RoundTable
September - October 2008

Feeling Secure?

Security remains a major topic at financial firms, and the latest economic woe is unlikely to reduce the burden on IT security departments. The latest FST roundtable pulled no punches in its assessment of the threat, and of the difficulty in creating good solutions.

Matt Lambert, of the data security division of the Onyx Group (ML)
Professor Fred Piper, the information security group, Royal Holloway (FP)
Paul Williams (Chairman), ISACA Information Systems Audit Control Association and IT governance adviser to Protiviti (PW)
Matthew Ford, head of information security for the asset management group, Sarasin & Partners LLP, London, Dublin & Dubai (MF)
John Shaw, director of endpoint security and control at Sophos (JS)
Head of IT audit at an international bank (IB)
Geoff Donson, group security manager for TelecityGroup and formerly of the National Infrastructure Security Co-ordination Centre [now the Centre for the Protection of the National Infrastructure] (GD)
Colin Hart, based at a London investment management house (CH)
Jon Pumfleet, head of information security with Threadneedle (JP)

Seated and refreshed by coffee, the panel launched straight into the economic realities of today’s market, and how the slowdown is affecting the way in which security is dealt with:

The credit squeeze
PW: Are threats different from 12 months ago? What is top of people’s agendas in the present tough climate?

JP: Outsourcing, managed services and cloud computing are all doing the rounds again, and the turnover of employees obviously heightens concerns around training and IP theft, but the main issue is risk governance. The credit crunch has brought market and credit risk to the fore and left operational risk behind.

IB: We recently had a data breach in the US that focused senior management’s mind on improving security controls. As long as there’s a perception that there’s risk to be mitigated the money will be found whatever is going on outside.

PW: What are we seeing from the supply side? Are any of the solution vendors seeing differences in the buying patterns of banks and the things they’re buying?

JS: I think there’s definitely a slowdown of growth. That is, I think the perception of risk and the number of threats that are out there are growing faster than spend is. I’ve certainly seen more of a focus on the need for a strong business case, which unfortunately isn’t always there until something really bad happens. Another thing I’ve seen as a result of the crunch is less willingness to invest in new areas – new products and new projects.

FP: I concur with that, with the proviso that one area seems to be insulated from the slowdown in growth, and that’s clearly meeting the audit. A lot of organisations and establishments have June and December audit points and we’re seeing those as key drivers. We’re not seeing things drying up, because there’s not that option.

GD: Telecity Group is seeing spend, although this is primarily driven by the need to implement ISO 27001, the external audit process and customer demand for this security standard.

PW: Is it driven because management really do understand the importance of this, or is it purely because they want to get a tick in the right box on the audit report?

IB: Most business managers don’t want us to raise audit findings against them because it reflects on their performance. But when it comes to information security they want us to because it’s only when the auditors say that we need encrypted tapes or we need to block USB ports that the budgets get released.

JP: And that’s the rub – audit.

PW: It’s true that many security specialists still talk about IT security and not information security. IT security seems a bit techie and there is a perception that those “guys in white coats in the basement” deal with that. It’s easier to buy some gadget that can be presented as a fix for an audit point than it is to implement something like a governance change. A business change may address the problem more fundamentally, but it needs business buy-in, which is slower and less predictable.

FP: The government talks about IA – it doesn’t talk about ITA. There are groups that talk about IT security and don’t recognise information security, and that’s a very sad state of affairs. But by and large information security means looking after information from birth to death.

MF: This is also an issue about corporate governance driving your security standards. At my old place, when audits came in after SOX, demanding mandatory risk control and self assessment (RCSA) testing every 90 days, resources for technology were diverted to produce data from every system, so it could be analysed from every angle. After a few years of very heavy output, business unit heads began asking where the return on investment was.

GD: And in some companies, they get a certificate and then do nothing more about it until the year end; it becomes a culture issue.

ML: Is that a culture issue or a resource issue? Historically the data classification process was so resource intensive that many organisations were unable to justify further exploration of strategic options. Today, however, we have developed far less resource-intensive ways of completing the classification process. Organisations can now create data centric security policies which can be underpinned by technology to control data usage appropriately.

FP: We do have lots of companies that come in to the university, and the word ‘culture’ has been mentioned once or twice. BT, for instance, has this drive for security just as much as anyone else. They have a culture that says nothing can happen – no business venture can happen, without it going to information security.

