Building better cyber security in organisations

A speech given by Alex Webling to the opening of Z-CERT, the Hague, Netherlands, January 2018

Building better cyber security strategy in organisations

The opening of Z-CERT is an important development in the protection of the Netherland’s health care system. I wish you all the good fortune in the world.

Z-CERT launch
launching the Z-CERT website

When I started working in cybersecurity for the Australian Government in 2002, the world was a different place.

For one thing, we called it electronic security and mostly it was a small extension of the great game of espionage played between nation states. We focussed almost exclusively on keeping our information confidential.

However, even then, we realised that in order to keep our systems and citizens secure, we’d have to collaborate with like-minded countries and the Netherlands was top of my list.

I have continued to admire the Dutch, because I think that you tend to be quite pragmatic in your approach to problems. Solving the issues related to cyber security and privacy are no different

The cyber landscape has continued to evolve quickly under our feet and the need to collaborate and share best practice has only accelerated.

“If you think technology can solve all your security problems, then you don’t understand the problems and you don’t understand the technology”  Bruce Schneier

I think you all know that the information age is upon us and has been for some time. This year, like the last, and the one before will bring more connectivity, digital transformation initiatives, and data for organisations and their human operators to handle.

The opportunities this information age brings are amazing.

All organisations, not least health providers are focussed on getting the right information to the right people at the right time, and avoiding the wrong people accessing it too.

This is an incredibly difficult task. Getting it right, relies on judgement and experience. It is becoming increasingly difficult to achieve. Information travels at the speed of light, but we can’t think that fast.

Just think:
unlike any previous time in human history, information has become very expensive to delete as well as to create.

Within a couple of generations, many organisations have moved from paper records to electronic ones. Access to electronic information brings so many benefits for the health professional.

But there is also a dark side.

With the opportunities come the threats. Threats to privacy, reputation, financial status and also to patient outcomes.

More tools developed by government hackers have become public, and it’s easier than ever to create sophisticated ways to spread malicious software or steal data.

Estimates are that ransomware cost victims 2billion Euros in 2017, twice as much as in 2016.

Meanwhile others have predicted global losses from another growing trend, compromised business email scams, will exceed 9billion Euros next year.

With the advent of the GDPR in less than five months, the financial penalties if data protection goes wrong are about to get much more serious. GDPR fines will be up to 20 million Euros or 4% of annual turnover (whichever is higher).

The cost is not just monetary, NHS hospitals in the United Kingdom were hit by the ransomware cyberattack WannaCry, delaying surgery for patients. The potential for things to get much worse is real.

Opportunities and Threats

Yet, the opportunities are so great, that organisations have no choice but to manage the threats that the information age brings.

So the key point of this talk is:

Good information security is dependent on dynamic organisational governance of cyber security.

An Information Security Management System can help organisations become resilient to the dynamic threat

What is it?

So what is an Information Security Management System or ISMS and how can it help me and my organisation?

To answer that, we need to look at three questions

  1. Why should my organisation care about cyber security?
  2. Who is responsible for organisational cyber security?
  3. What does good cyber security look like?

Because I have found that many senior executives find it difficult to answer these questions for themselves and I’m going to give you good reasons to take back to your organisations to make change happen.

Why should my organisation care about cybersecurity?

Your organisation is an information business

At the risk of repeating myself, whatever else it does, your organisation is an information business. Information is the lifeblood of a modern organisation. A cyber attack can mean your organisation’s information goes to the wrong people, is changed or is removed. Even worse, you may not even know this has happened for months.

The legislative and regulatory environment will continue to become more stringent as the cyber threat increases

eg GDPR

The GDPR is not the first regulation to place responsibility on organisations for protection of specific data. The introduction of the GDPR is part of an ongoing trend for legislation and regulation striving to catch up with the changes in technology and society that the information age has brought us.

You are probably aware that as early as 1995, the European Council adopted the Data Protection Directive which aimed to protect individuals’ personal electronic data.

PCI DSS does this for credit card information around the world. The Health Insurance Portability and Accountability Act (HIPAA) did this for personal health information in the USA.

GDPR requires organisations to map their personal information holdings. But mapping under GDPR is not just another classification exercise. It also requires the organisation to correlate the data back to an individual, a country of residence, consent, purpose of use and more. Under GDPR it’s not enough to just know the personal data content; it’s also essential to know the context of the data because the organisation is the steward of the information, not the owner.

The increasing reputational and financial damage suffered by organisations that are hacked

In many ways this is related to the previous point. The outrage that the public expresses every time another organisation loses their data is growing.

