Building better cyber security in organisations

A speech given by Alex Webling to the opening of Z-CERT, the Hague, Netherlands, January 2018

Building better cyber security strategy in organisations

The opening of Z-CERT is an important development in the protection of the Netherland’s health care system. I wish you all the good fortune in the world.

Z-CERT launch
launching the Z-CERT website

When I started working in cybersecurity for the Australian Government in 2002, the world was a different place.

For one thing, we called it electronic security and mostly it was a small extension of the great game of espionage played between nation states. We focussed almost exclusively on keeping our information confidential.

However, even then, we realised that in order to keep our systems and citizens secure, we’d have to collaborate with like-minded countries and the Netherlands was top of my list.

I have continued to admire the Dutch, because I think that you tend to be quite pragmatic in your approach to problems. Solving the issues related to cyber security and privacy are no different

The cyber landscape has continued to evolve quickly under our feet and the need to collaborate and share best practice has only accelerated.

“If you think technology can solve all your security problems, then you don’t understand the problems and you don’t understand the technology”  Bruce Schneier

I think you all know that the information age is upon us and has been for some time. This year, like the last, and the one before will bring more connectivity, digital transformation initiatives, and data for organisations and their human operators to handle.

The opportunities this information age brings are amazing.

All organisations, not least health providers are focussed on getting the right information to the right people at the right time, and avoiding the wrong people accessing it too.

This is an incredibly difficult task. Getting it right, relies on judgement and experience. It is becoming increasingly difficult to achieve. Information travels at the speed of light, but we can’t think that fast.

Just think:
unlike any previous time in human history, information has become very expensive to delete as well as to create.

Within a couple of generations, many organisations have moved from paper records to electronic ones. Access to electronic information brings so many benefits for the health professional.

But there is also a dark side.

With the opportunities come the threats. Threats to privacy, reputation, financial status and also to patient outcomes.

More tools developed by government hackers have become public, and it’s easier than ever to create sophisticated ways to spread malicious software or steal data.

Estimates are that ransomware cost victims 2billion Euros in 2017, twice as much as in 2016.

Meanwhile others have predicted global losses from another growing trend, compromised business email scams, will exceed 9billion Euros next year.

With the advent of the GDPR in less than five months, the financial penalties if data protection goes wrong are about to get much more serious. GDPR fines will be up to 20 million Euros or 4% of annual turnover (whichever is higher).

The cost is not just monetary, NHS hospitals in the United Kingdom were hit by the ransomware cyberattack WannaCry, delaying surgery for patients. The potential for things to get much worse is real.

Opportunities and Threats

Yet, the opportunities are so great, that organisations have no choice but to manage the threats that the information age brings.

So the key point of this talk is:

Good information security is dependent on dynamic organisational governance of cyber security.

An Information Security Management System can help organisations become resilient to the dynamic threat

What is it?

So what is an Information Security Management System or ISMS and how can it help me and my organisation?

To answer that, we need to look at three questions

  1. Why should my organisation care about cyber security?
  2. Who is responsible for organisational cyber security?
  3. What does good cyber security look like?

Because I have found that many senior executives find it difficult to answer these questions for themselves and I’m going to give you good reasons to take back to your organisations to make change happen.

Why should my organisation care about cybersecurity?

Your organisation is an information business

At the risk of repeating myself, whatever else it does, your organisation is an information business. Information is the lifeblood of a modern organisation. A cyber attack can mean your organisation’s information goes to the wrong people, is changed or is removed. Even worse, you may not even know this has happened for months.

The legislative and regulatory environment will continue to become more stringent as the cyber threat increases

eg GDPR

The GDPR is not the first regulation to place responsibility on organisations for protection of specific data. The introduction of the GDPR is part of an ongoing trend for legislation and regulation striving to catch up with the changes in technology and society that the information age has brought us.

You are probably aware that as early as 1995, the European Council adopted the Data Protection Directive which aimed to protect individuals’ personal electronic data.

PCI DSS does this for credit card information around the world. The Health Insurance Portability and Accountability Act (HIPAA) did this for personal health information in the USA.

GDPR requires organisations to map their personal information holdings. But mapping under GDPR is not just another classification exercise. It also requires the organisation to correlate the data back to an individual, a country of residence, consent, purpose of use and more. Under GDPR it’s not enough to just know the personal data content; it’s also essential to know the context of the data because the organisation is the steward of the information, not the owner.

The increasing reputational and financial damage suffered by organisations that are hacked

In many ways this is related to the previous point. The outrage that the public expresses every time another organisation loses their data is growing.

Some organisations have tried to hide that they have been hacked. Uber and Equifax are alleged to have done this, but any conspiracy is almost always revealed quickly. Mandatory reporting provisions are putting increased pressure on organisations to reveal breaches quickly and to show how organisations are dealing with cyber events

Where this doesn’t happen, the public is voting with their feet. This is having direct impacts on the tenure of leaders, CEOs and boards. For listed companies, it is impacting their share value directly.

When the GDPR comes into force in May this year, to repeat for emphasis, fines of up to 4% of the organisational turnover are possible where organisations are shown to be negligent in the protection of EU citizen’s personal information. This will be a very significant increase over the previous regimes.

Who is responsible for cyber security

This one’s easy.

