<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Thought Feast</title>
	<atom:link href="http://www.thoughtfeast.co.uk/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.thoughtfeast.co.uk</link>
	<description>Blog about Transforming IT, Leveraging Big Data and Delivering Trust in IT</description>
	<lastBuildDate>Fri, 24 May 2013 09:00:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<!--built on the Whiteboard Framework-->
		<item>
		<title>Size of company does not matter to Cybercriminals! (1)</title>
		<link>http://www.thoughtfeast.co.uk/security/size-of-company-does-not-matter-to-cybercriminals-1/</link>
		<comments>http://www.thoughtfeast.co.uk/security/size-of-company-does-not-matter-to-cybercriminals-1/#comments</comments>
		<pubDate>Fri, 24 May 2013 09:00:49 +0000</pubDate>
		<dc:creator>Rashmi Knowles</dc:creator>
				<category><![CDATA[Information Governance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminality]]></category>
		<category><![CDATA[data compliance]]></category>
		<category><![CDATA[regulatory compliance]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://www.thoughtfeast.co.uk/?p=2133</guid>
		<description><![CDATA[<p><img width="2155" height="1621" src="http://www.thoughtfeast.co.uk/wp-content/uploads/960106572.jpg" class="attachment-post-thumbnail wp-post-image" alt="96010657[2]" /></p>Gone are the days when it was thought that size of the company matters to the cybercriminals.  The latest <a href="http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml">PwC Information Security Breaches Survey 2013</a> shows that there has been a significant rise in the number of small businesses that were attacked by an unauthorized outsider in the last year – up by 22%.  Interestingly large organizations only went up by 5%.  Cybercriminals have moved on to stealing intellectual property or corporate secrets as that’s where the real money is.  Small companies also do not have the resources or budgets<span id="more-2133"></span> to protect their information and become easy targets.

It’s time to understand the differences between corporate secrets and custodial data.

<i>Secrets</i> refer to information that the enterprise creates and wishes to keep under wraps. Secrets tend to be messily and abstractly described in Word documents, embedded in presentations, and enshrined in application-specific formats like CAD. Secrets that have intrinsic value to the firm are always specific to the enterprise’s business context. An interested party could cause long-term competitive harm if it obtains these secrets. Keeping proprietary knowledge away from competitors is essential to maintaining market advantage.

Typically, companies in knowledge-intensive industries such as aerospace and defense, electronics, and consulting generate large amounts of confidential intellectual property that present barriers to entry for competitors. Unlike with toxic data spills, failures to protect secrets are almost never made public.

By contrast, legislation, regulation, and contracts compel enterprises to protect <i>custodial data</i>. Mandates that oblige enterprises to be good custodians include contractual obligations like the Payment Card Industry Data Security Standard (PCI-DSS) and data breach and privacy laws. Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data is spilled, it becomes “toxic” and poisons the enterprise’s air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity. Examples of custodial data include customer personally identifiable information (PII) attributes like name, address, email, and phone number; government identifiers; payment card details like credit card numbers and expiry dates; and medical records and government identifiers like passport numbers. Many well-known companies have graced the front pages of major newspapers with toxic data spills.

Interestingly, enterprises in highly knowledge-intensive industries like manufacturing, information services, professional, scientific and technical services, and transportation derive between 70% and 80% of their information portfolio value from secrets. If you are a small business in any of the above verticals, then it’s time to re-think how you protect your most valuable assets. Healthcare firms and governmental entities are almost exactly the opposite: most of the value of their information assets lies in custodial data.

Data security incidents related to accidental losses and mistakes are common but cause little quantifiable damage. By contrast, employee theft of sensitive information is costlier on a per-incident basis than any single incident caused by accidents.

Unfortunately, compliance drives spending on security for all companies, and smaller ones have a difficult choice to make. “Compliance” in all its forms has helped CISOs buy more gear. But it has distracted IT security from its traditional focus: keeping company secrets secure. All companies really need to do a better job of understanding the value of their corporate secrets. Read my next blog for some recommendations on achieving the right balance.

