Security Readiness

Outside of the big four banks and Telstra, Australia lacks world-class cyber security teams.

by James Turner

A few weeks ago I was fortunate enough to attend the world's largest cyber-security event, RSA Conference, in San Francisco. This year was the 25th anniversary of the conference, and there were 40,000 attendees, and over 500 vendors exhibiting.

My experience at RSAC reflected my experiences at many other international cyber-security gatherings over the years. I have come to the conclusion that Australia has pockets of cyber-security leadership that are world-class, and in some instances, world-leading. But these pockets of capability – almost all at the top end of town – are insufficient for the nation's needs.

In Australia we have a small number of organisations with big cyber-security teams, and established leaders with excellent bench strength in their direct reports. Principally, these pockets of cyber maturity are in the big four banks, and a hothouse of talent that has emerged in Telstra.

Conclusion: Cyber security can be perceived by outsiders as an occult domain. Psychologically, people can respond in many ways to something they do not understand with responses ranging from denial to fear. Consequently, a frequent challenge to better security maturity is inertia, rooted in ignorance. It is imperative that security practitioners break down this barrier by communicating with decision makers in a way that empowers the decision maker. Consequently, valuable conversations about risk and threats can be grounded in conversations about reliability, resilience, safety, assurance and reputation. Security may not need to be mentioned and, in many cases, even raising the label of security can undermine initiatives that had security as an objective.

Conclusion: As cyber security gains awareness among business leaders, many organisations are undertaking new cyber risk management initiatives. However, these initiatives can be misdirected if business leaders are not clear on why they are doing them. On the journey to improving an organisation’s cyber security maturity, the question “why?” is a powerful tool to test alignment of security to business requirements.

Conclusion: Organisations must understand that cyber risk is not merely a technical issue that can be delegated to IT but is a business issue that comes hand-in-hand from operating in a modern, online, ecosystem. Until cyber risk is treated as a business risk, we will continue to see organisations fighting a rear-guard action to threats that should have been designed-against through better digital business strategy.

Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber-attacks, regulators and courts will be looking for evidence that organisations exercised due care in vendor selection and support of information security initiatives. The great challenge is in communicating to non-technical people what are often thought of as merely technical issues. In this shifting market, an approach such as the “Five Knows of Cyber Security” can prove invaluable in shifting a technical conversation to a governance conversation.

Conclusion: Security leaders know that it is not enough for the security group to do its job; they must be seen to be doing their job. This need for communication between security and the business is resulting in organisations creating outreach roles. Many organisations have yet to realise that this communications gap directly impacts their risk management capabilities. While the security team may be executing its work with technical accuracy, it is not serving the true needs of the business. The key to bridging this gap is an outreach function.

Conclusion: as cyber-security becomes a board-level topic, organisations in the A/NZ region are feeling the pinch of the security skills shortage. In this environment, moving IT services to the Cloud has the potential to streamline and/or automate some basic IT security practices. Cloud services are not an IT security silver bullet, but for many organisations, the scale and maturity of some Cloud vendors will be an improvement over their current IT operations.

Conclusion: Awareness of risks and threats, by itself, is not enough to protect an organisation. Security awareness campaigns are a sustained attempt at behaviour modification. But behaviour modification works best when an individual is not resisting the change. This means that the first step for any security awareness campaign must be to assess employee engagement. If employee engagement is low, this must be addressed before a security awareness campaign can be effective.

Conclusion: As much as the industry should not blame the victims of cyberattacks, the industry must also learn from these crimes. There are important lessons that must be drawn out from these breaches, because most organisations would be equally vulnerable to similar attacks. Three key lessons are: look for indicators of compromise and be sufficiently resourced to respond, review exposure through third parties and, consider compliance to security standards as a bare minimum for required effort.

Conclusion: Organisations must ensure they have taken reasonable steps to not release IT equipment which contains information assets. Leading software options for wiping data will be more than adequate for most organisations, and physically destroying disks is both excessively costly and environmentally unfriendly. However, as important as ensuring that sensitive data is destroyed, it is equally important that the organisation has an audit trail to demonstrate that the data destruction policy has been followed. The more sensitive the information is, the greater the need for the assurance of an audit trail.

Mandatory data breach disclosure is exactly what it says: legislation that obliges an organisation to reveal that it has experienced a data breach and lost control of its customers’ personally identifying and/or sensitive information. The industry buzz really started in 2003 with California Senate Bill 1386 which obliged organisations to inform their customers if there was, or reasonably believed to have been, a compromise in the confidentiality of the customers’ data (which meant “lost” + “unencrypted”).  