It is the owner of the cyber risk

That’s the board or CEO of the organisation. These are the people that regulators are increasingly targeting when things go seriously wrong.

It is not the ICT manager, the CIO, or the security manager. The decisions on how much cyber risk the organisation should take comes down to the CEO and Board. The organisation leader needs to make those decisions in an informed manner that balances relevant stakeholders’ perspectives.

Goldilocks Security

I call it ‘Goldilocks Security’ – that which is just right for the organisation, not too much and not too little.

Goldilocks security is different for different organisations. Cybersecurity is a series of tradeoffs between the confidentiality of information, its integrity and its availability.

If you think about it: The most secure information is completely inaccessible to all and pretty useless.

There needs to be a balance.

How does the board and CEO become informed about cyber risk?

They use experts who understand the threats, vulnerabilities and consequences of cyber attack, and communicate in business-ese to the board, but they retain the decision making for themselves.

Time to move away from the word ‘Cyber’

By the way this is probably the time to tell you that I don’t really like the word ‘cybersecurity’, and prefer the term ‘information security’.

Cyber tends to make people think only of computers and networks. This then can lead to the responsibility for cyber being put solely on the shoulders of the CIO or ICT manager.

Words Matter – and as hard as it is to change the way we talk, we need to make the change.

We have to continually remind ourselves that people are both the central cause and the primary victims of information security attacks.

Weaknesses in human behaviour are still one of the easiest ways of compromising any organisation.

What does good security look like?

So now we get to the crux of the matter.

Good organisational cybersecurity is tested, systematic and repeatable, however, for many organisations it is anything but like this!

Developing cybersecurity maturity is not an overnight process, but it is possible. The most difficult aspect is committing to required changes and implementing organisational governance that embeds accountability and realistic assessment of risk.

This requires a certain amount of bravery on the part of executives.

Unfortunately, our experience is that many organisations need a compelling event, such as a major breach, before they take cyber security seriously. However, it doesn’t have to be this way for change to happen.

The organisational leadership can create an Information Security Management System or ISMS.

The Information Security Management System (ISMS)

An ISMS is a set of better practice, policies and procedures for systematically managing an organisation’s information.

The ISMS operates by identifying, assessing and managing information security risks resulting from internal and external threats exploiting the organisation’s vulnerabilities.

The goal of an ISMS is to

  • manage the risk of a cyber event occurring on an ongoing basis in a holistic manner; and
  • minimise the impact on the organisation if and when a cyber event occurs.

A Strategic Decision

Implementing an ISMS is a strategic decision for the organisation. Implementation requires CEO and Board commitment – because they own the risk.

At the strategic level, the CEO / Board create an ISMS committee which has responsibility for the organisation’s information security. The committee meets regularly and oversights the development of a structured approach for organisations to develop better enterprise security by dynamically monitoring and improving information security effectiveness.

Cyber risks are assessed at a holistic level. Sometimes, the organisational leadership will decide to take more cyber risk in order to achieve a business objective. The important thing is that it is done with full knowledge of the risk – both positive and negative.

When the ISMS committee operates in this manner, the organisational cybersecurity stance evolves to meet the increasing threat and the organisational business needs.

Minimising the impact of a cyber event. Or…. You will be compromised

I mentioned before that information security is all about tradeoffs. Tradeoffs between your people being able to access the information they need to do their jobs – availability. Tradeoffs that information is correct – integrity. Tradeoffs that information doesn’t fall into the wrong hands – confidentiality.

It is a legacy of the old cyber security thought that many security people worry more about information confidentiality than integrity and availability, rather than worrying about what the business needs to achieve its objectives.

Bringing information security to the board level, means that decisions about tradeoffs must be made, particularly in tight fiscal environments.

Sometimes it will go wrong….

Even with an ISMS in place, there is always a risk that an information security event occurs. When it does, the organisation must respond. Good cyber response involves much more than the ICT area.

Whilst the technical response is occurring, the organisation needs to work out how to respond to stakeholders, what if anything to report to authorities etc.

One of the key aspects of the GDPR, as I’ve mentioned earlier is the mandatory reporting of data breaches. An ISMS brings together key stakeholders to consider risks, including the data protection officer, who can consider the impact of a breach from a GDPR perspective and advise the organisational leadership about the implications, if any.

However, like a fire drill, cyber response needs to be practised.

A smooth response to an event can minimise the impact on the organisation significantly. In my experience, the technical response to cyber incidents works better than the non-technical response, simply because the techs are responding to minor incidents day in and day out, but for other parts of the organisation, it is not their day job.

Recovering (more) gracefully

There are multiple examples (eg Uber, Equifax) of companies handling data breaches badly. However, here’s a case of one that was handled well from a public relations perspective.

In Australia, the Red Cross Blood Bank was compromised in 2016. Over 500,000 blood donors’ personal information was exposed publicly.

At that time, it was not mandatory to report breaches of personal information.

However, the Red Cross was proactive in informing the public and the Australian Privacy Commissioner. In doing so, Red Cross made the best out of a bad situation by displaying transparency and showing that they were doing their best to fix the problems.

By getting on the front foot, the Red Cross maintained the public’s trust in the blood system.

http://www.abc.net.au/news/2016-10-28/red-cross-blood-service-admits-to-data-breach/7974036 https://www.oaic.gov.au/media-and-speeches/statements/australian-red-cross-blood-service-data-breach

In summary

Why should my organisation care about cybersecurity?

