Friday, 20 December 2013

Search Engine Optometrists

I had to see a new optometrist this month, and as is usual with every healthcare professional, I needed to fill in yet another client information form.  Everything was as expected until I came to the very last question:

Would you be happy for us to create a Google+ account in your name?  You can change your password anytime.  With this account you can review us or any other product or service at any time.  Yes / No

We've seen companies astroturfing for a very long time - using fake reviews to bolster their products - but I've never seen anyone be quite so blatant about it.  There is no information on how they will manage these accounts, who else they might share the passwords with, and what other services they might review at any time.  Truly it boggles the mind.

Perhaps someone thought that SEO stood for Search Engine Optometrists.

In a world where identity matters, where health data is considered sacrosanct personally identifiable information, who would ask such a question, and more importantly, who would ever say yes?
Phil Kernick @philkernick

Monday, 16 December 2013

The Value of a Human Life

While this sounds like a discussion better had after a few beers, we do seem to value human lives very differently depending on the source of the threat.

In the US in 2012:
- 440,000 people died from smoking related illness
- 33,000 people died from car accidents
- 32,000 people died from firearms
- 9 people died from terrorism

Wait, is that a typo?  No.  Let's go back further.  In the last decade 2003-2012, the total number of deaths in the US related to terrorism was 40.

More people die from firearms or car accidents every 10 hours than have died from terrorism in 10 years.
More people die from smoking related illness every 50 minutes than have died from terrorism in 10 years.

Imagine how many lives could have been saved if last year's $50B national surveillance budget had instead been spent on addressing common, well-known, real causes of deaths, rather than fear of the monster under the bed.

Phil Kernick @philkernick

Tuesday, 10 December 2013

10 years of CQR

We have just celebrated our 10th anniversary of the founding of CQR, and this gives us an opportunity to look back at the way the world was when we started the company, and compare it to the world we find ourselves in today.

In late 2003 almost everyone working in the information security industry in Australia either worked for a system integrator, who sold consulting services as a sideline to their hardware and software business; or for a large accounting firm who were branching out from their IT audit practices.  In both cases the advice given by the security consultants wasn't independent, it was seen as a vehicle to upsell their core services.  If you had a problem with network security, you were much more likely to be told that you needed a new firewall - one that was sold by the system integrator of course - than that you needed to improve your firewall configuration.

The four founders of CQR independently realised that there was a need in the market for genuine product-independent security advice, and that business focussed technical risk assessment was something that no-one else was offering.  A decade later this is still as true as it was back then, and we even see regression as independent security firms are being rolled back into system integrators and defence contractors.

It's one thing to have a vision, but quite another to put it into practice.  To make it happen required belief and commitment.  Belief that there was a need for the services that we were providing, and commitment to give up well paid jobs for 25% of a startup with no expectation of any pay for at least the first 6 months.  We have never wavered in the belief and commitment, and it has been rewarded year after year by our loyal clients and partners.  Our first year stretch target is now well below our average month.

Of course we had our detractors, who said that we would be out of business in a month.  Then three months.  Then a year.  When displacing an existing service delivery model, those displaced can either roll with the changes and grow, or waste time and focus looking at their competitors and stagnate.  Companies that were once our competitors are now no longer in business, new companies have sprung up following our lead, and we have adapted to meet the challenge.  But we have never taken our eye off our vision of being the largest independent security consultancy in Australia.

We were the first business in Australia to certify our operations to the international standard for information security management (then AS 7799, now ISO 27001).  We believed then, as we believe now, that we should be the number one client for our own advice.  We have never advised our clients to do what we say, but not do what we do.

Our success in our home town of Adelaide allowed us to open offices in Sydney and Melbourne to better service local businesses with local resources, rather than rely on a fly-in fly-out model which doesn't meet the flexibility needs of our clients and doesn't scale.  We also went international, opening an office in the UK which has now expanded to deliver services throughout Europe, Asia and the USA.

In 2013 we see cyber-security stories in the paper every day, there are nation-states spying on our companies, and information security certifications are seen as critical to the trust model of doing business.  Information security is no longer a nice-to-have, but a fundamental part of sustainable business practice.  The need for independent information security advice has never been greater.

In the next 10 years, we have detailed plans for the Australian operation to expand to open local offices to cover the rest of Australia as well as have a permanent presence in New Zealand and Singapore; while the UK operation will be delivering services both locally and in Europe and the USA.

I'm proud to have taken the risk to quit my job.  I'm proud to say that I've been involved in building CQR up from nothing to its dominant position today.  I'm proud to be making the world a safer place.

Phil Kernick Chief Technology Officer

Friday, 6 December 2013

Cyber-Warfare Battlezone

In 1980 Atari came out with an amazing video game named Battlezone.  In it you drive a wire-frame tank around a landscape, shooting enemy tanks, UFOs and missiles.  The US Army even commissioned a version of the game as a training simulator!  I remember spending many hours and a significant amount of my pocket money trying to defend against the enemy onslaught.  Today I do much the same thing, but now it's done by educating businesses on the cyber-threats that they face, and helping them develop the best-practice process and technology required to safeguard their people, productivity and profits.

Good security practices are no longer optional or just "nice to have".  The age of naivety has well and truly passed, and businesses that continue to operate with a head in the sand attitude are not able to effectively maximise the returns on their assets - assets that are increasingly digital, portable, and greedily desired by competitors and developing nations alike.  A recent Akamai "State of the Internet" report has shown that Indonesia and China combined represent 71% of the global attack traffic.  These are not stereotypical dysfunctional teenaged hackers; this is targeted, industrialised intellectual property theft.

One of the biggest blockers to effective security management is the belief that it is an IT problem, and that IT will solve it.  If this were true, then there would be no spam, no viruses, and no cyber-crime.  Yet 20 years of the best minds in the best IT companies, developing the best products has left us where we are, heading upstream without a paddle.  Security is a people problem, and until it becomes just business-as-usual, integrated into every business process, we will make little headway.  We already know how to deal with safety: safety is everyone’s problem.  We just haven’t realised that information security is business safety, and is also everyone’s problem.

The security foundations are able to deal with yesterday’s problems – patching, antivirus and firewalls – but they are no longer enough to keep us safe from today’s problems.  Today we live in a portable world, where the ability to work anywhere, anytime and have complete connectivity whilst doing so has meant that the implied protections of the past no longer exist.  Home networks are not as well protected as business networks.  Portable devices are left unprotected in airport lounges.  Social networks allow us to connect to our attackers in unimaginable ways.  Every protection we have built can and will eventually be bypassed.  It is no longer “if” but “when”.

The planned Data Breach Disclosure legislation in Australia will help us to help ourselves.  The intent is not to blame the victims, but instead give businesses incentives to protect their own assets, and break the culture of silence.  A company director is more likely to support a security improvement programme if they are the one who will be held personally liable for a data breach, the average cost of which in Australia was $2.13M last year.

Just like the Battlezone game, we need a radar to tell us when attackers are approaching, not discover it when having to clean up the mess.  Most businesses spend too much on protecting from attack, and not enough understanding the threat landscape they operate in, and detecting when the protections have failed.  In a video game we can just insert another coin, press start and try again.  We don’t have that luxury with our businesses.

Phil Kernick Chief Technology Officer