Cyber & Risk

Understanding cyber security has never been as critical as it is today. 

The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.

In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you? 

IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards. 

Conclusion: Given that the deadline for Payment Card Industry Data Security Standard (PCI DSS) compliance has passed, and that most cardholder data in Australia/New Zealand is extracted via SQL injection attacks, local organisations should ensure that their website security gets priority attention. This is a classic instance of where a moderate degree of effort will result in an important reduction in an organisation’s risk profile.

Read more ...

Conclusion: Microsoft’s Forefront Client Security will need to achieve a “better than” market perception before security professionals will consider it to be a reasonable and acceptable enterprise response; and this relates to both its anti-malware effectiveness, as well as its ability to be managed and automated in a heterogeneous environment. Obviously, security is a sensitive subject for Microsoft, so its efforts in achieving a “better than” market perception will be considerable, but it will also take the healing passage of time.

Read more ...

Conclusion: Now, there is renewed pressure on new IT projects to prove their value. For IT security projects, managers may feel that they need to make excessively complicated calculations in order to prove a return on investment (ROI) and thereby justify the project, but this is an unnecessary complication. Rubbery figures will melt under close scrutiny – potentially sinking the project.

A security business case needs to communicate the fact that organisations must also spend money to stop losing money. Security projects are undertaken for loss prevention. Like all projects with soft benefits, an IT security project should be shown to be in alignment with, and supportive of, organisational values: specifically risk appetite. More mature organisations will have less of an appetite, particularly in challenging times.

Read more ...

Conclusion: Security awareness campaigns are actually an effort to change an aspect of organisational culture. Cultural change is famously difficult, takes a long time, and will ultimately fail if it does not have senior executive commitment. Specifically, senior executives must be seen to be exhibiting the behaviour of the new culture. The implication for security professionals is that awareness campaigns must start at the top and not move out across the organisation until there is behavioural change at the top.

Read more ...

Conclusion: Despite the vendor and media hype around malware threats to the hypervisor, the biggest risk to IT departments from virtualisation is insufficient procedural controls.

The risk stems from virtual machines being poorly managed, growing in number, and the consequent haemorrhage of money to support them. Virtual machines should be processed through a planned, and managed, lifecycle so that they do not sprawl out of control and absorb excessive resources. By using a chargeback mechanism, CIOs can ensure that each virtual machine instance is not further depleting the capacity of the IT department to support the organisation.

Read more ...

Conclusion: Organisations are potentially at risk from employee fraud, and a frequent motivator for the perpetrators is their gambling problem. While not all employees who gamble are going to commit fraud, it is imperative that the subject of gambling by employees is addressed as part of any organisational risk assessment. The subject is sensitive and complicated, but must be considered because of the direct cost of fraud.

Read more ...

In the numerous conversations I have had over the past few months, concerning the government’s ISP content filtering plan, a common pattern occurs. The people I’ve spoken to object to the plan, but when I ask what their specific objections are, nearly everyone provides ideological arguments – not technical. The most common ideological argument is a rejection of the government taking on the role of “Big Brother”.

Read more ...

Conclusion: Many economists currently agree that the global economy is at least a year away from improving. Until the economy recovers, many IT professionals will have their positions made redundant and organisations must handle these redundancies with great care. The expertise of IT professionals who feel a need to take revenge means that the impact of an insider attack could be very costly to an organisation which may already be struggling.

Organisations which have already deployed technical controls, such as Identity Management suites, and procedural controls, such as separation of duties, will be better positioned to close the window of opportunity for sabotage and fraud. But insider attackers frequently have a pre-existing, work-related grudge, and so IT management attention must be given now to dealing with the “soft side” of their staff and contractors.

Read more ...

Conclusion: Historically, operating systems and applications were the richest source of software vulnerabilities for attackers to exploit, but the problem organisations are now facing is that web browsers and plug-ins are being targeted; and this is a trend that will only increase in the near future.

Internet-facing browsers are effectively part of the perimeter, and organisations must have a strategy which will not only protect the browser, but also protect against a compromised browser. This has implications for all browsers – including those on portable electronic devices (PEDs) which are increasingly pitched as mobile web-access devices.

Read more ...

Conclusion: Despite the growing body of information available on data breaches, many executives remain unjustifiably overconfident in their organisations’ security capabilities. (Ironically, this overconfidence is reflected in the contributing causes of data breaches.) Organisations will not be breached through their strongest points of defence – the points organisations have most confidence in – they will be breached through their weakest points. The lesson from past data breaches is that these weaknesses are likely to be areas which have been overlooked. It is the unknown unknowns that undermine information security.

