<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://netfocus.baptie.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"><channel><title>Net Focus</title><link>http://netfocus.baptie.com/blogs/</link><description>Net Focus</description><dc:language>en-US</dc:language><generator>CommunityServer 2008.5 SP1 (Debug Build: 31106.3070)</generator><item><title>DPA Fines – Why ICO Got it Right</title><link>http://netfocus.baptie.com/blogs/stewartroom/archive/2012/04/26/dpa-fines-why-ico-got-it-right.aspx</link><pubDate>Thu, 26 Apr 2012 10:02:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:496</guid><dc:creator>stewartroom</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;I&amp;rsquo;ve heard two arguments that are critical of the ICO fines. They go something like this: (1) the fines were too low and (2) it&amp;rsquo;s wrong of ICO to fine a Local Authority when it didn&amp;rsquo;t fine Google. Let me try to explain why these arguments are misconceived and why I believe that ICO got it right.&lt;/p&gt;
&lt;p&gt;Regarding the level of the fines, the point to remember is that Parliament has determined that ICO must operate within a capped regime of fines, of up to &amp;pound;500,000. The top bracket must therefore be preserved for the worst offenders. Clearly, Herts and A4e behaved badly, but ICO will see much worse and they know it. If ICO had fined at the top of the cap, their decisions would have been vulnerable to legal challenge. ICO has limited ammunition and they need to preserve bullets for future cases.&lt;/p&gt;
&lt;p&gt;Moreover, the purpose of fines needs to be understood. The DPA regime is not about disgorgement or even discipline; it is intended to be a symbol of serious breach that acts as a deterrent; this is precisely why the fine is not uncapped. The deterrent effect of capped fines is more associated with the stigma of being fined, rather than the quantum.&lt;/p&gt;
&lt;p&gt;As regards the Google argument, personally I find it most troubling to hear it come from the mouths of lawyers, because it demonstrates a fundamental misunderstanding of (a) how the financial penalty operates and (b) the facts of the cases. I can understand privacy advocates and politicians (to a lesser extent) getting it wrong, but I can&amp;rsquo;t understand why lawyers are getting this wrong.&lt;/p&gt;
&lt;p&gt;These are the key distinguishing features:&lt;/p&gt;
&lt;p&gt;First, Herts and A4e are concerned with failures that have been frequently regulated; the community of data controllers has accepted that the absence of encryption and misdirected communications involving very sensitive information constitute breaches of the DPA. Google wifi data collection was a novel event, with no precedent for ICO to rely upon.&lt;/p&gt;
&lt;p&gt;Second, Herts and A4e satisfied all of the elements of the fine (serious breach, recklessness, likelihood of substantial damage/distress). The Google case does not.&lt;/p&gt;
&lt;p&gt;Third, Herts and A4e will probably admit their liability (by not appealing their fines). Google did not admit liability.&lt;/p&gt;
&lt;p&gt;Fourth, the quality of data issue in Herts and A4e is pivotal; they mishandled highly sensitive data. There is no evidence that Google was concerned with data of comparable quality.&lt;/p&gt;
&lt;p&gt;Fifth, Herts and A4e were themselves alert to the potential for their kinds of failure. There is no evidence that Google was.&lt;/p&gt;
&lt;p&gt;So, those who claim that it was wrong of ICO to fine Herts and A4e when they did not fine Google are completely missing the point (the law and the facts). They are comparing apples and pears. Google wifi is not comparable to Herts&amp;rsquo; misdirection of communications or A4e&amp;rsquo;s absence of encryption.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=496" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Data+Protection+Act/default.aspx">Data Protection Act</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/ICO+cases/default.aspx">ICO cases</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Fines/default.aspx">Fines</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Information+Commissioner/default.aspx">Information Commissioner</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Regulation/default.aspx">Regulation</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Data+security/default.aspx">Data security</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/A4e+Ltd+fine/default.aspx">A4e Ltd fine</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Hertfordshire+County+Council+fine/default.aspx">Hertfordshire County Council fine</category></item><item><title>The Evil Shredder</title><link>http://netfocus.baptie.com/blogs/quentyntaylor/archive/2012/04/26/the-evil-shredder.aspx</link><pubDate>Thu, 26 Apr 2012 09:34:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:495</guid><dc:creator>QuentynTaylor</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p&gt;Shredders: the object of last resort for handling confidential information. Most education and awareness programs tell their users to always use a shredder to dispose of documents, so office users (and many home users) are very used to dropping anything sensitive into the shredder, BUT none of them (not even security professionals) ever check that the document was actually shredded.&lt;/p&gt;
