Friday 28 June 2013

The Ostrich Approach to Security Management


If you find that your security has been compromised, the normal approach the most businesses take to addressing it goes something like this...

Step 1: Admit you have a problem.

Step 2: Blame someone else.

Step 3: Hire a lawyer.

I'm going to spend some time on step 2, as I think that this is where the process really goes off the rails.  Before we can blame someone else, we need to decide who to blame.  All too often instead of blaming the attacker, we blame our IT department for not managing our systems appropriately.  How could they possibly have let this happen?
 
The answer is depressingly simple: senior management are taking the ostrich approach to security management.  If I can't see it, it can't hurt me.  If I stick my head in the sand, I can't see it.  I know how to stick my head in the sand.  Problem solved!

The outcome of this approach is that the perennially blamed IT department are not given guidance on what they should be protecting, how they should be protecting it, nor the training to protect it in the first place.  Most IT departments simply are not competent to answer the question: "Are we secure?".  The only honest answers they could give are "I don't know" or "As best I know how", but this isn't what management want to hear, so this isn't what the IT department says.

To quote Spaf's first principle of security administration: "If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong."

Sand is cheap.  Real security is a lot more valuable.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com

Tuesday 25 June 2013

To Protect and Serve Coffee

So much is currently in the news about government surveillance, I'd like to look at a different intersection of law enforcement and data retention - how the police can help you when you are the victim of a cyber-attack.

Unfortunately the decision to involve the police is not trivial, and really depends on what outcome you are hoping for.  If you just want the problem to go away, involving law enforcement can get in the way of your recovery, as they will want to collect forensically sound evidence, and the process of going to court can and does take years.  Even if you go down this path, the likelihood of restitution is very low and it will cost a fortune.  So most businesses don't bother.

If it were a physical crime, we automatically report it as this is a necessary precondition to claiming on our insurance.  There is also no stigma about being broken into physically.  But things are different in the cyber world - there is no cyber-insurance to claim on, and there definitely is a stigma about being hacked.  This is even more reason for businesses to fix it and move on without police involvement.

But if we look at this in a slightly different way, the view changes.  Instead of looking to law enforcement to locate and prosecute the offenders, we can ask for their assistance in collecting and storing any evidence we might need in the future, and provide them with anonymised information that helps to build a profile of the cyber-crime landscape.

Less protect and serve, and more coffee and collaboration.

Unless you are the bad guys, the police are not your adversary, and they really can be good friends.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com
 

Monday 17 June 2013

PRISM splits the Red from the Blue

It has recently been reported that the NSA has a classified electronic surveillance system called PRISM, that has been systematically and wholesale vacuuming up information on Internet users.  The vast majority of the data comes from Yahoo, Google and Microsoft.

I'm shocked, stunned, and more than a little amazed.

Not that they are doing it of course, as Blind Freddy could see that it was going to happen.  I'm shocked, stunned, and more than a little amazed at the people who are surprised by this, and are suffering a fit of moral indignation.

We live in a world of pervasive electronic surveillance.  From satellites mapping the globe, to Google cars collecting photographs and WiFi traffic, to CCTV cameras in every major city with active face recognition, to the supermarket loyalty card you use for a discount, to your friends and family posting your every move on Facebook, and finally to governments snooping on the Internet.  We can have heated discussions about whether this should be, and what it means, but the horse has well and truly bolted.

This is not new.  This is not unexpected.  This is not a surprise.  Mostly we did it to ourselves.  The real question is what are we going to do going forward, and this is something we do have a choice about.

The providers that are reported to be the major source of information are the free e-mail services, the ones that already data-mine your e-mail to serve you targeted adverts.  As you didn't pay for the service you are not their clients, you are their product - they sell your eyeballs.

If you want to take back control, choose to use a different provider.  If you want to make it harder to be snooped on, choose to always use encryption.  It might be impractical to go completely off the net, but you can choose to not make it easy.  Or you can choose to keep the benefits you have at the cost of your privacy.

Security is your choice.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com


Tuesday 4 June 2013

Mandatory Data Breach Notification

The Australian Government has just announced that mandatory data breach notification laws will commence in March 2014.  This is an excellent start, and the Government is to be congratulated on the initiative.  I'm not normally one to promote more "cyber" legislation to cover new implementations of old crimes, but this really is a new type of crime for which no existing legislation adequately applies.

We've had identity theft for as long as we've had scammers, but in the pre-Internet world this was done one at a time, and required local knowledge and a lot of effort.  But now it can be done wholesale, from anywhere, to anyone, for nearly no cost.  And this is happening every day.

So how will mandatory data breach notification help?  It won't make us any more successful in prosecuting the attackers, so it won't reduce the number of attacks.  It has nothing to do with helping the people who are the subject of identity theft, so it won't reduce the impact of the crime.
 
Today the only sensible approach to take for any company that has a data spill is to cover it up.  There is no possible positive outcome from telling anyone, and a significant likely negative outcome in terms of reputation damage, share price reduction and loss of market confidence.  So this just looks like more victim blaming.

The real point is to make businesses care about security.  If they know that they will be named and shamed, they are more likely to take the necessary steps to not be breached, and therefore reduce the number of actual breaches, and so reduce the impact on the Australian people.  Raising the cost to the attackers is a win for everyone.

Better security is an investment in the future, not a cost to be minimised.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com