Conclusion: IT executives from Australia’s largest organisations are actively looking for ways to create cyber-resilience, not just in their organisations, but also in the ecosystem their organisations operate in. These executives are acknowledging that it is not enough for an organisation to survive, if the community they operate in is crippled. IT security executives are concerned that in the event of a severe attack the current, disparate, communications channels between private sector and government will not be effective. There is a need for a coordinated, national, response to a severe cyber-attack; and that everyone in the information security community knows what this response is

Conclusion: The probability of an inside attack is hard to gauge and depends entirely on the inner state of the attacker, but the impact can range from inconsequential to disproportionately vast. CIOs must assess the risk of a malicious insider in the context of their organisation’s information assets and risk management priorities. Astute CIOs will know that technology alone will not mitigate this risk, and that an ongoing

Conclusion: Windows XP will not stop working in April 2014 when Microsoft stops supporting this popular operating system. However, as time passes, this OS will become an increasing burden on organisations, due to third party support, security challenges, increasingly specialised skillsets, and perception. Windows XP will quickly become a legacy environment, with all the associated challenges. Consequently, CIOs should have a clear plan for any remaining Windows XP machines. The value of a clear plan is two-fold: firstly for common understanding within the IT department, but also for communicating to stakeholders.

Conclusion: In engaging with an external incident response provider, it’s vital that they are not walking blind into your environment. Equally, you need to know exactly who they are, what they are capable of, and what the agreed outcomes of the engagement will be. If you have been attacked, or are still under attack, your organisation’s information assets are potentially at their most vulnerable, so the trust in your incident response provider needs to have been established prior to the attack. This places higher than normal importance on your vendor selection process, and in engaging with the incident response provider as early as possible.

In 2010, IBRS wrote that “My dog is a cloud” and noted that defining cloud was an exercise in fuzziness, there’s a gap between expectations and experience, and the self-promotion by cloud vendors is relentless. The more things change, the more they stay the same.

IBRS recently ran a series of roundtables where CIOs were able to meet and discuss the impact of the cloud on IT departments and their organisations. An interesting theme was that the CIOs often experienced great frustration with the cloud. Promises of lower costs, transparent billing, responsive support, and integration often varied from reality. Some of the stories sounded like a commercial version of Russian Roulette, or what it would be like dealing with an unregulated banking industry.

Conclusion: Recent exposure of US intelligence community actions, to monitor data of non-US entities, has highlighted the tenuous control organisations have over maintaining the confidentiality of their data. Whether US intelligence explicitly, or informally, assists US commercial interests, non-US organisations have been served with a clear warning as to how they should see this new world.

Organisations should review what information assets they are entrusting to US cloud vendors, and what the impact on the organisation would be if the confidentiality of these assets were to be compromised without the organisation’s knowledge.

Conclusion: In this era of targeted, self-obfuscating, and successful cyber-attacks, organisations must do three things. First, recognise that the organisation cannot prevent a dedicated attack. Second, understand what the organisation’s information assets are, and where they are. This is because we cannot always anticipate how the attacker may get in, but it is imperative to know what they are likely coming for. Third, increase your focus on detection and incident response, because you must be able to deal with a breach when it happens.

Conclusion: IT departments must alert both HR and legal counsel that the Mobile Device Management (MDM) platforms being deployed have the potential to put the organisation in breach of workplace surveillance legislation. MDMs can activate the cameras built into smartphones, activate the microphone, and access the smartphone’s GPS. Working with Legal and HR will likely result in new Acceptable Usage Policies for staff, and IT most likely needs to review controls for the MDM platform to ensure that these capabilities are not abused.

Conclusion: The intention and skill of an attacker will ultimately determine the impact of the attack, regardless of the preventative technologies an organisation has. In this respect, a skilled attacker intent on destruction is akin to a natural disaster: measures can be taken but ultimately it’s out of your hands. We cannot prevent floods and earthquakes, so what makes a difference is how organisations respond to these disasters. It is imperative that organisations with disaster recovery and crisis management processes extend these to include responding to cybercrime. The first area to look is at how the organisation will deal with not being in control of its own IT, including communications systems such as email and VoIP.

Many years ago when I lived in Perth, one evening after work I was standing in chest-deep water at Cottesloe beach admiring the sunset. I happened to turn and look to my left and saw a fin sliding out to sea, about 10 metres away.

I quickly realised that the fin was making the sine wave motion of a dolphin, not the sideways sweep of a shark. When I turned to face the beach, there was a small crowd of 20 or so people gathered at the water’s edge. As I got out, a lady said to me, “He was swimming right behind you”.

IBRS, along with many other organisations, has written extensively about “the cloud”. Every organisation selling a product and/or service puts its own spin on what the cloud actually is.

The appeal of cloud computing cannot be denied,and the buzz in the market for the last few years is evidence of the desire of IT organisations to find ways to deliver IT services that are: better,cheaper, more resilient, more secure, and moreuser friendly.