]]></description>
		<wfw:commentRss>http://www.thoughtfeast.co.uk/security/size-of-company-does-not-matter-to-cybercriminals-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Finance: CRD IV Reporting Conference</title>
		<link>http://www.thoughtfeast.co.uk/security/finance-crd-iv-reporting-conference/</link>
		<comments>http://www.thoughtfeast.co.uk/security/finance-crd-iv-reporting-conference/#comments</comments>
		<pubDate>Wed, 22 May 2013 13:54:52 +0000</pubDate>
		<dc:creator>Kathryn Miller</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Information Governance]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[banking regulation]]></category>
		<category><![CDATA[Capital Requirements Directive]]></category>
		<category><![CDATA[CRD]]></category>

		<guid isPermaLink="false">http://www.thoughtfeast.co.uk/?p=2116</guid>
		<description><![CDATA[<p><img width="656" height="340" src="http://www.thoughtfeast.co.uk/wp-content/uploads/second-finance.jpg" class="attachment-post-thumbnail wp-post-image" alt="second finance]" /></p>The new CRD IV banking regulation being introduced to bring Europe into line with Basel III regulation is prompting growing debate amongst regulatory authorities and banks alike.  Many aspects remain unclear, so it’s timely that a conference providing deep insight into the new regulatory landscape is taking place on June 17<sup>th</sup> at the London Hilton on Park Lane.<span id="more-2116"></span>

‘Preparing for CRD IV reporting’ is aimed at those involved in both banking regulation and preparing for the new reporting regime under COREP and FINREP and the conference will raise awareness of the issues around the imminent introduction of CRD IV compliance within Europe.

Sharon Bowles MEP, Chair of the European Parliament's Economic and Monetary Affairs Committee, and a keen proponent of improving banking regulation at the European level, will give the keynote address, and the morning plenary session will include other high profile speakers from the European Central Bank, the European Banking Federation, the Bank of Spain and the International Monetary Fund.

After lunch, the programme will split into separate track sessions catering for delegates whose main interest is either the business or the technical aspects of CRD IV reporting.  Contributions from the EBA and top consulting firms will be followed by panel discussions and a Q&amp;A session to broaden the debate.

Full details and registration at <a href="http://conference.eurofiling.info">http://conference.eurofiling.info</a>]]></description>
		<wfw:commentRss>http://www.thoughtfeast.co.uk/security/finance-crd-iv-reporting-conference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud adoption: Why are some organisations struggling to get traction?</title>
		<link>http://www.thoughtfeast.co.uk/cloud/cloud-adoption-why-are-some-organisations-struggling-to-get-traction/</link>
		<comments>http://www.thoughtfeast.co.uk/cloud/cloud-adoption-why-are-some-organisations-struggling-to-get-traction/#comments</comments>
		<pubDate>Mon, 20 May 2013 10:00:58 +0000</pubDate>
		<dc:creator>Rob Lamb</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[IT Transformation]]></category>
		<category><![CDATA[Manufacturing]]></category>
		<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[Service Providers]]></category>
		<category><![CDATA[Virtualisation]]></category>
		<category><![CDATA[capex]]></category>
		<category><![CDATA[Cloud adoption]]></category>
		<category><![CDATA[cloud architecture]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cloud platform]]></category>
		<category><![CDATA[cloud strategy]]></category>
		<category><![CDATA[opex]]></category>
		<category><![CDATA[private cloud]]></category>
		<category><![CDATA[public cloud]]></category>

		<guid isPermaLink="false">http://www.thoughtfeast.co.uk/?p=2108</guid>
		<description><![CDATA[<p><img width="1865" height="1868" src="http://www.thoughtfeast.co.uk/wp-content/uploads/93056156_300dpi1.jpg" class="attachment-post-thumbnail wp-post-image" alt="93056156_300dpi[1]" /></p>From my conversations with customers it is evident that CIOs are continuing to strive to be at the heart of value creation. Generally speaking, the top three goals for CIOs in 2013 are:
<ol>
	<li>Protecting corporate data</li>
	<li>Improving business productivity  - and giving business stakeholders transparency as to the cost of the IT services they are consuming</li>
	<li>Lowering the cost to serve of IT services – and moving spend from CAPEX to OPEX</li>
</ol>
With Cloud Computing firmly ticking numbers two and three on the CIO “to do” list, is it just fear of failure around the first point that is preventing much wider cloud adoption than is currently occurring? Inevitably, as with all things “IT”, it isn't quite that straightforward. Clearly, having confidence as to the protection afforded a corporation's most precious asset (its data) is a potential barrier<span id="more-2108"></span> to public cloud adoption; but there is no reason why it should prohibit the creation and successful operation of a private cloud. So what other inhibiting factors are at play?

