A poem for Christmas and New Year


Every year Alan Stockey, a well known London banking security professional, sends me a Christmas poem with a security theme. It's a little late for Christmas Day, but then so is the snow. 

Day Zero, Day Zero, Day Zero!

Network traffic outside is frightful

But the firewall's so insightful

Check the patches are all just so

Call CISO, Call CISO, Call CISO!


DDOS doesn't show signs of stoppin'

Hope the firewall keeps on blockin'

Websites have all gone slow

Day Zero, Day Zero, Day Zero!


When we finally see daylight

They've hit so many ports in the storm

Saving others from similar plight

There'll be others that you can now warn


But if the firewall's slowly dying

Not sure what you'll next be buying?

Just as long as you keep the code

Buy Escrow, Buy Escrow, Buy Escrow!


From a performance perspective I'd suggest a concert pitch of F for ease of singing. Try to get a bit of a swing feel to avoid annoying the neighbours.


Predictions for 2013


What will 2013 hold for information security professionals? Certainly a lot more serious incidents as we've been incubating a raft of potential crises for the past two decades. But what specifically can we expect? Will it be more of same? Or could we see the dawn of a new era? The answer is likely to be a little of both. Here are my top five forecasts for 2013.

Attacks get nastier

Data breaches are bad enough, but at least they don't disrupt business operations. Long term data damage is much worse. I've been forecasting this as a future risk for the last decade. It will begin to hit home during 2013, with rapid growth in cyber extortion and vandalism, perhaps coupled with the emergence of real cyber terrorism. Expect much nastier attacks and watch out for the beginnings of organised protection rackets.

Big challenges from Big Data

Big Data is the latest technology in a long term trend of increasingly powerful user access, enabling new dimensions in data mining, fusion and navigation, as well as new opportunities for big data breaches. Only compliance and expensive licence fees stand in the way of a user free-for-all in data access. But it spells the end of the 'least privilege' principle.     

Final death of corporate perimeters

Many enterprises, including big banks, still cling to the fig-leaf protection provided by private infrastructure. It's an illusion of course because Internet and email access provides a massive back door for attackers. BYOD is the final nail in the coffin for traditional corporate perimeter protection. The users have left the building, the applications are following and the enemy is already inside.  

Security speeds up

Growth in the frequency and impact of attacks will at least persuade security managers to forget the achingly slow Deming cycle and respond to vulnerability alerts and incidents in real time. Patching will get faster, vulnerability scanning will become more frequent, and security staff will become more empowered.    

SMEs discover security

In recent years I've researched and written extensively about the lack of interest and awareness in security in the small and medium enterprise sectors. The reality is that SMEs aren't concerned and nobody has bothered to educate them. They remain the soft underbelly of big business and critical national infrastructure. 2013 will see the start of a slow change in this sector, starting with small retailers, as compliance requirements gradually cascade down supply chains. It won't happen overnight but it will open up new markets for security vendors.  


Forecasts for 2012


It's the time of year when pundits express opinions on the year ahead. And naturally I have my own views. Before that, let's take a quick look at my forecasts for 2012. How well did I do? 

Last December I made six predictions for 2012.

1. Space weather creates concern.
This risk didn't create the level of concern I anticipated. Levels of solar activity have been relatively low lately. Looks like another Y2K. I fell for both. The lesson from this is that professionals with well-researched data are just as likely as anyone else to overstate the risk.

2. Social networks get secure.
It's happening, though very slowly. An increasing number of people are encrypting social media messages. Technology such as scrambls makes it easy. The rest is up to users. Some care, many don't. That will change, though it might take a few years.

3. Big Data is the new black.
If the RSA Conference is anything to go by, then it's true. The technology is here and it's available in leading products such as QualysGuard. The know-how on how to exploit it, however, is thin on the ground. And we've yet to scratch the surface of what can be done.

4. The electronic Pearl Harbour strikes home.
I've been forecasting it for a decade and a half but it hasn't happened, at least not in the form I expected. But awareness is considerably higher. Ten years ago people thought it was a wild exaggeration. Now they buy it; we've gone from denial to acceptance. But the disasters are still waiting to happen.

5. Public clouds fail to hit the spot.
Cloud services still have a long way to go, partly because of security and business continuity concerns. There is now a much wider understanding of the risks and how to address them. Paradoxically, Cloud security services are a compelling purchase and a big success.

6. A new Global Game - soft targets hit back.
If newspaper coverage is anything to go by then we are certainly into a new Great Game, with angry reactions by those targeted or caught in the crossfire. This game is different as it's impossible to keep things secret in a networked society.