Cloud services are not similar to a highly virtualised internal IT operating environment, although cloud vendors may use virtualisation extensively. Nor are they similar to the tightly controlled experience of time-sharing on a mainframe back in the 1970s, although cloud vendors may price their services in a similar user-pays model. Even though webmail, a form of Software as a Service,has been available to consumers since the 90s, cloud vendors have moved well beyond that simple offering.

While there are excellent and crisp definitions of what the cloud should be, for example the definition provided by the National Institute of Standardsand Technology1 (NIST), what really makes cloud new is how the term itself has become both all encompassing, and yet completely useless at defining the nature of the service!

Conclusion: Blackberry 10 will, at best, bring Blackberry functionality to where iOS and Android have been for over a year. However, most organisations are moving away from Blackberry, either publically or in a steady, quiet, exodus as users choose which handset they’d rather have. BB10 will not stop this exodus as it is designed for the enterprise, not the consumer. The steady decline in fortunes for RIM will be painless for most organisations, except the few that are tightly coupled to the Blackberry ecosystem. These organisations should act now to minimise the coming impact of dealing with a company with a bleak future.

Conclusion: Organisations which have gone down the Mobile Device Management (MDM) path with a view to enabling their staff to bring their own device (BYOD) are discovering the shortfalls of this device-control approach. A BYOD device is not a corporate asset and cannot be treated as such: it should be viewed as untrusted and treated accordingly. Consequently, leading organisations are treating BYOD as an exercise in remote access. Instead of trying to control the untrusted device, focus on user experience, and controlling access to the data.

Conclusion: Identity management projects do not have a good reputation for successful delivery. Too often, the final implementation fails to live up to promises. Identity management projects can deliver genuine value to a business, including: compliance with regulation, improving customer satisfaction, or reducing risk. But if the business is not driving the project, then the project is probably off the rails and heading for failure. In this situation, CIOs must seriously consider terminating the project because a project not driven by the business is one being imposed on it – it is the tail wagging the dog.

Conclusion: IT security strategies are an invaluable resource as a means of coordinating security efforts and in improving funding approval for security projects – because they can be shown to be following a coherent consistent strategy. The process to create them is an overlooked source of value for the information that it uncovers. An IT security strategy must be closely aligned with what the business believes its security and risk priorities to be. The process of uncovering business impact against various systems is likely to bring up unexpected gaps in knowledge for both IT and the business, and it is here you will find additional gold.

Conclusion: Patching is now considered a standard part of IT operations. Vendors release patches either to mitigate against new risks, or to introduce new functionality. However, the application of a patch can not only result in the intended outcome (risk mitigation or expanded functionality), it can also have unintended consequences.

Organisations looking at creating a patching strategy should ensure that the business stakeholders are clear on the potential impact of both patching, and non-patching. Either choice carries risk. What will make the difference for organisations are security professionals who can crisply articulate the balance of these technical risks as they pertain to the business requirements of the organisation.

Up to this point I’ve been a supporter of data breach notification. Coming at the issue as an industry analyst, I think that transparent information on the local experience of data breaches (such as what information is targeted by attackers, how much it costs a company to deal with a breach, the frequency of breaches, the avenues of attack, and so on) would be extremely valuable to the industry as a whole. This is the luxurious, wide-angle, perspective which is expected of an industry analyst.

Then a story such as the hacking of Verisign comes along. In October 2011, Verisign disclosed in a quarterly report to the SEC that: “The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements.”

Conclusion: As cloud services - typically Software as a Service - become increasingly accepted, the IT industry is gaining valuable experience in the actual risks of putting data in the cloud. Most of these risks centre around data confidentiality. Knowing the actual risks, rather than the fear, uncertainty and doubt that vendors and security consultants can throw at the cloud, enables CIOs to make informed choices and recommendations to the business on cloud usage.

Conclusion: Whether in the domain of IT security, or in corporate fraud, when an organisation has been successfully attacked, what makes the difference is knowing that the attack occurred, and knowing as soon as possible. For organisations working to make their IT security budget go further, having a third party service provider check security logs is proving to be a cost effective form of selective outsourcing. Of course, this service doesn’t make an organisation perfectly secure, but early knowledge is vital to incident response and loss minimisation.

Conclusion: Organisations are finding that there are potentially many benefits to deploying a single smartcard that can perform multiple functions. A unified smartcard carries the possibility to reduce costs, improve security, and improve user experience. However, the complexity of a smartcard deployment is a function of the number of business units and processes that will be touched, and so thorough research and planning is essential. Strong political will from an executive sponsor is also imperative to success, and can be generated with a business case that is explicit on what the intention, and ranked objectives, of the deployment are.

Conclusion: Cloud computing has multiple dimensions that must be considered when analysing risk. The use of four key variables can rapidly identify the expected level of risk in a cloud computing scenario. These four variables – deployment model, geographic location of data, supplier arrangements and information criticality – can be quickly applied to assess the level of risk and determine a suitable mitigation strategy.