Well, points 2 and 3 aren't quite as straightforward as you might think. Firstly, business productivity and financial transparency can’t be achieved if an IT organisation continues to utilize legacy processes and behaviour. The old saying “If you do what you’ve always done, you’ll get what you’ve always got” springs to mind here. Continuing to use silo-based, potentially bureaucratic, change and incident management processes in a cloud environment will negate all the agility benefits the technology can deliver. So make sure your teams aren't falling into the “but we've always done it like that” trap. I have had two conversations recently where organisations are investing in converged infrastructure and beginning to create environments that look and feel like private clouds, but they find themselves struggling to see any benefits. A few questions soon revealed that, in both cases, they hadn’t re-jigged their org structure or altered their processes to reflect the brave new world they are striving for. They were still managing the infrastructure as separate network, compute and storage stacks while playing pass the parcel with change requests and trouble tickets. It is as important to transform how you run IT as it is to change what you run.

Lowering the cost to serve and shifting from Capex to Opex isn’t exactly straightforward either. If you buy the hardware for your Private Cloud then you have a depreciation cycle of between 3 and 5 years to contend with, depending on your company’s financial and accounting policies, which inhibits change and means you can’t scale down. Likewise Public Cloud offerings may not be as attractive as hoped; AWS for example only offer their best pricing with 1 to 3 year contracts and up front payments. Not very agile and, depending on how your organisation accounts for such things, may be treated as Capex anyway. So, the cost to serve of Cloud may not necessarily be as low as desired.

Having recently moved house I can see some parallels between that process and Cloud adoption. You have to think about where you want to live, how much you want to pay, how long you want to fund it over as well as the on-going affordability and operation. Yes, Cloud is a combination of technological innovations, but it is only effective alongside new business process and IT delivery mechanisms. To realize the full benefit of Cloud you need to align all three – too many people are still labouring under the misconception that technology alone will get them there.]]></description>
		<wfw:commentRss>http://www.thoughtfeast.co.uk/cloud/cloud-adoption-why-are-some-organisations-struggling-to-get-traction/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nigeria&#8217;s Heart: Information Management Strategy</title>
		<link>http://www.thoughtfeast.co.uk/general/nigerias-heart-information-management-strategy/</link>
		<comments>http://www.thoughtfeast.co.uk/general/nigerias-heart-information-management-strategy/#comments</comments>
		<pubDate>Fri, 17 May 2013 12:31:21 +0000</pubDate>
		<dc:creator>ContentRich</dc:creator>
				<category><![CDATA[Energy]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Information Governance]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[electronically stored information]]></category>
		<category><![CDATA[information management]]></category>
		<category><![CDATA[Information Management Strategy]]></category>

		<guid isPermaLink="false">http://www.thoughtfeast.co.uk/?p=2101</guid>
		<description><![CDATA[<p><img width="1733" height="1733" src="http://www.thoughtfeast.co.uk/wp-content/uploads/1529458441.jpg" class="attachment-post-thumbnail wp-post-image" alt="152945844[1]" /></p>I am privileged in my job to meet many people, in different industries and cultures. Despite having been born in Somaliland and traveled widely in Africa, I had never been to Nigeria. I recently remedied this, on an assignment to develop an information management strategy for a major client there.

I suppose it was not surprising that friends and colleagues greeted me with a lot of raised eyebrows and worried looks at news of this trip: “Nigeria! Isn't that dangerous?” or “You won’t get me going there!”.  I had to explain I was going to the south west (showing Green on the FCO web-site) not the north east (which is showing Red, and always in the news), and that Nigeria is a large country with a population of 160 million; that is, 20% of Africa’s population.<span id="more-2101"></span>

I do think that Africa in general, and Nigeria in particular, gets a bad press. I cannot help thinking that there is an echo here of deep-seated prejudices in the minds of Europeans, created by authors such as Joseph Conrad and the image of Africa’s dark heart.

Actually, when you get to Nigeria, what you see in the people is light, not dark. They are warm, optimistic and striving for improvement, despite the problems they face (creaking infrastructure, corruption, etc.).  I met a project manager who was spending all her salary on educating her children in the UK at a well known Public School, and a senior manager who after an engineering degree in Nigeria had gained an Ivy League Masters in the USA but was back in Nigeria, on a fast track.

