New Face of Information Security

FREE WITH YOUR COPY OF CHIEF TECHNOLOGY OFFICER FORUM IN-PERSON Security in Social Space PAGE 04 OPINION DR Vs. BCP PAGE 07 IN-SHORT The Dirty Dozen PAGE 03 A 9.9 Media Publication Security must evolve with new business models and must be operationalised to reap proper benefits. PAGE 05 NEW FACE OF INFORMATION SECURITY


DESCRIPTION

Security must evolve with new business models and must be operationalised to reap proper benefits.

TRANSCRIPT

Page 1: New Face Of Information Security

FREE WITH YOUR COPY OF CHIEF TECHNOLOGY OFFICER FORUM

IN-PERSON

Security in Social Space PAGE 04

OPINION

DR Vs. BCP PAGE 07

IN-SHORT

The Dirty Dozen PAGE 03

A 9.9 Media Publication

NEW FACE OF INFORMATION SECURITY

Security must evolve with new business models and must be operationalised to reap proper benefits. PAGE 05

Page 2: New Face Of Information Security

21 NOVEMBER 2010 CSO FORUM

First Encryption Products from Dell in the Market

TO HELP customers simplify data protection and comply with security regulations, Dell has announced Dell Data Protection/Encryption, a flexible, manageable and auditable endpoint encryption solution. The solution is designed to help companies protect endpoint devices, which serve as the “front door” to sensitive information.

With the increase in and rising cost of data breaches, private and public-sector organisations are being forced to reevaluate endpoint device policies. In fact, more than 14 million records have been exposed and 575 data breaches have been documented in 2010. The cost of each data breach in the U.S. can be up to $6.75 million.

Dell Data Protection/Encryption is an intelligent file-based encryption solution that is designed to protect data on laptops and desktops, as well as external media, in case of loss or theft. The solution includes centralised management and comprehensive reporting that enables an organisation’s IT department to detect devices that need encryption.

Benefits

Easy deployment and integration into heterogeneous IT environments (Dell and non-Dell systems) with support for existing authentication and patching processes.

Quick recovery of systems with errors by avoiding a multi-step, time-consuming process of decrypting, transporting data and re-encrypting.

One solution to encrypt data on the disk, plus removable media such as USB thumb drives, external hard drives, eSATA drives, 1394 devices, optical storage and Secure Digital (SD).

Pre-set policy templates to provide an easy starting point for compliance management and maintenance.

IN-SHORT

Chrome, Safari, MS Office top 'dirty dozen' list

Data Briefing: 52% of data-stealing attacks were done over the Web

The Google Chrome browser has been named the most vulnerable application on the "Dirty Dozen" list of 12 applications with the most discovered software flaws requiring security updates and notifications from January to October 2010.

The annual "Dirty Dozen" list, compiled by security vendor Bit9 based on information available in the National Institute of Standards and Technology's public National Vulnerability Database, puts Google Chrome in the top spot with 76 reported vulnerabilities.

The second spot is held by the Apple Safari browser at 60 reported vulnerabilities, while MS Office was at number three with 57.

The rest of the "Dirty Dozen" ranking is as follows:

4. Adobe Acrobat — 54
5. Mozilla Firefox — 51
6. Sun JDK — 36
7. Adobe Shockwave Player — 35
8. Internet Explorer — 32
9. RealPlayer — 14
10. Apple WebKit — 9
11. Adobe Flash Player — 8
12. Apple QuickTime and the Opera Web Browser (tied) — 6

Page 3: New Face Of Information Security

Indian Tech Companies Highest on Risk Management

MARSH INDIA, risk advisors and insurance brokers, have said that compared to other sectors/industry verticals, risk management in Indian technology companies has gained significant importance and has emerged as one of the highest priorities for the C-suite.

According to Marsh, regulatory changes in the western world, especially related to privacy and data security, have made it mandatory for most Indian tech companies to have a robust and formally documented risk management plan. In fact, for many companies this risk management plan goes beyond management of operational risks and focuses on business continuity and issues like succession planning as well.

Marsh India has monitored emerging trends and broad themes related to risk and insurance among Indian technology companies over the last year; the following findings were highlighted at the technology conference:

Risk management has moved up the agenda at the most senior level; risk management functions are being utilized as differentiators while pitching for customer contracts, and many companies now have a formal position of Chief Risk Officer reporting to the board.

Risk is being more formally and objectively addressed at board meetings and in other forums.

A majority of companies have reviewed their approach to risk because of the downturn and are keen to replicate global best practices, and in some cases pioneer them in India.