Care because your business is information (whatever your business)

  • Your business is information
  • The GDPR is just the next step in a global tightening of Legislation and Regulation for organisations operating in cyberspace.
  • If you don’t play by the rules and you get caught, your reputation and finances will suffer

Who is responsible for cyber security

  • The owner of the risk, generally the CEO, Agency Head or Board
  • The CEO needs to make informed decisions about how much security is just right – Goldilocks security
  • Your security and ICT people help the leadership make informed decisions. They need to translate geek-speak into business-ese

What does good security look like

• An information security management system is recognised as the better practice for information security and is eminently applicable to the data protection requirements of the GDPR.

• An ISMS evolves continuously to meet the changing risks. It is not ‘set and forget’ and only works if the risk owner engages with it.

• You will be compromised. Practice your cyber response at the organisational level, not the ICT level.

CONCLUSION

We are well into the information age. Information is the lifeblood of the organisation. The days when somebody from IT was responsible for cybersecurity are long past.

Executives responsible for organisational success must take ownership for cyber security. Cyber is just another risk category like finance.

Establishing and running an information security management system is recognised as the best way to manage and balance information security and privacy risks for organisations.

A well run ISMS helps the organisational leadership understand the value of its information and take advantage of the opportunities of the information age as well as reducing the downside risk.

The GDPR is part of a continuum of regulation that will force organisations to design security for citizen data across its entire lifecycle into their processes. The provisions relate not only to technology, but also to policies and employee behaviour. The policies and practices that are instituted to meet the requirements of the GDPR can also be applied to improve information security across the whole organisation.

Developing cybersecurity maturity is not an overnight process, but it is possible. The most difficult aspect is committing to required changes and implementing organisational governance that embeds accountability and realistic assessment of risk.

You have the power to make cybersecurity happen in your organisation. Start today, by creating your information security management system board. Make sure that the CEO is at the table. Keep the scope small and manageable whilst you learn by doing.

Looking at the risks associated with GDPR would be ideal if your organisation hasn’t started. Once you understand what you’re doing, start expanding the scope.

 


Alex travelled to the Netherlands as a guest of Z-CERT, the Dutch Computer Emergency Response Team for healthcare (Zorg)  in January 2018.

Z-CERT’s website is https://www.z-cert.nl/ 

 

Poodle vulnerability

Poodle Vulnerability 

Padding Oracle On Downgraded Legacy Encryption (POODLE)

The poodle vulnerability has been around as an exploit since 2014.It led to an attack which led to completely disabling SSL 3.0 on the client and server-side to prevent hackers from making use of this man-in-the-middle attack. 2014 also brought us Heartbleed bug, BERserk, and FREAK exploits. That might seem like ancient history in cybersecurity. But history has a freaky way of repeating itself.poodle anime

In 2016 the DROWN attack took advantage of support for SSLv2 protocol and exposed the weakness in more than 81,000 of the top 1 million most popular websites.  As we get closer to 2017, the odds are increasing that the number of exploits will continue to rise.

Krebs is usually a good source of the most up to date info. But it remains a race, and I’m not always sure we’re winning.  http://krebsonsecurity.com/

Poodle in the Park
Black standard poodle

In the meantime, here’s some pictures of poodles to lighten the mood! This is Cleaver Black – destroyer of dragons (blue stuffed ones).

Sleepy Poodle
Let Sleeping Poodles Lie
Poodle in the park
Happy poodle

 

Portrait of a young poodle
Portrait of a young poodle
Cleaver - Destroyer of (toy) dragons
Cleaver – Destroyer of (toy) dragons

Cyber-Resilience

Cyber-Resilience

Cyber-Resilience in the Information Age

The Global Resilience Collaborative held a curated seminar  at Parliament House in Queensland.  Alex Webling gave a speech on Cyber-Resilience to the assembled audience

The Speech posted on Youtube. The video is embedded below.

In summary, Alex introduces four ideas for cyber-resilience in the information age.

  1. Information is the lifeblood of the modern organisation.
  2. The value of data should determine how it should be protected
  3. Data value changes with time
  4. Considering data flows within an organisation allows an organisation to develop an adaptable and resilient approach to its security and longevity.

Subscribe to the Resilience Outcomes Channel at https://www.youtube.com/channel/UCh0XQODTB2r8nQzUBoTGSeA

Good cybersecurity is repetitive and boring

The loss of 4 million records reminds agencies that good Cybersecurity is repetitive and boring

The US Government announced on 4 June that the private information of at least four million current and former government workers had been compromised.

The intrusion occurred in systems owned by the US Office of Personnel Management (OPM) which handles government security clearances. It was detected in April 2015, but in line with most other such intrusions, may have started in 2014.

The attack drew calls by politicians for legislation to strengthen the USA’s cyberdefences. The US blamed China for the breaches, though it is unclear how good their attribution information is.

The Boring but tremendously important bits

Reports from the New York Times indicated that OPM did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside multifactor authentication. OPM also did not regularly scan for vulnerabilities in the system, and found that one third of computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”

Let’s be clear here, the answer for Cybersecurity in organisations is good housekeeping!