Some organisations have tried to hide that they have been hacked. Uber and Equifax are alleged to have done this, but any conspiracy is almost always revealed quickly. Mandatory reporting provisions are putting increased pressure on organisations to reveal breaches quickly and to show how organisations are dealing with cyber events

Where this doesn’t happen, the public is voting with their feet. This is having direct impacts on the tenure of leaders, CEOs and boards. For listed companies, it is impacting their share value directly.

When the GDPR comes into force in May this year, to repeat for emphasis, fines of up to 4% of the organisational turnover are possible where organisations are shown to be negligent in the protection of EU citizen’s personal information. This will be a very significant increase over the previous regimes.

Who is responsible for cyber security

This one’s easy.

It is the owner of the cyber risk

That’s the board or CEO of the organisation. These are the people that regulators are increasingly targeting when things go seriously wrong.

It is not the ICT manager, the CIO, or the security manager. The decisions on how much cyber risk the organisation should take comes down to the CEO and Board. The organisation leader needs to make those decisions in an informed manner that balances relevant stakeholders’ perspectives.

Goldilocks Security

I call it ‘Goldilocks Security’ – that which is just right for the organisation, not too much and not too little.

Goldilocks security is different for different organisations. Cybersecurity is a series of tradeoffs between the confidentiality of information, its integrity and its availability.

If you think about it: The most secure information is completely inaccessible to all and pretty useless.

There needs to be a balance.

How does the board and CEO become informed about cyber risk?

They use experts who understand the threats, vulnerabilities and consequences of cyber attack, and communicate in business-ese to the board, but they retain the decision making for themselves.

Time to move away from the word ‘Cyber’

By the way this is probably the time to tell you that I don’t really like the word ‘cybersecurity’, and prefer the term ‘information security’.

Cyber tends to make people think only of computers and networks. This then can lead to the responsibility for cyber being put solely on the shoulders of the CIO or ICT manager.

Words Matter – and as hard as it is to change the way we talk, we need to make the change.

We have to continually remind ourselves that people are both the central cause and the primary victims of information security attacks.

Weaknesses in human behaviour are still one of the easiest ways of compromising any organisation.

What does good security look like?

So now we get to the crux of the matter.

Good organisational cybersecurity is tested, systematic and repeatable, however, for many organisations it is anything but like this!

Developing cybersecurity maturity is not an overnight process, but it is possible. The most difficult aspect is committing to required changes and implementing organisational governance that embeds accountability and realistic assessment of risk.

This requires a certain amount of bravery on the part of executives.

Unfortunately, our experience is that many organisations need a compelling event, such as a major breach, before they take cyber security seriously. However, it doesn’t have to be this way for change to happen.

The organisational leadership can create an Information Security Management System or ISMS.

The Information Security Management System (ISMS)

An ISMS is a set of better practice, policies and procedures for systematically managing an organisation’s information.

The ISMS operates by identifying, assessing and managing information security risks resulting from internal and external threats exploiting the organisation’s vulnerabilities.

The goal of an ISMS is to

  • manage the risk of a cyber event occurring on an ongoing basis in a holistic manner; and
  • minimise the impact on the organisation if and when a cyber event occurs.

A Strategic Decision

Implementing an ISMS is a strategic decision for the organisation. Implementation requires CEO and Board commitment – because they own the risk.

At the strategic level, the CEO / Board create an ISMS committee which has responsibility for the organisation’s information security. The committee meets regularly and oversights the development of a structured approach for organisations to develop better enterprise security by dynamically monitoring and improving information security effectiveness.

Cyber risks are assessed at a holistic level. Sometimes, the organisational leadership will decide to take more cyber risk in order to achieve a business objective. The important thing is that it is done with full knowledge of the risk – both positive and negative.

When the ISMS committee operates in this manner, the organisational cybersecurity stance evolves to meet the increasing threat and the organisational business needs.

Minimising the impact of a cyber event. Or…. You will be compromised

I mentioned before that information security is all about tradeoffs. Tradeoffs between your people being able to access the information they need to do their jobs – availability. Tradeoffs that information is correct – integrity. Tradeoffs that information doesn’t fall into the wrong hands – confidentiality.

It is a legacy of the old cyber security thought that many security people worry more about information confidentiality than integrity and availability, rather than worrying about what the business needs to achieve its objectives.

Bringing information security to the board level, means that decisions about tradeoffs must be made, particularly in tight fiscal environments.

Sometimes it will go wrong….

Even with an ISMS in place, there is always a risk that an information security event occurs. When it does, the organisation must respond. Good cyber response involves much more than the ICT area.

Whilst the technical response is occurring, the organisation needs to work out how to respond to stakeholders, what if anything to report to authorities etc.