JP: In all of this it’s quite revealing that the most important word, which none of us have used yet, is the customer. In terms of governance, the board isn’t going to change for fun. Until the customer starts demanding this stuff we’re forever going to be pushing a piece of string to a certain extent. This might change as we – as customers ourselves – focus on our own third parties; if we all become more demanding of our suppliers and focus on the end-to-end information lifecycle that Fred mentioned. Once people understand that the customer requires this, and you need it to win business, then boards will change.

PW: But what exactly is the client demanding? And who sets the benchmark?

IB: Well, I’d like to be able to go to the business and say this is what the Financial Services Authority requires and this is currently what we’re not doing, and this is what we should be doing. It’s easier for me than trying to guess what the FSA wants and then get it wrong.

Inside outside
PW: Let’s move on to the slightly different topic of threats and how those threats are changing.

IB: One thing is that when things happen in other parts of the world, organisations need to look at what’s occurring to understand what the new threats are and how they need to respond.

MF: That is a fear; I’m dealing with a very aristocratic culture that’s high in finance and they almost feel a little bit affronted when presented with foreign examples of cybercrime. They don’t often see the relevance or necessarily believe in the gravity of risk to their business affairs within the UK.

GD: Having spent ten years in law enforcement in this area, a great majority of the times when I came into contact with people who had transgressed the law, they worked on the inside in some way or other, and those who were external from the company were very often ex-employees. I know this term ‘the disgruntled employee’ has become a bit of a cliché, but it is a simple fact that this is the major threat. There are very, very few genuine external attacks. That is the definitive law enforcement opinion; perpetrators are most often people who have had some kind of bad experience with a former employer.

IB: Is it really people who are genuinely disgruntled about the way they’ve been treated, or is it people who are using it as an excuse?

PW: It’s opportunists.

IB: So they have an unblemished character coming in to the company?

GD: To a large extent, yes. That’s the shock: you’re dealing with people who hitherto haven’t come into contact with law enforcement, and they are people that you wouldn’t expect to see in a police station because they’re not the typical kind of criminal. These are people who do not get involved with traditional crime; it’s quite specific to this one crime.

CH: Fraud is where dishonesty meets opportunity. Part of what I see us doing from an information security point of view is denying people the opportunity. In some ways they can almost be as dishonest as they like, but if they don’t have the opportunity to do some of these things...

IB: I like that phrase because I think people trust their colleagues. It’s a bit like your family. Now, I love my family, I trust them. But I don’t want my kids knowing my password. I think when kids are growing up they always push the boundaries and an employee is a grown up kid. So, I think you’re right. I think the key is to take away any opportunity.

MF: I hear that all the time. This is one of my security mantras that I quote to my staff, especially when they come asking for admin rights. “I’m here to save you from yourselves”! Pure information security gospel! Staff are more likely to damage or lose data before someone on the inside steals it. The principles of information security are designed to protect against this ubiquitous threat, which is far more likely than insider theft or external hacking. Sadly, there is always one person who will ruin it for the rest of us, as they will try to get away with what they can, when we are not watching.

JP: There’s a rule of thumb that out of every four people that you meet, one is an out and out criminal; one is honest to the point of stupidity and the other two are constantly doing little risk assessments to see what they can get away with. Most people are ethically sound but have done something illegal at some point in their lives – so pre-employment criminal checks just eliminate those who are poor at risk management.

MF: I was in an American organisation, where we took the approach that you trust your people by confirming that what they’re doing is right. Now I’m in a UK organisation where we do the standard criminal checks on people before we hire them and then we just trust them openly after that. It is a big cultural change. I think the bottom line here is that people must know they are subject to regular and frequent monitoring, and that disciplinary action will result in any cases of misconduct.

A Mars a day
PW: But what about other threats, those not necessarily financially motivated – the disruptive nuisance-type events that one also reads about?

JS: I think that a lot of the recent data loss events have not actually been criminal. It’s people doing things they don’t believe other people would mind – or notice.

ML: Internal awareness is key and is an area we’re increasingly being asked to help out with. There are two considerations here; firstly ensuring that all employees from the top down understand the intrinsic need for data and information security policies and controls, and we need to be able to demonstrate for internal audit and regulatory requirements that our employees are aware of, and really understand, business policy. Secondly, good classification of business data: what really needs to be safeguarded in the first place? Once we have identified what high impact data exists we can create the appropriate policies and control how this data is used, right across the enterprise – whether it is in transit, in use, or at rest.

JS: The thing is that these days everything hides; you don’t know that you’ve got a problem. The web plays a huge part in that, and maybe the user isn’t being stupid – it looks like a valid place to go, but the web is being used as the transport mechanism so that the information is then sent back somewhere else. You have to allow an awful amount of stuff to go through the primitive defences you’ve got. You have to let people use their personal email, but then how do you know they’re not uploading sensitive data into that personal email and that’s going straight past corporate email scanners?