  • Assess the business impact levels for your systems
  • Patch
  • Authenticate
  • Minimise privileges
  • Scan your logs
  • REPEAT

There are more things like application whitelisting, but get those right and your organisation can do better than the US Government. The Australian Signals Directorate has published a number of guides for government agencies to help them mitigate all but the most targeted intrusions. They are worth checking out.  http://www.asd.gov.au/publications/protect/top_4_mitigations.htm

This Koala is completely secure from cyber attack
This Koala is completely secure from cyber attack

The answer is not more power for intelligence and law enforcement

Let’s keep it simple

  • Assess the business impact levels for your systems
  • Patch
  • Authenticate
  • Minimise privileges
  • Scan your logs
  • REPEAT

If you have to call the guys/girls in dark suits from government agencies, you’ve lost the fight. Just like in the real world, if you have to call the cops, something’s really wrong with your security.

Attribution is so so hard in the cyber, you have to be very lucky and have deep pockets to go after the crims.

Better to build your fence higher than those around you, but encourage your partners to build their fences higher too, because security is only as good as the weakest link.

Where might government focus its resources?

Rather than spending money on dealing with hacked systems after they happen. Government would be far better off providing good advice, encouraging education of cyber professionals and encouraging software and hardware developers to manufacture secure code and systems.

Mandatory Disclosure

Some commentators are complaining about how long it took the US to disclose the breach. At least the US has fessed up. In Australia, where there are no mandatory disclosure rules, it seems unlikely that a government agency would admit to this, despite the obvious importance of this to the victims who lost their personal data.

I repeat my call for mandatory data breach notification for all public and private organisations in all OECD countries.

Data centralisation

Many Australian state and territory governments have created shared services functions for their ICT and human resources functions. The issue is that if the wrong people get access as they did in the US OPM, then they potentially have access to everything.

Much has been made of the potential savings available to governments from centralising their data functions. Whilst this may be the case in the short term, like outsourcing, the return on investment over the long term is very much unproven. Shared services ICT functions aggregate data and create honeypots for organised criminals and national espionage groups. It is true that with shared services, ICT functions are able to afford more staff, the question is whether this advantage truly outweighs the dependencies on data that are created and the increased attractiveness of the target.

It is a question as to whether decreasing the value of a system by decreasing its attractiveness ie by decentralising, can be used to affect business impact levels. However it certainly makes intuitive sense, in that you should be able to maintain the relative risk of a system by splitting it into multiple separate systems whilst giving the organisation its operating requirements in terms of integrity of system and availability – see everybody’s happy!

When I was running Protective Security Policy, my team and I tried to address this with policies about aggregation of data and Business Impact Levels. Business impact levels are an excellent way of approaching agency cybersecurity on a holistic and strategic basis. The reason is that they take into account not only the confidentiality of information, but also its availability and accessibility. This allows the whole organisation to have a discussion about what they are willing to live with.

Human Resources information like that compromised in the OPM hack becomes useless if the right people can’t access it easily and keep it up to date. In the case of OPM, the organisation faces a significant problem in trying to do its job in managing clearances, which requires the information to have good availability against the traditional security argument, to lock things down.

Organisations need to fulfil their function, the confidentiality of information is always secondary to the primary mission in the minds of the executive.

Agency security advisers often find that they lose arguments on the basis of $$$, particularly in these times of shrinking government budget.

The way to make the argument is to do so on the basis not of security, but finance.

Accountants understand risk, they just talk about it differently. Any CISO worth their salt needs to talk in terms of value, efficiency and reputation for the organisation they represent. Otherwise, they might as well be talking Cantonese to a Mandarin speaker.

Here’s a collection of links, which might be useful

http://www.npr.org/2015/06/05/412177006/opm-hack-exposes-records-of-4-million-federal-employees

http://www.politico.com

http://www.engadget.com/2015/06/06/opm-hack-details-revealed/

https://threatpost.com/opm-hack-may-have-exposed-security-clearance-data/113184

http://www.govexec.com/technology/2015/06/massive-data-breach-puts-spotlight-shared-it-services/114613/?oref=ng-channelriver

http://www.theguardian.com/technology/2015/jun/05/us-government-opm-hack-data-collection-powers

http://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html

Help

We can help your agency set up its cybersecurity defence policies and procedures.

Contact us at [email protected] to talk to a cybersecurity policy expert.

Complexity and Resilience in an Information Centric World

Complexity and Resilience

How do organisations develop resilience in the complex environment that is the 21st century information centric world?

The lifeblood of the modern organisation is information. Every organisation, from small business to government department depends on information being passed to the right place at the right time.

Organisations and society are becoming more complex, but that doesn’t mean that they are more resilient. Complexity and resilience are more often enemies than friends!

Complex Organisations in the 21st Century

The opportunities posed by increased information flows are enormous,

Information is being gathered, stored and manipulated in larger quantities at higher speeds and analysed in more detail by organisations and society. They aim to to drive greater efficiencies and provide new and improved services. The information revolution allows organisations to become larger and more complex and to develop more complex systems and processes to support their organisational models.

1 billion Carbanak hackThe threats are also enormous

But the opportunity to become larger and therefore more complex often comes with a downside for organisational resilience and longevity. Complex systems are prone to catastrophic failure as small problems cascade and become enormous.