These unknown unknowns can only be identified by people who have not been instilled with the same assumptions that the organisation is already working with. It is only through encouraging designated people, and third parties, to challenge assumptions and voice dissent that organisations stand a chance of avoiding the trap of insecurity-by-consensus.

Read more ...

Conclusion: The Payment Card Industry Data Security Standard (PCI DSS) is concise and promotes many effective controls – most of which can be achieved through business process reengineering or redesign. Software and hardware vendors talk about fines for non-compliance, but unlike the US, these fines are almost non-existent in Australia. As such, PCI DSS has no stick but there is the possibility of a carrot: a lower risk profile.

Many organisations confuse receiving credit card payment with handling cardholder data. These are not the same thing and CIOs should challenge the assumption that it is necessary to handle the cardholder data. Only organisations that absolutely must handle cardholder data should become PCI DSS compliant. Otherwise, organisations should reduce their risk profile by not handling cardholder data at all.

Read more ...

IBRS conducted an online survey of prequalified IT decision makers in Australia & New Zealand. The respondents were asked questions focusing on their experience of operational issues relating to identity and access management. The results of this survey are presented in this report, and a high level analysis is given.

Conclusion: The threat of a data breach (unauthorised access to data) is not just from hackers, and not just as a result of malicious intent. Carelessness and oversight by trusted inside sources has been shown, repeatedly, to be the root cause of numerous data breaches. Recognising this, many organisations (particularly in government and finance) include security awareness training as part of an employee's induction.

But this one-time security awareness training is easily lost in the information overload experienced by new starters. Security awareness training is vital but in order to realise the benefits, and prevent the acts of carelessness, it is even more important to repeatedly expose employees to the training to keep their level of security awareness elevated. Elevated security awareness helps create the human firewall: probably the most cost effective security resource you can get.

Read more ...

Conclusion: Deprovisioning old accounts which are no longer required on corporate information systems is an essential process for managing complexity and supporting information security objectives. Provisioning and change management are the aspects of identity management that often get more focus, as they are seen as business enablers. Deprovisioning, as part of an identity lifecycle process, may not help businesses make money, but it does help mitigate risk. Failing to deprovision legacy accounts which then become a conduit for fraud could well be seen as a failing of due care and governance. After all, we are pretty good at stopping payments to employees once they have left; why aren’t the two processes combined?

Read more ...

Conclusion: The field of biometrics still has many challenges to overcome and is still on a steep developmental curve. As biometric authentication technology improves over the coming years, there may be a role for it in encouraging users to take responsibility for their actions. The belief that their actions on corporate networks are physically linked to them through multiple factors of authentication will help extinguish the lack of accountability which continues to undermine many organisations. This linking of action to identity will help increase the risk of detection in the mind of individuals contemplating fraud – as they will struggle to argue that someone else used their biometric credentials (and password and token) without their knowledge and/or consent. But it must be understood by CIOs that the value from biometric authentication comes from the “security theatre” that it creates in the minds of users; as the technology itself currently offers questionable additional value to existing strong authentication systems.

Read more ...

Conclusion: Biometric authentication can be an effective inclusion for organisations to reduce the risk of unauthorised access. However, as the general public becomes more informed on privacy issues, their tolerance for data breaches involving biometric data will plummet. Organisations that are named and shamed for failing to protect biometric data will suffer the consequences of excruciating scrutiny, as well as increased legislative and regulatory conditions. For the majority of Australasian organisations the cost and complexity of deploying biometric authentication correctly are prohibitive, and the costs of deploying it incorrectly are unacceptable.

Read more ...

Conclusion: Analysing the challenges of portable electronic devices (PEDs) through the PED trilemma model breaks down the problem into three addressable aspects which can more easily be tackled, often by non-technical means. IT departments can manage the inundation of PEDs into corporate networks; but only with unambiguous commitment from senior business managers. IT can get commitment from these managers by using charge-back models.

If we put a dollar sign in the middle of the trilemma, we can show that expansion on any of the three sides results in a total increase in support costs (represented by the area in the middle). IT should use charge-back models for PED support to the business units. An appropriate charge-back mechanism forces business units to carefully consider their choices. The days of gluing up USB ports are long gone.

Read more ...

IGNORING the use of personally owned portable electronic devices in the corporate network is a trap IT departments must avoid, a study shows.

Users of personally owned PEDs are increasingly expecting full functionality and interaction with corporate resources, according to analyst IBRS.
A briefing paper, titled Portable electronic devices (PEDs): a frog close to the boil, warns that Apple's iPhone and Google's Android will exacerbate the situation in the short term. It says IT managers must focus their response to PEDs on the corporate network or face a gradual but substantial drain on IT resources.

