Cyber & Risk
Understanding cyber security has never been as critical as it is today.
The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.
In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you?
IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards.
Conclusion: IT security strategies are an invaluable resource as a means of coordinating security efforts and in improving funding approval for security projects – because they can be shown to be following a coherent consistent strategy. The process to create them is an overlooked source of value for the information that it uncovers. An IT security strategy must be closely aligned with what the business believes its security and risk priorities to be. The process of uncovering business impact against various systems is likely to bring up unexpected gaps in knowledge for both IT and the business, and it is here you will find additional gold.
- Details
- James Turner
Conclusion: Patching is now considered a standard part of IT operations. Vendors release patches either to mitigate against new risks, or to introduce new functionality. However, the application of a patch can not only result in the intended outcome (risk mitigation or expanded functionality), it can also have unintended consequences.
Organisations looking at creating a patching strategy should ensure that the business stakeholders are clear on the potential impact of both patching, and non-patching. Either choice carries risk. What will make the difference for organisations are security professionals who can crisply articulate the balance of these technical risks as they pertain to the business requirements of the organisation.
- Details
- James Turner
Up to this point I’ve been a supporter of data breach notification. Coming at the issue as an industry analyst, I think that transparent information on the local experience of data breaches (such as what information is targeted by attackers, how much it costs a company to deal with a breach, the frequency of breaches, the avenues of attack, and so on) would be extremely valuable to the industry as a whole. This is the luxurious, wide-angle, perspective which is expected of an industry analyst.
Then a story such as the hacking of Verisign comes along. In October 2011, Verisign disclosed in a quarterly report to the SEC that: “The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements.”
- Details
- James Turner
Conclusion: As cloud services - typically Software as a Service - become increasingly accepted, the IT industry is gaining valuable experience in the actual risks of putting data in the cloud. Most of these risks centre around data confidentiality. Knowing the actual risks, rather than the fear, uncertainty and doubt that vendors and security consultants can throw at the cloud, enables CIOs to make informed choices and recommendations to the business on cloud usage.
- Details
- James Turner
Conclusion: Whether in the domain of IT security, or in corporate fraud, when an organisation has been successfully attacked, what makes the difference is knowing that the attack occurred, and knowing as soon as possible. For organisations working to make their IT security budget go further, having a third party service provider check security logs is proving to be a cost effective form of selective outsourcing. Of course, this service doesn’t make an organisation perfectly secure, but early knowledge is vital to incident response and loss minimisation.
- Details
- James Turner
Conclusion: Organisations are finding that there are potentially many benefits to deploying a single smartcard that can perform multiple functions. A unified smartcard carries the possibility to reduce costs, improve security, and improve user experience. However, the complexity of a smartcard deployment is a function of the number of business units and processes that will be touched, and so thorough research and planning is essential. Strong political will from an executive sponsor is also imperative to success, and can be generated with a business case that is explicit on what the intention, and ranked objectives, of the deployment are.
- Details
- James Turner
Conclusion: Cloud computing has multiple dimensions that must be considered when analysing risk. The use of four key variables can rapidly identify the expected level of risk in a cloud computing scenario. These four variables – deployment model, geographic location of data, supplier arrangements and information criticality – can be quickly applied to assess the level of risk and determine a suitable mitigation strategy.
- Details
- Kevin McIsaac
Conclusion: Despite the apparent value of the DSD’s Top 35 Mitigation Strategies report, organisations considering executing its recommendations will have to weigh up the business impact of implementation. In some instances, a mitigation strategy may be too intrusive on business operations. For some, the cost of ongoing support may be too high. However, the most significant barrier will be communicating risk to the business, and the need for a given strategy (particularly the more intrusive ones!). In order to realise the benefits of this resource in improving an organisation’s security posture, the report will need to be translated into business impact in order to gain executive buy-in.
- Details
- James Turner
Conclusion: Tim Cook, the new CEO at Apple, is noted for his excellence at managing Apple’s supply chain, and while he has spoken about engagement with the enterprise space, this will only be a token gesture from Apple. Enterprise IT does not play to Apple’s strengths. Apple will continue to focus on being great at what it already does: designing for, and selling to, consumers. This presents a challenge for enterprise IT departments because in the absence of meaningful enterprise support from Apple, enterprise IT must aim at negating the impact of any device’s form-factor.