Information is damaging organisations when it is leaked or lost. Organisations are struggling to cope and governments are struggling to keep their own data secure. In other cases, too little information being passed to the places that need them. The organisational strategy is a delicate balancing act!

Survival and resilience

Why do organisations fail. Organisations are by definition self organising systems. However, when a self organising system loses the capacity to self organise – it is dead. Broadly, the story is similar for each one. The organisation was unable to adapt to the business environment before it ran out of resources. The end is often brought about by an acute event, but in many ways such an event is really just the ‘final straw that breaks the camel’s back’ .

The Australian Government’s resilience strategy shows Australia’s leadership in resilience thinking. It identifies four options for an organisation

  • Decline;
  • Survive;
  • Bounce Back;
  • Bounce Forward. 

However, in practice I think this may be too gentle. Taken over the longer term, organisations either live or die. There is no middle ground. Organisations that survive crises are able to do so for two reasons

  1. They have the resources, capital personnel,  leadership etc to manage themselves out of a crisis once it hits emerging weaker but alive; or
  2. They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities.

It is this second group which are truly resilient and survive long term. They still suffer from crises, but emerge stronger over the long term as they adapt to their new environment.

ICT is a two edged sword in the quest for resilience

As organisations become more complex, they are relying more and more on information technology and systems to help them understand themselves and their environment. Organisations can become more efficient. However, most organisations do not have control of their ICT infrastructure and it is increasingly difficult to understand how information flows within an organisation. It is also important to realise that efficiency and resilience are not the same. In fact, some efficiency practices may increase organisational fragility

Are the tools that organisations are using to try to understand their own organisations becoming in themselves part of the problem?

Possibly, though it is more the issue of complexity. There are a number of other factors

Speed of change

The speed that societies are changing is accelerating as technology advances. This means that organisations need to be able to adapt faster in order to keep up.

Interdependence

Organisations are more interdependent than ever. It is a trend that will continue to increase. In fact, countries are also more interdependent than ever. During the Cold war, sanctions didn’t affect Russia nearly as much as they do now. This is positive from a global political perspective, no country can survive without others, not even the USA or China. It is even forcing Iran to make compromises. In some ways this trade interdependency may be an alternate for the Mutually Assured Destruction (MAD) that nuclear weapons threatened to the USA and Russia during the cold war.

However, interdependency inherently leads to complexity and that is not a characteristic of resilience. Most organisations are increasingly dependent on long supply chains for materials and services, meaning that failure at one end of the supply chain can be expensive or time-consuming. On the other hand, international supply chains are extremely reliable … until they aren’t.

Everyone’s your neighbour

Because everyone is connected. Organisations can get closer to their customers and suppliers via the Internet. At the same time criminals and competitors are able to get closer to their target organisations as well.

Some organisations have been struggling. Sony corporation is one of the most prominent, but it is by no means the only one.

sony hacked again
From http://blogs.umb.edu/itnews/2015/01/06/the-sony-hack/

 

 

 

 

 

Affecting organisational longevity?

The evidence seems to be showing that organisational longevity is being reduced by a number of factors. Not least the ones I’ve written about above.

This graph produced by Innosight plots the average company lifespan on the USA Standard and Poor’s company index from 1958 to 2012 and extrapolates this out to 2030.

average company lifespan on SP500

US corporations in the S&P500 in 1958 remained in the index for an average of 61 years. By 1980, the average tenure of a similar organisation was 25 years. By 2011, that average had been cut to 18 years. In other words, the churn rate of companies has been accelerating over the last Century. On average, one S&P500 company is dropping off the index every two weeks! In total, 23 companies were removed from the S&P in 2011, either due to

  • declines in market value – eg Radio Shack’s stock no longer qualified in June 2011.
  • acquisition – eg National Semiconductor was bought by Texas Instruments in September 2011.

At the current churn rate, 75% of the S&P organisations that were there in 2011, will no longer be on the index in 2027.

The flaws in simple risk

Risk assessment loses specificity with complexity. That is, the larger, more complex the organisation, the less accurate the risk assessment can be. This is also true when we think about societal risks.

The sum of overall risk that an organisation has, is greater than its parts.

It is hubris to think that an organisation or society can know all its risks. There will be risks faced by an organisation that are either unknown, unquantifiable or both. Moreover:

  • The organisational environment continues to change rapidly. This means that risk owners ie company boards have less time for consideration and risk assessments need to adapt to the changing circumstances.
  • Perception bias is a significant problem. Gardner talks about bounded rationality in risk – suffice to say we downplay risk of things that we think we understand. Taleb talked in the Black Swan that people focus on the simple things they could understand.

In a complex organisation, people tend to focus on problems in parts of the organisation, rather than the organisation as a whole.

Different risk events

We see these issues playing out in different events that affect organisations, whether it is a

acute failure

such as the
– Deepwater Horizon Oil Spill that may yet cause BP’s demise, but seems to have been caused by a failure in the relationship with its drilling contractor, Haliburton

Target(USA) hack which saw tens of millions of credit cards stolen due to weaknesses in service provider security.

Or chronic failure

such as Kodak’s failure over decades to manage the transition to digital imaging, despite the fact that it’s own researchers had discovered the technologies in the 1970s.