Not a bad set of forecasts, and at least they were reasonably interesting. Perhaps I'll have better luck next time. 


Towards real-time security


I've commented many times that cyber security management today is far too slow. It's the result of many factors: the treacle of standards and compliance; the need to gain business case approval for security investments; the influence of quality management concepts that promote long-term process improvement at the expense of short-term action.

This situation will not be changed by security managers. They are under mounting pressure to demonstrate compliance with established standards. Nor will it be fixed by security institutes, who tend to have a substantial investment in traditional practices. The reality is that it will only be fixed through the emergence of disruptive technologies that deliver a step change in the speed of incident detection and response.

Fortunately we are now seeing faster security services emerge, as vendors embrace the Cloud and explore the potential for managing big data. I've long been a fan of Qualys and their innovative products which transformed vulnerability assessment from an expensive, infrequent exercise to a fast, frequent and universally-available process.

A few weeks ago I was fortunate to get a briefing from Sourcefire on their latest technology (announced last week) and I was very pleased to see that their new products enable much faster and more reliable malware detection, transforming the detection process from a once-off perimeter check to an internal, always-on process.  

It's the type of breakthrough we need to see more often. Security managers cannot counter emerging threats through people and processes alone. We also need real-time, pervasive protection through vigilant technology.


Computer says No


A few postings ago, I mentioned the growing number of high-profile digital catastrophes reported in the media. And I wasn't referring to natural disasters such as fire and flood or deliberate attacks such as hacking. What I was really concerned about was the type of increasingly spectacular glitch caused by simple, human causes, such as inadequate software testing, fat finger mistakes, bad change management or poor data quality. These are the things we generally class as "cock-ups" rather than "conspiracies". They are the result of accidental rather than sinister actions.

One would hope, after all these years of designing and operating IT services, that we should be able to deliver services that are highly reliable. Unfortunately it's not always the case. In recent months we've seen failures of supposedly bullet-proof Cloud services and extended outages of major banking services. But that's just the tip of the iceberg. Behind every major incident are dozens of near misses, hundreds of minor incidents and thousands of bad practices.      

Why is this continuing to happen? Several trends are behind this. Hardware might be a little more reliable (though not always) but systems and infrastructure are becoming increasingly complex and harder to integrate. Project deadlines are becoming shorter because of the continuous pressure from business management to move faster and faster. There's also relentless pressure to cut costs, resulting in greater demands on resources and constantly changing supply chains. Add to this the usual elephants in the room that nobody wants to tackle, such as data quality (for which there are no standards) and intrinsically insecure legacy assets, and it's a wonder our systems manage to stay up as much as they do.

Yet this is a world moving to Cloud Computing, where we might reasonably expect better than 'five nines' service availability to keep our businesses running. A major issue is that business continuity planning is difficult and expensive for users of Cloud services. They will have few, if any, alternative sources of identical services. And switching is far from easy. Try asking a Cloud service provider how to plan for a major outage and you'll be lucky to get a sensible answer that even acknowledges the problem.

So what can be done? Here are a few ideas. Firstly, accept that no service is invincible: they are all vulnerable to deliberate and accidental incidents. Increasing centralisation of service delivery and a growing reliance on monoculture (use of identical components and practices) is also raising the stakes by increasing the global impact of a failure. The bigger and more widespread they are, the harder they will fall. And credits for missed service levels are no substitute for lost business and damaged reputation.

Secondly, treat outages and security events like safety incidents. Monitor the minor incidents and conduct a root cause analysis for near misses and common sources of failure. There's no such thing as an isolated incident. Examine your own operations and dig into your service provider's history. Many well-known service providers fall well short of customer expectations.  

Thirdly, draw up a 'catastrophe plan'. And I don't just mean a disaster plan, which generally involves recovering from a fire or flood. I mean a full-blown catastrophe plan based on a "worst of the worst" complete or extended loss of service or data. It will demand imaginative thinking and preparation, for example ideas to speed up the recreation of databases from scratch, alternative sources of essential management information, and proactive plans to reassure customers that everything is being done to protect their interests.

Fourthly, make your own personal contingency plans. Make sure you can work offline. Carry a decent amount of cash. Top up your petrol tank. And keep a torch, maps and compass in your briefcase. Because, like it or not, we are entering an information age in which business and life will become increasingly volatile, and major crises will become more commonplace.

Reflections on RSA Europe 2012


For those of you who couldn't make RSA's latest thrash in London I can report that there were, as expected, no real surprises. It's a shame as cyber security is booming at a time when emerging technology promises possibilities to transform the solution space in ways that should blow the minds of traditional practitioners.