Conclusion: Despite the apparent value of the DSD’s Top 35 Mitigation Strategies report, organisations considering executing its recommendations will have to weigh up the business impact of implementation. In some instances, a mitigation strategy may be too intrusive on business operations. For some, the cost of ongoing support may be too high. However, the most significant barrier will be communicating risk to the business, and the need for a given strategy (particularly the more intrusive ones!). In order to realise the benefits of this resource in improving an organisation’s security posture, the report will need to be translated into business impact in order to gain executive buy-in.

Conclusion: Tim Cook, the new CEO at Apple, is noted for his excellence at managing Apple’s supply chain, and while he has spoken about engagement with the enterprise space, this will only be a token gesture from Apple. Enterprise IT does not play to Apple’s strengths. Apple will continue to focus on being great at what it already does: designing for, and selling to, consumers. This presents a challenge for enterprise IT departments because in the absence of meaningful enterprise support from Apple, enterprise IT must aim at negating the impact of any device’s form-factor.

Back when I was at university, I had two particularly interesting lectures in the same week; one from the school of management, and one from the school of marketing. What made them so interesting was the timing as well as the content of the two lectures. Management said, “perception is not reality”. Marketing said, “perception is reality”. (I agree with both statements.)

Management said that just because I felt a certain way about a situation, my feeling didn’t make my opinion the truth. Perception is not reality. Marketing said that even if you have the best product, if the consumers think another product is better, then the other product is better! Perception is reality.

Which brings me to the consumerisation of IT and mobile devices.

Conclusion: There are three key areas of risk to an organisation in enabling staff access to social networking sites. These three areas relate to: the data being shared with the site, the people using the site, and adherence to organisational policies. The point of greatest impact to address all three areas of risk is in training the users to interact with these social networking sites safely and securely. The employees are consumers of IT both at work and at home and their personal risk appetite will guide their behaviour in both locations, so education is vital in order to change behaviour. The importance of this point will become increasingly obvious as organisations explore mobility and BYOD (bring your own device) initiatives.

Conclusion: The Stuxnet worm was a turning point for the development of malware. Over the last few years even the anti-malware vendors have been acknowledging that the signature-only approach for AV is insufficient. We must assume that we will not be able to detect the malware itself, we must rely on being able to spot the ripples of its passage. The next 12-18 months will see the early majority of organisations (pragmatists) crossing the chasm and joining the early adopters in looking at anomaly detection and event correlation products.

Conclusion:The latest Verizon Data Breach Investigation report (2011) continues many of the themes drawn out since its first publication in 2008. However, the DBIR is not a best practice guide on how to secure organisational data; it is an aggregation of cases where organisations failed to secure theirs. Consequently, the DBIR should be viewed as a document which identifies worst practice, and provides instructions on how not to be a follower of worst practice. Some of the breaches that have made headlines this year show that even well-resourced organisations can overlook the basics of IT security.

Conclusion: It’s easy to become complacent about emergency procedures. But the importance of emergency procedures which support health and safety in the workplace cannot be overlooked just because they are time consuming and boring. Just as preventative security technologies are only as effective as the diligence that goes into their configuration and ongoing support, emergency procedures are only as effective as the diligence with which they are maintained, communicated, and practiced. When something goes wrong, you need to know that your staff have been given every resource to handle themselves and the situation.

Conclusion: For customers, there are many advantages, both tactical and strategic, to participating in vendor reference programs. However, IT executives should give thought to scenarios which involve their organisation being held up by a vendor as either innovative, or an early adopter. While the attention may appeal to the ego, there are risks of being out on the bleeding edge, or in being a minority adopter. Being held up as either innovative, or an early adopter, could indicate that your organisation is straying from the rest of the industry. A key concern for IT executives should be that this exclusiveness could equally herald a future shortage of skilled resources.

Conclusion: The market for third party mobile device management platforms is immature and there are differences in capability between products, but these middleware platforms are producing positive outcomes. While this market will commoditise quickly, the real risk for IT departments is that they design their applications and mobility strategy in such a way as to (yet again) lock themselves into a specific device/OS combination. The device shouldn’t matter.

Conclusion: Cisco and RIM will fail to dominate the corporate tablet computer market and will lose out to consumer technology from Apple and Android. Cisco is currently dabbling in this area, and RIM is slowly losing relevance in the enterprise.

There is a clear shift towards consumers using their own smartphones and tablet computers, and CIOs should start planning for how they will enable secure remote access to corporate data from any device, with any operating system. Buying into the dream of corporate issued mobile devices, built for the enterprise market, is buying a white elephant: expensive to maintain, supposedly prestigious, but ultimately useless.