One of the key aspects of the GDPR, as I’ve mentioned earlier is the mandatory reporting of data breaches. An ISMS brings together key stakeholders to consider risks, including the data protection officer, who can consider the impact of a breach from a GDPR perspective and advise the organisational leadership about the implications, if any.

However, like a fire drill, cyber response needs to be practised.

A smooth response to an event can minimise the impact on the organisation significantly. In my experience, the technical response to cyber incidents works better than the non-technical response, simply because the techs are responding to minor incidents day in and day out, but for other parts of the organisation, it is not their day job.

Recovering (more) gracefully

There are multiple examples (eg Uber, Equifax) of companies handling data breaches badly. However, here’s a case of one that was handled well from a public relations perspective.

In Australia, the Red Cross Blood Bank was compromised in 2016. Over 500,000 blood donors’ personal information was exposed publicly.

At that time, it was not mandatory to report breaches of personal information.

However, the Red Cross was proactive in informing the public and the Australian Privacy Commissioner. In doing so, Red Cross made the best out of a bad situation by displaying transparency and showing that they were doing their best to fix the problems.

By getting on the front foot, the Red Cross maintained the public’s trust in the blood system.

http://www.abc.net.au/news/2016-10-28/red-cross-blood-service-admits-to-data-breach/7974036 https://www.oaic.gov.au/media-and-speeches/statements/australian-red-cross-blood-service-data-breach

In summary

Why should my organisation care about cybersecurity?

Care because your business is information (whatever your business)

  • Your business is information
  • The GDPR is just the next step in a global tightening of Legislation and Regulation for organisations operating in cyberspace.
  • If you don’t play by the rules and you get caught, your reputation and finances will suffer

Who is responsible for cyber security

  • The owner of the risk, generally the CEO, Agency Head or Board
  • The CEO needs to make informed decisions about how much security is just right – Goldilocks security
  • Your security and ICT people help the leadership make informed decisions. They need to translate geek-speak into business-ese

What does good security look like

• An information security management system is recognised as the better practice for information security and is eminently applicable to the data protection requirements of the GDPR.

• An ISMS evolves continuously to meet the changing risks. It is not ‘set and forget’ and only works if the risk owner engages with it.

• You will be compromised. Practice your cyber response at the organisational level, not the ICT level.

CONCLUSION

We are well into the information age. Information is the lifeblood of the organisation. The days when somebody from IT was responsible for cybersecurity are long past.

Executives responsible for organisational success must take ownership for cyber security. Cyber is just another risk category like finance.

Establishing and running an information security management system is recognised as the best way to manage and balance information security and privacy risks for organisations.

A well run ISMS helps the organisational leadership understand the value of its information and take advantage of the opportunities of the information age as well as reducing the downside risk.

The GDPR is part of a continuum of regulation that will force organisations to design security for citizen data across its entire lifecycle into their processes. The provisions relate not only to technology, but also to policies and employee behaviour. The policies and practices that are instituted to meet the requirements of the GDPR can also be applied to improve information security across the whole organisation.

Developing cybersecurity maturity is not an overnight process, but it is possible. The most difficult aspect is committing to required changes and implementing organisational governance that embeds accountability and realistic assessment of risk.

You have the power to make cybersecurity happen in your organisation. Start today, by creating your information security management system board. Make sure that the CEO is at the table. Keep the scope small and manageable whilst you learn by doing.

Looking at the risks associated with GDPR would be ideal if your organisation hasn’t started. Once you understand what you’re doing, start expanding the scope.

 


Alex travelled to the Netherlands as a guest of Z-CERT, the Dutch Computer Emergency Response Team for healthcare (Zorg)  in January 2018.

Z-CERT’s website is https://www.z-cert.nl/ 

 

GDPR is on its way

GDPR is on its way

On 25 May 2018, GDPR comes into force. Any company that does business with EU members needs to be in full compliance with the EU’s General Data Protection Regulation (GDPR). This requires them to take specific steps to more securely collect, store and use personal information.

For many organisations, time is running out……

GDPR has big teeth

Companies not meeting the GDPR this time next year face significant fines for indiscretions.

For example, NCC Group came up with a model that took fines actually imposed for privacy breaches by the UK’s Information Commissioner’s Office and calculated what they might be under GDPR. Under the model, British companies that were penalised for breaches last year could have faced fines totaling $112m AUD under GDPR, rather than the $1524m AUD they had to pay. That’s an order of magnitude larger.

Extrapolating the modelling.

  • The 2016 fine for the data breach of Talk Talk seems small compared to what it might be under GDPR. Talk Talk got whacked last year with the biggest fine ever in the UK for a data breach $693,000 AUD. NCC calculated that Talk Talk’s fine under the GDPR would have been an eye-watering $102 million.
  • Pharmacy2U, sold personal details, including medical related information, to a lottery company. It was fined $225,000 by the UK information commissioner in 2015. NPP’s modelling indicates that it would have instead faced a much steeper fine of $7.6 million under GDPR.

