Cyber & Risk
Understanding cyber security has never been as critical as it is today.
The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.
In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you?
IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards.
Conclusion: In this era of targeted, self-obfuscating, and successful cyber-attacks, organisations must do three things. First, recognise that the organisation cannot prevent a dedicated attack. Second, understand what the organisation’s information assets are, and where they are. This is because we cannot always anticipate how the attacker may get in, but it is imperative to know what they are likely coming for. Third, increase your focus on detection and incident response, because you must be able to deal with a breach when it happens.
- Details
- James Turner
Conclusion: IT departments must alert both HR and legal counsel that the Mobile Device Management (MDM) platforms being deployed have the potential to put the organisation in breach of workplace surveillance legislation. MDMs can activate the cameras built into smartphones, activate the microphone, and access the smartphone’s GPS. Working with Legal and HR will likely result in new Acceptable Usage Policies for staff, and IT most likely needs to review controls for the MDM platform to ensure that these capabilities are not abused.
- Details
- James Turner
Conclusion: While the capability to filter content to corporate-issued smartphones and tablets is a capability that a number of organisations are interested in, very few organisations have taken this step. Most organisations are taking the view that the risk of an employee accessing inappropriate content while on a 3G/4G connection, and offending their colleagues, is low, and best managed through line managers and policy. Typically these trusted staff are also reasonably senior, hence their being issued with a corporate device. The perspective changes, though, if the organisation is concerned about field staff wasting time. In these instances, restrictions are seen as an aid to productivity and the device is heavily restricted.
- Details
- James Turner
Conclusion: The intention and skill of an attacker will ultimately determine the impact of the attack, regardless of the preventative technologies an organisation has. In this respect, a skilled attacker intent on destruction is akin to a natural disaster: measures can be taken but ultimately it’s out of your hands. We cannot prevent floods and earthquakes, so what makes a difference is how organisations respond to these disasters. It is imperative that organisations with disaster recovery and crisis management processes extend these to include responding to cybercrime. The first area to look is at how the organisation will deal with not being in control of its own IT, including communications systems such as email and VoIP.
- Details
- James Turner
Many years ago when I lived in Perth, one evening after work I was standing in chest-deep water at Cottesloe beach admiring the sunset. I happened to turn and look to my left and saw a fin sliding out to sea, about 10 metres away.
I quickly realised that the fin was making the sine wave motion of a dolphin, not the sideways sweep of a shark. When I turned to face the beach, there was a small crowd of 20 or so people gathered at the water’s edge. As I got out, a lady said to me, “He was swimming right behind you”.
- Details
- James Turner
Conclusion: As organisations become increasingly dependent on computer systems, IT will have an increasingly important role to play in preventing and detecting fraud. CIOs must ensure that there are sufficient checks and balances minimising the risk of IT professionals abusing their elevated systems privileges, and that systems are configured to produce useful logs. CIOs should also ensure that policies for the prevention, and detection, of fraud are tested and enforced. Policies for log management and data retention should get high priority.
- Details
- James Turner
Conclusion: Security incident and event management (SIEM) products can deliver solid insights into the security status of an organisation’s network. However, SIEM requires ongoing support, mature change control processes, and rapid and open communications between diverse teams within the IT department - as well as the rest of the organisation! A successful SIEM deployment must factor-in the resources required for ongoing support. These resources will be in proportion to the complexity of the network.
- Details
- James Turner
IBRS, along with many other organisations, has written extensively about “the cloud”. Every organisation selling a product and/or service puts its own spin on what the cloud actually is.
The appeal of cloud computing cannot be denied,and the buzz in the market for the last few years is evidence of the desire of IT organisations to find ways to deliver IT services that are: better,cheaper, more resilient, more secure, and moreuser friendly.
Cloud services are not similar to a highly virtualised internal IT operating environment, although cloud vendors may use virtualisation extensively. Nor are they similar to the tightly controlled experience of time-sharing on a mainframe back in the 1970s, although cloud vendors may price their services in a similar user-pays model. Even though webmail, a form of Software as a Service,has been available to consumers since the 90s, cloud vendors have moved well beyond that simple offering.
While there are excellent and crisp definitions of what the cloud should be, for example the definition provided by the National Institute of Standardsand Technology1 (NIST), what really makes cloud new is how the term itself has become both all encompassing, and yet completely useless at defining the nature of the service!
- Details
- James Turner
Conclusion: Blackberry 10 will, at best, bring Blackberry functionality to where iOS and Android have been for over a year. However, most organisations are moving away from Blackberry, either publically or in a steady, quiet, exodus as users choose which handset they’d rather have. BB10 will not stop this exodus as it is designed for the enterprise, not the consumer. The steady decline in fortunes for RIM will be painless for most organisations, except the few that are tightly coupled to the Blackberry ecosystem. These organisations should act now to minimise the coming impact of dealing with a company with a bleak future.