IB: One of our businesses doesn’t allow access to personal email accounts, but it does have an Internet Café.

JP: But firewalled off from everything else?

IB: Absolutely! I mean, someone recognised the risk and addressed it.

JP: This is where, with every respect, I wish I could trust vendors more! Vendors – present company excepted – perpetuate fear and doubt, but use very few specific facts. Because of the nature of our work, all we ever hear about is the once-in-a-decade Jérôme Kerviel incidents, and not much else in between. You can’t go to the board and say: “Stuff is probably going on all the time and you don’t know it. Can I have some money please?”

IB: One of the things that we recently heard about was where everyone walking in Liverpool Street Station was asked to reveal their password for a Mars bar. A lot of people are quite savvy and wouldn’t reveal their passwords, but some gave a false password because no-one would ever know. So it’s – shock, horror – 80 per cent of employees would give away their password for the price of a Mars bar. But actually the survey is meaningless because no-one can prove the answers and whether people were one step ahead and thinking ‘a free Mars bar’.

MF: That was commissioned by a vendor!

ML: I think quite successfully!

PW: But the annual DTI [now BERR] government survey is quite authoritative.

JP: It’s great, it’s just a shame they keep changing the questions so it’s hard to identify trends.

FP: There’s a clear suspicion, which you’re probably aware of, about the survey – namely, respondents only share what they want to share, as with the Mars bar.

JP: I talk to my board about the car park analogy. We don’t want to be the Porsche with the window wound down in the unlit corner of the car park. If you’re the most attractive target, you’ll be hit. You want the criminal to move on to another car. What would be really helpful is a kind of benchmarking that tells us where we sit versus our peers because otherwise we’re trying to measure ourselves against an abstract.

FP: Well, there are companies that collect information. It wouldn’t tell you how secure you were with absolute judgment, but it gives you parameters so you can judge whether you are better off compared to last year. But in order to answer your question, you never know how reliable these are because there’s always a suspicion of what information is shared.

CH: On the subject of self-reporting, I think it was the Freakonomics blog in the New York Times that reported on everybody who’d applied for the equivalent social security in Mexico. A whole bunch of people claimed they hadn’t got certain things in their house to enable them to get social security, such as TVs, cars, but there were other people who claimed that they had things like toilets and running water when they didn’t because they were just too embarrassed. Self-reporting absolutely fails at that point.

JP: One thing that was incredibly helpful was the recent publication of a FSA survey. You don’t tend to lie to the FSA, and so they have become a highly trusted, benchmarking agency. It’s a shame they’ve started to get prescriptive, like telling us how many characters we need in our password, but the pros outweigh the cons.

Social networking
PW: One of the other things that has been mentioned in passing is social networking, which is obviously a phenomenon of the last 3-4 years. I’d like to get people’s thoughts on whether it’s a security issue.

CH: The MoD put out a statement recently about Facebook and what they called it was the danger of ‘the Facebook generation’.

MF: There are some soldiers out there now (UK, Canadian and US) having been released from service, or sent home from operations early, for breaching operational security by posting sensitive information and pictures on Facebook. A friend of mine just came back from operations in the Middle East a while ago and he said hardly anyone in his unit takes photos or is allowed to take them any more because of the Facebook issue.

JS: It’s certainly one of those things that you’ve got to decide: Do you let people use the web for personal use? Do you let people use their personal email or go to social networking sites? Are you going to stop people going to LinkedIn if that’s helping them do their job? So, there’s some interesting trade-offs to make here.

IB: It’s also about human rights – what they can and can’t do, and obviously most companies have a policy. We found a case where, again, some of our employees were disgruntled. They were having a blog and were talking about things at work. You can’t stop people talking about their jobs as long as it’s kept completely unidentifiable, but as soon as you mention a bank or a company, people start to worry about what they are going to say.

MF: You’ve got to be careful what you say and who you say it to, especially when dealing with complaints or conflicts. Our CIO released a communication recently about the perils of uncontrolled email use combined with posting company data to social networking sites. Employees must realise that they can still be charged with gross misconduct based on their ‘private’ actions, and to remind everybody that all email can be used as legal evidence in a court of law.

IB: If you had a village, the village green was the place where people used to communicate. Well, in an organisation we use the intranet and wikis. The flaw of the wiki is that it is unmoderated and people can cross the line between what’s sensible and what isn’t. It’s the same concept the FSA mentioned in its report – people should decide what’s appropriate and it’s difficult to strike the balance between that and having an open corporate culture that encourages people to talk.