Unfortunately such a change demands original thinking, smart investment and a buccaneering appetite for risk taking that is sadly lacking in both the public and private sectors. I know from personal experience that if you develop novel ideas for creative product development they are unlikely to gain much traction in a blinkered research and business environment that prefers to focus and build on established practices and cash cows. (I've been forced myself to abandon projects to build solutions based on models of the human immune system and imaginative analysis of network data through lack of UK Government funding.)    

The end result is that new products tend to be little more than incremental improvements of long established solutions. In the past thirty years I've encountered as many new breakthroughs as you can count on one hand. There is always however a new fashion or spin to place on new releases or product variations each year.

If last year's trend was BYOD, then this season's buzz phrase is Big Data. This particular one is very significant as it really does herald something new, though its inspiration is no more than a reflection of contemporary business trends in data mining coupled with the existence of growing audit logs, rather than the outcome of any serious problem-solving analysis.

Take Splunk for example who were promoting their latest Big Data security solution. Splunk is clearly a leading engine for data miners and I'm a big fan, but the security application looks like it's been put together by a firewall administrator rather than an experienced data miner. I met more than one colleague who told me their company was investing in the tool for business applications though not for security. But watch this space. Solutions will evolve beyond all expectations.

Several other products on display exhibited that not-quite-thought-through-or-finished-off quality, such as technologies that lacked a hardware root-of-trust or other products that were clearly designed by ad hoc security folk rather than subject matter experts. But there were some interesting products on display. I liked for example the concepts behind Bromium, an imaginative virtualisation-based solution, and Mykonos, a honey-trap technology that encapsulates the new spirit of deception that will progressively underpin security in the new information age.         

All new products need improvement of course, and the RSA Conference is a good opportunity to deliver essential feedback because it's attended by leading users as well as senior vendor executives and their research and marketing teams. The development of new products is often locked in an inevitable conflict between the road map drawn up by the CTO and the conflicting demands of early customers. RSA Conference provides a useful forum for helping to settle the arguments.

And this year's conference proved to be an excellent environment for networking. The new layout of the exhibition area - with smaller stands and more seating - encouraged visitors to relax and interact with their colleagues between sessions rather than stand in a corner checking their email and missed calls. On one day for example I sat down with a venture capital colleague to have lunch and we were immediately immersed in a facilitated debate on social media. We both enjoyed it.

I thought the new layout was a move in the right direction: more customer engagement and discussion about the relative merits of the technologies on display, and less direct product promotion. Let's face it if you want to buy a product, you're much more likely to be influenced by the opinions of another user you've met rather than the pitch of a salesman on a stand. Too many conferences waste energy on big stands, free gifts, loud music and tacky promotions, rather than creating a calm environment to engage people and discuss how to use and improve products.

What of the presentations themselves? The track sessions were too numerous to cover. There were some good debates but nothing really new, and they left me with an impression that many speakers spend more effort on the presentation title than the actual content.

The keynote addresses were generally lacklustre, clichéd and short of new ideas or compelling rhetoric. We need more than abstract pronouncements on the wonders of Cloud Services, Big Data and Intelligence-led Security. Philippe Courtot of Qualys always comes across as the most visionary and authoritative vendor, but this year he gave us nothing new. Misha Glenny had a fascinating tale to tell of hackers, criminals and spies, though I was left with the impression that he was largely reading from his book.

Jimmy Wales was the undoubted star of the show, and came across as a jolly nice chap with healthy, balanced views. I offered my congratulations on his new marital status but he reacted as though I'd taken the wind out of his own announcement. In fact, for the first half of his talk, the lack of any mention of his celebrity-studded wedding seemed to be the elephant in the room. But Jimmy's important closing point was to remind us that the biggest threat to Freedom of Speech is well-meaning but misguided legislation. Even in a world of fast changing risks, some things never change.


RSA Conference Europe 2012


This Tuesday marks the start of RSA Europe 2012. It's a leading brand and a major event. US vendors will be there in force, as will the cream of the European security community. The formula has been long established: keynotes by paying sponsors plus the odd guest or two; large scale technical programme with multiple strands; exhibition of products from leading vendors.

This year we have Jimmy Wales closing the conference, fresh from his celebrity-studded wedding. I believe there is also a German rock musician on one of the panels, though I'm not well up myself on that genre. All in all it's a compelling event that cannot be ignored. Anyone who is anyone - and can afford the fee - will be there. Media coverage will be guaranteed, in spite of the rather lacklustre capabilities of the PR community.