- Details
- James Turner
Conclusion: Organisations which have gone down the Mobile Device Management (MDM) path with a view to enabling their staff to bring their own device (BYOD) are discovering the shortfalls of this device-control approach. A BYOD device is not a corporate asset and cannot be treated as such: it should be viewed as untrusted and treated accordingly. Consequently, leading organisations are treating BYOD as an exercise in remote access. Instead of trying to control the untrusted device, focus on user experience, and controlling access to the data.
- Details
- James Turner
Conclusion: The success of a security professional is not measured by whether their recommendations are adopted, but whether the technical risks faced by the organisation have been identified and communicated in terms of business impact to decision makers. This enables the business to make informed decisions. Consequently, security professionals must make it their highest priority to be in communication with the business, because one of the most impactful technical risks is a communications gap between the security team and the business. IT security professionals must take on learning the language of their business, because it isn’t the business’s responsibility to learn to speak IT security.
- Details
- James Turner
Conclusion: Every technology trend in the financial services sector (principally BYOD, changes in cybercrime, cloud, and DLP) has an aspect of identity and access management. IBRS research on the identity management market in Australia has found that there is a very small resource pool of sufficiently skilled practitioners. This means that the financial services organisations in Australia face a significant challenge in the coming years, primarily from a lack of good security people to architect, execute, support and monitor technical controls.
- Details
- James Turner
Conclusion: Identity management projects do not have a good reputation for successful delivery. Too often, the final implementation fails to live up to promises. Identity management projects can deliver genuine value to a business, including: compliance with regulation, improving customer satisfaction, or reducing risk. But if the business is not driving the project, then the project is probably off the rails and heading for failure. In this situation, CIOs must seriously consider terminating the project because a project not driven by the business is one being imposed on it – it is the tail wagging the dog.
- Details
- James Turner
Conclusion: IT security strategies are an invaluable resource as a means of coordinating security efforts and in improving funding approval for security projects – because they can be shown to be following a coherent consistent strategy. The process to create them is an overlooked source of value for the information that it uncovers. An IT security strategy must be closely aligned with what the business believes its security and risk priorities to be. The process of uncovering business impact against various systems is likely to bring up unexpected gaps in knowledge for both IT and the business, and it is here you will find additional gold.
- Details
- James Turner
Conclusion: Patching is now considered a standard part of IT operations. Vendors release patches either to mitigate against new risks, or to introduce new functionality. However, the application of a patch can not only result in the intended outcome (risk mitigation or expanded functionality), it can also have unintended consequences.
Organisations looking at creating a patching strategy should ensure that the business stakeholders are clear on the potential impact of both patching, and non-patching. Either choice carries risk. What will make the difference for organisations are security professionals who can crisply articulate the balance of these technical risks as they pertain to the business requirements of the organisation.
- Details
- James Turner
Up to this point I’ve been a supporter of data breach notification. Coming at the issue as an industry analyst, I think that transparent information on the local experience of data breaches (such as what information is targeted by attackers, how much it costs a company to deal with a breach, the frequency of breaches, the avenues of attack, and so on) would be extremely valuable to the industry as a whole. This is the luxurious, wide-angle, perspective which is expected of an industry analyst.
Then a story such as the hacking of Verisign comes along. In October 2011, Verisign disclosed in a quarterly report to the SEC that: “The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements.”
- Details
- James Turner
Conclusion: As cloud services - typically Software as a Service - become increasingly accepted, the IT industry is gaining valuable experience in the actual risks of putting data in the cloud. Most of these risks centre around data confidentiality. Knowing the actual risks, rather than the fear, uncertainty and doubt that vendors and security consultants can throw at the cloud, enables CIOs to make informed choices and recommendations to the business on cloud usage.
- Details
- James Turner
Conclusion: Whether in the domain of IT security, or in corporate fraud, when an organisation has been successfully attacked, what makes the difference is knowing that the attack occurred, and knowing as soon as possible. For organisations working to make their IT security budget go further, having a third party service provider check security logs is proving to be a cost effective form of selective outsourcing. Of course, this service doesn’t make an organisation perfectly secure, but early knowledge is vital to incident response and loss minimisation.
- Details
- James Turner
Conclusion: Organisations are finding that there are potentially many benefits to deploying a single smartcard that can perform multiple functions. A unified smartcard carries the possibility to reduce costs, improve security, and improve user experience. However, the complexity of a smartcard deployment is a function of the number of business units and processes that will be touched, and so thorough research and planning is essential. Strong political will from an executive sponsor is also imperative to success, and can be generated with a business case that is explicit on what the intention, and ranked objectives, of the deployment are.