Those are large $$$, especially in light of a report from earlier this year by (ISC)2’s EMEA council, which covers Europe, the Middle East and Africa. According to the (ISC)2, companies aren’t doing at all well. The familiar mantra is

“Time is running out”.

The (ISC)2 EMEA council warned of what it sees as poor acceptance of accountability across organizations and an apparent belief that the task ahead is one for the specialists – either legal or technical.

Meanwhile, a recent report by UK company Crown Records Management found,  nearly one in four UK businesses surveyed said they had stopped preparing for GDPR. In fact 44% saying they didn’t think GDPR would apply to them once the UK divorces the EU sometime in 2019 post Brexit. There are two problems with this line of thinking. Firstly, in the short-term, businesses will still need to meet the GDPR whilst the UK is part of the UK; and secondly, unless there is a complete change in trading relationships, the EU will remain the UK’s biggest export market.

SMEs are not immune

Another point of uncertainty for companies is about size. Unlike Australia. where there is effectively a privacy carve out most small companies, the GDPR requires that any company doing business in the EU more securely collect, store and use personal information. So, smaller companies face fines for violations that might occur.

That said, the regulation accounts for the fact that smaller businesses lack the resources of the big guys. The Bytestart UK small business portal gives some advice for SMEs on what they need to know about the GDPR. They make four points:

  • Firms of a certain size (over 250 employees) must employ a Data Protection Officer (DPO). This person ensures that a business collects and secures personal data responsibly. Smaller firms may have to as well if “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects”
  • Mandatory Reporting – Breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours if possible but certainly within 72 hours.
  • Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they either withdraw their consent to the use of their personal data or if keeping that data is no longer required.
  • Failure to comply with the GDPR will lead to heavier punishments than previously. The GDPR will be able to fine up to 20 million Euros or 4% of annual turnover (whichever is higher).

So what?

Now that we’ve outlined what’s at stake, let’s look at some concrete steps companies that want to trade with the EU must take to be ready for 25 May 2018. Australian and New Zealand companies are in this boat, not only those in Brexit Britain. We’ve written previously about how the decisions in the EU and USA on privacy affect Australia. It is likely that this will be much the same.

Ireland’s Office of the Data Protection Commissioner has produced a checklist which is quite good. We’ve found this list to be particularly helpful with our clients.

  1. Become aware.
  2. Become accountable.
  3. Communicate with staff and service users.
  4. Protect personal privacy rights.
  5. Review how access rights might change.
  6. identify your legal basis for carrying out processes and document it.
  7. Ensure you are using customer consent as grounds to process data.
  8. Process children’s data extra carefully.
  9. Have a plan to report breaches.
  10. Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default.
  11. Consider data protection officers.
  12. Understand International Organisations and the GDPR.

How to approach GDPR compliance

GDPR is just another project. These are some milestones that your organisation might consider so that it can be ready for 25 May 2018

  • Executive Support and Awareness in place
  • Project Plan and Budget
  • User Awareness
  • Appoint a Digital Protection Officer
  • Identify privacy information holdings
  • Update Privacy Notices
  • Revise Data Protection Policies
  • Re-examine Information Sharing Agreements
  • Develop and accept at an organisational level Privacy Impact Assessments
  • Identify cross-border transfers
  • Establish a Data Subject Rights Management protocol
  • Ensure “Privacy by Design” is implemented into the Organisational Project Methodology

More resources

The EU has created a GDPR portal which gives a countdown until enforcement, and more importantly FAQs about how to prepare

http://www.eugdpr.org/

There is a lot of guidance available from the UK Information Commissioners’ Office

https://ico.org.uk/for-organisations/

Also useful

http://cfsystems.biz/wp-content/uploads/2016/11/Preparing_for_the_General_Data_Protection_Regulation_-_White_Paper.pdf

 

Security Professionalisation in Australasia

Security Professionalisation in Australasia

Security Professionalisation is an issue that all who are involved or care about societal resilience should be concerned about. I’ve just written an article for Security Solutions Magazine talking about the efforts that a new organisation, Security Professionals Australasia (SPA) is undertaking to work with the security industry and governments to improve the state of affairs.

The article has been published in the latest edition of Security Solutions Magazine (Nov/Dc 2015) which is available at  http://www.securitysolutionsmagazine.biz/ 

(Disclosure of interest, Alex Webling is a member of SPA)

Privacy Safe Harbour and Australia

Privacy ‘safe-harbour’ and Australia

 – not safe enough?

