Cyber & Risk

Understanding cyber security has never been as critical as it is today.

The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.

In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you?

IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards.

Conclusion:The latest Verizon Data Breach Investigation report (2011) continues many of the themes drawn out since its first publication in 2008. However, the DBIR is not a best practice guide on how to secure organisational data; it is an aggregation of cases where organisations failed to secure theirs. Consequently, the DBIR should be viewed as a document which identifies worst practice, and provides instructions on how not to be a follower of worst practice. Some of the breaches that have made headlines this year show that even well-resourced organisations can overlook the basics of IT security.

Details: James Turner; 26 May 2011

Security Readiness

Conclusion: It’s easy to become complacent about emergency procedures. But the importance of emergency procedures which support health and safety in the workplace cannot be overlooked just because they are time consuming and boring. Just as preventative security technologies are only as effective as the diligence that goes into their configuration and ongoing support, emergency procedures are only as effective as the diligence with which they are maintained, communicated, and practiced. When something goes wrong, you need to know that your staff have been given every resource to handle themselves and the situation.

Details: James Turner; 28 April 2011

Security Readiness

Conclusion: For customers, there are many advantages, both tactical and strategic, to participating in vendor reference programs. However, IT executives should give thought to scenarios which involve their organisation being held up by a vendor as either innovative, or an early adopter. While the attention may appeal to the ego, there are risks of being out on the bleeding edge, or in being a minority adopter. Being held up as either innovative, or an early adopter, could indicate that your organisation is straying from the rest of the industry. A key concern for IT executives should be that this exclusiveness could equally herald a future shortage of skilled resources.

Details: James Turner; 28 March 2011

Security Readiness

Conclusion: The market for third party mobile device management platforms is immature and there are differences in capability between products, but these middleware platforms are producing positive outcomes. While this market will commoditise quickly, the real risk for IT departments is that they design their applications and mobility strategy in such a way as to (yet again) lock themselves into a specific device/OS combination. The device shouldn’t matter.

Details: James Turner; 26 February 2011

Security Readiness

Conclusion: Cisco and RIM will fail to dominate the corporate tablet computer market and will lose out to consumer technology from Apple and Android. Cisco is currently dabbling in this area, and RIM is slowly losing relevance in the enterprise.

There is a clear shift towards consumers using their own smartphones and tablet computers, and CIOs should start planning for how they will enable secure remote access to corporate data from any device, with any operating system. Buying into the dream of corporate issued mobile devices, built for the enterprise market, is buying a white elephant: expensive to maintain, supposedly prestigious, but ultimately useless.

Details: James Turner; 27 January 2011

Security Readiness

Conclusion: Risk management and quality are two sides of the same coin. Building quality into organisational decision-making processes and systems is only possible if operational risks are well understood. The results of risk analysis should be a key input for the design of enterprise architectures and systems. It all sounds obvious, but risks associated with the decision-making processes in an organisation are only rarely quantified in terms of likelihood, impact on external parties, and potential costs.

Details: Jorn Bettin; 29 December 2010

Security Policy and Frameworks

Talk to an IBRS Advisor

Conclusion: The iPhone entered organisations like a bunker-buster, and has blown open the doors for diversity of devices and form-factors. Ultimately, most organisations will have devices that will be a blend of: a) a small set of corporate issued devices, and b) a larger set of personally owned devices. Consequently, any management of devices, and the data on them, must be independent of their various form factors, operating system, and capabilities (as per the PED trilemma). As a direct consequence, expect a long term shift away from trying to manage the device, towards a more focused effort to secure the data and authenticate the user.

Details: James Turner; 27 December 2010

Security Readiness

Conclusion: The demand from non-IT business units for cloud computing is symptomatic of their desire for better IT services and should be supported, if not driven, by IT. However, an engagement with a cloud vendor must be treated with the same level of risk assessment and diligence as any other outsourcing engagement. Organisations must ensure that corporate governance is not bypassed in a rush for the cloud.