&lt;p&gt;I was having a series of evil thoughts the other day and I was thinking about how one could subvert a shredder. Remember that if a bad guy was attacking, he would want to get confidential documents, and where do lots of confidential documents get put? Yes, into the shredder. So how do we subvert a shredder? Well, surprisingly easily. The issue is that most users never check that the shredder contains shredded paper and/or have no way of verifying that the document was actually shredded. This is our attack vector.&lt;/p&gt;
&lt;p&gt;A shredder works by having 2 rotating wheels with interlocking knives that shred any paper that passes between them. For most office purposes they come in 2 varieties, cross cut and strip cut, with cross cut being the best for security purposes as it makes it harder (though &lt;a href="http://www.unshredder.com/"&gt;not impossible&lt;/a&gt;) to reassemble the document.&lt;/p&gt;
&lt;p&gt;OK, enough about shredders. If you were to take a shredder apart, take out the cutting wheels and replace them with tight-fitting rubber wheels (think printer feed wheels), you would have essentially created a device that seems to shred paper, i.e. the user places paper in the slot, the machine makes a noise, the paper disappears. However, in the paper output bin would be the complete document in an intact format. Voila, you have now created what I call &amp;ldquo;the EVIL shredder&amp;rdquo;. You can also put up an awareness poster about &amp;ldquo;always shredding documents&amp;rdquo; right next to it and, assuming you can smuggle it into your target unnoticed, you will be successful in gathering information.&lt;/p&gt;
&lt;p&gt;So, with that basic idea, how can you improve it?&lt;/p&gt;
&lt;p&gt;
&lt;ul&gt;
&lt;li&gt;Adding the noise of a shredder in operation; in essence a small set of speakers should do this.&lt;/li&gt;
&lt;li&gt;Making the whole unit into a device that fits on top of an existing shredder, a la credit card skimmers (and feeds to a separate paper hopper at the back of the unit).&lt;/li&gt;
&lt;li&gt;If you can make the target company believe in single-sheet-feeder shredders, you could also add to the credit card skimmer idea and add a small scanner so that the document is scanned before it goes into the shredder underneath.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;
&lt;p&gt;There are loads of options. How do we defend against this? Well, in high security areas make sure that the shredders are checked by the on-site security at least once per day, and make sure that the shredder is in plain sight (and covered by a security camera) to prevent tampering. Whilst I have never heard of this attack before (this is just idle musing), it is very possible, and it would be possible to mock up an Evil Shredder in little more than a weekend given the right parts (the version with a scanner might take longer).&lt;/p&gt;
&lt;p&gt;And for those of you sitting in the warm glow believing you are more secure as you have &amp;ldquo;shredding bins&amp;rdquo;, i.e. the documents are dropped into a &amp;ldquo;secure&amp;rdquo; bin and then shredded centrally, well, there is an even easier attack that requires virtually no expertise at all. All you do is take a bin bag (or other plastic bag), tape one end to the inside lip of the disposal bin, feed the bin bag in, and then tape the other side of the bag to the top flap (inside). When you want to remove the sensitive docs, reach in, remove the tape and pull your bag out.&lt;/p&gt;
&lt;p&gt;Isn&amp;rsquo;t physical security fun? Of course this class of &amp;ldquo;attack&amp;rdquo; is very similar to the one explained by Neil Gaiman in &lt;a href="http://www.amazon.co.uk/American-Gods-Neil-Gaiman/dp/0755322819"&gt;American Gods&lt;/a&gt; and is also detailed at the excellent &lt;a href="http://www.snopes.com/business/bank/guard.asp"&gt;Snopes website&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Do you have real world experience of these kinds of issues? Have you thought of a better idea? Do you want to collaborate on a proof of concept? Why not post your comments below; I am eager to hear from you.&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=495" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/security/default.aspx">security</category><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/ideas/default.aspx">ideas</category></item><item><title>What's the point of a management system?</title><link>http://netfocus.baptie.com/blogs/davidlacey/archive/2012/04/25/what-s-the-point-of-a-management-system.aspx</link><pubDate>Wed, 25 Apr 2012 08:55:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:493</guid><dc:creator>DavidLacey</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p&gt;My blog posting on &lt;a href="http://netfocus.baptie.com/blogs/davidlacey/archive/2012/03/06/the-wrong-type-of-loop.aspx"&gt;OODA loops&lt;/a&gt; prompted a response from Andrew Yeomans, pointing out that Deming loops and Boyd loops are not mutually exclusive, i.e. you can have a slow moving management system supporting a fast-moving operational cycle. Would that this were true.&lt;/p&gt;
