leaked material. Amongst the aims of the new Act is to “make it illegal to publish the names of U.S. military and intelligence informants.” The debate now rages in the US as to whether or not such an Act would curtail freedom of the press and thus be deemed unconstitutional.

In the UK things are more clear-cut concerning the issue of publication of already leaked classified material. The Official Secrets Act was revised in 1989, repealing the “public interest” defence from the former act of 1911. In addition, in section 5, it makes for provisions that potentially allow for prosecution of newspapers or journalists who publish secret information leaked to them by a Crown servant or government contractor, in contravention of any section of the act. This would include (under section 3) the disclosure of information concerning international relations.  This does however, only apply to UK citizens, or if the disclosure takes place in the UK, the Channel Islands or its overseas territories.

The UK is not immune, however, from laws which lag behind the realities of the technology of the 21st Century. Earlier this month, the UK Deputy Prime Minister, Nick Clegg, discussed changes to the UK’s libel laws, which currently work against scientists and others, who publish their findings online. There have been cases brought against UK citizens by foreign companies whereby the publishers’ ISPs are effectively told to remove the content and thus act as an intermediate judge and jury. The current UK libel laws have attracted much attention, with more than 50,000 backing the Libel Reform campaign. The US also passed a bill protecting its citizens from these laws, by decreeing that foreign libel laws are not enforceable in the US.

Once again the issue here is that technology has evolved so quickly that the law has not kept up. When the libel laws were drafted in the UK, written publications tended to be well-thought through, drafted and checked by their publishers and legal team prior to publication. Publications were limited to the national media: print, then radio, then  television. Very rarely did John Smith’s opinions appear in print, and if it did it would have been checked by a team of editors.

In 1996, it was estimated that there were 30 million Web pages, located on 275,000 servers, as indexed by the Alta Vista search engine. In 2011, it is estimated that the World Wide Web now consists of 13.03 billion web pages, as of January, 2011. Prior to the World Wide Web, it was straightforward what constituted a reasonable case for defamation: a false statement made which damaged reputation. It was easy to prosecute too: no supporting evidence to back that claim. Discussions between scientists were unlikely to surface into the public domain, without prior checking by their publisher. What remained as a private discussion between two scientists remained so. With the proliferation of online blogging, this approach to publishing no longer occurs, and in some cases the current laws are abused. Emails too are also in some ways a dangerous form of communication: they tend to be the 21st century equivalent of a previously spoken discussion – sometimes flippant, and for some people, tend to reflect what they only would have  spoken prior to the Internet. However, emails can be forwarded:  opening the way for libel action.

Digital World

In 1996 it was estimated there were 30 million web pages globally on the web. This has grown to over 13 billion by 2011: nearly 2 pages for every person on earth!
Image: © Nmedia -

As this article is being written, it is being reported that 5 men in the UK have been arrested in connection with allegedly participating in the Anonymous’ Denial of Service (DoS) attacks which were mounted against PayPal, Amazon and MasterCard, in support of WikiLeaks. In a DoS attack, a hacker, or group of hackers aim to bring down a website or service by flooding that site with traffic, so that the site is longer able to respond. Such attacks are illegal under both US and UK Law. In the UK, the Police and Justice Act of 2006 makes it illegal to engage in a DoS attack, with a maximum sentence of up to 10 years imprisonment. Part of the reason for that Act was that it was felt at that time that the Computer Misuse Act of 1990 had potentially a loophole which did not cover DoS attacks. Such attacks in the US are covered under the Computer Abuse and Fraud Act.

The interconnectivity of the Internet and the WikiLeaks issue both illustrate that it is impossible for one jurisdiction acting alone to deal with what is a global problem. As with the financial crisis, co-ordinated action worldwide is needed across governments and geographies to deal with this problem. Those who seek to engage in criminal damage to computer systems should feel the force of the law, irrespective of where the attack took place from. Perhaps 2011 is the year where governments worldwide need to think about how their current legislation reflects data publication and Internet usage and abuse? Policy, process, and procedures are all very well, but the law also needs to reflect the realities of the 21st century. As with the birth of the international electronic communications in the form of telegraphy, only when there is a global consensus will there be a way forward.

Phil Stewart is director of Excelgate Consulting and a member of the management team of the UK Chapter of the ISSA.