Details: James Turner; 22 November 2010

Security Readiness

A fascinating advantage of the public cloud is the extremely high availability of the data (at least in theory!). From any device, from any Internet connection, I can surf to a site, provide my credentials, and access data. We are so used to webmail that we can be nonchalant
about this, but it is quite extraordinary. The trouble is, if the data is highly accessible to you when you are on any device on any Internet connection, then it is accessible to other people from any device on any Internet connection.

Details: James Turner; 21 November 2010

Security Readiness

Conclusion: Data Loss Prevention (DLP) technologies have matured over the last 12 months. They are more capable, but there is still a wide range of capabilities between the various products, and an even wider gap between the brochure and reality. Before proceeding with a proof of concept, IT must understand the very specific requirements that the business is expecting to achieve through a DLP deployment, and how willing the business is to pay for these. Failure to understand these requirements, and failure to get business stakeholder commitment, will result in project failure.

Details: James Turner; 26 September 2010

Security Readiness

Conclusion: The transmission of pornography in email is a serious issue for all organisations which aim to comply with their own HR policies on providing a workplace free of sexual harassment. However, the technology currently available to support these policies, through filtering and classifying images, is far from perfect. CIOs and HR professionals must clearly understand that pornography in the workplace is better managed as a cultural issue, not a technology issue.

Details: James Turner; 24 August 2010

Security Readiness

Talk to an IBRS Advisor

Conclusion: Security professionals are valuable not only for what they know, but also for how they think. However, this style of thinking can often result in them being alienated for “being too negative”. An alienated security professional is a waste of resources, so CIOs should adopt DeBono’s Six Thinking Hats, a thinking exercise based on role-play, to ensure that they get the most value out of their security people.

Details: James Turner; 24 June 2010

Security Readiness

Conclusion: Most of the pressure on IT departments to deploy or support iPhones is from organisational VIPs, and so IT departments should not resist a deployment, but they should delay. With a new iPhone operating system and a new generation of hardware just around the corner (as well as the recently released iPad) IT departments should assess third party mobile device management platforms to assist them in supporting and securing an iPhone/iPad deployment.

Details: James Turner; 31 May 2010

Security Readiness

Conclusion: The rise in the Australian Dollar is encouraging many organisations to investigate using IT and business process service providers outside the country as a means of reducing their cost base. There is no doubt that ongoing savings are possible, but they will only be sustained if the risks are managed and IT professionals responsible for outcomes are diligent and track performance.

Details: Alan Hansell; 27 March 2010

Conclusion: A less frequently considered aspect of protecting an organisation’s information assets is the preparation required for the immediate aftermath of a successful attack. This is the crossover point between incident response and crisis management. The prudent organisation with valuable information assets has already planned what steps will be taken in the event of a successful attack. Most of these decisions must be made by senior executives from business units other than IT, and they must be made well in advance of the attack occurring. IT will merely be executing their instructions because decisions concerning the information assets are not IT’s to make.

Details: James Turner; 24 February 2010

Security Readiness

Conclusion: The recent attack on Google’s infrastructure (and resulting announcement by Google of the attack) has a number of important lessons for organisations which are also attacked by well-resourced hackers. These lessons are important and may not be immediately palatable to many, who would prefer to hush up an attack.

Details: James Turner; 30 January 2010

Security Readiness

Talk to an IBRS Advisor

Conclusion: The introduction of a Data Loss Prevention technology into an organisation will have a significant impact on organisational culture. An important aspect of the cultural impact is that a DLP product, if deployed in active blocking mode, could prevent senior people from doing their job as they (legitimately) share sensitive information with trusted partners such as accounting and legal firms. People in senior positions must be trusted to act as they deem best for the organisation, but this trust must be verified.

Details: James Turner; 30 December 2009

Security Readiness

Conclusion: Today business knowhow is mainly stored in two places: in human brains and in software systems. Both forms of storage share the problem that raw knowhow is not easily transferable from one context to another. Valuable knowledge is repeatedly lost through staff turnover and through technology replacements. Minimising knowledge loss requires determination and an understanding of the mechanisms that lead to unnecessarily strong coupling between business knowhow and implementation technology.