Original article here... 

Conclusion: Personally owned Portable Electronic Devices (PEDs) are being introduced into the corporate network, and users are increasingly expecting full functionality and interaction with corporate resources. Apple’s iPhone and Google’s Android will exacerbate the situation in the short term. Looking at the problem using the perspective of the PED trilemma – ubiquity, multiformity and capability – presents an opportunity for IT departments to work on a strategy for control. Just like the fire triangle (heat, fuel, oxygen), if you can control one aspect, then the situation becomes manageable. IT managers must use the three aspects of the PED trilemma to focus their response to PEDs on the corporate network, or face a gradual though significant drain on IT resources.

Read more ...

At AusCERT 2007, a software programmer from Australia’s Defence Signals Directorate delivered a fascinating presentation on a simple strategy they had developed to help manage the influx of malware, browser exploits and malicious web content. The strategy was designed around risk transference through personal accountability, rather than threat mitigation.

Read more ...

Conclusion: Both black lists and white lists are effective security measures, but these two approaches are opposites and therefore, have different issues and applications. If only a few items need to be forbidden, then a black list is adequate. But if only a few items need to be permitted, then a white list is the efficient way to enforce policy.

When used in conjunction with business policy and procedures for acceptable content, white lists can be a very powerful mechanism creating a culture of individual responsibility that enables users to access necessary business information while holding individuals to account for the information they access.

Read more ...

Conclusion: In 20–30 years’ time Generation Y will be running not only IT departments (in whatever form that takes) but also other business units, and in fact entire organisations. How we engage with them, train them, empower them, and become mentors to them will sculpt their ability to make decisions. It is vital that the hard-earned knowledge of the last 50 years of IT is not lost through lack of mentoring and succession planning by the retiring Baby Boomers. This research note looks past the immediate skills shortage and into the area of lost industry knowledge.

Read more ...

Conclusion: Data leakage prevention (DLP) is an information management tool, not a threat mitigation tool like anti-virus or intrusion prevention. The DLP market is still very immature, and the products are not integrated with other related technologies, such as enterprise content management (ECM), enterprise rights management (ERM), and identity management systems. When the vendors who specialise in information management have integrated DLP into their existing suites, then the story will be compelling. We’re not there yet.

Read more ...

Conclusion: Rather than resist selective sourcing, IT organisations should accept that many IT tasks are either highly repetitive or commoditised, and are not unique to their organisation. These tasks do not need to be done in-house by IT professionals whose value is high because they know how to deliver quality while respecting organisational idiosyncrasies. Managed Service Providers (MSPs) could be an excellent ally in augmenting internal IT resources. Once freed from the routine tasks, internal IT staff can be assigned to high value tasks or to implementing innovative solutions: these help organisations to become better at what they do.

Read more ...

Conclusion: Privacy is now a public issue. Consequently, many of the recommendations for the Australian Privacy Act will likely be accepted because they reflect good practice, and are in harmony with international data privacy trends. However, these amendments to the Privacy Act will introduce added complexity and expense to the management of personal data.

The danger right now is that organisations may try to dodge the cost of compliance by doing as little preparation as possible. Widespread, legally mandated, disclosures of data breaches would wreak havoc with consumer confidence in online transactions. Australian organisations, both large and small, cannot afford that loss of faith.

Read more ...

Conclusion: The combination of new requirements for quality control in software development and the looming skills crisis in Asia will drive multiple initiatives in the software industry. These initiatives include: vendor consolidation (particularly in platforms); a fundamental shift in the role of internal IT organisations; and an explosion of innovative and pragmatic mini-applications that are developed and owned by the business unit rather than traditional IT departments. Because these mini-apps are driven and owned by the business unit, they are more aligned to business needs than the current wave of mismatched ‘collaborative Web 2.0’ applications.

Read more ...

Conclusion: At the start of the year a resurgence of interest in Identity Management was heralded as one of a series of IBRS technology predictions for 2007. Subsequent vendor activity has borne this out and more market activity is likely to follow.

Read more ...

Conclusion: Securing online banking through one-time passwords delivered via SMS provides two factors of authentication, is cheaper to deploy than tokens, increases the customers’ sense of security, and introduces online banking customers to the idea of secure banking on their mobile phones.

However, introducing a widely adopted, variable-cost service like one-time passwords via SMS is not sustainable, because it is inevitable that the cost of the SMS service will exceed the cost of online fraud, which is already at very low levels. Until mobile banking and EMV smartcards become more commonplace, banks should choose the better strategy of using SMS authentication, as it supports the product roadmap for online and mobile banking.