A resilient approach

Resilience is the capacity for complex systems to survive, adapt, evolve and grow in the face of turbulent change. Resilient enterprises are risk intelligent, flexible and agile
(Adapted from www.compete.org)

A ‘Resilience approach’ does ignore risk assessment and management, it builds upon it to address weaknesses in terms of dealing with unknowns (known and unknown) and perception bias. Particularly those ‘high consequence low likelihood events’ – the black swans, that sit untreated at the bottom of any risk assessment, or fall off the bottom because nobody wants to think about them, or are not acute but in the chronic creeping ‘must deal with it sometime’ category. Worse still, they may be completely unknown.

Resilience approach allows enterprises to put in place mechanisms ‘deal with the gaps’ in the risk approach – those things that have been missed or underestimated.

As the world becomes more complex and organisations become more complex themselves. A resilience approach is the only option.

The resilient organisation

Develops organisational adaptability. A culture of making things work in spite of adversity. This creates a capacity to deal with adverse events – adaptability to deal with rapid onset of shocks. They also analyse to see whether improvements can be made out of any adversity.

Organisations look for mitigations that are able to treat a range of threats, because these techniques are likely to be more adaptable than highly specialised methodologies.

Testing – Organisations test systems to breaking point and beyond in the most realistic scenarios possible.

Resilience from Chaos (Monkey)

An example of testing to breaking point in a real environment is the ‘chaos monkey’ tool developed by Netflix. This application/agent randomly turns off parts of the Netflix production environment simulating the failure of different parts of their infrastructure. It is set to only do this during working hours when engineers are about to respond. In this way, the system is tested in the best manner possible short of the real thing.

Chaos Monkey Released Into the Wild

 

 

 

 

 

This post is based on a presentation I gave in Singapore. Here are my slides

This slideshow requires JavaScript.

 

Resilience Outcomes would like to acknowledge the assistance of Emirates Airlines for getting Alex to and from Singapore in great comfort.

The state of ICT Security

State of ICT Security – Attackers take over SCADA controlled steelworks furnace and caused massive damage

The threat to online assets from attackers remains critical according to a report just released on the State of ICT security by the German Government.

Cloud Computing, mobile systems and big data are providing enormous economic prosperity, but have on the other hand opened up large attack surface for organisations.

The German Federal Department for Safety in Information Technology  has just released its annual “State of ICT Security” report for 2014. The German Government’s version of the bit of NSA that helps government and businesses protect themselves online is called the BSI. They are highly skilled and well respected.

As is usual for a government report it is turgid. However there is some really interesting stuff hidden in the morass.  I’ve picked out some of the gems and translated them here.

Complexity is killing information security

The report emphasises that complexity is exposing organisations to attack. Of particular concern is that Internet of Things (Systeme und Dinge) is now moving from the stage where it is mostly about observation of the environment to changing the environment.

Importantly, particularly in light of the Snowden expose, this report is not coming from either the US or UK and so gives a secondary source to some of what those governments are saying.

There are over 250 million individual varieties of Windows malware around now

Other observations which confirm what you may have seen in other places

  1. Spam continues to grow exponentially
  2. Malware is still growing and at least a million devices are being infected annually in Germany. The BSI estimates that the number of different types of Windows malware is at a staggering 250 million. This is up from around 180 million in 2013!
  3. The number of infected sites delivering ‘driveby exploits’ is growing substantially.
  4. Botnets are being used to steal identity information. There are more than one million devices under the control of botnets in Germany.
  5. Phishing continues to yield results for cyber criminals

Advanced Persistent Threats – an increasing threat for government and industry

Germany is constantly being cyber-attacked by foreign intelligence services. The BSI has installed improved sensor technology in the government’s networks following the revelations that came from Edward Snowden in 2013/14. There are a number of methodologies which the BSI has identified. This tallies quite well with some of the things Bruce Schneier has written recently about these issues

  • Strategic enlightenment – whereby the intelligence service identifies connections between various users to gain an intelligence picture
  • Attacks on key individuals – attacking system administrators for key systems to gain access.
  • Influencing Standards – By weakening standards, , the allegation has been that NSA individuals have influenced the NIST standards development process.
  • Manipulation of IT hardware and software – Well they would do that wouldn’t they.

The BSI notes that trusted insiders are being used to enable some attacks by intelligence services, criminals and activists.

This table is reasonably easy to read, even if you don’t understand German. It shows the prognosis (prognose) for threats over the coming year.

Schwachstellen = vulnerabilities
Schadprogramme = malware
Identitaetsdiebstahl = ID theft

Cyber threat prognosis

Casestudies

The report goes through a number of cases where the BSI was called to assist businesses. Here are two that are of particular concern.

Steelworks compromise causes massive damage to furnace.

One of the most concerning was a targeted APT attack on a German steelworks which ended in the attackers gaining access to the business systems and through them to the production network (including SCADA). The effect was that the attackers gained control of a steel furnace and this caused massive damages to the plant.

Dragonfly attacks a dozen companies

The Dragonfly hacker group attacked a number of companies’ SCADA systems and installed the malware ‘Havex’. This was used to gather information about the systems. No damage was done, because the compromise was detected and removed before the hackers had completed the observation and intelligence gathering phase.

Conclusion

It’s worth remembering that there are many other countries dealing with the cyber threat around the world. Germany has always been one of the leading non-UK CAN, US, AUS, NZ countries and it is interesting to see how they view the landscape.