So what does it all achieve? Firstly, like it or not, it reflects, communicates and reinforces the mood of the time. If Cloud, Big Data or BYOD are this year's flavours then everyone will be compelled to believe it. Secondly, it brings together a high concentration of security authorities - for better or worse, as perspectives are quite different on each side of the Atlantic. But most importantly it is the best opportunity for individuals from the UK and European community to influence the big vendor beasts from the USA.

So let's get in there. I will certainly be promoting my latest views on products, techniques and directions. I would encourage you all to follow suit. Because in my view there is far too little imagination, diversity and criticism in the field of information security management. And this is a good shop window to promote innovation.   


Media Trends in Cyber Security


I'm now back blogging after an extended break of several weeks. Unsurprisingly, nothing much has changed in the world of cyber security, except for the media coverage, which has grown in quantity, scope and sophistication.

This trend is clear from the number of daily emails churned out by specialist briefing services, such as Team Cymru's excellent Dragon News Bytes, which seems to have at least doubled in size over the past year. It's also quite apparent that the subjects addressed are now much more sophisticated, encompassing cryptic threats such as State-sponsored espionage, as well as abstract risks such as intellectual property rights. Such coverage would have been unthinkable a decade ago.

But it's not unexpected. In fact it's quite predictable, as press, politicians and pundits gradually catch up with long lasting, subtle trends that are becoming increasingly apparent to a much wider audience. Esoteric subjects such as espionage, operating system vulnerabilities and cryptography are now regularly discussed in newspaper columns. The Internet probably publishes more classified government secrets than can be found in any intelligence agency synopsis.

So what are the trends that are currently catching the imagination of the media? Here are three to kick off with.

Firstly, there have been a number of high-profile catastrophes. For the purposes of this posting, by "catastrophe" I don't mean regular disasters such as fires or floods - though they can cause massive damage. And I don't mean "hacking", which is both unrelenting and damaging. What I'm really getting at are the digital glitches caused by inadequate software testing or bad change management. The sort of things we generally consider "cock-ups" rather than "conspiracies", if you get my meaning.

Secondly there's the gradual realisation by military observers that cyber warfare is very, very important, though few people have any idea what it's really about. Let me rephrase that:  I mean lots of people can easily articulate the problem space, but few people understand the underlying root causes or the changes needed to correct them. Hardly a day goes by without a government agency or lobbyist calling for more research and development, regardless of the thin results that have emerged from previous decades of academic and industry studies.

And thirdly there's the growing speculation that China is becoming a little too dominant in the cyber security field. Whether it's the absolute control of the routing technology or the perceived level of offensive capability, many people seem concerned. This is rather interesting, as the cyber battle space appears (at least to me) to be a relatively level playing field, characterised by a handful of bright individuals drawing on a relatively similar set of tools and techniques. It's certainly not an arms race of the kind we have experienced in the nuclear space. Nevertheless there are lots of reporters and TV producers exploring this area and even a few conferences dedicated exclusively to this subject. (Who can justify attending those?)  

Over the next few blogs I'll explore some of these trends and suggest what the longer term implications - as opposed to the short term media interest - might be. Many people in business focused roles might wonder what on earth the relevance might be to their everyday programmes, but, believe me, press coverage and the resultant citizen perception have vastly more influence on employee behaviour than industrial strength awareness campaigns. 


One size should not fit all


I spend a lot of time working with big and small enterprises, helping with information security or risk management issues. What continues to amaze me is how much they differ in their security governance style and control requirements, but how similar they are in security initiatives and solutions.

I find it as remarkable to find small companies aspiring to implement management systems, scorecards and maturity frameworks as I do to find very large organisations wanting to standardise on a common set of enterprise policies, standards and governance processes. Security standards have become decoupled from requirements. It is a dangerous drift towards a monoculture of identical but unsuitable security countermeasures.

Where is the appetite for innovation and diversity? The answer is that it's been killed off by a professional development mindset that is reluctant to challenge the accepted wisdom of an established compliance regime. Real security is career-limiting. Best practices are far safer.  

This situation cannot continue. We need to encourage and empower our security managers to think, judge and develop solutions that are more in tune with real business. But a single business will find it hard to break the mould. And government, regulators, trainers and standards bodies are even more constrained. The future has to lie with academia and journalists, who are free to research, criticise and encourage new ideas.

If you're a university or research establishment, then I would encourage you to take on this challenge. It's an important one, because in my opinion every single aspect of information security management (bar none) is inappropriate, and in need of substantial improvement. We must throw away the past and invent new solutions from first principles.

The starting point is to nail down those principles. What are they? There is a gap here. Watch this space for more on this topic. 


