Tag Archives: CNI

ISNow – Protecting the Internet

The following introduction was originally published in the BCS Information Security Now Magazine, Summer 2010 issue (Volume 4, Issue 4), which was on the topic of Protecting the Internet:

“The internet is a wonderful thing; putting knowledge at our fingertips, enabling instant communication and helping us target new customers more effectively. As with everything, it comes at a cost – from technical exclusion through to new online threats and vulnerabilities, which have the capability of affecting our life and business.

Problems like hacking, viruses, spam and scams become more prevalent and merge into things like phishing and online identity fraud. Users need to learn and do more to stay safe, and governments need to focus more on the virtual world, which may be outside their direct control, to ensure that the benefits of the internet are fully realised.

Control issues
Some governments feel that the right approach is to try and control the internet and its users, from limiting what they can say to blocking content they object to. In reality, much of this control does little to protect people from the real security threats out there; national ‘firewalls’ are not for security, and protecting citizens from ‘outside threats’ is a convenient excuse for control.

Big business
‘Three-strikes’ style sanctions and disproportionate financial penalties for civil infringements say more about the undue influence of big business on the legal system than a real desire to move with the internet times, to protect both users and artists.

At least the UK Government isn’t currently proposing to take over the internet in an emergency, as they are in the US. Protecting the internet comes best from educating users, businesses and government and for them to come together to create balanced workable solutions.”

A PDF version of the magazine is available online at:


Talk on ‘Why the Private Sector is Key to Cyber Defence’ (Slides)

I spoke at the SMi Group Cyber Defence 2010 (National Security in a Borderless World) conference in Tallinn, Estonia, on Monday 17th May 2010. My talk was entitled “Why the Private Sector is Key to Cyber Defence” and the slides are now available:

Computer Weekly – Think Tank

I provided a response to the Computer Weekly Think Tank question ‘What should corporate IT managers do to ensure data protection?’:

Hacks of Google and at least 20 other companies in December prove that sophisticated cyber espionage attacks are a real and present danger. But in the light of the fact that most commercial security tools are ineffective against these attacks, according to the SANS Institute, what can and should corporate IT managers do to ensure data protection?

“Few organisations have the resources available to Google, who were still unable to prevent or readily detect the recent wide-scale electronic espionage, and most are unlikely to work with the National Security Agency after a compromise. Yet, organisations that form part of the UK critical national infrastructure (CNI) have for years received government advice and guidance on threats, including those emanating from China, from the Centre for the Protection of National Infrastructure (CPNI). Although its private advice is not readily available, the CPNI website provides non-classified information that non-CNI businesses should be aware of.

Many organisations tend to focus on preventative measures – policy, procedure, and technology – and fail to fully address the detective and responsive controls required for good information security management. Log analysis, required for firewalls, intrusion detection and data loss prevention, is resource intensive, requires expert interpretation of results and is not particularly appealing, but is necessary to detect anomalous behaviours. A robust incident reporting and management procedure is also required, along with an associated forensic readiness plan.

Every organisation should understand the need for regular upgrades and patches, after adequate testing and planning, for all vulnerable systems. Sometimes this is set aside for operational expediency, for critical systems where downtime or the risk of failure is unacceptable, or due to backward compatibility requirements, for legacy applications or platforms – but the risk posed by the failure to upgrade or patch must be mitigated by additional controls that compensate for the vulnerabilities. Defence in depth, or layered security, would mean that a single weakness or vulnerability does not expose everything.

A common factor in this and similar attacks is the level of research and targeting that goes into them, not just utilising multiple zero-day vulnerabilities in IE6 and Adobe Acrobat, but directing the attack at specific people with sufficiently contextually correct information to trick them into effecting the compromise. The attackers appear patient and with long-term goals, rather than seeking money or glory, which makes them all the more insidious. A long-term strategy of user awareness training and education is required to combat this threat, in conjunction with technical and procedural security measures.”

The full article is available online at:


Talk on ‘Why the Private Sector is Key to Cyber Defence’

I will be speaking at the SMi Group Cyber Defence 2010 (National Security in a Borderless World) conference, being held at the Swissôtel in Tallinn, Estonia from 17th – 18th May 2010. My talk is entitled “Why the Private Sector is Key to Cyber Defence”, and I will be covering:

  • The private sector and critical national infrastructure
  • Why is the sector key to cyber defence?
  • Information sharing between private sectors and government
  • Private sector support for cyber defence and investigations
  • Lessons learned and how collaboration may be improved

Further information can be found on the SMi Group website:


ISSG Magazine – Terrorism

The following introduction was originally published in the BCS Information Security Specialist Group Magazine, Autumn 2005 issue:

Recent Events
“The terrible events of 7th July, and fortunate failures of 21st July, exploiting vulnerabilities in our transport system to cause death and mayhem, remind us all that we may be subject to attack, even while going about our normal business.

Our assets are not only our population, which we must do our utmost to protect, but also our way of life, which is not only being threatened by the attacks against us, but may be undermined by a hasty or draconian response to terrorist attacks.

The threat is from ‘international terrorism’, which has both the capability and intent, has grown over the last two decades, and considers its actions justified, as payback, for many years of the ‘West’ interfering in the affairs of the ‘East’.

As well as trying to convince the public that they’re safe from the risk of another attack, governments must be more open and honest, and target the causes of terrorism, as well as its symptoms, as part of their risk management strategy.

Real War or Cyberwar?
The oft-quoted ‘cyberwar’ has, as yet, failed to materialise. Personally, I don’t expect a digital equivalent of Pearl Harbour or 9/11 for some time. For now, I expect major attacks to remain physical, which makes for good ‘terrorism by TV’.

An electronic attack is much less likely to terrorise the general population unless the attackers acquire some new expertise or knowledge, which could be harnessed to create widespread carnage in Critical National Infrastructure (CNI).

What is not in doubt is that the current breed of ‘international terrorists’ has learned how to use the Internet and media outlets effectively for communications, information distribution, propaganda and recruitment.

New Powers?
The UK, and its own ‘coalition of the willing’, is still pushing, through the EU, for sweeping data retention powers. A past attempt, at slipping it through with minimal discussion and review, has been declared illegal, but we persist.

The current powers and retention requirements seem to have been sufficient in recent attacks, both at home and abroad. Those that wish for greater powers should put forward convincing arguments as to why they should get them.

Coupled with other moves – to introduce ID cards, reduce burden of proof, have detention without trial, limit legal representation, present secret evidence, impose control orders, and broaden surveillance – we must avoid a ‘1984’ scenario.

“Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety” – Benjamin Franklin (attributed)

If we become a police state, which spies on our people as the norm, at the same time as ‘encouraging’ such states to become democratic and open, would we meet in the middle, or would they become free as we become repressed?

In this growing surveillance society quis custodiet ipsos custodes?”