Where the country scores top marks is on happiness, because the family supports and culture are so strong. So, as much as the press in Europe would like to create a picture of victim-hood and hopelessness for Africa, Nigerians at least don’t see it that way.  They are working hard to improve things, and make the changes needed. One friend told me “Nigerians are the Poles of Africa”, meaning entrepreneurial and hard working.  That is why they are emerging as a powerhouse, which the UK, with its historic ties, would be foolish to ignore (but is in danger of doing so).

When I got home I read in the paper that Chinua Achebe, the great Nigerian novelist and author of “Things Fall Apart”, had died.  It seemed to be a prompt for me to read and hear his voice; this different image of Africa and Africans, a counterweight to Conrad.  Maybe it is time we all took the time to search and see the light that comes when we look for it, and to re-frame our image of Africa.

Did I finish the IM Strategy? It was an exhausting, hectic, and not always comfortable environment, but yes I did. For me it is clear that Nigeria, at least, is full of opportunity for those with the right skills, vision and heart.]]></description>
		<wfw:commentRss>http://www.thoughtfeast.co.uk/general/nigerias-heart-information-management-strategy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA’s Art Coviello praises UK at select-committee briefing on Cyber Security</title>
		<link>http://www.thoughtfeast.co.uk/security/rsas-art-coviello-praises-uk-at-select-committee-briefing-on-cyber-security/</link>
		<comments>http://www.thoughtfeast.co.uk/security/rsas-art-coviello-praises-uk-at-select-committee-briefing-on-cyber-security/#comments</comments>
		<pubDate>Mon, 13 May 2013 10:00:54 +0000</pubDate>
		<dc:creator>Kathryn Miller</dc:creator>
				<category><![CDATA[Information Governance]]></category>
		<category><![CDATA[Sectors]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminality]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[detect and defend]]></category>
		<category><![CDATA[rsa]]></category>
		<category><![CDATA[rsa security analytics]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://www.thoughtfeast.co.uk/?p=2092</guid>
		<description><![CDATA[<p><img width="2700" height="3600" src="http://www.thoughtfeast.co.uk/wp-content/uploads/876515381.jpg" class="attachment-post-thumbnail wp-post-image" alt="87651538[1]" /></p><span style="font-size: 13px; line-height: 19px;">Cyber security has long been a priority for CIOs, CTOs, and others working in technology. But following a number of high profile attacks, and as IT becomes increasingly integral to everyday life, cyber is becoming a mainstream issue of concern, not just across the whole of the C-suite, but also among policy makers and wider society. New research </span><a style="font-size: 13px; line-height: 19px;" href="https://www.gov.uk/government/news/more-small-businesses-hit-by-cyber-attacks">released</a><span style="font-size: 13px; line-height: 19px;"> by the UK government last week found that 87% of small firms and 93% of large enterprises had experienced security breaches last year, with some attacks causing more than £1 million of damage.</span>

Like many other countries, the UK has responded to the increasing cyber threat by developing a comprehensive national cyber security policy programme. <a href="https://www.gov.uk/government/policies/keeping-the-uk-safe-in-cyberspace">The £650 million, 4-year agenda</a> includes actions to strengthen Britain’s cyber intelligence, defensive, and offensive capabilities; boost skills; and increase resilience in the private sector. <span id="more-2092"></span>

Given this level of activity and investment, British Members of Parliament have been keen to scrutinise the government’s actions, and seek expert views on the progress the UK is making compared to that in other countries. As part of this, members of the House of Commons Home Affairs Select Committee have been holding a number of hearings on Britain’s response to the cyber crime threat. Last week the MPs <a href="http://www.parliament.uk/business/committees/committees-a-z/commons-select/home-affairs-committee/news/130419-ecrime-ev/">invited</a> RSA’s Executive Chairman <a href="http://uk.emc.com/corporate/emc-at-glance/exec-team/business-executives.htm#arthurwcoviellojr">Art Coviello</a> to share his 30+ years of experience at the forefront of the security industry as part of a panel of leading private sector representatives.