Details: Jorn Bettin; 29 December 2009

Conclusion: Organisations that may be at risk of a discovery action should have strategies to minimise the impact of eDiscovery requests. They should have agreed processes in place and have implemented a comprehensive information and records management system that will enable rapid responses and minimise cost when responding to such requests. Poor electronic information management, particularly in the areas of email and collaboration tools are certain to create eDiscovery problems and expenses.

Details: Colin Boswell; 28 December 2009

Conclusion: Some organisations are deploying DLP, but the ones reporting successful deployments are the organisations that are able to invest more resources in both deployment and long-term support. Given the considerable overhead on staff, and the challenges of dealing with the deluge of alerts, organisations considering a DLP investment should first deploy endpoint encryption.

Details: James Turner; 30 November 2009

Security Readiness

Conclusion: IT security managers in larger organisations in Australia and New Zealand are approaching cloud computing very cautiously. The leading concern is the geophysical location of data and the risk this introduces to organisations – primarily from the possibility of a data loss resulting in reputational damage. This means that organisations will have carry less risk if they retain data in a jurisdictional cloud.

Details: James Turner; 30 October 2009

Security Readiness

Talk to an IBRS Advisor

Conclusion: From adversity springs creativity. History shows straitened economic times can serve as a greenhouse, rapidly germinating seeds of ideas that may otherwise have taken longer to establish themselves. Six clear trends have emerged from the Global Financial Crisis (GFC) providing business advantage to early adopters. The common thread is their potential to deliver organisational efficiencies, savings, or both. IBRS believe these trends are likely to deserve a place in the IT firmament for a considerable time. CIOs should defensively review these trends; the outcome may be selective adoption or deferral, but their potency cannot be ignored.

Details: Rob Mackinnon; 29 July 2009

Conclusion: Given that the deadline for Payment Card Industry Data Security Standard (PCI DSS) compliance has passed, and that most cardholder data in Australia/New Zealand is extracted via SQL injection attacks, local organisations should ensure that their website security gets priority attention. This is a classic instance of where a moderate degree of effort will result in an important reduction in an organisation’s risk profile.

Details: James Turner; 31 May 2009

Security Readiness

Conclusion: Microsoft’s Forefront Client Security will need to achieve a “better than” market perception before security professionals will consider it to be a reasonable and acceptable enterprise response; and this relates to both its anti-malware effectiveness, as well as its ability to be managed and automated in a heterogeneous environment. Obviously, security is a sensitive subject for Microsoft, so its efforts in achieving a “better than” market perception will be considerable, but it will also take the healing passage of time.

Details: James Turner; 29 April 2009

Security Readiness

Conclusion: Now, there is renewed pressure on new IT projects to prove their value. For IT security projects, managers may feel that they need to make excessively complicated calculations in order to prove a return on investment (ROI) and thereby justify the project, but this is an unnecessary complication. Rubbery figures will melt under close scrutiny – potentially sinking the project.

A security business case needs to communicate the fact that organisations must also spend money to stop losing money. Security projects are undertaken for loss prevention. Like all projects with soft benefits, an IT security project should be shown to be in alignment with, and supporting of, organisational values: specifically risk appetite. More mature organisations will have less of an appetite, particularly in challenging times.

Details: James Turner; 27 March 2009

Security Readiness

Conclusion: Security awareness campaigns are actually an effort to change an aspect of organisational culture. Cultural change is famously difficult, takes a long time, and will ultimately fail if it does not have senior executive commitment. Specifically, senior executives must be seen to be exhibiting the behaviour of the new culture. The implication for security professionals is that awareness campaigns must start at the top and not move out across the organisation until there is behavioural change at the top.

Details: James Turner; 28 February 2009

Security Readiness

Talk to an IBRS Advisor

Conclusion: Despite the vendor and media hype around malware threats to the hypervisor, the biggest risk to IT departments from virtualisation is insufficient procedural controls.