Personal Continuity Planning


We have computers to thank for teaching us the importance of business continuity planning. The real objective might be to keep the business running rather than prop up the technology, but the approach and plans largely grew out of computer fallback planning. That's why the manuals tend to be so thick. Business continuity planning is a simple process spoilt by consultants copying manuals from other clients.

But today's computer systems failures have a much wider impact than business processes. The consequences ripple down the supply chain affecting large numbers of customers who have grown to depend on just-in-time supplies of money, goods and transport. The problem is that unlike enterprises, consumers don't do contingency planning. It's understandable of course, given that nobody has encouraged them to do it.

Security and contingency planning are similar in that nobody bothers to do them unless forced to by compelling legislation or after experiencing a life-changing incident. Even with the highest levels of education, people won't pay attention unless the perceived consequences of not doing so are personal, immediate and certain. And they're not, or rather they haven't been in the past.

In the last few months however we've seen some compelling incentives for UK citizens. Major UK banks have failed to work as expected, in one case for a couple of weeks. Floods have disrupted travel. Immigration queues have caused travellers to miss connections. And the forthcoming Olympic Games threaten to bring parts of London to a standstill.

How should a citizen react? The answer is by anticipating disaster and preparing practical continuity plans. It's nothing new, it's just rarely practised. I have one neighbour for example with a relatively sophisticated disaster plan. We've been briefed in detail on how to respond to virtually any major disaster affecting their property, whether fire, flood, earthquake or theft. But this is a rare exception.

Today, every citizen should be prepared for extended bank outages, petrol shortages, power outages, travel disruptions and other major disasters. Fifty years ago many people worried about nuclear war. Today we need to worry about how to survive when ATMs and transport fail.

Earlier this year I published the first ever book (as far as I know) on business continuity planning for small and medium businesses. With this year's hindsight, I'd admit that I probably didn't go far enough. We now need citizen continuity plans. Because information systems and process control systems are far from foolproof and given the pressures placed by management on IT development and operations staff, they are likely to stay that way for a long, long time. 

The Truth about Cyber Security


My blog postings have been very thin lately. This was due to my annual Scottish fly-fishing holiday (the highest priority in my calendar) followed by the Queen's Diamond Jubilee and a mass of catch-up work. It's taken me weeks to get up to date.

But breaks like this are highly welcome, not only because of the freedom, relaxation and social networking, but also because they grant you a rare chance to detach yourself from the madness and (let's face it) incompetence of everyday business, and to reflect objectively on life.

In a large enterprise this madness is largely invisible to most employees, masked by a surrounding mist of illusion, otherwise known as organisation culture. Such a phenomenon is impossible to ignore and even harder to influence. Smaller companies can be less prone to it, but any large community tends to adopt an instinctive behaviour that springs from no obvious source, and generally defies logical analysis.

We see it with banks that carry on gambling as usual. With process industries that refuse to acknowledge that Die Hard 4 was perhaps an understatement. And with governments who think the answer to all ills is simply more regulation. But most worryingly we see this madness with security managers at all levels who think that the answer to a wave of advanced persistent threats is to form a committee, conduct a risk assessment, publish a policy or carry out a review.

Yet in the past few months we've seen some amazing revelations on the threat front, from "hacktivists", government spies and organised crime. There is no longer any margin for error. The Internet is a dangerous environment for everyone. If you don't get your security absolutely right, you will be hacked sooner or later (and increasingly sooner).

It's quite clear that national intelligence services have for years been exploiting the extraordinary degree of vulnerability found in every enterprise. Recent claims, for example, that the US Government has been sponsoring cyber attacks at the highest levels for the best part of a decade should come as no surprise to any security professional. Many other states are likely to be following their lead. Yet little seems to be being done to safeguard our increasingly vulnerable critical national infrastructure from sophisticated attacks.

Let's face it, all enterprises today have leaky perimeters, insecure platforms, ineffective access rights management, and error-prone users. Yet we are painfully slow in recognising and addressing these weaknesses. Instead we publish reams of unreadable policy, allow business expediency to override critical vulnerabilities, and conduct lacklustre awareness campaigns.

One reason for this state of affairs is that the threat is largely invisible, which means it's easy to ignore. Espionage and fraud are covert activities by nature, and their consequences are largely outside of a typical manager's everyday experience. That doesn't mean it doesn't happen and doesn't cause damage. Take it from me: every research centre, procurement process, customer database, and call centre is a target, and many will have been compromised. We just don't open our eyes to the reality or the consequences.

Another reason is the inevitable fact that remedial action costs real money and time, so no one wants to go down that route. Given a choice, business managers will always accept a risk rather than spend money or invoke delays. Security is not just a hard sell; it's a career limiting investment. But in the absence of any real enthusiasm from business managers, security will remain little more than a tick-box requirement.  