- Details
- James Turner
Back when I was at university, I had two particularly interesting lectures in the same week; one from the school of management, and one from the school of marketing. What made them so interesting was the timing as well as the content of the two lectures. Management said, “perception is not reality”. Marketing said, “perception is reality”. (I agree with both statements.)
Management said that just because I felt a certain way about a situation, my feeling didn’t make my opinion the truth. Perception is not reality. Marketing said that even if you have the best product, if the consumers think another product is better, then the other product is better! Perception is reality.
Which brings me to the consumerisation of IT and mobile devices.
- Details
- James Turner
Conclusion: There are three key areas of risk to an organisation in enabling staff access to social networking sites. These three areas relate to: the data being shared with the site, the people using the site, and adherence to organisational policies. The point of greatest impact to address all three areas of risk is in training the users to interact with these social networking sites safely and securely. The employees are consumers of IT both at work and at home and their personal risk appetite will guide their behaviour in both locations, so education is vital in order to change behaviour. The importance of this point will become increasingly obvious as organisations explore mobility and BYOD (bring your own device) initiatives.
- Details
- James Turner
Conclusion: The Stuxnet worm was a turning point for the development of malware. Over the last few years even the anti-malware vendors have been acknowledging that the signature-only approach for AV is insufficient. We must assume that we will not be able to detect the malware itself, we must rely on being able to spot the ripples of its passage. The next 12-18 months will see the early majority of organisations (pragmatists) crossing the chasm and joining the early adopters in looking at anomaly detection and event correlation products.
- Details
- James Turner
Conclusion:The latest Verizon Data Breach Investigation report (2011) continues many of the themes drawn out since its first publication in 2008. However, the DBIR is not a best practice guide on how to secure organisational data; it is an aggregation of cases where organisations failed to secure theirs. Consequently, the DBIR should be viewed as a document which identifies worst practice, and provides instructions on how not to be a follower of worst practice. Some of the breaches that have made headlines this year show that even well-resourced organisations can overlook the basics of IT security.
- Details
- James Turner
Conclusion: It’s easy to become complacent about emergency procedures. But the importance of emergency procedures which support health and safety in the workplace cannot be overlooked just because they are time consuming and boring. Just as preventative security technologies are only as effective as the diligence that goes into their configuration and ongoing support, emergency procedures are only as effective as the diligence with which they are maintained, communicated, and practiced. When something goes wrong, you need to know that your staff have been given every resource to handle themselves and the situation.
- Details
- James Turner
Conclusion: For customers, there are many advantages, both tactical and strategic, to participating in vendor reference programs. However, IT executives should give thought to scenarios which involve their organisation being held up by a vendor as either innovative, or an early adopter. While the attention may appeal to the ego, there are risks of being out on the bleeding edge, or in being a minority adopter. Being held up as either innovative, or an early adopter, could indicate that your organisation is straying from the rest of the industry. A key concern for IT executives should be that this exclusiveness could equally herald a future shortage of skilled resources.
- Details
- James Turner
Conclusion: The market for third party mobile device management platforms is immature and there are differences in capability between products, but these middleware platforms are producing positive outcomes. While this market will commoditise quickly, the real risk for IT departments is that they design their applications and mobility strategy in such a way as to (yet again) lock themselves into a specific device/OS combination. The device shouldn’t matter.
- Details
- James Turner
Conclusion: Cisco and RIM will fail to dominate the corporate tablet computer market and will lose out to consumer technology from Apple and Android. Cisco is currently dabbling in this area, and RIM is slowly losing relevance in the enterprise.
There is a clear shift towards consumers using their own smartphones and tablet computers, and CIOs should start planning for how they will enable secure remote access to corporate data from any device, with any operating system. Buying into the dream of corporate issued mobile devices, built for the enterprise market, is buying a white elephant: expensive to maintain, supposedly prestigious, but ultimately useless.
- Details
- James Turner
Conclusion: Risk management and quality are two sides of the same coin. Building quality into organisational decision-making processes and systems is only possible if operational risks are well understood. The results of risk analysis should be a key input for the design of enterprise architectures and systems. It all sounds obvious, but risks associated with the decision-making processes in an organisation are only rarely quantified in terms of likelihood, impact on external parties, and potential costs.