Among the many interesting issues discussed during the hour-long session, the committee chair <a href="http://www.parliament.uk/biographies/commons/keith-vaz/338">Rt Hon Keith Vaz MP</a> began by asking Art whether the “war” against online criminals was being won or lost? Art responded:

<i>I do not think the war has been lost, but we are not winning it either…obviously, we have to keep in mind the threat environment—but what people sometimes overlook is what I call the expansion of the attack surface. We have now developed so many web applications, we have so many remote access devices, mobile devices, we have so many points of entry into our enterprise, and now we are starting to outsource a lot of our infrastructure and applications to the cloud, that we have expanded the attack surface and made it literally easier for the attackers to take advantage of us. But having said that, I am a technologist, so I am an optimist, and I believe we can win the war, but we are not winning it yet.</i>

The importance of information sharing to combating the cyber threat arose during an exchange between Art and committee member <a href="http://www.parliament.uk/biographies/commons/nicola-blackwood/4019">Nicola Blackwood MP</a> on the new <a href="https://www.gov.uk/government/news/government-launches-information-sharing-partnership-on-cyber-security">Cyber Security Information Sharing Partnership</a> that the government had created to provide a trusted environment for companies and other organisations to gather and share cyber threat information:

<i>Nicola Blackwood: Why do you think [The Cyber Security Information Partnership] will be helpful?</i>

<i>Art Coviello: Because any opportunity [to] timely share information about attacks, as long as you disseminate the information broadly… means that all potentially affected companies can be on the lookout for a similar-type attack, whether it is the IP addresses from which the attack has been launched or the particular malware itself.</i>

Another vital element, Art added, was to adopt an advanced security approach in today’s hyper-extended, <a href="http://en.wikipedia.org/wiki/Bring_your_own_device">“bring your own device”</a> world in which traditional, perimeter defence products like anti-virus and firewalls were becoming less and less effective:

<i>In an age where the attack surface has broadened… in an age where there is no discernible perimeter, perimeter-oriented defences are less and less effective. So, the game shifts from outright prevention of breaches to early detection and response to breaches. The model that we advocate is one where you have technology that can detect these breaches in a far more timely fashion. To do that, you have to have a lot of data. You have to be able to see the faint signal from the attacker that anomalous behaviour or an anomalous flow or use of data is occurring. To do that requires a substantial capability to correlate and analyse vast streams of data at very fast speeds.</i>

Art concluded by praising the UK government’s cyber security policies, in particular around information sharing and working with the private sector, comparing them favourably with the situation in the United States:

<i>In the US we have been talking about public/private partnerships since 2003, and we have got nowhere. Quite frankly, it is an extreme frustration… in general the outline of [the UK] strategy is far more coherent than anything that is being done in the US… you are [also] on the right track around information sharing. Unfortunately, in the US we have not been able to get a Bill passed to facilitate information sharing, which to me is quite a pity.... [in a world where] breaches are probable, if not inevitable, then having intelligence sooner as opposed to later is fundamental to building out a new model of security so that we can shrink the window of vulnerability from all attacks.</i>

MPs on the Home Affairs Select Committee last week heard that the UK government is pursuing a very active and comprehensive agenda to boost the nation’s cyber defences. Although still early days, good progress is being made, and RSA will continue to share its knowledge and expertise to support this important work.]]></description>
		<wfw:commentRss>http://www.thoughtfeast.co.uk/security/rsas-art-coviello-praises-uk-at-select-committee-briefing-on-cyber-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EMC World 2013: Building a Data Protection Legacy</title>
		<link>http://www.thoughtfeast.co.uk/backup/emc-world-2013-building-a-data-protection-legacy/</link>
		<comments>http://www.thoughtfeast.co.uk/backup/emc-world-2013-building-a-data-protection-legacy/#comments</comments>
		<pubDate>Thu, 09 May 2013 16:00:26 +0000</pubDate>
		<dc:creator>LadyBackup</dc:creator>
				<category><![CDATA[Backup]]></category>
		<category><![CDATA[Next Generation Backup]]></category>
		<category><![CDATA[Sectors]]></category>
		<category><![CDATA[Virtualisation]]></category>

		<guid isPermaLink="false">http://www.thoughtfeast.co.uk/?p=2071</guid>
		<description><![CDATA[<p><img width="3624" height="2183" src="http://www.thoughtfeast.co.uk/wp-content/uploads/DSC_4376.jpg" class="attachment-post-thumbnail wp-post-image" alt="DSC_4376" /></p>Greetings from EMC World 2013! Another record year with nearly 15,000 people from 80 countries.   There is no shortage of news from the show including:
<ul>
	<li>The headline news from EMC World 2013 is the introduction of EMC <a href="http://pulseblog.emc.com/2013/05/06/introducing-emc-vipr-software-defined-storage/" target="_blank">ViPR</a>, Software-Defined Storage.</li>
	<li>From my area of interest, we introduced the <a href="http://pulseblog.emc.com/category/backup-recovery/" target="_blank">EMC Data Protection Suite</a>, changing the way customers consume EMC backup and archive capabilities.</li>
	<li>There’s also news from Isilon, Syncplicity <span id="more-2071"></span>and much more so you can check it out  <a href="http://pulseblog.emc.com/category/all/" target="_blank">here</a>.</li>
</ul>
Guy Churchward took the stage for the first time as president of EMC Backup Recovery Systems Division.  “Unique” doesn’t really do it justice to describe the keynote.