It doesn't have to be like that. The world of industrial safety, for example, was in a similar state back in the 1980s. Today, to an outsider, safety in the process industries comes across as an ingrained religion. You can't walk upstairs without someone telling you to hold the handrail. You can't trail a mains lead across the floor without someone shouting "safety hazard". How did this happen? Quite simply, it was through a professional, sustained campaign sold to and driven by senior management.

Why does this not happen for security? The answer is because few people in security have learned from the safety example and, more importantly, because nobody in security is telling the truth to their executive boards. The security community has an unfortunate habit of telling the directors that everything is fine and dandy when it's not.

A further factor might be that enterprises tend to look to banks rather than process industries for best practices in security. And another is the hard truth that few CISOs actually possess the skills and imagination to promote a change of direction to the Board.    

In the meantime we continue to observe security communities and institutes congratulating themselves on their effectiveness in promoting professional development schemes, standards and other bureaucratic treacle. Yet the truth is that all we are really doing is building and reinforcing a dangerous monoculture built on discredited practices and ancient rites.

Discuss?

The Wild Western Art of War

You can't visit the Far East without contemplating the contrast between Eastern strategies of negotiation, and the less colourful philosophies of the Wild West.

The Thirty-Six Chinese Strategies, for example, are a wonderfully rich collection of tactics derived from military strategy that are claimed to shape the Chinese approach to business, especially business with foreigners. 

Examples include "Kill with a borrowed knife", "Conceal a dagger in a smile" and the delightfully pragmatic "If all else fails, run away".

To the Westerner these principles might appear a mite aggressive or even slightly underhand. But to the Chinese, business is no different to warfare. And this of course gives them a positive advantage in cyber warfare, which I've long pointed out is really more the "art of illusion" than the "science of sabotage".

Perhaps we should adopt a similar set of principles for the Wild West. What might they be? Tossing a few ideas around with the delightful Melanie McFarland, a US business strategist based in Hong Kong, we came up with a few ideas.

Here are my Ten Western principles (of business, war or security):

  • "Circle the wagons" - Retreat to a classic perimeter defence.
  • "Hang 'em high" - Find a scapegoat rather than the true root cause of a problem.
  • "The only good user is a dead user" - Forget the enemy, it's users we really hate.
  • "If you haven't fallen off a horse, you haven't been riding long enough" - Don't worry about breaches, they're just inevitable.
  • "If you're not making dust, you're eating it" - It's much better to lead blindly than to follow.
  • "Don't squat with your spurs on" - Never turn your weapons on yourself by mistake.
  • "Don't mention the elephant in the room" - Ignore any problems that are too big to fix. SCADA systems come to mind.
  • "Why do today what can be put off to tomorrow" - Procrastination makes life easier. Just ignore those uncomfortable audit actions. You know they won't bite you for a while.
  • "When you're in a hole, stop digging" - The classic No 2 rule of holes. (Don't ask what the No 1 rule was.)
  • "Just tick the box" - Never mind the quality, just follow the process. 

All further suggestions are most welcome of course.

Impressions from the East

I'm just back from a week in the Far East where I was opening the 13th Info-Security Project Conference in Hong Kong. It's a couple of years since I last spoke at this conference, so it was interesting to observe the trends and progress in the region.

This year's conference was longer and well attended. Key themes included infrastructure, consumerization and mobility. There's no doubt that bring-your-own-device is this year's hot topic though it's been creeping up for a while. Cloud security is also a hot topic.

I left with an impression that this region is learning fast. Discussions with local security managers revealed a high level of maturity, as well as a healthy degree of openness to new ideas and change. Unlike the US and Europe, compliance has yet to blunt the enthusiasm of security managers.  

Of course there's little new under the sun. You see the same techniques and technologies in action but often with a regional twist. One leading company I spoke to, for example, had implemented risk assessment with anonymous voting, rather than open discussion, to avoid staff being unduly influenced by the views of their bosses.

The thing I found most fascinating, however, was observing how networking varies around the world. In the US, breakfast meetings work best. In London it's dinner or perhaps after-work drinks. But Hong Kong remains one of the last bastions of the business lunch.

Reflections on Infosecurity Europe week

I always look forward to Infosecurity Europe week, which guarantees a great congregation of security luminaries and practitioners in London. I say "week" because there is so much going on around it. You run into many old friends, meet new colleagues and learn a lot about the latest products and services.

This year I attended the first day of Infosecurity and its accompanying receptions, though I spent longer at the nearby Counter Terrorist Expo at Olympia.