The decision by the European Court of Justice to declare the Safe Harbour arrangements between the US and EU invalid will have interesting repercussions not only for European citizens and companies such as Facebook and Google, but also for countries that increasingly rely on selling services overseas like Australia and New Zealand.

The decision was made as result of a case brought by Austrian citizen Maximillian Schrems on the use of his data by Facebook and in particular the practices of the US government as revealed by Edward Snowden.

This judgment has the consequence that the Irish supervisory authority* is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data. http://curia.europa.eu press release 6 October
*Facebook European HQ is in Ireland

Safe Harbour, is an agreement that had been in place since 2000. It was supposed to give the protections to private data collected by multinational companies on EU citizens wherever it was stored. This allowed Facebook to store EU citizens’ data in the US or wherever it was most efficient, but required them to treat it to the EU’s standards, rather than the more relaxed US standards.

The judgement is an indication of the deep unhappiness in Europe with the US’s cavalier approach to non-US citizen’s data. The US’s binary approach to citizen rights makes many non-US citizens bristle. It is like the Pax Romana of the Roman Empire 2000 years ago.

This decision will not ‘destroy cloud’ in Europe or elsewhere. However, it will require some reorganisation. In this, it will hurt second and third tier players more than Facebook, Amazon and Google.

Moreover, the decision will not seriously curb mass surveillance. The dirty little (not so) secret is that all countries spy on their citizens for mostly good reasons, including the Europeans. It’s just that the US is better at it than most others.

When the big players jostle, smaller countries feel the waves.

For Australian organisations, not only those who hold EU citizens’ data, this decision should cause them pause for thought. Organisations that do not take privacy seriously, or only respect the privacy of a subset of their stakeholders, need to rethink their approach, if only in terms of the reputational damage of a breech in markets like the EU.

The Internet becomes less than one – Time for an International Law of Cyberspace

The Internet has never been one network for all, As much as some might wish, it is a motley collection of many nets with a very minimal governance. The main effect of this decision is to further balkanise the Internet in a similar way to content geo-blocking and country firewalls.

Smaller countries like Australia and New Zealand should be concerned. We need to be able to trade on an even playing field in services. And that means having an Internet that is common to us and our competitors, both in terms of technology and policy. We need common laws governing cyberspace as much as we need trade barriers on physical goods like rice to be reduced.

This is the time that Australia, New Zealand and similar countries should be pushing hard diplomatically for an international ‘Law of Cyberspace’ which achieves the equivalent that the conventions on the Law of the Sea  achieved for maritime commerce. It took 300 years for the Law of the Sea to come to pass and it’s still being updated – let’s hope that the law of cyberspace takes much, much less time.

 

 

 

Speaking at the ASIS Asia-Pacific Security Forum

ASIS Asia-Pacific Security Forum

Alex will be speaking at the ASIS Asia-Pacific Security Forum being held in Singapore 7-9 December 2014.

http://www.gratisography.com
Credit:www.gratisography.com

Alex will be talking about:

Resilience in an Information Centric World.

The best indicators of the future are the events of the past, yet the past is not an absolute indicator or future events. Outlier events are becoming more common and threatening the existence of organisations – Is enterprise risk management to be thrown out?

The vast majority of organisations that have ever existed are not around today. Of the top 25 companies on the US Fortune 500 in 1961, only six remained there in 2011.

The few that survive broadly did so for two reasons, which Alex Webling, Treasurer of the Australasian Council of Security Professionals will discuss with examples at ASIS Asia Pacific 2014 in Singapore.

I think we all understand that small businesses come and go, but this lesson is true for large organisations as well.Research carried out on fortune 500 companies in the USA showed that the average rate of turnover of large organisations is accelerating.  The turnover has reduced from around 35 years in 1965 to around 15 years in 1995.

Alex has talked about this topic before and will be expanding on his observations and research with conference participants about how they might assist their organisational longevity.

We hope to see you in Singapore.

The website for the conference is here and you can register here

 

 

Cyber resilience update

Cyber resilience

One of the most important aspects of resilience in the information age is understanding the environment in which we exist. Resilience is adaptability in a changing environment, the more we understand that change, the less painful it is. Here are a few  current issues that might help your cyber resilience.

Alert, but not alarmed
Alert, but not alarmed! – Photo AWebling

Cyber Security Summit – Stanford November 2013

In the shadow of the Snowden revelations about the US and UK, security experts and leaders from more than 40 countries have been at Stanford University in California, USA for a gathering on cyber security.

If you have a sense of irony, you may have listened to the debate on Syria and comparing that to the NSA / Snowden / Internet debate.
– US Secretary of State John Kerry has recently made broad and I think reasonable statements saying that

President Assad had lost the moral authority to rule Syria.