First, Guy comes out on stage wearing jeans and a t-shirt to the 1984 song <i><a href="http://www.youtube.com/watch?v=m_fJ7hZftPs" target="_blank">You Spin Me Round (Like a Record)</a></i>. On top of that, he is holding massive vintage tape cartridges, in keeping with the 80s theme. The t-shirt of course also featured 80s superhero characters.

I admit – when I heard the theme of the keynote I was a bit skeptical. That might be my American conservative side. Did I mention that Guy is British? As a British colleague said to me, <em>“Leave it to a Brit to shake things up.”</em>

But Guy delivered an excellent keynote.

The message was really simple. Your decisions about data protection aren't made just for today, tomorrow, next week or next month. The decision you make about your data protection infrastructure should long outlast your individual job tenure.

And this longevity – or data protection legacy as I like to think of it – means it is critical to choose a vendor that is built to last. Under Guy’s watch, EMC will continue to be that vendor.

“It doesn't matter what you did. It matters what you do,” Guy told the audience. As our new president, Guy isn't taking our market share or technology innovation for granted. We’ll keep raising the bar and never rest on our successes. LB]]></description>
		<wfw:commentRss>http://www.thoughtfeast.co.uk/backup/emc-world-2013-building-a-data-protection-legacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UK Government&#8217;s Cyber Security: Where has the £650 million gone?</title>
		<link>http://www.thoughtfeast.co.uk/security/uk-governments-cyber-security-where-has-the-650-million-gone/</link>
		<comments>http://www.thoughtfeast.co.uk/security/uk-governments-cyber-security-where-has-the-650-million-gone/#comments</comments>
		<pubDate>Thu, 09 May 2013 11:00:25 +0000</pubDate>
		<dc:creator>Rashmi Knowles</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Sectors]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminality]]></category>
		<category><![CDATA[detect and defend]]></category>

		<guid isPermaLink="false">http://www.thoughtfeast.co.uk/?p=2061</guid>
		<description><![CDATA[<p><img width="1527" height="2289" src="http://www.thoughtfeast.co.uk/wp-content/uploads/78050695_300dpi1.jpg" class="attachment-post-thumbnail wp-post-image" alt="78050695_300dpi[1]" /></p>The UK government identified cyber security as a key area of focus and new investment, and in 2011 announced a budget of £650 million to shore up defenses in the UK. So, after two years, let’s examine where it’s been spent.

Here are some of the good things that have resulted from the investment:
<ul>
	<li>SOCA took down 36 website domains that sold credit card data – this is probably a very small tip of the iceberg.</li>
	<li>15,000 fraud websites were suspended</li>
	<li>GCHQ announced a scheme to help companies deal with cyber attacks and give guidance on response to a compromise</li>
	<li>8 universities have been given the Academic Centre for Excellence in Cyber Security and Research</li>
	<li>CISP, the Cyber security Information Sharing Scheme</li>
</ul>

However, there are areas that need further investment:

-          60% of the budget was spent on ‘detect and defend’ – We hope that ‘response’ is also a large portion of this investment, although it’s not very clear<span id="more-2061"></span>

-          The government needs to do a lot more to collaborate with the security industry and ensure that skills and knowledge can be exchanged

-          According to the UK National Audit Office it will take the UK up to 20 years to meet the required skills in Cyber security; the universities are a good start, but a lot more will have to be done to educate the citizens and raise awareness on cyber security

-          Agility is a key factor on where and how this budget is spent.  A continuous challenge facing any government is how quickly they can invest with a cyber security landscape that is constantly evolving.