The risk stems from virtual machines being poorly managed, growing in number, and the consequent haemorrhage of money to support them. Virtual machines should be processed through a planned, and managed, lifecycle so that they do not sprawl out of control and absorb excessive resources. By using a chargeback mechanism, CIOs can ensure that each virtual machine instance is not further depleting the capacity of the IT department to support the organisation.

Details: James Turner; 29 January 2009

Security Readiness

Conclusion: Organisations are potentially at risk from employee fraud, and a frequent motivator for the perpetrators is their gambling problem. While not all employees who gamble are going to commit fraud, it is imperative that the subject of gambling by employees is addressed as part of any organisational risk assessment. The subject is sensitive and complicated, but must be considered because of the direct cost of fraud.

Details: James Turner; 29 December 2008

Security Readiness

In the numerous conversations I have had over the past few months, concerning the government’s ISP content filtering plan, a common pattern occurs. The people I’ve spoken to object to the plan, but when I ask what their specific objections are, nearly everyone provides ideological arguments – not technical. The most common ideological argument is a rejection of the government taking on the role of “Big Brother”.

Details: James Turner; 26 December 2008

Security Readiness

Conclusion: Many economists currently agree that the global economy is at least a year away from improving. Until the economy recovers, many IT professionals will have their positions made redundant and organisations must handle these redundancies with great care. The expertise of IT professionals who feel a need to take revenge means that the impact of an insider attack could be very costly to an organisation which may already be struggling.

Organisations which have already deployed technical controls, such as Identity Management suites, and procedural controls, such as separation of duties, will be better positioned to help close the window of opportunity against sabotage and fraud. But, inside attackers frequently have a pre-existing grudge which is work-related, and so IT management attention must be given now to dealing with the “soft side” of their staff and contractors.

Details: James Turner; 29 November 2008

Security Readiness

Conclusion: Historically, operating systems and applications were the richest source of software vulnerabilities for attackers to exploit, but the problem organisations are now facing is that web browsers and plug-ins are being targeted; and this is a trend that will only increase in the near future.

Internet-facing browsers are effectively part of the perimeter, and organisations must have a strategy which will not only protect the browser, but also protect against a compromised browser. This has implications for all browsers – including those on portable electronic devices (PEDs) which are increasingly pitched as mobile web-access devices.

Details: James Turner; 31 October 2008

Security Readiness

Talk to an IBRS Advisor

Conclusion: Despite the growing body of information available on data breaches, many executives remain unjustifiably overconfident in their organisations’ security capabilities. (Ironically, this overconfidence is reflected in the contributing causes of data breaches.) Organisations will not be breached through their strongest points of defence – the points organisations have most confidence in – they will be breached through their weakest points. The lesson from past data breaches is that these weaknesses are likely to be areas which have been overlooked. It is the unknown unknowns that undermine information security.

These unknown unknowns can only be identified by people who have not been instilled with the same assumptions that the organisation is already working with. It is only through encouraging designated people, and third parties, to challenge assumptions and voice dissent that organisations stand a chance of avoiding the trap of insecurity-by-consensus.

Details: James Turner; 28 September 2008

Security Readiness

Conclusion: The Payment Card Industry Data Security Standard (PCI DSS) is concise and promotes many effective controls – most of which can be achieved through business process reengineering or redesign. Software and hardware vendors talk about fines for non-compliance, but unlike the US, these fines are almost non-existent in Australia. As such, PCI DSS has no stick but there is the possibility of a carrot: a lower risk profile.

Many organisations confuse receiving credit card payment with handling cardholder data^¹. These are not the same thing and CIOs should challenge the assumption that it is necessary to handle the cardholder data. Only organisations that absolutely must handle cardholder data should become PCI DSS compliant. Otherwise, organisations should reduce their risk profile by not handling cardholder data at all.

Details: James Turner; 28 August 2008

Security Readiness

IBRS conducted an online survey of prequalified IT decision makers in Australia & New Zealand. The respondents were asked questions focusing on their experience of operational issues relating to identity and access management. The results of this survey are presented in this report, and a high level analysis is given.