– However that same test can be made against the USA.

 The USA has lost its moral authority to control the Internet

through the activities of the NSA and other government agencies. The full text of Secretary Kerry’s Syria speech can be found here via usembassy.gov. Of course although the USA is the biggest culprit here, the UK, Canada, Australia and NZ have all been shown up.

China was prominently represented at the conference. The Minister of State Council Information spoke about China’s problems. In his speech Cal Mingzhao said that in the first six months of 2013, 20,000  websites were hacked and 8 million servers compromised. According to Minister Mingzhao this indicated a rise of 14% year on year.

China has used the conference to repeat its call for global efforts in building a robust legal system, and strengthening international cooperation. Although I am somewhat cautious about their motives. I believe that the Chinese are on the right track with this view. I have previously made my views clear here in this post about why the world needs the cyber equivalent of an international law of the sea.

It is good to read  that Scott Charney ex US Department of Justice and current Microsoft VP on privacy and security is publicly calling for the US to show more information about what it collects and what happens to that data. Few sensible people disagree that the US and its allies should use maximum efforts against terrorists.

The US has lost support because it has strayed away from its stated goal of combatting terrorists and towards industrial espionage and employed tactics which compromise the majority in the pursuit of this goal such as the backdooring of encryption algorithms.

 

In other news

The Canadian Office of the Superintendent of Financial Institutions has released a ‘Cyber-Security Self Assessment Guidance for Canadian financial institutions, but which provides some good advice to any organisation looking for a template to help them.

Unlike the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Preliminary Cybersecurity Framework, which was released for public comment on October 22, 2013, the Guidance does not prescribe a common language or mechanism for financial institutions to control and manage cyber security risk nor does it expressly build on existing standards, guidance and best practices for managing cyber security risk. In fact, in the Guidance, OSFI indicates that it “does not currently plan to establish specific guidance for the control and management of cyber risk.”

Rather, the Guidance sets forth an 11-page self-assessment template that sets out “desirable properties and characteristics of cyber security practices that could be considered by a FRFI when assessing the adequacy of its cyber security framework and when planning enhancements to its framework.” Of course if you’re a Canadian bank trying to do business in the US..

www.offi-bsif.gc.ca

Lastly, in the ‘this might be a little insane’ category

A US (Missouri) based cyber crime prevention network is advising parents to teach their children about cyber-security from the time they are toddlers.

www.kshb.com

I can just imagine it – “Our little Johnny fixes our firewall whilst we sit him on the potty…..” But seriously, of course keeping kids safe online is important in the same way as keeping them safe in the real world, but maybe they should learn to read first.

 

 

 

NSA/GCHQ built vulnerabilities into encryption?

Have the NSA and GCHQ been building vulnerabilities into commercial encryption products?

If this is true, another argument for open source software has been made. Articles in the New York Times and the Guardian  alleged that  the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” .

The problem with this approach is that the NSA and GCHQ have two roles and it would seem that they have failed to balance them. This is the question of intelligence equities. These organisations are charged to reveal the secrets of their enemies, but also to protect the information of their countries. By building back doors into software and hardware being sold to unsuspecting customers, they are doing what they have accused the Chinese of doing.

Moreover the fact that these backdoor vulnerabilities exist, mean that others can find and use them, not just NSA and GCHQ but also other cyber criminals.

It is the ultimate hubris to think that NSA and GCHQ are the only ones capable of discovering and exploiting these vulnerabilities. “If you want to keep a secret, you must also hide it from yourself.”  George Orwell1984 . No organisation as large as the NSA can do this forever.

The USA tried under President Clinton to make all manufacturers insert a hardware ‘clipper’ chip  into their devices, but the backlash was such that the US government withdrew support for the idea. What this information is telling us is that the NSA didn’t give up and found alternative means to realise the  concept.

The only logical conclusion from this revelation is that the signals intelligence agencies are unable to both reveal the enemies’ secrets and protect those of their citizens at the same time. They should be split. The information assurance role should come under the control of the trade, infrastructure and industry portfolios.

 

You can find the NYT article here – http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all 

You can find the Guardian article here – http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Cyber-Security doesn’t stop at the virtual perimeter

News that the New York Times was hacked by the Syrian Electronic Army  is interesting not because of the fact that NYT was hacked by the hacking group, but by the method of gaining access.

According to this article, information security at the NYT fell over because they forgot that cyber-security doesn’t stop at the perimeter. It would seem that MelbourneIT , an Australian hosting company for both Twitter and NYT was breached. This then allowed the Syrian Electronic Army to gain access to the DNS records of domains owned by Twitter and NYT which they then proceeded to change.