<strong>The threat to cyber security is persistent and continually evolving. Business, government and the public must constantly be alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack.  It’s good that the Government has articulated their policy and published some results to date.  We’ll have to wait and see if the remainder of the funding is spent to meet the goals initially set out. </strong>]]></description>
		<wfw:commentRss>http://www.thoughtfeast.co.uk/security/uk-governments-cyber-security-where-has-the-650-million-gone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>APT Attack: How broken is security?</title>
		<link>http://www.thoughtfeast.co.uk/security/apt-attack-how-broken-is-security/</link>
		<comments>http://www.thoughtfeast.co.uk/security/apt-attack-how-broken-is-security/#comments</comments>
		<pubDate>Mon, 06 May 2013 11:00:01 +0000</pubDate>
		<dc:creator>Rashmi Knowles</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Information Governance]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Sectors]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Advanced Persistence Threats]]></category>
		<category><![CDATA[Advanced Threats]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.thoughtfeast.co.uk/?p=2051</guid>
		<description><![CDATA[<p><img width="2223" height="1572" src="http://www.thoughtfeast.co.uk/wp-content/uploads/9503695513.jpg" class="attachment-post-thumbnail wp-post-image" alt="95036955[1]" /></p>Last week Mandiant produced their report entitled ‘Mandiant APT1 report’; you can download a copy <a href="http://intelreport.mandiant.com/?gclid=CJbPx5CY1LUCFS4aOgoduG4APQ">here</a>.  The report was covered by media globally and essentially exposes a ring in China responsible for APT attacks.  This in itself should be startling news and there have been many stories pointing the finger at China.

However, on reading the report an interesting statistic about how long APT1 were in organizations stands out. We know from the Verizon Data Breach Report 2012 that breaches lead to compromise<span id="more-2051"></span> much faster than companies can discover them.  Security tools are slow, lack visibility and are too often perimeter and signature based to detect the presence of cyber activity.  Here’s a quote from the report:

“APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.”

The challenge for all organizations is that they rely on obsolete technology or signature based detection systems which are really not adequate for these types of attacks.

Disparate security tools are unable to identify and investigate advanced attacks in a timely manner and SIEM tools have either speed or smarts, but never both. Furthermore, a large number of blind spots combined with a large window of risk from an attack allows attackers too much free time on the network. Organizations must have a target to reduce the ‘free time’ or ‘dwell time’ in an APT attack; early detection and remediation will minimize the damage. Proving compliance also costs too much and takes resources away from improving security against targeted attacks, and we all know that being compliant doesn't translate to being secure.

Until companies change the status quo and implement Intelligence-Driven security models we will continue to see compromises over long periods of time without companies even realizing they are hosting cybercriminals in their infrastructures.  Final thought - Did the company that had APT1 in their network for 4 years and 10 months actually find the attack and stop it? Or did the Chinese get bored?  My money is on the latter.

For further information on the UK Cyber Strategy and where the £650m has been spent please view the recording of <a href="http://www.bbc.co.uk/iplayer/episode/b01s9bcr/Newsnight_29_04_2013/">Newsnight from 29<sup>th</sup> April</a>.]]></description>
		<wfw:commentRss>http://www.thoughtfeast.co.uk/security/apt-attack-how-broken-is-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Kill Chain: Spreading the News at RSA Security Summit London</title>
		<link>http://www.thoughtfeast.co.uk/security/kill-chain-spreading-the-news-at-rsa-security-summit-london/</link>
		<comments>http://www.thoughtfeast.co.uk/security/kill-chain-spreading-the-news-at-rsa-security-summit-london/#comments</comments>
		<pubDate>Fri, 03 May 2013 12:25:52 +0000</pubDate>
		<dc:creator>Bill McCluggage</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Information Governance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[RSA Security Summit]]></category>
		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://www.thoughtfeast.co.uk/?p=2017</guid>
		<description><![CDATA[<p><img width="2320" height="4092" src="http://www.thoughtfeast.co.uk/wp-content/uploads/Eye-Image-Security.jpg" class="attachment-post-thumbnail wp-post-image" alt="Eye Image Security" /></p>I had a great time at the Barbican on Monday last week, speaking at the RSA Security Summit. Art Coviello and Eddie Schwartz led off the day with their usual flair, giving very interesting and cogent talks on the main theme of the summit: “how big data transforms security”. There were great break-out sessions, like the one by RSA’s Matthew Gardiner on security analytics. And there was time for great conversations during breaks and lunch -- like one I had with Phillip Hoyer (of Actividentity, now part of HIDGlobal) about mobile security and PKCS #11.

My own session, in the last segment of the day, was on “Breaking the Kill Chain”. We’ve been thinking a lot at RSA about the attack models that enterprises are confronted with these days, especially targeted, stealthy attacks. The “kill chain” described in a <a href="http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf"><b>paper</b></a> published by Lockheed-Martin is a very useful tool for modeling APTs and for understanding how to put in place intelligence-driven defenses.