- Details
- Jorn Bettin
Conclusion: The iPhone entered organisations like a bunker-buster, and has blown open the doors for diversity of devices and form-factors. Ultimately, most organisations will have devices that will be a blend of: a) a small set of corporate issued devices, and b) a larger set of personally owned devices. Consequently, any management of devices, and the data on them, must be independent of their various form factors, operating system, and capabilities (as per the PED trilemma). As a direct consequence, expect a long term shift away from trying to manage the device, towards a more focused effort to secure the data and authenticate the user.
- Details
- James Turner
Conclusion: The demand from non-IT business units for cloud computing is symptomatic of their desire for better IT services and should be supported, if not driven, by IT. However, an engagement with a cloud vendor must be treated with the same level of risk assessment and diligence as any other outsourcing engagement. Organisations must ensure that corporate governance is not bypassed in a rush for the cloud.
- Details
- James Turner
A fascinating advantage of the public cloud is the extremely high availability of the data (at least in theory!). From any device, from any Internet connection, I can surf to a site, provide my credentials, and access data. We are so used to webmail that we can be nonchalant
about this, but it is quite extraordinary. The trouble is, if the data is highly accessible to you when you are on any device on any Internet connection, then it is accessible to other people from any device on any Internet connection.
- Details
- James Turner
Conclusion: Data Loss Prevention (DLP) technologies have matured over the last 12 months. They are more capable, but there is still a wide range of capabilities between the various products, and an even wider gap between the brochure and reality. Before proceeding with a proof of concept, IT must understand the very specific requirements that the business is expecting to achieve through a DLP deployment, and how willing the business is to pay for these. Failure to understand these requirements, and failure to get business stakeholder commitment, will result in project failure.
- Details
- James Turner
Conclusion: The transmission of pornography in email is a serious issue for all organisations which aim to comply with their own HR policies on providing a workplace free of sexual harassment. However, the technology currently available to support these policies, through filtering and classifying images, is far from perfect. CIOs and HR professionals must clearly understand that pornography in the workplace is better managed as a cultural issue, not a technology issue.
- Details
- James Turner
Conclusion: Security professionals are valuable not only for what they know, but also for how they think. However, this style of thinking can often result in them being alienated for “being too negative”. An alienated security professional is a waste of resources, so CIOs should adopt DeBono’s Six Thinking Hats, a thinking exercise based on role-play, to ensure that they get the most value out of their security people.
- Details
- James Turner
Conclusion: Most of the pressure on IT departments to deploy or support iPhones is from organisational VIPs, and so IT departments should not resist a deployment, but they should delay. With a new iPhone operating system and a new generation of hardware just around the corner (as well as the recently released iPad) IT departments should assess third party mobile device management platforms to assist them in supporting and securing an iPhone/iPad deployment.
- Details
- James Turner
Conclusion: The rise in the Australian Dollar is encouraging many organisations to investigate using IT and business process service providers outside the country as a means of reducing their cost base. There is no doubt that ongoing savings are possible, but they will only be sustained if the risks are managed and IT professionals responsible for outcomes are diligent and track performance.
- Details
- Alan Hansell
Conclusion: A less frequently considered aspect of protecting an organisation’s information assets is the preparation required for the immediate aftermath of a successful attack. This is the crossover point between incident response and crisis management. The prudent organisation with valuable information assets has already planned what steps will be taken in the event of a successful attack. Most of these decisions must be made by senior executives from business units other than IT, and they must be made well in advance of the attack occurring. IT will merely be executing their instructions because decisions concerning the information assets are not IT’s to make.
- Details
- James Turner
Conclusion: The recent attack on Google’s infrastructure (and resulting announcement by Google of the attack) has a number of important lessons for organisations which are also attacked by well-resourced hackers. These lessons are important and may not be immediately palatable to many, who would prefer to hush up an attack.
- Details
- James Turner
Conclusion: The introduction of a Data Loss Prevention technology into an organisation will have a significant impact on organisational culture. An important aspect of the cultural impact is that a DLP product, if deployed in active blocking mode, could prevent senior people from doing their job as they (legitimately) share sensitive information with trusted partners such as accounting and legal firms. People in senior positions must be trusted to act as they deem best for the organisation, but this trust must be verified.
- Details
- James Turner
Conclusion: Today business knowhow is mainly stored in two places: in human brains and in software systems. Both forms of storage share the problem that raw knowhow is not easily transferable from one context to another. Valuable knowledge is repeatedly lost through staff turnover and through technology replacements. Minimising knowledge loss requires determination and an understanding of the mechanisms that lead to unnecessarily strong coupling between business knowhow and implementation technology.