A number of quick conclusions

  1. This was a well planned attack almost certainly took some time to conceive, research and operationalise.
  2. You should assume your organisation will be hacked. Work out how to detect the breach and recover quickly.
  3. Cyber-security is an evolutionary struggle between those who wish to break systems and those who wish to stop systems being broken. Quite often its the same people eg NSA
  4. 80-90% of the differences between good cyber-security and great cyber-security are not in the IT, they are in the organisational approach and culture.
  5. In this hack, a variety of methods seem to have been used, including phishing and attacking the DNS servers via privilege escalation.
  6. Cyber-security requires expertise in managing information, risk and developing resilient organisational frameworks, something often forgotten.
  7. Everybody is your neighbour on the Internet, the good guys and the bad.
  8.  Cyber-security practitioners need to consider the risks to high-value systems that they are protecting from connected suppliers and customers.
  9. This requires cyber-security practitioners who are good people influencers, because the vulnerabilities tend to be at human interfaces.

Further technical details have been posted here.

http://www.flickr.com/photos/alextorrenegra/
New York Times – by ATorrenegra

 

Contact Resilience Outcomes to discuss how we can help your organisation become more resilient at [email protected]

 

 

Hacking the spies – or how to counter the cyber insurgency

You may have seen some fairly alarmist reporting from the ABC about Chinese interests hacking ASIO, Australia’s version of the FBI.

Information Dominos 1

 

New espionage?

For those who haven’t seen it. The allegations come from the Four Corners program and relate to compromises of sub-contractors of ASIO. ASIO is building a huge new central office and it seems that the Chinese managed to get the blueprints for the building. ASIO is a hard nut for a foreign intelligence agency to attack, so the way to get there is to use their contractors.

The point is that this is not any different from what would have occurred during the cold war! The Chinese or Russians for that matter would have previously used their human intelligence networks. It seems likely that this information would have been a target 50 years ago just as much as now.

Information Dominos 2

What is different then?

The difference is the sheer quantity of attacks that are occurring. We have moved from the Cold War, where the superpowers fought their battles in small third countries such as in South America, Africa or the Middle East to the new paradigm – the cyber insurgency. The wars between the superpowers have moved onshore to the malls and industrial parks of our cities and then they disappear. The authorities and companies are never quite sure who to trust and when / where the insurgent hackers will reappear.

The guerrilla must swim in the people as the fish swims in the sea.” –Aphorism based on the writing of Mao Zedong

Previously foreign intelligence agencies needed to identify targets and then find resources to compromise them. The new method is to attack anything that might be interesting and suck up whatever comes back. Spies no longer have the difficulty to get the information, they have the challenge to find the needles in the haystack. And they don’t differentiate between business and government. According to reports in the New York Times and a detailed report by Mandiant, any organisation that doesn’t protect its information security, whether private or public is potentially compromised.

4d

How can my organisation protect itself?

Paraphrasing the principles of counter-insurgency as espoused by David Galula and Robert Thompson

– the aim of the war is to gain the support of the population rather than control of territory

– most of the population will be neutral in the conflict.

– support of the population may be lost. The population must be efficiently protected to allow it to cooperate without fear of retribution

– in the guerilla phase of an insurgency, a government must secure its base areas first

Using these principles we can identify a strategic direction

The way to deal with an insurgency is through hearts and minds.Information Dominos 6

Organisations, whether government agencies or business need to share information with their public and other organisations. Only in this way can they create defence in-depth and help them protect themselves. The attacks on ASIO demonstrate that an organisations’ security is only as good as the weakest link. Importantly, the perimeters of risk in any organisation do not stop at the front door- if they ever did. Organisations suffer from hubris if they believe otherwise. This is why the concepts of deperimeterisation as espoused by the Jericho Foundation and others are so useful.

Organisations need to work out what they need to protect and set about protecting that. Declassification, although counter-intuitive is one way that can help organisations work out what information is valuable.

Organisations need to be adaptable and willing to work with the fact that most information will become available to their adversaries. They need to take advantage of the information in the intervening time.

By making information security central to their organisational decision process, organisations can become more adaptable to this evolving threat. This means moving the security officer from the corner office to the top-level of the organisation. In turn, the security officer needs to change his/her attitude from the ‘computer says no’ person, to the one who says, yes, this is the best way we can do it to make the organisation’s aims with tolerable risk.

Such an organisation is indeed resilient.  Change needs to come in the leadership of government and organisations to deal with it. I’m not sure they understand how big this challenge will be.