Customers, suppliers and credit/political risk have moved from being among the lowest to the top risks being monitored by many Indian technology companies.

Post the Satyam incident, there is an increased emphasis on corporate governance, disclosures and transparency beyond what is mandated by the different regulations or listing requirements.

Regulatory changes, especially in the US, UK and EU, are driving many companies to relook at how they do business. Some of these, like the US healthcare HITECH Act, could be a blessing in disguise which some outsourcing companies are gearing towards capitalizing upon.

New technologies, or developments in older ones like the cloud, social networking, open source etc., spell opportunity but are also throwing up challenges related to risk for technology firms in India.

IN-SHORT

Security Implications of New Facebook Email Service

FACEBOOK has announced its new email service which brings together Facebook messages, instant messaging chat and SMS messages in one place. Following this news, Sophos has produced an FAQ guide to help users understand the implications for security before they sign up.

"Before signing up, users need to realise that these new features increase the attack surface on the Facebook platform, and make personal accounts all the more alluring for cybercriminals to break into," said Graham Cluley, Senior Technology Consultant at Sophos. "Facebook accounts will now be linked with many more people in the users' social circles - opening up new opportunities for identity fraudsters to launch attacks."

Sophos notes that cybercriminals are compromising the accounts of Facebook users, and using their accounts to spread spam messages. Spam sent via social networks can be more effective than traditional email spam, as users are more likely to open and trust a message which appears to have been sent by someone they know - one of their Facebook friends.

Users will need to take greater care of the security of their Facebook account than ever before. Keeping security up-to-date on computers, policing which applications link with their Facebook profile, and choosing sensible, unique, hard-to-crack passwords will be essential.

—The detailed FAQ is available at http://nakedsecurity.sophos.com/2010/11/15/faq.

Page 4: New Face Of Information Security

IN-PERSON

Security in Social Space

Ben Rothke, Senior Security Consultant for BT Global Services, spoke to Anthony M. Freed, Managing Editor of Infosec Island, on social networks and their impact on information security.

How can companies fairly differentiate employee social networking activities from those of the business?

For the most part, it is about awareness and strategy. Companies must take an even-handed approach. If they come down too hard, they will alienate trusted employees, and may in fact be prohibiting them from exercising their Constitutional right to free speech.

But when those doing the blogging are senior executives, board members, those that can officially speak for the firm, then that requires a different approach. It all comes down to effective and clear social networking guidelines. Without those guidelines, data breaches are inevitable.

Also, those guidelines have to include the entire spectrum of social networking; from blogs, wikis, social networks, to virtual worlds and other social media forms.

What about social media outlets like LinkedIn and Plaxo that blur the line between private and professional networking activities?

In fact, since they are more business oriented, greater awareness is required.

On Facebook, someone may ask you what your favorite movie is. On LinkedIn, they will ask you about corporate direction, R&D, merger activity, etc.

Companies need to know that they shouldn't shun social media for fear of bad end-user behavior. They need to anticipate it and formulate a multilevel approach to policies for effective governance of social media.

If employees are encouraged to set up and utilise social media accounts while "on the clock" - who ultimately owns the social media account?

It depends on how the firm words their social media guidelines and policies. Clear guidelines and policies, reinforced in awareness training, will remove any ambiguity, and protect the firm's proprietary content and intellectual property.

Firms that don't have such wording in their social networking guidelines may find their legal recourse is limited.

Can an enterprise with thousands of employees reasonably expect to be able to protect themselves from risks due to the aggregation of critical proprietary information exposed via their employees' social networking activities?

Companies that understand the risks and benefits can do that. These companies have no qualms about giving hundreds or even thousands of employees expensive laptops.

But the issue of aggregation is something that should not be ignored. The power of aggregation and data correlation is that seemingly trivial and irrelevant bits of information can get collected to form a large information set.

It all comes down to training, awareness, management and monitoring. Companies that are in control of those four areas are able to maximize the benefits of social networking, while controlling the risks.

“Companies need to know that they shouldn't shun social media for fear of bad end-user behavior.”

BEN ROTHKE Senior Security Consultant for BT Global Services

Page 5: New Face Of Information Security

COVER STORY

THE NEW FACE OF SECURITY

Security must evolve with new business models and must be operationalised to reap proper benefits. By Amrit Williams

IMAGING: JOFFY JOSE

Page 6: New Face Of Information Security

COVER STORY

THERE is a dull hum permeating the industry of late – security is dead some say, others think it to be too costly to maintain, others still believe that what is needed is a change of perspective, perhaps a radical shift in how we approach the problem.