<a href="http://www.thoughtfeast.co.uk/wp-content/uploads/Kill-Chain.jpg"><img class="aligncenter size-medium wp-image-2020" alt="Kill Chain" src="http://www.thoughtfeast.co.uk/wp-content/uploads/Kill-Chain-300x72.jpg" width="300" height="72" /></a>

<span id="more-2017"></span>The kill chain model is focused on analyzing intrusions, extracting indicators and driving defensive actions. The intelligence that is the goal of this activity is enabled by analytics on those large volumes of events, packet capture, vulnerability and threat assessments, asset criticality and other information that we mean by security-related big data. It’s a model that we use ourselves, discussed in a recent RSA FirstWatch <a href="http://www.emc.com/collateral/hardware/solution-overview/h11154-stalking-the-kill-chain-so.pdf"><b>research note</b></a>. It’s a model gaining increasing acceptance throughout the industry, reflecting the reality of determined adversaries. I was particularly glad to have a chance to speak about it at the Summit in London, encouraging the adoption of intelligence-driven security that we at RSA believe in so strongly!]]></description>
		<wfw:commentRss>http://www.thoughtfeast.co.uk/security/kill-chain-spreading-the-news-at-rsa-security-summit-london/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Domain:  A Decade of Keeping Businesses Running</title>
		<link>http://www.thoughtfeast.co.uk/backup/data-domain-a-decade-of-keeping-businesses-running/</link>
		<comments>http://www.thoughtfeast.co.uk/backup/data-domain-a-decade-of-keeping-businesses-running/#comments</comments>
		<pubDate>Tue, 30 Apr 2013 10:11:08 +0000</pubDate>
		<dc:creator>LadyBackup</dc:creator>
				<category><![CDATA[Backup]]></category>
		<category><![CDATA[IT Transformation]]></category>
		<category><![CDATA[Next Generation Backup]]></category>
		<category><![CDATA[Virtualisation]]></category>
		<category><![CDATA[archiving]]></category>
		<category><![CDATA[backup]]></category>
		<category><![CDATA[data domain]]></category>
		<category><![CDATA[deduplication]]></category>
		<category><![CDATA[EMC Data Domain]]></category>

		<guid isPermaLink="false">http://www.thoughtfeast.co.uk/?p=2001</guid>
		<description><![CDATA[<p><img width="705" height="779" src="http://www.thoughtfeast.co.uk/wp-content/uploads/Final.jpg" class="attachment-post-thumbnail wp-post-image" alt="Final" /></p>Lady Backup generally doesn’t shamelessly promote EMC products.  But there are always exceptions.  And this is one of them as we recognize the 10<sup>th</sup> anniversary of EMC Data Domain.

Thinking back to 2009, the bidding war for Data Domain added a bit of drama and excitement.  While interesting to watch, at the time I didn't understand why our executives were so keen on acquiring Data Domain.   To me it seemed to be just another storage device - and EMC already had plenty of those.

In reality, the Data Domain appliance revolutionized backup technology.  I’ve come to appreciate the innovation of Data Domain and its many “firsts” in the market, which today<span id="more-2001"></span> are inclusive of both backup and archiving.
<p style="text-align: center;"><a href="http://www.thoughtfeast.co.uk/wp-content/uploads/Capture.jpg"><img class="aligncenter size-medium wp-image-2006" alt="Capture" src="http://www.thoughtfeast.co.uk/wp-content/uploads/Capture-300x130.jpg" width="300" height="130" /></a></p>
After 10 years, Data Domain continues to set the standard for protection storage.   It provides the storage of last resort for tens of thousands of customers.  IDC continues to rank EMC as the No. 1 supplier of purpose built backup appliance capacity, which in large part is due to Data Domain.

Ten years in, Data Domain has proven its ability to evolve to meet changing customer requirements for data protection.  Looking forward to future decades, customers of Data Domain should have the confidence that their storage of last resort has the wherewithal to protect their most critical data and applications to keep businesses running.  LB

Want to know more about the 10<sup>th</sup> anniversary of both Data Domain and the deduplication market?  Read on <a href="http://pulseblog.emc.com/2013/04/26/a-decade-of-dedupeand-data-domain/#more-655">here</a>.]]></description>
		<wfw:commentRss>http://www.thoughtfeast.co.uk/backup/data-domain-a-decade-of-keeping-businesses-running/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
