ISNow – Protecting the Internet

The following introduction was originally published in the BCS Information Security Now Magazine, Summer 2010 issue (Volume 4, Issue 4), which was on the topic of Protecting the Internet:

“The internet is a wonderful thing; putting knowledge at our fingertips, enabling instant communication and helping us target new customers more effectively. As with everything, it comes at a cost – from technical exclusion through to new online threats and vulnerabilities, which have the capability of affecting our life and business.

Problems like hacking, viruses, spam and scams become more prevalent and merge into things like phishing and online identity fraud. Users need to learn and do more to stay safe, and governments need to focus more on the virtual world, which may be outside their direct control, to ensure that the benefits of the internet are fully realised.

Control issues
Some governments feel that the right approach is to try and control the internet and its users, from limiting what they can say to blocking content they object to. In reality, much of this control does little to protect people from the real security threats out there; national ‘firewalls’ are not for security, and protecting citizens from ‘outside threats’ is a convenient excuse for control.

Big business
‘Three-strikes’ style sanctions and disproportionate financial penalties for civil infringements say more about the undue influence of big business on the legal system than a real desire to move with the internet times, to protect both users and artists.

At least the UK Government isn’t currently proposing to take over the internet in an emergency, as they are in the US. Protecting the internet comes best from educating users, businesses and government and for them to come together to create balanced workable solutions.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-summer10.pdf

July 27th, 2010 by Gareth Niblett | No Comments »

Talk on ‘Why the Private Sector is Key to Cyber Defence’ (Slides)

I spoke at the SMi Group Cyber Defence 2010 (National Security in a Borderless World) conference in Tallinn, Estonia, on Monday 17th May 2010. My talk was entitled “Why the Private Sector is Key to Cyber Defence” and the slides are now available:

May 24th, 2010 by Gareth Niblett | No Comments »

ISNow – Cryptography

The following introduction was originally published in the BCS Information Security Now Magazine, Spring 2010 issue (Volume 4, Issue 3), which was on the topic of Cryptography:

“Cryptography now protects most organisations’ laptops, drives, removable media and communications, yet effective use of such technological solutions requires much more than selecting a vendor and implementing a product. Thought needs to be put in to how key recovery, data loss prevention, monitoring and audit work.

Cryptographic algorithms should be subjected to extensive peer review before being considered as robust and this process alone can take years, and then the new algorithm needs to be implemented – hopefully before the old one is irrevocably broken in some way. The false protection of ‘security through obscurity’ was destroyed recently when a number of GSM mobile encryption algorithms were broken.

Not only do crypto algorithms need to be robust, but they must translate effectively into implementation in a cryptographic module. The need for this was demonstrated recently when some USB memory sticks, validated to FIPS 140-2, and therefore approved to hold low-level classified data, were discovered to have a serious flaw that allowed ready access to the data.

There has been a lot of research into anonymous untraceable electronic cash and the cryptographic underpinnings required for it, and things like coin divisibility, blind signatures, offline convertibility and the prevention of double spending. Although there may be concerns about allowing such things, surely this is simply trying to replicate how cash works today?

Encryption techniques will continue to move forwards, fighting against the brains of mathematicians and the brawn of computing power; the emergence of elliptic curve cryptography (ECC) and quantum cryptography is already on the horizon, with more esoteric solutions to come.”

A PDF version of the magazine is available online at:

http://www.bcs.org//upload/pdf/isnow-spring2010.pdf

May 1st, 2010 by Gareth Niblett | No Comments »

Computer Weekly – Think Tank

I provided a response to the Computer Weekly Think Tank question ‘What should corporate IT managers do to ensure data protection?’:

Hacks of Google and at least 20 other companies in December prove that sophisticated cyber espionage attacks are a real and present danger. But in the light of the fact that most commercial security tools are ineffective against these attacks, according to the SANS Institute, what can and should corporate IT managers do to ensure data protection?

“Few organisations have the resources available to Google, who were still unable to prevent or readily detect the recent wide-scale electronic espionage, and most are unlikely to work with the National Security Agency after a compromise. Yet, organisations that form part of the UK critical national infrastructure (CNI) have for years received government advice and guidance on threats, including those emanating from China, from the Centre for the Protection of National Infrastructure (CPNI). Although its private advice is not readily available, the CPNI website provides non-classified information that non-CNI businesses should be aware of.

Many organisations tend to focus on preventative measures – policy, procedure, and technology – and fail to fully address the detective and responsive controls required for good information security management. Log analysis, required for firewalls, intrusion detection and data loss prevention, is resource intensive, requires expert interpretation of results and is not particularly appealing, but is necessary to detect anomalous behaviours. A robust incident reporting and management procedure is also required, along with an associated forensic readiness plan.

Every organisation should understand the need for regular upgrades and patches, after adequate testing and planning, for all vulnerable systems. Sometimes this is set aside for operational expediency, for critical systems where downtime or the risk of failure is unacceptable, or due to backward compatibility requirements, for legacy applications or platforms – but the risk posed by the failure to upgrade or patch must be mitigated by additional controls that compensate for the vulnerabilities. Defence in depth, or layered security, would mean that a single weakness or vulnerability does not expose everything.

Common factors in this and similar attacks are the level of research and targeting that goes into them, not just utilising multiple zero-day vulnerabilities in IE6 and Adobe Acrobat, but directing the attack at specific people with sufficiently contextually correct information to trick them into effecting the compromise. The attackers appear patient and with long-term goals, rather than seeking money or glory, which makes them all the more insidious. A long-term strategy of user awareness training and education is required to combat this threat, in conjunction with technical and procedural security measures.”

The full article is available online at:

http://www.computerweekly.com/Articles/2010/02/15/240300/Think-Tank-What-should-corporate-IT-managers-do-to-ensure-data.htm


February 15th, 2010 by Gareth Niblett | No Comments »

Talk on ‘RIPA: Perception & Practice’ (Slides)

I spoke at the BCS Information Security Specialist Group’s 11th Annual Legal Day, held at the RAF Club, London on Friday 22nd January 2010. My talk was entitled “RIPA: Perception and Practice” and the slides are now available:
January 24th, 2010 by Gareth Niblett | No Comments »