You can download the original Document from the BSI – Bundesamt fuer Sicherheit in der Informationstechnik – in German “Die Lage der IT-Sicherheit in Deutschland 2014”  https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf?__blob=publicationFile

Privacy and Social Login – wins first prize

Privacy and Social Login article wins award

“Privacy and Social Login” an article published in the International Association of Privacy Professionals Australia New Zealand May 2014 edition of “Privacy Unbound” and here won the first prize for article for this year .

The IAPP announced at the 2014 IAPP Privacy Summit “Privacy at Play” held at the Westin on 17 November in Sydney that Alex Webling had won the 2014 award for best article published in the association’s journal “Privacy Unbound”.

The iappANZ is the pre-eminent forum for privacy professionals in Australia and New Zealand. We are affiliated with the International Association of Privacy Professionals (IAPP) which is the largest privacy body at the global level with a membership approaching 20,000. We work with public and private entities across all industry sectors in Australia and New Zealand as well as the Privacy Commissioners in both countries.

The iappANZ Privacy Unbound Journal provides practical thought leadership and case studies along with a popular Q&A with the Australian and New Zealand Privacy Commissioners to keep members in touch with regulators. iappANZ also provides a Weekly and Daily Digest for regular privacy news updates.

UPDATE 23/12/14

The article, along with a profile of Alex Webling was republished in the IAPP December 2014 edition – http://www.iappanz.org/IAPP/eflash/November_December_edition_59_Privacy_Unbound.pdf

Privacy and social login

Is it possible to enhance privacy with social login?

The likelihood that any Australian Government is going to create an online identity credential now seems distant with the National Trusted Identities Framework (NTIF) almost forgotten. How quickly the Internet forgets, but maybe that’s a good thing if you’re Mario Costeja González.

But the need that the NTIF sought to fill has not gone away. Governments are trying to work out how to service their citizen/customer/users at lower cost. The Internet offers one possibility, but in taking their services online, government agencies expose themselves and us to different threats and potentially higher risk. However, it seems inevitable that government agencies will follow financial institutions in offering higher value transactions online. In the end, the economic argument is likely to drive government agency migration online with more high trust services. Recent federal and state/territory budget announcements are only likely to spur this movement.

There are a number of threats that need to be mitigated before a government agency could potentially provide its services online. Probably the key issue is for the agency to be sure that a user requesting access to a site is who they say they are. Currently issuing the customer with a username and password mostly does this, but the model is beginning to fail. The problem is that most people don’t interact with government agencies on a regular basis and yet information sensitivity and computer capabilities require users to adopt increasingly complex and non-sensical passwords.

It's all getting a bit hard
It’s all getting a bit hard

This in turn makes the passwords more difficult to remember even as they are harder to crack. It also means that password resets are much demanded. Yet at the same time, customers are expected to change their passwords regularly, not to write them down or repeat them for other online services.

It seems clear that these password requirements largely force customers to break their user agreements and either, write their passwords down, or worse re-use them for other services/websites.

It also puts government agencies in a bind. They want to provide online access to their services because it could be cheaper to operate than bricks and mortar outlets (if they didn’t have to reset too many passwords), but they also do not want to be embarrassed by privacy and security breaches.

Social Login providers

One option is the use of a social login to help secure online authentication. This could enhance user information security and minimise privacy breaches. Social login, also known as social sign-in, is a form of simple sign-on (to web resources) using existing membership of a social networking service such as Facebook, Yahoo, Twitter or Google+ to sign into a third party website in lieu of creating a new login account specifically for that website or service. Social login is designed to simplify logins for end users as well as provide more and more reliable demographic information to website owners. Social login can be used as a mechanism for both identity authentication and user authorisation.

Google website authentication

Social login is being adopted by private sector organisations for a number of reasons including: Rapid registration; Verified email contacts; and Customer stickiness. However social login also offers three major benefits for government agencies.

–       Currency of contact data. Contact data such as email tend to be kept up to date by the user.

–       Passwords are less easily forgotten because they are regularly used. At the same time, the social login passwords are not transmitted from the user to the agency website.

–       Security. Agencies can leverage security technologies implemented by the social networks that they might never be able to replicate themselves. Because of their resources, social networks such as Google and Facebook are able to detect and patch zero day exploits quickly.

So what are the privacy risks?

A user, when accepting the convenience of a social login, can share a significant amount of their information between a third party website (such as a government agency) and the social network. The social site is informed of every social login performed by the user. Often, it is worth considering whether users understand exactly what they are sharing and whether they are giving informed consent to share. However this risk can be mitigated with the creation of clear and detailed login screens, which explain what the users are sharing.

As an example, the following information is returned when a Facebook user agrees to share their ‘Basic Profile’. Other than the email, the information is not verified and may not be present. However, several organisations claim that the quality of the data returned is in general very good because social network users feel social pressure from their friends to be accurate.

Address Birthday Verified Email
Display Name Family Name Formatted Name
Gender Given Name Homepage
Preferred Username Profile Photo Time Zone

At the same time, it is not necessary for the third party website to collect all the information if it is not required.