What underlies all of these positions is a belief that the status quo is woefully ineffective and the industry is slated for self-destruction or, as a whole, we will succumb to a digital catastrophe that would have been avoided if only we had just... well, just done something different from whatever it is we are doing at the time something bad happens.

As we go round and round on the never-ending hamster wheels provided as best practice guidelines and security frameworks by security vendors, consultants, and pundits, we find ourselves trapped in an OODA loop that will forever deny us victory against malicious actors because we will never become faster, or more agile, than our opponents.

But to believe one can win implies that there is an end that can be obtained, a victory that can be held high as a guiding light for all those trapped in eternal security darkness.

We are as secure as we need to be at any given moment, until we are no longer so – and when that happens, regardless of what you may believe, is outside of our control.

One of the biggest trends in security over the past 5-6 years has been its movement into mainstream IT. Traditionally IT security has been seen as outside of normal business processes.

Organisations tended to react, driven by a security incident or compromise, an audit or compliance event, or perceived changes in the threat landscape. For the most part security has been, and still is, an afterthought.

There is little doubt that security lags innovation. For example, the concept and delivery of cloud computing was introduced, and only then was it realised that the lack of security – real and perceived – especially as it relates to visibility and control, was a huge inhibitor to adoption.

The same is true for mobility; today many organisations are seeing their employees adopt shiny, new consumer computing devices, like the iPhone and iPad, and requesting access to corporate resources, yet most organisations are still struggling with managing and securing traditional computing assets, such as PCs and servers, and there is limited enterprise-class support for these new devices.

For the most part security can only inform; rarely does it effect change. That job is left to the operational teams that must reconfigure a network device, harden a database, patch a workstation or disable services.

Most security professionals lack an understanding of the operational environment that they work within, and they lack the ability to modify that environment even if they did. So why do security professionals spend so little time understanding their role within an organisation?

The fundamental problem with security today is that it is not part of the operational lifecycle of IT, and until we can integrate security into every element's lifecycle we will forever be left implementing security as an afterthought or bolting it on once we experience a compromise or undergo a TSA-like groping of our networks from an auditor.

Security must be operationalised; it must become part of the lifecycle of everything IT.

This is the theme for 2011 - “Operationalising Security”.

To experience widespread and mainstream adoption, security technologies must be operationalised.

To become operationalised, security technologies must become integrated as a part of an element's lifecycle.

To become part of an element's operational lifecycle, security technology must provide output that is operationally actionable, integrated within the broader operational ecosystem, and support current operational processes.

—Amrit Williams has over 18 years of experience in IT, security, and risk management.

THE CLOUD NEEDS MORE SECURITY & LOWER PRICES

Another survey has found a sharp increase over the last year in enterprises' plans to migrate toward cloud computing, and this one adds better pricing to tighter security as a major obstacle hindering faster adoption.

The Tech Pulse survey by Boston market research firm Chadwick Martin Bailey found 28 percent of 247 survey respondents polled in August had aggressive plans to move to the cloud. A similar poll in early 2009 found 15 percent reporting similar plans.

In a measure of how aggressive these plans are, the survey said respondents expected to more than double the workload running on cloud architecture within the next two years.

"We're now seeing that all the industry marketing dollars spent on promoting cloud computing have started to actually move the needle," says Chris Neal, vice president of Chadwick Martin Bailey's technology and telecom practice.

But security concerns continue to keep that needle from swinging too wildly. In this poll, 32 percent of respondents cited security as a top concern with the cloud. That was nearly double the popularity of the next-biggest issue, which was better pricing from cloud suppliers, requested by 17 percent.

Reliability came much lower on the list, cited as a top concern by just 7 percent.

Security was the big reason for another finding, namely, that IT departments favor internal cloud solutions over external cloud solutions, the survey found. Another reason is that IT professionals find the skill level of their current channel partners lacking when it comes to cloud-based solutions.

Most (54 percent) indicated that current channel partners need additional training to support a transition to the cloud. Another 12 percent feel current channel partners are "not at all prepared" to help with their organisation's move to cloud computing.

Page 7: New Face Of Information Security

OPINION

Disaster Recovery versus Business Continuity

HAS IT ever happened to you that your management has given you the responsibility to implement business continuity just because you are in the IT department?

Why is business continuity usually identified with IT?

Probably because business continuity has its roots in disaster recovery (DR), and DR is all about IT. Twenty or thirty years ago business continuity (BC) did not exist as a concept, but DR did - the main concern was how to save the data if a disaster struck.