Conclusion: The iPhone entered organisations like a bunker-buster, and has blown open the doors for diversity of devices and form-factors. Ultimately, most organisations will have devices that will be a blend of: a) a small set of corporate issued devices, and b) a larger set of personally owned devices. Consequently, any management of devices, and the data on them, must be independent of their various form factors, operating system, and capabilities (as per the PED trilemma). As a direct consequence, expect a long term shift away from trying to manage the device, towards a more focused effort to secure the data and authenticate the user.  

Conclusion: The demand from non-IT business units for cloud computing is symptomatic of their desire for better IT services and should be supported, if not driven, by IT. However, an engagement with a cloud vendor must be treated with the same level of risk assessment and diligence as any other outsourcing engagement. Organisations must ensure that corporate governance is not bypassed in a rush for the cloud.

A fascinating advantage of the public cloud is the extremely high availability of the data (at least in theory!). From any device, from any Internet connection, I can surf to a site, provide my credentials, and access data. We are so used to webmail that we can be nonchalant
about this, but it is quite extraordinary. The trouble is, if the data is highly accessible to you when you are on any device on any Internet connection, then it is accessible to other people from any device on any Internet connection.

Conclusion: Data Loss Prevention (DLP) technologies have matured over the last 12 months. They are more capable, but there is still a wide range of capabilities between the various products, and an even wider gap between the brochure and reality. Before proceeding with a proof of concept, IT must understand the very specific requirements that the business is expecting to achieve through a DLP deployment, and how willing the business is to pay for these. Failure to understand these requirements, and failure to get business stakeholder commitment, will result in project failure.

Conclusion: The transmission of pornography in email is a serious issue for all organisations which aim to comply with their own HR policies on providing a workplace free of sexual harassment. However, the technology currently available to support these policies, through filtering and classifying images, is far from perfect. CIOs and HR professionals must clearly understand that pornography in the workplace is better managed as a cultural issue, not a technology issue.

Conclusion: Security professionals are valuable not only for what they know, but also for how they think. However, this style of thinking can often result in them being alienated for “being too negative”. An alienated security professional is a waste of resources, so CIOs should adopt DeBono’s Six Thinking Hats, a thinking exercise based on role-play, to ensure that they get the most value out of their security people.

Conclusion: Most of the pressure on IT departments to deploy or support iPhones is from organisational VIPs, and so IT departments should not resist a deployment, but they should delay. With a new iPhone operating system and a new generation of hardware just around the corner (as well as the recently released iPad) IT departments should assess third party mobile device management platforms to assist them in supporting and securing an iPhone/iPad deployment.

Conclusion: The rise in the Australian Dollar is encouraging many organisations to investigate using IT and business process service providers outside the country as a means of reducing their cost base. There is no doubt that ongoing savings are possible, but they will only be sustained if the risks are managed and IT professionals responsible for outcomes are diligent and track performance.

Conclusion: A less frequently considered aspect of protecting an organisation’s information assets is the preparation required for the immediate aftermath of a successful attack. This is the crossover point between incident response and crisis management. The prudent organisation with valuable information assets has already planned what steps will be taken in the event of a successful attack. Most of these decisions must be made by senior executives from business units other than IT, and they must be made well in advance of the attack occurring. IT will merely be executing their instructions because decisions concerning the information assets are not IT’s to make.

Conclusion: The recent attack on Google’s infrastructure (and resulting announcement by Google of the attack) has a number of important lessons for organisations which are also attacked by well-resourced hackers. These lessons are important and may not be immediately palatable to many, who would prefer to hush up an attack.

Conclusion: The introduction of a Data Loss Prevention technology into an organisation will have a significant impact on organisational culture. An important aspect of the cultural impact is that a DLP product, if deployed in active blocking mode, could prevent senior people from doing their job as they (legitimately) share sensitive information with trusted partners such as accounting and legal firms. People in senior positions must be trusted to act as they deem best for the organisation, but this trust must be verified.

Conclusion: Today business knowhow is mainly stored in two places: in human brains and in software systems. Both forms of storage share the problem that raw knowhow is not easily transferable from one context to another. Valuable knowledge is repeatedly lost through staff turnover and through technology replacements. Minimising knowledge loss requires determination and an understanding of the mechanisms that lead to unnecessarily strong coupling between business knowhow and implementation technology.

Conclusion: Some organisations are deploying DLP, but the ones reporting successful deployments are the organisations that are able to invest more resources in both deployment and long-term support. Given the considerable overhead on staff, and the challenges of dealing with the deluge of alerts, organisations considering a DLP investment should first deploy endpoint encryption.

Conclusion: IT security managers in larger organisations in Australia and New Zealand are approaching cloud computing very cautiously. The leading concern is the geophysical location of data and the risk this introduces to organisations – primarily from the possibility of a data loss resulting in reputational damage. This means that organisations will have carry less risk if they retain data in a jurisdictional cloud.