Read more ...

Conclusion: Easy venture capital money and a highly fragmented market are driving consolidation in the Managed Service Provider (MSP) industry.

Whether your MSP is the target or the buyer, the M&A activity will be accompanied by organisational changes and strong pressure from the VCs to maximise returns. In the low-margin MSP industry, this could have implications for the MSPs’ willingness to retain the resources which provide the resiliency that you need. In any outsourced relationship, it is advisable to clearly define the service being sourced and the service level expectations, and to perform due diligence on the capabilities of the service provider that enable them to deliver this. In a consolidating market, IT organisations need to pay even greater attention to these activities.

Commoditising your infrastructure and technology achieves two important outcomes: standardised skills, which are easier to find; and easier transition to (and between) MSPs as they also have resource constraints.

Read more ...

Conclusion: Microsoft’s new BitLocker feature, available in select versions of Vista, offers easy access to ‘whole disk’ encryption, which benefits several areas including identity management, data security, and asset management.

While BitLocker is a workable and well-integrated security feature, it is not a complete solution to data protection requirements. Whole disk encryption products have limitations and must be viewed as a part of a wider security initiative.

BitLocker’s benefits and limitations must be evaluated and factored into Vista migration plans, especially for organisations looking towards virtualisation and mobility.

Read more ...

Conclusion: Dedicated IT security people are too expensive for SMB organisations. The market trend is towards outsourcing security tasks, and the SMB market must embrace this. Large organisations (500+ people) should make internal security people the managers of internal security programs, and managers of the relationship with managed security service providers (MSSPs) and outsourcers. Security is an operational responsibility which should be shared by everybody in an organisation.

Read more ...

Conclusion: Effective and responsible management of IT security should concern executives at the highest levels of management. Leading practice suggests, but does not mandate, separation of the IT security function from the IT management function. One of the ways that this can be achieved is with the appointment of a Chief Information Security Officer (CISO) with total accountability for all IT security matters within the organisation. A pro forma Position Description for the CISO role is provided herein.

Read more ...

Conclusion: Last month I wrote advising IT practitioners to learn the language of risk management, particularly in the context of AS/NZS 4360:2004. The article also contained advice to ensure that IT has a place at the decision-making table when considering the implementation of corporate risk management software.

An assumption was made in the article that in your organisation some corporate risk management initiatives were already under consideration. However, suppose this is not the case. How can the IT practitioner pitch a case for an Enterprise Risk Management (ERM) project as a strategic system? This article provides a guide for doing so, allowing the IT practitioner to assert leadership in a burgeoning area of corporate practice.

Read more ...

IS organisations attack increasing client systems support costs by implementing a desktop “lockdown” or Standard Operating Environment (SOE). However, if they do not give enough attention to the process and planning required to lock down their desktops, their projects will fail because of political and cultural problems, and because lockdown may prevent users from doing their jobs efficiently.

Read more ...

Conclusion: In business and government, the subject of risk continues to be a hot topic. It’s covered regularly by the commerce and technology-oriented sections of the media and is increasingly being discussed and actioned at Board and executive levels. Because of the corporate appetite for risk methodologies and tools, a burgeoning IT industry has developed providing risk management software.

Read more ...

Conclusion: Organisations that do not treat information security risks seriously could pay a heavy price if a major incident occurs and they are unprepared to deal with it.

Read more ...

In April new Federal anti-spam legislation will ban local spammers from operating; otherwise they could face penalties of over a million Australian dollars a day. According to the Coalition Against Unsolicited Bulk E-mail, the purpose of putting this legislation in place is to stop spammers, and make Australia appear credible when looking to other countries to adopt the same type of law.

Read more ...

Changing business processes and systems to comply with legislative requirements is a major hidden cost in the public and private sector. Ironically, it is also one of the least referenced in the research literature.

Read more ...

SPAM is a terrible problem, from cutting productivity, threatening security, offending the morals of millions, planting doubt in the most macho man, and just irritating anyone with email. 2003 has seen many headlines about SPAM and how companies and governments are going to tackle it head on.

Read more ...

We touched briefly last month on our approach to security and its role in protecting the network from external attack. It is equally essential that clearly stated network policies and procedures, both for internal users and for other external stakeholders on projects who require network access, be rigorously applied. Our policies are visibly endorsed by the Chief Executive Officer and published on the company Intranet. They are designed to protect the enterprise by ensuring that the data on the network is appropriate to the business, that network performance is not compromised in any way, and that the possibilities of virus infection are minimised.

Read more ...