Another issue surrounds current sensitivities with the USA NSA’s indiscriminate hoovering of online data. It is important to note that because all the large social networking sites are based in the USA, they are subject to USA’s laws and customs related to security and privacy. Under that regime, Australians are given significantly fewer protections than USA citizens or residents. Effectively, the social networking site itself provides the main protection for reputational reasons. However, readers may be aware that there have been recent moves in the USA to change this approach for what the US charmingly calls ‘aliens’ like Australians and give the same protections for all users irrespective of citizenship.

Can we get the benefits of social login and have citizen privacy as well?

With careful design it seems possible that social login could enhance privacy for users at the same time as providing benefits to government agencies. Considering the social login as an adjunct to agency authentication rather than the whole process could be an answer. If customers nominate their social login at the same time as they were enrolled into a government service, they could later use their social login as the first stage of an authentication process. This would provide an outer layer of defence against hacking. The user could then login to the agency itself using a separate authentication process.

The advantages of this model, beyond defence in depth, are that the user logs into the agency with their authenticated social login username, but does not gain access to sensitive information without providing an agency specific authentication. The social network also does not receive any sensitive information beyond the fact that a user logged in at a website. The use of government portals can be used to obfuscate which agency a user is accessing. At the same time, with consent, contact information from the social login site could be compared with that held by the agency and presented to users so that they can choose to update the information held on them by the agency.

At both the state and federal level, government agencies are starting to actively consider social login. Provided that governments are also prepared to carefully design the user interaction so that the social networks don’t get any more personal information than the user/citizen is prepared to share – by turning off analytics and sharing social network authentication gateways across groups of government agencies, it can provide benefit to users and government alike.

In the longer term, government will be able to verify citizens online when they wish to enrol themselves for services. The possibility arises to use the Document Verification Service (DVS) combined with social history to connect an entity to an identity, but that may be a discussion for another time.

I’d love to hear what you think.

Alex

This article originally appeared under the title “Can social login be privacy enhancing” in the May 2014 edition of Privacy Unbound, the journal of the International association of privacy professionals (IAPP) Australia New Zealand chapter and can be found here at this link iappANZ_MayJournal

Direct link to the IAPP:  https://www.privacyassociation.org/

IAPP ANZ http://www.iappanz.org/

 

Information Security and Resilience at ASIS QLD

Information Security and Resilience presentation to ASIS QLD Chapter

I gave a presentation to the ASIS QLD Chapter yesterday morning.

Apart from a couple of minutes spruiking the Australasian Council of Security Professionals, I spent my time talking about the intersection between Information Security and Resilience. You can download a copy of the presentation PDF via this link – ASIS QLD JUNE – infosec and resilience

If you’re interested, here are a few links related to the presentation.

I have written previously about resilience and information security. You might like to revisit these links on cybersecurity or here.

Alex talks about information security and resilience

 

PRESENTATION ASIS QLD JUNE – infosec and resilience

Link to  ASIS QLD 

Privacy changes in Australia

Privacy strengthened in Australia

The Australian Privacy Principles come into force on 12 March. The APPs extend coverage of privacy laws to most business with turnover of $3 million or more.

Fines of $1.7 million are possible for breaches.

Privacy - Sony executives bow in apology post Playstation breach in 2011
Execs bow post Playstation breach in 2011

Australian Privacy Principles

The Privacy Act now includes a set of 13 new harmonised privacy principles. The APPs regulate personal information handling by the federal government. In addition, the law significantly expands the number of private sector organisations covered.

The new Australian Privacy Principles (APPs) replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organisations. The changes do not generally replace existing state of territory privacy legislation (eg Victoria & ACT) which will probably cause some confusion at the edges

A number of the APPs are quite different from the existing principles, including

  • APP 7  -on the use and disclosure of personal information for the purpose of direct marketing, and
  • APP 8 – on cross-border disclosure of personal information.

The OAIC gets teeth

The Privacy Act now includes greater powers for the OAIC which include:

  • conducting assessments of privacy compliance for both Australian Government agencies and some private sector organisations.
  • accepting enforceable undertakings
  • seeking civil penalties in the case of serious or repeated breaches of privacy

In some ways Australia is just catching up with Europe, Canada and USA, but its worth noting that breaches can mean organisations get fines of up to $1.7 million. It is probably an understatement to say that this could  have a serious impact on company finances as well as reputations.

One thing that is very good about these changes is that there is better alignment with good information security practice. We hope that these changes may help some organisations improve the state of their information security as they become privacy compliant.

For more information on the APPs and the OAIC’s APP guidelines, visit this link –  Australian Privacy Principles.

Credit Reporting is changing too

The Privacy Act now includes new credit reporting provisions including:

  • introduction of more comprehensive credit reporting, a simplified and enhanced correction and complaints process
  • introduction of civil penalties for breaches of certain credit reporting provisions
  • requiring credit providers to have an external dispute resolution scheme if they want to participate in the credit reporting scheme. The scheme must be recognised under the Privacy Act.

For a more detailed explanation of the credit changes see: Privacy business resource 3: Credit reporting — what has changed

A new mandatory credit reporting privacy code (CR code), created by the Australian Retail Credit Association ( OAIC’s Codes Register ) also starts on 12 March 2014.

We can help

We are helping government agencies and businesses assess the privacy impact of their activities in light of these legal changes. In particular, we have recently worked with the health and finance sectors in Queensland, the ACT and Victoria.
Please  contact us at Resilience Outcomes for assistance.