&lt;p&gt;Andrew is technically correct. The problem is that you cannot easily divorce the security management system from the countermeasures themselves. ISO 27000 entwines them in a seamless programme of activities, requirements and countermeasures.&lt;/p&gt;
&lt;p&gt;One or two operational measures, such as security operations centres and intrusion prevention, operate in real time. But in general the pace of change and the application of new controls can be slowed to a snail&amp;#39;s pace by risk assessments, committees, business cases and budget cycles.&lt;/p&gt;
&lt;p&gt;A good question is why we actually need management systems, especially if they introduce delay or distraction. It&amp;#39;s a good point. Management systems were the invention/development of quality experts and auditors, and they tend to embody their aspirations. If you don&amp;#39;t employ such people in your organisation (and many SMEs don&amp;#39;t) then it&amp;#39;s not logical to implement a management system.&lt;/p&gt;
&lt;p&gt;Management systems are an option to enforce greater discipline and control over business and functional operations. If your organisation is small or rapidly changing, they may serve to hinder more than help you.&lt;/p&gt;
&lt;p&gt;And it&amp;#39;s not logical to introduce heavy governance measures for a single function or subject area unless they are generally practiced across the organisation. Why would you demand a steering committee or a set of KPIs for security management if it&amp;#39;s not done for more important business operations?&amp;nbsp;&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=493" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/security/default.aspx">security</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/OODA/default.aspx">OODA</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/measures/default.aspx">measures</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/management/default.aspx">management</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/BOYD/default.aspx">BOYD</category></item><item><title>Desire Paths and what they tell us about security</title><link>http://netfocus.baptie.com/blogs/quentyntaylor/archive/2012/04/11/desire-paths-and-what-they-tell-us-about-security.aspx</link><pubDate>Wed, 11 Apr 2012 14:11:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:484</guid><dc:creator>QuentynTaylor</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p class="MsoNormal"&gt;I heard an interesting term the &amp;nbsp;other day &amp;ldquo;&lt;a href="http://en.wikipedia.org/wiki/Desire_path"&gt;desire path&lt;/a&gt;&amp;rdquo; it is a term used to describe the side paths that often pop up in parks away from the main path that people use as a short cut between the main path and a favoured destination. This got me thinking as to the similarities between desire paths and security policy ( I am starting to sound like BBC R4 &amp;ldquo;Thought for the day&amp;rdquo; here) &amp;nbsp;and the ways that we deal with them .&lt;/p&gt;
&lt;p class="NoSpacing"&gt;Basically a desire path ( in a park for example) is an unplanned / un authorised path between a main path and a common destination. It can lead to damage to the grass as people cut from the main path ( that may be paved) to another location in the park. You will often see park authorities use barriers to prevent people from leaving the path and causing damage to the grass / grounds, these barriers can be seen in the same way as security controls. Users want to do something that to them may not seem that risky ( connect a personal Iphone for example) but the more that do it the greater the damage.&lt;/p&gt;
&lt;div&gt;
&lt;div&gt;So what do we do as security pros? Well, yes, we erect fences that prevent the users doing what they want. However, is there another way? Perhaps we should use the non-compliance of our users with what we think are perfectly sensible policies to guide how we should implement controls? Instead of erecting a fence preventing users from taking a short cut, perhaps in some cases creating a new path would be more appropriate? If we really can&amp;rsquo;t create a new path, then educating the users as to why walking over this piece of ground is a &amp;ldquo;bad idea&amp;rdquo; is probably the next avenue of attack. Putting up barriers should be the last direction we explore; as Elbert Hubbard once said, &amp;ldquo;Fences are made for those who cannot fly.&amp;rdquo; And your users will be able to fly at some point.&lt;/div&gt;
&lt;/div&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=484" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/security/default.aspx">security</category><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/ideas/default.aspx">ideas</category><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/policy/default.aspx">policy</category></item><item><title>Meeting the demands of the contemporary security market</title><link>http://netfocus.baptie.com/blogs/davidlacey/archive/2012/04/11/meeting-the-demands-of-the-contemporary-security-market.aspx</link><pubDate>Wed, 11 Apr 2012 13:11:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:483</guid><dc:creator>DavidLacey</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p&gt;It&amp;#39;s been a long time since I last blogged. It&amp;#39;s been due to excessive commitments. Freelance work has been thick and fast since the beginning of the year, reflecting an increasingly robust market for security research and consultancy. I&amp;#39;m also reluctant to turn down new projects because you never know whether a downturn is around the corner.&lt;/p&gt;