- Details
- James Turner
Conclusion: Cloud computing has multiple dimensions that must be considered when analysing risk. The use of four key variables can rapidly identify the expected level of risk in a cloud computing scenario. These four variables – deployment model, geographic location of data, supplier arrangements and information criticality – can be quickly applied to assess the level of risk and determine a suitable mitigation strategy.
- Details
- Kevin McIsaac
Conclusion: Despite the apparent value of the DSD’s Top 35 Mitigation Strategies report, organisations considering executing its recommendations will have to weigh up the business impact of implementation. In some instances, a mitigation strategy may be too intrusive on business operations. For some, the cost of ongoing support may be too high. However, the most significant barrier will be communicating risk to the business, and the need for a given strategy (particularly the more intrusive ones!). In order to realise the benefits of this resource in improving an organisation’s security posture, the report will need to be translated into business impact in order to gain executive buy-in.
- Details
- James Turner
Conclusion: Tim Cook, the new CEO at Apple, is noted for his excellence at managing Apple’s supply chain, and while he has spoken about engagement with the enterprise space, this will only be a token gesture from Apple. Enterprise IT does not play to Apple’s strengths. Apple will continue to focus on being great at what it already does: designing for, and selling to, consumers. This presents a challenge for enterprise IT departments because in the absence of meaningful enterprise support from Apple, enterprise IT must aim at negating the impact of any device’s form-factor.
- Details
- James Turner
Back when I was at university, I had two particularly interesting lectures in the same week; one from the school of management, and one from the school of marketing. What made them so interesting was the timing as well as the content of the two lectures. Management said, “perception is not reality”. Marketing said, “perception is reality”. (I agree with both statements.)
Management said that just because I felt a certain way about a situation, my feeling didn’t make my opinion the truth. Perception is not reality. Marketing said that even if you have the best product, if the consumers think another product is better, then the other product is better! Perception is reality.
Which brings me to the consumerisation of IT and mobile devices.
- Details
- James Turner
Conclusion: There are three key areas of risk to an organisation in enabling staff access to social networking sites. These three areas relate to: the data being shared with the site, the people using the site, and adherence to organisational policies. The point of greatest impact to address all three areas of risk is in training the users to interact with these social networking sites safely and securely. The employees are consumers of IT both at work and at home and their personal risk appetite will guide their behaviour in both locations, so education is vital in order to change behaviour. The importance of this point will become increasingly obvious as organisations explore mobility and BYOD (bring your own device) initiatives.
- Details
- James Turner
Conclusion: The Stuxnet worm was a turning point for the development of malware. Over the last few years even the anti-malware vendors have been acknowledging that the signature-only approach for AV is insufficient. We must assume that we will not be able to detect the malware itself, we must rely on being able to spot the ripples of its passage. The next 12-18 months will see the early majority of organisations (pragmatists) crossing the chasm and joining the early adopters in looking at anomaly detection and event correlation products.
- Details
- James Turner
Conclusion:The latest Verizon Data Breach Investigation report (2011) continues many of the themes drawn out since its first publication in 2008. However, the DBIR is not a best practice guide on how to secure organisational data; it is an aggregation of cases where organisations failed to secure theirs. Consequently, the DBIR should be viewed as a document which identifies worst practice, and provides instructions on how not to be a follower of worst practice. Some of the breaches that have made headlines this year show that even well-resourced organisations can overlook the basics of IT security.
- Details
- James Turner
Conclusion: It’s easy to become complacent about emergency procedures. But the importance of emergency procedures which support health and safety in the workplace cannot be overlooked just because they are time consuming and boring. Just as preventative security technologies are only as effective as the diligence that goes into their configuration and ongoing support, emergency procedures are only as effective as the diligence with which they are maintained, communicated, and practiced. When something goes wrong, you need to know that your staff have been given every resource to handle themselves and the situation.
- Details
- James Turner
Conclusion: For customers, there are many advantages, both tactical and strategic, to participating in vendor reference programs. However, IT executives should give thought to scenarios which involve their organisation being held up by a vendor as either innovative, or an early adopter. While the attention may appeal to the ego, there are risks of being out on the bleeding edge, or in being a minority adopter. Being held up as either innovative, or an early adopter, could indicate that your organisation is straying from the rest of the industry. A key concern for IT executives should be that this exclusiveness could equally herald a future shortage of skilled resources.
- Details
- James Turner
Conclusion: The market for third party mobile device management platforms is immature and there are differences in capability between products, but these middleware platforms are producing positive outcomes. While this market will commoditise quickly, the real risk for IT departments is that they design their applications and mobility strategy in such a way as to (yet again) lock themselves into a specific device/OS combination. The device shouldn’t matter.