At that time it was very popular to purchase expensive equipment and place it at a remote location so that all the important data of an organisation would be preserved if, for instance, an earthquake were to occur. Not only preserved, but also processed with more or less the same capacity as if it was at the main location.

But after a while it was realised: what use would the data be if there were no business operations to use it? This was how the business continuity idea was born - its purpose is to enable the business to keep going on, even in case of a major disruption.

Definitions

Let's take a look at the definitions - business continuity is the "strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level" (BS 25999-2:2007), while DR is "the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster" (Wikipedia.org).

As you can see from the definitions, the emphasis in DR is on technology, while in BC it is on business operations. Therefore, DR is part of business continuity; you might consider it as one of the main enablers of business operations, or the technological part of business continuity.

However, you may have noticed something else too - the definition of BC is quoted from BS 25999-2, the leading standard on business continuity management, while the definition of DR is quoted from Wikipedia - actually, "business continuity" is an official term recognised in standards, while "disaster recovery" is not.

Implications for implementation

So why is it a bad idea for an IT department to implement business continuity for the whole organisation? Because business continuity is primarily a business issue, not an IT issue.

If the IT department was implementing business continuity for the whole organisation, it would neither be able to define the criticality of business activities, nor the criticality of information. Further, it is a question whether it would get commitment from the business parts of the organisation.

The best way to organise the implementation of BC is for the business side to lead such a project. This is how you would achieve greater awareness and acceptance of all parts of the organisation. The IT department should play its role in such a project - a key role - to prepare DR plans.

“BCP's purpose is to enable the business to keep going on, even in case of a major disruption.”

THE AUTHOR IS an expert in information security management (ISO 27001) and business continuity management (BS 25999-2).

BY DEJAN KOSUTIC

www.kosutic.eu

Page 8: New Face Of Information Security

OPINION

What is Security?

SECURITY is not just about awareness. A lot of folks talk about the people factor and how investing in security awareness training is key for data protection.

I think that investing in formal security awareness training, internal advertising campaigns and all kinds of fancy booklets and cards for employees is a waste of time and money.

I prefer a CEO that says “Here are my four rules” and tells the staff to abide by them, who tell their direct reports to abide by them until it trickles down to the people at the front desk. Making common sense security part of the performance review is more effective than posters and HR training.

Security from this perspective is indeed an exercise in leadership. Unfortunately, in many organisations, the management board sees themselves as exempt from the information security rules that they demand from their middle managers and employees.

Security doesn’t improve your bottom line

Have you ever asked yourself why security is so hard to sell? There are two reasons.

1) Security is complex stuff and it’s hard to sell stuff people don’t understand.

2) Security is about mitigating the impact of an event that might not happen, not about making the business operation more effective.

Note a curious trait of human behaviour (formalised in prospect theory – developed by Daniel Kahneman and Amos Tversky in 1979), that people (including managers who buy security) are risk-averse over prospects involving gains, but risk-loving over prospects involving losses.

In other words, a CEO would rather take the risk of a data breach (which might be high impact, but low probability) than invest in DLP technology that he does not understand.

Managers are not stupid. They know what needs to be done to make more money or survive in a downturn. If it’s making payroll or getting a machine that makes widgets faster for less money, you can be sure the CEO will sign off on making payroll and buying the machine before she invests in that important DLP system.

Since almost no company actually maintains security metrics and the cost of their assets and security portfolio in order to track ‘Value at Risk’ versus security portfolio over time, a hypothesis of return on security investment (RoSI) cannot be proven. Indeed, the converse is true. Judging by the behaviour of most companies, they do not believe that security saves them money.

So what is security? It’s like brakes on your car. You would not get into a car without brakes or with faulty brakes. But brakes are a safety feature, not a vehicle function that improves kilometers per litre.

It’s clear that a driver who has a lighter foot on the brakes will get better mileage, and, continuing the analogy, perhaps spending less money on security technology and more on security professionals will get you better RoSI.

Challenge your assumptions about what makes for effective security in your organisation.

Is enterprise security really about multiple networks and multiple firewalls with thousands of rules? Perhaps a simpler firewall configuration in a consolidated enterprise network is more secure and cheaper to operate?

"Making common sense security part of the performance review is more effective than posters and HR training."

—Danny Lieberman is a serial technology innovator and leader. Danny’s data security business, Software Associate (Israel) provides enterprise information protection to clients in Europe and the Middle East.

THE AUTHOR IS a serial technology innovator and leader – implementing ideas from brain to business.

BY DANNY LIEBERMAN www.dannylieberman.info