- Details
- Jorn Bettin
Conclusion: Organisations that may be at risk of a discovery action should have strategies to minimise the impact of eDiscovery requests. They should have agreed processes in place and have implemented a comprehensive information and records management system that will enable rapid responses and minimise cost when responding to such requests. Poor electronic information management, particularly in the areas of email and collaboration tools are certain to create eDiscovery problems and expenses.
- Details
- Colin Boswell
Conclusion: Some organisations are deploying DLP, but the ones reporting successful deployments are the organisations that are able to invest more resources in both deployment and long-term support. Given the considerable overhead on staff, and the challenges of dealing with the deluge of alerts, organisations considering a DLP investment should first deploy endpoint encryption.
- Details
- James Turner
Conclusion: IT security managers in larger organisations in Australia and New Zealand are approaching cloud computing very cautiously. The leading concern is the geophysical location of data and the risk this introduces to organisations – primarily from the possibility of a data loss resulting in reputational damage. This means that organisations will have carry less risk if they retain data in a jurisdictional cloud.
- Details
- James Turner
Conclusion: From adversity springs creativity. History shows straitened economic times can serve as a greenhouse, rapidly germinating seeds of ideas that may otherwise have taken longer to establish themselves. Six clear trends have emerged from the Global Financial Crisis (GFC) providing business advantage to early adopters. The common thread is their potential to deliver organisational efficiencies, savings, or both. IBRS believe these trends are likely to deserve a place in the IT firmament for a considerable time. CIOs should defensively review these trends; the outcome may be selective adoption or deferral, but their potency cannot be ignored.
- Details
- Rob Mackinnon
Conclusion: Given that the deadline for Payment Card Industry Data Security Standard (PCI DSS) compliance has passed, and that most cardholder data in Australia/New Zealand is extracted via SQL injection attacks, local organisations should ensure that their website security gets priority attention. This is a classic instance of where a moderate degree of effort will result in an important reduction in an organisation’s risk profile.
- Details
- James Turner
Conclusion: Microsoft’s Forefront Client Security will need to achieve a “better than” market perception before security professionals will consider it to be a reasonable and acceptable enterprise response; and this relates to both its anti-malware effectiveness, as well as its ability to be managed and automated in a heterogeneous environment. Obviously, security is a sensitive subject for Microsoft, so its efforts in achieving a “better than” market perception will be considerable, but it will also take the healing passage of time.
- Details
- James Turner
Conclusion: Now, there is renewed pressure on new IT projects to prove their value. For IT security projects, managers may feel that they need to make excessively complicated calculations in order to prove a return on investment (ROI) and thereby justify the project, but this is an unnecessary complication. Rubbery figures will melt under close scrutiny – potentially sinking the project.
A security business case needs to communicate the fact that organisations must also spend money to stop losing money. Security projects are undertaken for loss prevention. Like all projects with soft benefits, an IT security project should be shown to be in alignment with, and supporting of, organisational values: specifically risk appetite. More mature organisations will have less of an appetite, particularly in challenging times.
- Details
- James Turner
Conclusion: Security awareness campaigns are actually an effort to change an aspect of organisational culture. Cultural change is famously difficult, takes a long time, and will ultimately fail if it does not have senior executive commitment. Specifically, senior executives must be seen to be exhibiting the behaviour of the new culture. The implication for security professionals is that awareness campaigns must start at the top and not move out across the organisation until there is behavioural change at the top.
- Details
- James Turner
Conclusion: Despite the vendor and media hype around malware threats to the hypervisor, the biggest risk to IT departments from virtualisation is insufficient procedural controls.
The risk stems from virtual machines being poorly managed, growing in number, and the consequent haemorrhage of money to support them. Virtual machines should be processed through a planned, and managed, lifecycle so that they do not sprawl out of control and absorb excessive resources. By using a chargeback mechanism, CIOs can ensure that each virtual machine instance is not further depleting the capacity of the IT department to support the organisation.
- Details
- James Turner
Conclusion: Organisations are potentially at risk from employee fraud, and a frequent motivator for the perpetrators is their gambling problem. While not all employees who gamble are going to commit fraud, it is imperative that the subject of gambling by employees is addressed as part of any organisational risk assessment. The subject is sensitive and complicated, but must be considered because of the direct cost of fraud.
- Details
- James Turner