What impressions did these events leave? Very different and varied I have to say. The Infosecurity conference agenda was lacklustre, though the exhibition was first class. It's been progressively changing from a conference into an exhibition, which is probably no bad thing for the exhibitors, though it could limit the attraction. Interestingly, many security managers I met said they were there for the exhibition, rather than the conference sessions. You just have to walk around to find experts on just about every aspect of security.

The added attraction is the raft of free lunches and receptions in nearby hostelries. This is the inevitable result of expensive but rather limited in-house dining facilities. It persuades many visitors to look outside for lunch or early evening drinks. But it creates a tremendous village environment for the whole area. Portcullis must be congratulated for breaking the mould and establishing a rival centre for security managers to congregate. Good for them for setting and maintaining this trend. Competition is always welcome in any field.  

The Counter Terrorist Expo at Olympia had a better conference agenda with sessions on just about every aspect of physical, personnel and electronic security. A key concern for many was the security of the London Olympics. But the most interesting trend to note was the progressive shift of cyber security know-how into the defence and counter terrorist space. Let's face it, we haven't seen anything yet until we experience the impact of true cyber warfare or cyber terrorism. They're not yet happening. We'd certainly notice it if they were.

These events are quite different from their equivalents in other regions. In the Netherlands it's hard to find the conference. In contrast, in Hong Kong at the 21C Info-security event (at which I'll be giving the keynote address) the main focus is the conference, which will be very well attended. The Hong Kong event is also better themed with a greater focus on innovation and the need for revolutionary thinking.   

So what did I take away from this week? It was so rich that I can only point out a few highlights. The Counter Terrorist conference had the best agenda. There were great presentations on terrorist threats and sophisticated debates on electronic conflict and cyber warfare. These are faster moving issues, unlike traditional information security management which has been stuck in a rut for the past decade.  

The most interesting product on display at Olympia was the panic room in a box. At Earls Court it was Wave Systems' secure Facebook solution. Secure social media is a societal game changer if the vendors can get the marketing right. Communities will be able to hide their communications. But who will hold the keys? The answer of course is that it will depend on the pattern of the uptake rather than the desires of the various actors. Like many of the future trends in security, it's in the lap of the Gods.

Death by a thousand facts

Death by a thousand facts is the title of a recently published academic paper by Geordie Stewart and me. It sets out to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.

Awareness programmes should not simply broadcast facts to an audience in the hope that behaviour might improve. They can be substantially improved with a little analysis and an understanding of the learning points from more mature fields such as safety.  

It's an excellent paper though I have to admit it's largely Geordie's work. He has an excellent knowledge of the application of psychology to analyse and solve security problems in industry. Unfortunately you have to buy it to read it.  

What's the point of a management system?

My blog posting on OODA loops prompted a response from Andrew Yeomans, pointing out that Deming loops and Boyd loops are not mutually exclusive, i.e. you can have a slow moving management system supporting a fast-moving operational cycle. Would that this were true.

Andrew is technically correct. The problem is that you cannot easily divorce the security management system from the countermeasures themselves. ISO 27000 entwines them in a seamless programme of activities, requirements and countermeasures.

One or two operational measures operate in real time, such as modern secure operations centres and intrusion prevention. But in general the pace of change and the application of new controls can be slowed to a snail's pace by risk assessments, committees, business cases and budget cycles.

A good question is why we actually need management systems, especially if they introduce delay or distraction. It's a good point. Management systems were the invention/development of quality experts and auditors, and they tend to embody their aspirations. If you don't employ such people in your organisation (and many SMEs don't) then it's not logical to implement a management system.     

Management systems are an option to enforce greater discipline and control over business and functional operations. If your organisation is small or rapidly changing, they may serve to hinder more than help you.

And it's not logical to introduce heavy governance measures for a single function or subject area unless they are generally practiced across the organisation. Why would you demand a steering committee or a set of KPIs for security management if it's not done for more important business operations? 

Oxford takes an interesting lead

A few weeks ago, along with some of the great and good, I attended the launch of the new Oxford University Cyber Security Centre. I wasn't expecting anything especially new but I have to say I was impressed by Professor Sadie Creese's initiative to embrace disruptive ideas and inject creativity by engaging with experts from other fields, ranging from ethics and law to hedge funds and astrophysics.

It's a great idea because the established security research community has failed to deliver much in the way of innovation over the last thirty years. And some of the better ideas have come from stealing ideas from other areas, such as Professor Stephanie Forrest's work at the University of New Mexico in taking ideas from nature. (Her work once inspired me to commission a fraud detection system based on a model of the human immune system.)

This has to be the way forward. I salute Sadie and her team. Oxford already have a fine reputation for Trusted Computing work, so there is a good basis for future success.