Details: James Turner; 25 August 2008

Security Readiness

Conclusion: The threat of a data breach (unauthorised access to data) is not just from hackers, and not just as a result of malicious intent. Carelessness and oversight by trusted inside sources has been shown, repeatedly, to be the root cause of numerous data breaches. Recognising this, many organisations (particularly in government and finance) include security awareness training as part of an employee's induction.

But this one-time security awareness training is easily lost in the information overload experienced by new starters. Security awareness training is vital but in order to realise the benefits, and prevent the acts of carelessness, it is even more important to repeatedly expose employees to the training to keep their level of security awareness elevated. Elevated security awareness helps create the human firewall: probably the most cost effective security resource you can get.

Details: James Turner; 28 July 2008

Security Readiness

Conclusion: Deprovisioning old accounts which are no longer required on corporate information systems is an essential process to managing complexity and supporting information security objectives. While provisioning and change management are aspects of identity management that often get more focus as they are seen as business-enablers; deprovisioning, as part of an identity lifecycle process, may not help businesses make money, but it does help mitigate risk. Failing to deprovision legacy accounts which then become a conduit for fraud could well be seen as a failing of due care and governance. After all, we are pretty good at stopping payments to employees once they have left; why aren’t the two processes combined.

Details: James Turner; 28 June 2008

Security Readiness

Talk to an IBRS Advisor

Conclusion: The field of biometrics still has many challenges to overcome and is still on a steep developmental curve. As biometric authentication technology improves over the coming years, there may be a role for it in encouraging users to take responsibility for their actions. The belief that their actions on corporate networks are physically linked to them through multiple factors of authentication will help extinguish the lack of accountability which continues to undermine many organisations. This linking of action to identity will help increase the risk of detection in the mind of individuals contemplating fraud – as they will struggle to argue that someone else used their biometric credentials (and password and token) without their knowledge and/or consent. But it must be understood by CIOs that the value from biometric authentication comes from the “security theatre” that it creates in the minds of users; as the technology itself currently offers questionable additional value to existing strong authentication systems.

Details: James Turner; 28 May 2008

Security Readiness

Conclusion: Biometric authentication can be an effective inclusion for organisations to reduce the risk of unauthorised access. However, as the general public becomes more informed on privacy issues, their tolerance for data breaches involving biometric data will plummet. Organisations that are named and shamed for failing to protect biometric data will suffer the consequences of excruciating scrutiny, as well as increased legislative and regulatory conditions. For the majority of Australasian organisations the cost and complexity of deploying biometric authentication correctly are prohibitive, and the costs of deploying it incorrectly are unacceptable.

Details: James Turner; 28 April 2008

Security Readiness

Conclusion: Analysing the challenges of portable electronic devices (PEDs) through the PED trilemma model breaks down the problem into three addressable aspects which can more easily be tackled, often by non-technical means. IT departments can manage the inundation of PEDs into corporate networks; but only with unambiguous commitment from senior business managers. IT can get commitment from these managers by using charge-back models.

If we put a dollar sign in the middle of the trilemma, we can show that expansion on any of the three sides results in a total increase in support costs (represented by the area in the middle). IT should use charge-back models for PED support to the business units. An appropriate charge-back mechanism forces business units to carefully consider their choices. The days of gluing up USB ports are long gone.

Details: James Turner; 28 March 2008

Security Policy and Frameworks

IGNORING the use of personally owned portable electronic devices in the corporate network is a trap IT departments must avoid, a study shows.

Users of personally owned PEDs are increasingly expecting full functionality and interaction with corporate resources, according to analyst IBRS.

A briefing paper, titled Portable electronic devices (PEDs): a frog close to the boil, warns that Apple's iPhone and Google's Android will exacerbate the situation in the short term. It says IT managers must focus their response to PEDs on the corporate network or face a gradual but substantial drain on IT resources.

Original article here...

Details: James Turner; 28 March 2008

Security Readiness

Page 6 of 7

Start
Prev
1
2
3
4
5
6
7
Next
End

info@ibrs.com.au

© IBRS. All Rights Reserved. 2021