Conclusion: Given that the deadline for Payment Card Industry Data Security Standard (PCI DSS) compliance has passed, and that most cardholder data in Australia/New Zealand is extracted via SQL injection attacks, local organisations should ensure that their website security gets priority attention. This is a classic instance of where a moderate degree of effort will result in an important reduction in an organisation’s risk profile.

Conclusion: Microsoft’s Forefront Client Security will need to achieve a “better than” market perception before security professionals will consider it to be a reasonable and acceptable enterprise response; and this relates to both its anti-malware effectiveness, as well as its ability to be managed and automated in a heterogeneous environment. Obviously, security is a sensitive subject for Microsoft, so its efforts in achieving a “better than” market perception will be considerable, but it will also take the healing passage of time.

Conclusion: Now, there is renewed pressure on new IT projects to prove their value. For IT security projects, managers may feel that they need to make excessively complicated calculations in order to prove a return on investment (ROI) and thereby justify the project, but this is an unnecessary complication. Rubbery figures will melt under close scrutiny – potentially sinking the project.

A security business case needs to communicate the fact that organisations must also spend money to stop losing money. Security projects are undertaken for loss prevention. Like all projects with soft benefits, an IT security project should be shown to be in alignment with, and supporting of, organisational values: specifically risk appetite. More mature organisations will have less of an appetite, particularly in challenging times.

Conclusion: Security awareness campaigns are actually an effort to change an aspect of organisational culture. Cultural change is famously difficult, takes a long time, and will ultimately fail if it does not have senior executive commitment. Specifically, senior executives must be seen to be exhibiting the behaviour of the new culture. The implication for security professionals is that awareness campaigns must start at the top and not move out across the organisation until there is behavioural change at the top.

Conclusion: Despite the vendor and media hype around malware threats to the hypervisor, the biggest risk to IT departments from virtualisation is insufficient procedural controls.

The risk stems from virtual machines being poorly managed, growing in number, and the consequent haemorrhage of money to support them. Virtual machines should be processed through a planned, and managed, lifecycle so that they do not sprawl out of control and absorb excessive resources. By using a chargeback mechanism, CIOs can ensure that each virtual machine instance is not further depleting the capacity of the IT department to support the organisation.

Conclusion: Organisations are potentially at risk from employee fraud, and a frequent motivator for the perpetrators is their gambling problem. While not all employees who gamble are going to commit fraud, it is imperative that the subject of gambling by employees is addressed as part of any organisational risk assessment. The subject is sensitive and complicated, but must be considered because of the direct cost of fraud.

In the numerous conversations I have had over the past few months, concerning the government’s ISP content filtering plan, a common pattern occurs. The people I’ve spoken to object to the plan, but when I ask what their specific objections are, nearly everyone provides ideological arguments – not technical. The most common ideological argument is a rejection of the government taking on the role of “Big Brother”.

Conclusion: Many economists currently agree that the global economy is at least a year away from improving. Until the economy recovers, many IT professionals will have their positions made redundant and organisations must handle these redundancies with great care. The expertise of IT professionals who feel a need to take revenge means that the impact of an insider attack could be very costly to an organisation which may already be struggling.

Organisations which have already deployed technical controls, such as Identity Management suites, and procedural controls, such as separation of duties, will be better positioned to help close the window of opportunity against sabotage and fraud. But, inside attackers frequently have a pre-existing grudge which is work-related, and so IT management attention must be given now to dealing with the “soft side” of their staff and contractors.

Conclusion: Historically, operating systems and applications were the richest source of software vulnerabilities for attackers to exploit, but the problem organisations are now facing is that web browsers and plug-ins are being targeted; and this is a trend that will only increase in the near future.

Internet-facing browsers are effectively part of the perimeter, and organisations must have a strategy which will not only protect the browser, but also protect against a compromised browser. This has implications for all browsers – including those on portable electronic devices (PEDs) which are increasingly pitched as mobile web-access devices.

Conclusion: Despite the growing body of information available on data breaches, many executives remain unjustifiably overconfident in their organisations’ security capabilities. (Ironically, this overconfidence is reflected in the contributing causes of data breaches.) Organisations will not be breached through their strongest points of defence – the points organisations have most confidence in – they will be breached through their weakest points. The lesson from past data breaches is that these weaknesses are likely to be areas which have been overlooked. It is the unknown unknowns that undermine information security.

These unknown unknowns can only be identified by people who have not been instilled with the same assumptions that the organisation is already working with. It is only through encouraging designated people, and third parties, to challenge assumptions and voice dissent that organisations stand a chance of avoiding the trap of insecurity-by-consensus.