Information, if you don't protect it, it just fades away
Information, if you don’t protect it, it just fades away

 

Back To Top

 

Online trusted identities – a primer

“Trust is the currency of the new economy”

You may have heard recently about the efforts being promoted by the USA and Australia amongst others to promote trusted online identities. There are also significant efforts in the private sector to develop online trust systems.

Trust will be the currency of the new economy as it was in the mediaeval village. During the late 19th and early 20th Century, formal identity credentials gradually replaced more informal systems of identifying people that we interacted with. Increasing population and technology drove this change. It was simply impossible to know everybody that you might deal with and so societies began to rely on commonly used credentials such as drivers’ licences to prove identity and ‘place’ in society. Of course, drivers’ licences don’t say much if anything about reputation. But if you think about  high value financial transactions you establish your identity and then you give a mechanism to pay for the transaction. Although in most cases it wouldn’t matter who you are, it gives the vendor some comfort that the name on your driver’s licence is the same as on your credit card and makes it just that bit more difficult to commit fraud on the vendor if the credit card isn’t legit. However this isn’t the case with interbank lending. Most of this is done on a trust basis within the ‘club’ of banks and it is only at a later time that the financials are tallied up for the day.

You can’t trust who or what is on the other end of the keyboard just because of what they say

What is a trusted ID?

Most simply, trusted online identity systems are the online equivalent of a physical credential such as a drivers’ licence used to give evidence of identity online. They can (but don’t have to) also be the basis for online reputation. They may also say something about the rights of the credential holder, such as that they are a resident in a particular country.

Which countries are developing trusted identity systems

The program in the USA is called NSTIC – National Strategy for Trusted Identities in Cyberspace. In Australia, the Prime Ministers’ department has been investigating the possibility of a trusted identity system as part of its work on a cyber policy paper which was due to be released ‘early in 2012’. At the same time, Australia has undertaken a number of processes of service delivery reform, government 2.0 and e-health. All without necessarily solving the problem of identifying whom they are dealing with online. The USA has gone beyond the planning stage and announced that it will move forward on development. As I mentioned recently. NIST has announced grants for pilot projects in NSTIC.

Some countries have already implemented online identity systems simply by migrating their physical identity cards online and allowing these to be used as trusted online systems. A number of Asian countries including Malaysia, Hong Kong and Singapore have proportions of their online services available through such means. Estonia probably leads the world in online service delivery with around 90% of the population having access to an online ID card and around 98% of banking transactions being via the Internet. More information at the Estonia EU website. While NSTIC was issued by the USA government, it calls for the private sector to lead the development of an Identity Ecosystem that can replace passwords, allow people to prove online that they are who they claim to be, and enhance privacy.  A tall order which runs the risk of creating an oligopoly of identity systems driven by corporate interests and not one which suits users. It may be a signal of things to come that Citibank and Paypal have recently been accepted to lead development of the NSTIC. There are also a number of private sector initiatives which come at the issue from a different perspective. Beyond Paypal, Google Wallet and the recently announced Apple Passbook are interesting initiatives which give some of the attributes of a trusted identity.

Why might we want one?

As more services go online from both government and business and more people want to use them there will be an increased demand for a way of proving who you are online without having to repeat the process separately with each service provider. In some ways this is already happening when we use PayPal to buy products not only on eBay, where it originated but also on Wiggle.co.uk and many others. The problem is that different services need different levels of trust between the vendor and the purchaser. Thinking about a transaction in terms of risk… The majority of private sector transactions online carry equal risk for both the vendor and customer. In that the customer risks that he or she won’t get a product or service from the transaction and the vendor risks that they won’t get the cash. Here online escrow services such as Transpact, or PayPal can help.

Where this doesn’t work well is where there complexity to the transaction.  The banking or government services sector are key areas where this is the case. Here the vendor must know their customer. One area might be analysing whether a customer can pay for a service on credit. Another is in applying for a passport, you need to prove that you are a citizen and pay a fee. However, the intrinsic value of the passport is far greater than the face value, as shown by the black market price. The result to the government if it issues the passport to the wrong person is not the value of the nominal fee, but closer to the black market value of the passport.

As a result, we are at an impasse online, in order for more ‘high trust’ services to go online the community has to have more trust that people are who they say they are.

Who might need a trusted identity?

If you take the Estonian example, 90% of the population. Most of us carry around some form of identity on our persons that we can present if required. In some countries, it’s the law that a citizen must carry their identity card around with them. In Australia and Canada and other countries, it’s a bit more relaxed. In the end the question will be whether a trusted id is used by customers and required by vendors. This will be influenced by whether there are alternative ways of conveying trust between people and institutions which are independent of the concept of identity in the traditional sense of the word

Next time:

What are the security and safety implications of a trusted identity and a discussion of about social footprint and whether this may overtake government efforts