Meeting the demands of the contemporary security market

It's been a long time since I last blogged. It's been due to excessive commitments. Freelance work has been thick and fast since the beginning of the year, reflecting an increasingly robust market for security research and consultancy. I'm also reluctant to turn down new projects because you never know whether a downturn is around the corner.

One of the major factors behind the growth in demand for security advice is the rapid take-up of information security practices by small and medium size companies. This would be a fine thing if established standards catered for smaller or immature enterprises. Unfortunately they don't. Instead the market has evolved into a one-size-fits-all approach, coupled with a commodity market in security training and services.

Companies new to information security typically request penetration tests, policy & procedure manuals and ISO 27001 compliance. None of these is appropriate as a first step in security for an enterprise, for by themselves they do not reduce risks.

Other than the shock value from your first penetration test (which admittedly can help with budgets) the outcome is generally an incomprehensible document listing hundreds of pages of vulnerabilities, which now happen to be shared across a small community of consultants, staff and unencrypted emails and laptops. Would it not be better to have devoted that time to tightening up platforms and applications? Yes, but that would be logical, rather than "ethical".

Policy and procedure manuals are quick and easy to implement but they rarely get opened. And ISO 27001 is particularly unsuitable for smaller or newer enterprises, especially those operating in regions or cultures where paper-based procedures are rarely followed. I've blogged many times about the security challenges of the smaller enterprise. They're different from the formal demands of larger organisations, which is why the ISSA-UK has developed a special standard for small and medium sized enterprises.  

A second problem however is that there is no gradual path with recognised milestones to implementing ISO 27001. And as anyone who has read my book "Managing the Human Factor in Information Security" will have noted, you can't implement a rich, complex framework of controls overnight. It has to be done in stages if you want to carry people with you.

So we have an unsatisfactory market where people are trained to apply and demand skills and standards that bear little resemblance to actual requirements. How much better it might be to start with a blank sheet of paper and a good dose of common sense, and to draw up a security programme that really reduces risks rather than ticks boxes. Getting back to that sensible state would be a huge step forward, but it would require a simultaneous behaviour change by regulators, security managers and consultancies. And that's not likely to happen. 

The wrong type of loop

We all know that information security management only works if we "close the loop", i.e. that telling people to do things does not work unless you check they are actually doing it. The problem is that for far too long we have been using the wrong type of loop.

It started with ISO 27000 committee bureaucrats, who fell in love with the old-fashioned Deming loop of "Plan, Do, Check, Act". This was long after leading US military strategists had fashioned the more relevant (to security) Boyd (OODA) loop of "Observe, Orient, Decide, Act".

Now you might think these two loops sound similar. But you would be wrong. In practice, applying the Deming cycle is painfully slow. It typically translates to an annual budget-driven cycle. Deming himself also preferred the word "study" to "check", which suggests that we don't spend enough time on it.

But OODA is all about speed. It's about highly competitive dog fights. It was inspired by the challenges in air combat in Vietnam. The trick is to design your environment to go faster than your opponent. And that's exactly what we need to survive in a hostile environment where competitors are aiming to exploit our intellectual property, i.e. the modern business world. 

So let's ditch PDCA and embrace OODA. It's an entirely different philosophy, and one that we all need to adopt.

Our only hope lies with Academia

Lately I've been spending more time lecturing to universities (Oxford and Surrey this week, Portsmouth the week after next). At each session I set out to present what's wrong with Information Security management today: just about everything, including the priorities, standards, methodologies, technologies and skills.

At the end of each talk I ask: "Do you agree?" The response is generally a refreshing "Yes".

Of course it might be my compelling rhetoric rather than the content that sways the audience. It's certainly hard to drum up any passion for today's slow, dry, quality-focused approach. But I suspect that I'm actually striking a chord that's long overdue to be heard.

If there's any hope for a change of direction, it lies with Academia. User organisations are too bogged down in the treacle of compliance to inspire any change. Vendors are only interested in what the users say they want. And institutions tend to be more concerned with preserving the status quo, rather than challenging the accepted wisdom.  

Thirty years ago, if you'd told me that Academia was our salvation, I would have laughed, watching researchers struggle to find practical use for Bell and LaPadula models. Fifteen years ago, you would have got the same reaction as I observed universities putting together MSc courses inspired more by the Common Criteria than industry practices. Today it's different. It's time for students and researchers to go back to first principles and design an entirely new approach to information security management, one that's more in keeping with a fast-moving, sophisticated risk environment.

About this Entry

This page contains a single entry by David Lacey published on December 26, 2012 7:42 PM.