&lt;p&gt;One of the major factors behind the growth in demand for security advice is the rapid take-up of information security practices by small and medium size companies. This would be a fine thing if established standards catered for smaller or immature enterprises. Unfortunately they don&amp;#39;t. Instead the market has evolved into a one-size-fits-all approach, coupled with a commodity market in security training and services.&lt;/p&gt;
&lt;p&gt;Companies new to information security typically request penetration tests, policy &amp;amp; procedure manuals and ISO 27001 compliance. None of these is appropriate as the first steps in security for an enterprise, for by themselves they do not reduce risks.&lt;/p&gt;
&lt;p&gt;Other than the shock value from your first penetration test (which admittedly can help with budgets), the outcome is generally an incomprehensible document listing hundreds of pages of vulnerabilities, which now happen to be shared across a small community of consultants, staff and unencrypted emails and laptops. Would it not be better to have devoted that time to tightening up platforms and applications? Yes, but that would be logical, rather than &amp;quot;ethical&amp;quot;.&lt;/p&gt;
&lt;p&gt;Policy and procedure manuals are quick and easy to implement but they rarely get opened. And ISO 27001 is particularly unsuitable for smaller or newer enterprises, especially those operating in regions or cultures where paper-based procedures are rarely followed. I&amp;#39;ve blogged many times about the security challenges of the smaller enterprise. They&amp;#39;re different from the formal demands of larger organisations, which is why the ISSA-UK has developed a special standard for small and medium sized enterprises. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;A second problem however is that there is no gradual path with recognised milestones to implementing ISO 27001. And as anyone who has read my book &amp;quot;Managing the Human Factor in Information Security&amp;quot; will have noted you can&amp;#39;t implement a rich, complex framework of controls overnight. It has to be done in stages if you want to carry people with you.&lt;/p&gt;
&lt;p&gt;So we have an unsatisfactory market where people are trained to apply and demand skills and standards that bear little resemblance to actual requirements. How much better it might be to start with a blank sheet of paper and a good dose of common sense, and to draw up a security programme that really reduces risks rather than ticks boxes. Getting back to that sensible state would be a huge step forward, but it would require a simultaneous behaviour change by regulators, security managers and consultancies. And that&amp;#39;s not likely to happen.&amp;nbsp;&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=483" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/policy/default.aspx">policy</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/penetration+tests/default.aspx">penetration tests</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/procedure+manuals/default.aspx">procedure manuals</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/ISO+27001/default.aspx">ISO 27001</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/security+market/default.aspx">security market</category></item><item><title>Securite Informatique et politique ? </title><link>http://netfocus.baptie.com/blogs/netfocus/archive/2012/04/11/securite-informatique-et-politique.aspx</link><pubDate>Wed, 11 Apr 2012 10:42:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:482</guid><dc:creator>Aurelia Magron</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p&gt;&lt;b&gt;&amp;ldquo;Not everything is political, but politics takes an interest in everything&amp;rdquo;&lt;/b&gt; (Nicolas Machiavel).&lt;/p&gt;
&lt;p&gt;A few weeks before the first round of the presidential elections, politics is taking an interest in information security, among other things.&lt;/p&gt;
&lt;p&gt;The magazine mag-secure has produced a very interesting &lt;a href="http://www.mag-securs.com/Portals/0/leMag/PDF/dossier_presidentielle.pdf"&gt;dossier&lt;/a&gt; on the place given to information security in the programmes of the various presidential candidates.&lt;/p&gt;
&lt;p&gt;7 candidates agreed to respond to this survey, and the initiative was very positively received. It is true that we rarely hear candidates speak on the subject of SSI (information systems security), even though it deserves particular attention, especially after the threats and attacks that have swept through recently.&lt;/p&gt;
&lt;p&gt;The topics of the survey cover, among others: the role of the CNIL and the protection of personal data, Anonymous, the protection of companies&amp;rsquo; information assets, the role of ANSSI and the fight against cybercrime.&lt;/p&gt;
&lt;p&gt;As major players in information systems security, the CNIL and ANSSI will speak at the Net Focus France 2012 conference.&lt;/p&gt;