Conclusion: The Payment Card Industry Data Security Standard (PCI DSS) is concise and promotes many effective controls – most of which can be achieved through business process reengineering or redesign. Software and hardware vendors talk about fines for non-compliance, but unlike the US, these fines are almost non-existent in Australia. As such, PCI DSS has no stick but there is the possibility of a carrot: a lower risk profile.

Many organisations confuse receiving credit card payment with handling cardholder data1. These are not the same thing and CIOs should challenge the assumption that it is necessary to handle the cardholder data. Only organisations that absolutely must handle cardholder data should become PCI DSS compliant. Otherwise, organisations should reduce their risk profile by not handling cardholder data at all.

IBRS conducted an online survey of prequalified IT decision makers in Australia & New Zealand. The respondents were asked questions focusing on their experience of operational issues relating to identity and access management. The results of this survey are presented in this report, and a high level analysis is given.

Conclusion: The threat of a data breach (unauthorised access to data) is not just from hackers, and not just as a result of malicious intent. Carelessness and oversight by trusted inside sources has been shown, repeatedly, to be the root cause of numerous data breaches. Recognising this, many organisations (particularly in government and finance) include security awareness training as part of an employee's induction.

But this one-time security awareness training is easily lost in the information overload experienced by new starters. Security awareness training is vital but in order to realise the benefits, and prevent the acts of carelessness, it is even more important to repeatedly expose employees to the training to keep their level of security awareness elevated. Elevated security awareness helps create the human firewall: probably the most cost effective security resource you can get.

Conclusion: Deprovisioning old accounts which are no longer required on corporate information systems is an essential process to managing complexity and supporting information security objectives. While provisioning and change management are aspects of identity management that often get more focus as they are seen as business-enablers; deprovisioning, as part of an identity lifecycle process, may not help businesses make money, but it does help mitigate risk. Failing to deprovision legacy accounts which then become a conduit for fraud could well be seen as a failing of due care and governance. After all, we are pretty good at stopping payments to employees once they have left; why aren’t the two processes combined.

Conclusion: The field of biometrics still has many challenges to overcome and is still on a steep developmental curve. As biometric authentication technology improves over the coming years, there may be a role for it in encouraging users to take responsibility for their actions. The belief that their actions on corporate networks are physically linked to them through multiple factors of authentication will help extinguish the lack of accountability which continues to undermine many organisations. This linking of action to identity will help increase the risk of detection in the mind of individuals contemplating fraud – as they will struggle to argue that someone else used their biometric credentials (and password and token) without their knowledge and/or consent. But it must be understood by CIOs that the value from biometric authentication comes from the “security theatre” that it creates in the minds of users; as the technology itself currently offers questionable additional value to existing strong authentication systems.

Conclusion: Biometric authentication can be an effective inclusion for organisations to reduce the risk of unauthorised access. However, as the general public becomes more informed on privacy issues, their tolerance for data breaches involving biometric data will plummet. Organisations that are named and shamed for failing to protect biometric data will suffer the consequences of excruciating scrutiny, as well as increased legislative and regulatory conditions. For the majority of Australasian organisations the cost and complexity of deploying biometric authentication correctly are prohibitive, and the costs of deploying it incorrectly are unacceptable.

IGNORING the use of personally owned portable electronic devices in the corporate network is a trap IT departments must avoid, a study shows.

Users of personally owned PEDs are increasingly expecting full functionality and interaction with corporate resources, according to analyst IBRS.

A briefing paper, titled Portable electronic devices (PEDs): a frog close to the boil, warns that Apple's iPhone and Google's Android will exacerbate the situation in the short term. It says IT managers must focus their response to PEDs on the corporate network or face a gradual but substantial drain on IT resources.

Original article here... 

Conclusion: Personally owned Portable Electronic Devices (PEDs) are being introduced into the corporate network and users are increasingly expecting full functionality and interaction with corporate resources. Apple’s iPhone, and Google’s Android will exacerbate the situation in the short term. Looking at the problem using the perspective of the PED trilemma - ubiquity, multiformity and capability – presents an opportunity for IT departments to work on a strategy for control. Just like the fire triangle (heat, fuel, oxygen) if you can control one aspect, then the situation becomes manageable. IT managers must use the three aspects of the PED trilemma to focus their response to PEDs on the corporate network, or face a gradual though significant drain on IT resources

Conclusion: Both black lists and white lists are effective security measures, but these two approaches are opposites and therefore, have different issues and applications. If only a few items need to be forbidden, then a black list is adequate. But if only a few items need to be permitted, then a white list is the efficient way to enforce policy.

When used in conjunction with business policy and procedures for acceptable content, white lists can be a very powerful mechanism creating a culture of individual responsibility that enables users to access necessary business information while holding individuals to account for the information they access.