ML: One of the most common problems remains that employees do not understand the risks that they come into contact with day in and day out. Employee policy is critical here – if you can communicate it well!

JP: Social networking isn’t one big threat; it’s several small ones. There’s timewasting, and if you’re not on Facebook you’ll waste it somewhere else instead. Then there’s IP theft – it might make it easier to upload an attachment, but again, if you’re going to do it, you’ll find another way. Then there’s profiling for corporate insights – in LinkedIn you can now look at who’s joined or left recently, and to where. You could look at my firm and say: “They’ve hired commodities people. They might be launching a commodity fund”, and although that’s public knowledge, it’s a new worry that needs awareness.

JS: You can solve that to some degree by looking at which employees have to get what access. For example, call centre employees probably don’t need access to Facebook, so you can at least restrict the risk with that kind of approach.

CH: Pixar animation reserve four hours a week in contracted hours, when you can go into the studio and play with all the animation software. So instead of Facebook, these guys are actually enjoying themselves doing something that’s related to the business and that seems to be a more constructive way of addressing the issue, a better way of engaging employees.

IB: We have operations in Asia, and employees will move to another company for not much more money. So, how do you get loyalty? If staff can’t take in their mobile phones; if they’re searched at the point of entry, then expected to work effectively encaged; and you restrict access to the internet or tell them they are going to be monitored all the time, people are going to feel they are not trusted, and they’re just going to do 9 to 5 with no loyalty.

Mobile menace
PW: Another topic that I wanted to cover is the mobile workforce. A year ago, I was having a coffee in Starbucks when this guy came over to me and said: “Do you mind keeping an eye on my laptop while I go upstairs to buy another coffee?” I looked at his screen and he was from a big corporate law firm, and he was on his email system, and he’d left it open. Obviously, as far as he was concerned he was more worried that someone was going to nick the laptop. He wasn’t concerned at all about who might want to look at it. This guy just didn’t understand.

FP: There are two separate issues: one is mobility and the other’s wireless. You’re right though, I sat next to a guy on a plane who was using a laptop. He was doing the year’s accounts for some company or other. I had no interest in it, but I could easily have. It’s the same with all firms; business moves faster than security. So people won’t wait for security solutions before they take advantage of the business opportunity and it’s a hell of a problem.

CH: I think a government office has recently shown us that it doesn’t have to be technology-mobile – it could just be good old fashioned paper-mobile that’s the problem!

IB: It’s quite interesting to me that if you use a laptop abroad when you cross into certain countries they could ask to see what’s on it and take the information off there. In addition, Blackberries have their security policies governed by the country in which you’re in as well, so again it could be reconfigured without you knowing.

GD: The website for the Centre for the Protection of National Infrastructure is useful, and it does talk about this potential exploitation of data for mobile devices.

IB: One of the issues is that people now want to work from home and companies allow people to process company data on home PCs. I’m waiting for an organisation to be fined for having what we call NPPI, that is non-public personal information on a user’s home PC.

GD: If you work in government circles they have a form of protective marking system on laptops: there’s strictly confidential, secret and top secret, so there are things you are not allowed to have on the laptop and some laptops that cannot leave the building.

MF: That’s an interesting concept, but unfortunately it is very difficult to teach private sector employees how to handle sensitively marked material. In order to really prevent data loss or leakage, an automated approach is needed. Something which will both transparently enforce and support the practice behind the theory. Small companies that become very successful in a short space of time really struggle with this concept when they begin developing their employee base from a few dozen to a couple of hundred or more.

ML: Many of our customers have found that automating their policy management process has helped to increase auditable policy acceptance and understanding.

JP: Should the UK have a breach disclosure law, as in California? This was Arnold Schwarzenegger’s idea whereby if any firm discloses information about a resident in California, they have to take out an advert in the national press and apologise. After Arnie enacted the law, blue chip after blue chip was coming out saying “Yep, sorry. We lost your data”. Just about every week it was someone new – but it started to slow down in a few months, as people learnt.

IB: Also, if you’re a firm serving all of the States, with clients in California, and you have a breach but only tell the Californians you are then disadvantaging your other clients – and they can sue you. So, that Californian breach law actually creates a de facto national law, and possibly international law. Even if you’re a good company and you’ve told your clients in California that you’ve had a breach, you should be telling them in the UK too.

In conclusion
PW: Is security over or under-hyped?

FP: It really depends upon who, and what, you’re talking about! Some firms and sectors will be more vulnerable than others.