- Details
- James Turner
Conclusion: Cisco and RIM will fail to dominate the corporate tablet computer market and will lose out to consumer technology from Apple and Android. Cisco is currently dabbling in this area, and RIM is slowly losing relevance in the enterprise.
There is a clear shift towards consumers using their own smartphones and tablet computers, and CIOs should start planning for how they will enable secure remote access to corporate data from any device, with any operating system. Buying into the dream of corporate issued mobile devices, built for the enterprise market, is buying a white elephant: expensive to maintain, supposedly prestigious, but ultimately useless.
- Details
- James Turner
Conclusion: Risk management and quality are two sides of the same coin. Building quality into organisational decision-making processes and systems is only possible if operational risks are well understood. The results of risk analysis should be a key input for the design of enterprise architectures and systems. It all sounds obvious, but risks associated with the decision-making processes in an organisation are only rarely quantified in terms of likelihood, impact on external parties, and potential costs.
- Details
- Jorn Bettin
Conclusion: The iPhone entered organisations like a bunker-buster, and has blown open the doors for diversity of devices and form-factors. Ultimately, most organisations will have devices that will be a blend of: a) a small set of corporate issued devices, and b) a larger set of personally owned devices. Consequently, any management of devices, and the data on them, must be independent of their various form factors, operating system, and capabilities (as per the PED trilemma). As a direct consequence, expect a long term shift away from trying to manage the device, towards a more focused effort to secure the data and authenticate the user.
- Details
- James Turner
Conclusion: The demand from non-IT business units for cloud computing is symptomatic of their desire for better IT services and should be supported, if not driven, by IT. However, an engagement with a cloud vendor must be treated with the same level of risk assessment and diligence as any other outsourcing engagement. Organisations must ensure that corporate governance is not bypassed in a rush for the cloud.
- Details
- James Turner
A fascinating advantage of the public cloud is the extremely high availability of the data (at least in theory!). From any device, from any Internet connection, I can surf to a site, provide my credentials, and access data. We are so used to webmail that we can be nonchalant
about this, but it is quite extraordinary. The trouble is, if the data is highly accessible to you when you are on any device on any Internet connection, then it is accessible to other people from any device on any Internet connection.
- Details
- James Turner
Conclusion: Data Loss Prevention (DLP) technologies have matured over the last 12 months. They are more capable, but there is still a wide range of capabilities between the various products, and an even wider gap between the brochure and reality. Before proceeding with a proof of concept, IT must understand the very specific requirements that the business is expecting to achieve through a DLP deployment, and how willing the business is to pay for these. Failure to understand these requirements, and failure to get business stakeholder commitment, will result in project failure.
- Details
- James Turner
Conclusion: The transmission of pornography in email is a serious issue for all organisations which aim to comply with their own HR policies on providing a workplace free of sexual harassment. However, the technology currently available to support these policies, through filtering and classifying images, is far from perfect. CIOs and HR professionals must clearly understand that pornography in the workplace is better managed as a cultural issue, not a technology issue.
- Details
- James Turner
Conclusion: Security professionals are valuable not only for what they know, but also for how they think. However, this style of thinking can often result in them being alienated for “being too negative”. An alienated security professional is a waste of resources, so CIOs should adopt DeBono’s Six Thinking Hats, a thinking exercise based on role-play, to ensure that they get the most value out of their security people.
- Details
- James Turner
Conclusion: Most of the pressure on IT departments to deploy or support iPhones is from organisational VIPs, and so IT departments should not resist a deployment, but they should delay. With a new iPhone operating system and a new generation of hardware just around the corner (as well as the recently released iPad) IT departments should assess third party mobile device management platforms to assist them in supporting and securing an iPhone/iPad deployment.
- Details
- James Turner
Conclusion: The rise in the Australian Dollar is encouraging many organisations to investigate using IT and business process service providers outside the country as a means of reducing their cost base. There is no doubt that ongoing savings are possible, but they will only be sustained if the risks are managed and IT professionals responsible for outcomes are diligent and track performance.
- Details
- Alan Hansell
Conclusion: A less frequently considered aspect of protecting an organisation’s information assets is the preparation required for the immediate aftermath of a successful attack. This is the crossover point between incident response and crisis management. The prudent organisation with valuable information assets has already planned what steps will be taken in the event of a successful attack. Most of these decisions must be made by senior executives from business units other than IT, and they must be made well in advance of the attack occurring. IT will merely be executing their instructions because decisions concerning the information assets are not IT’s to make.
- Details
- James Turner