At AusCERT 2007, a software programmer from Australia’s Defence Signals Directorate delivered a fascinating presentation on a simple strategy they had developed to help manage the influx of malware, browser exploits and malicious web content. The strategy was designed around risk transference through personal accountability, rather than threat mitigation1.

Conclusion: In 20-30 years time Generation Y will be running not only IT departments (in whatever form that takes) but they will also be running other business units, and in fact entire organisations. How we engage with them, train them, empower them, and become mentors to them; will sculpt their ability to make decisions. It is vital that the hard-earned knowledge of the last 50 years of IT is not lost from lack of mentoring and succession planning by the retiring Baby Boomers. This research note looks past the immediate skills shortage and into the area of lost industry knowledge.

Conclusion: Data leakage prevention (DLP) it is an information management tool, not a threat mitigation tool like anti-virus or intrusion prevention. The DLP market is still very immature, and the products are not integrated with other related technologies, such as: enterprise content management (ECM), enterprise rights management (ERM), and identity management systems. When the vendors who specialise in information management have integrated DLP into their existing suites, then the story will be compelling. We’re not there yet.

Conclusion: Rather than resist selective sourcing, IT organisations should accept that many IT tasks are either highly repetitive or commoditised; and are not unique to your organisation. These tasks do not need to be done in-house and by IT professionals whose value is high because they know how to deliver quality while respecting organisational idiosyncrasies. Managed Service Providers (MSPs) could be an excellent ally in augmenting internal IT resources. Once freed from the routine tasks, internal IT staff can be assigned to high value tasks or implementing innovative solutions: these help organisations to become better at what they do.

Conclusion: Privacy is now a public issue. Consequently, many of the recommendations for the Australian Privacy Act will likely be accepted because they reflect good practice, and are in harmony with international data privacy trends. However, these amendments to the Privacy Act will introduce added complexity and expense to the management of personal data.

The danger right now is that organisations may try to dodge the cost of compliance by doing as little preparation as possible. Widespread, legally mandated, disclosures of data breaches would wreak havoc with consumer confidence in online transactions. Australian organisations, both large and small, cannot afford that loss of faith.

Conclusion: The combination of new requirements for quality control in software development and the looming skills crisis in Asia will drive multiple initiatives in the software industry. These initiatives include: vendor consolidation (particularly in platforms); a fundamental shift in the role of internal IT organisations; and an explosion of innovative and pragmatic mini-applications that are developed and owned by the business unit rather than traditional IT departments. Because these mini-apps are driven and owned by the business unit, they are more aligned to business needs than the current wave of mismatched ‘collaborative Web 2.0’ applications.

Conclusion: Easy venture capital money and a highly fragmented market are driving consolidation in the Managed Service Provider (MSP) industry.

Whether your MSP is the target or the buyer, the M&A activity will be accompanied by organisational changes and strong pressure from the VCs to maximise returns. In the low margin MSP industry, this could have implications on the MSPs’ willingness to retain the resources which provide the resiliency that you need. In any outsourced relationship, it is advisable to clearly define the service being sourced, the service level expectations and to perform due diligence on the capabilities of the service provider that enable them to deliver this. In a consolidating market, IT organisations need to pay even greater attention to these activities.

Commoditising your infrastructure and technology achieves two important outcomes: standardised skills, which are easier to find; and easier transition to (and between) MSPs as they also have resource constraints.

Conclusions: Microsoft’s new BitLocker feature, available in select versions of Vista, offers easy access to ‘whole disk’ encryption, which benefits several areas including; identity management, data security, and asset management.

While BitLocker is a workable and well-integrated security feature, it is not a complete solution to data protection requirements. Whole disk encryption products have limitations and must be viewed as a part of a wider security initiative.

BitLocker’s benefits and limitations must be evaluated and factored into Vista migration plans, especially for organisations looking towards virtualisation and mobility.

Conclusion: Dedicated IT security people are too expensive for SMB organisations. The market trend is towards outsourcing security tasks, and the SMB market must embrace this. Large organisations (500+ people) should make internal security people the managers of internal security programs, and managers of the relationship with managed security service providers (MSSPs) and outsourcers. Security is an operational responsibility which should be shared by everybody in an organisation.

IS organisations attack increasing client systems support costs by implementing a desktop "lockdown" or Standard Operating Environment (SOE). However, if they do not give enough attention to the process and planning that is required to lock down their desktops their project will fail because of political and cultural problems, and because lockdown may prevent users from doing their jobs efficiently.

Conclusion: Organisations that do not treat information security risks seriously could pay a heavy price if a major incident occurs and they are unprepared to deal with it.  

SPAM is a terrible problem, from cutting productivity, threatening security, offending the morals of millions, planting doubt in the most macho man, and just irritating anyone with email. 2003 has seen many headlines about SPAM and how companies and governments are going to tackle it head on.