&lt;p&gt;You can consult the conference &lt;a href="http://netfocus.baptie.com/themes/hawaii/events/ViewEvent.aspx?evId=eacb4dc6-4182-4dba-85a2-0e2d54c4d062&amp;amp;view=agenda"&gt;agenda&lt;/a&gt; and the list of confirmed &lt;a href="http://netfocus.baptie.com/themes/hawaii/events/ViewEvent.aspx?evId=eacb4dc6-4182-4dba-85a2-0e2d54c4d062&amp;amp;view=speakers"&gt;speakers&lt;/a&gt;. This two-day event will bring together information systems security managers and will take place in Lyon on 19 &amp;amp; 20 June 2012.&lt;/p&gt;
&lt;p&gt;If you have not already done so, book your place now so as not to miss the preferential discount of 200 euros for bookings made before 20 April 2012.&lt;/p&gt;
&lt;p&gt;Why not also sign up for the webinars organised every month within the community?&lt;/p&gt;
&lt;p&gt;Last month, Paul Simmonds presented the topic: Transitioning IT to the Cloud. If you were unable to attend, you can download the &lt;a href="http://netfocus.baptie.com/media/p/475.aspx"&gt;presentation&lt;/a&gt; and listen to the &lt;a href="http://netfocus.baptie.com/media/p/474.aspx"&gt;recording&lt;/a&gt; of the webinar.&lt;/p&gt;
&lt;p&gt;Robert Bond, Partner at Speechly Bircham, will speak on the topic: Data Protection and Information Security: The Top 5 Legal Risks for 2012. This webinar will take place on 17 April 2012 and you can book your place &lt;a href="https://www1.gotomeeting.com/register/573088832"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;On 3 May, Gillian Thomson will present the topic: Segregation of Duties, and will present the programme she has put in place at Morgan Stanley. You can register &lt;a href="https://www1.gotomeeting.com/register/665062705"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=482" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/netfocus/archive/tags/securite/default.aspx">securite</category><category domain="http://netfocus.baptie.com/blogs/netfocus/archive/tags/politique/default.aspx">politique</category><category domain="http://netfocus.baptie.com/blogs/netfocus/archive/tags/Net+Focus+France/default.aspx">Net Focus France</category></item><item><title>Fishing for Phishers</title><link>http://netfocus.baptie.com/blogs/ianmoyse/archive/2012/04/04/fishing-for-phishers.aspx</link><pubDate>Wed, 04 Apr 2012 11:11:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:481</guid><dc:creator>Ian Moyse</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p&gt;We seem to take phishing attacks for granted these days, in much the same way that we&amp;rsquo;ve accepted spam as a natural, and inevitable, by-product of email. &lt;a href="http://www.theemailadmin.com/2011/02/4-ways-email-administrators-can-protect-their-users-from-phishing/"&gt;Some experts believe&lt;/a&gt; that one of the best solutions to thwart phishing attacks is &lt;a href="http://www.networkworld.com/news/2009/090209-anti-phishing-training-adds-attachments-to.html"&gt;end-user training&lt;/a&gt;, but I doubt training alone can be a viable solution. Can we really train every computer user to be sufficiently security literate, such that anyone can distinguish a phishing message from a genuine bank email? I doubt that it is possible, especially given how specific the details in spear phishing (phishing targeted at specific people and/or companies) attacks have become.&lt;/p&gt;
&lt;p&gt;It used to be that thieves could satiate their hunger for evil (and money) merely through the emulation of a &lt;a href="http://www.phishtank.com/target_search.php"&gt;consumer bank or a PayPal&lt;/a&gt; login screen. While those low-hanging-fruit scams show no signs of abating, even following some &lt;a href="http://garwarner.blogspot.com/2010/04/70-romanian-phishers-fraudsters.html"&gt;major busts of phishing rings&lt;/a&gt;, we&amp;rsquo;ve seen new types of phishing attacks that wear the mask of a Web security product, persuading users to follow through on fake spam quarantine messages, or security update alerts, sometimes using the name of real vendors. It&amp;rsquo;s all very plausible.&lt;/p&gt;
&lt;p&gt;Unfortunately, the average user is not a trained security expert&amp;mdash;and why should he or she be? Criminals lure us into phishing and email scams in much the same way that street cons lure some people into losing their wallet at Three-card Monte. We let our curiosity get the best of us, and at times can be gullible. Like street hustlers, cybercriminals aren&amp;rsquo;t afraid to experiment with hacking our inclinations (or, as many security experts call it, social engineering). &lt;a href="http://www.esecurityplanet.com/features/article.php/3868981/Phishers-Targeting-More-And-Bigger-Fish.htm"&gt;The volume of phishing attacks&lt;/a&gt; has increased, as have their variety and sophistication. Even security experts struggle to identify some of the fakes.&lt;/p&gt;
&lt;p&gt;The phishers cast their rods farther and with more efficiency than ever before. They can easily download phishing site creation tools (&lt;a href="http://voices.washingtonpost.com/securityfix/2007/01/the_threat_in_the_scams_and_fa.html"&gt;yes they exist&lt;/a&gt;) and produce convincing messages and pages. Expecting an average PC user to beat these guys without any help is tantamount to pitting an average golfer against Tiger Woods (albeit a few years ago; no offense, Tiger). The criminal&amp;rsquo;s job is to create online scams that work, and the returns on their investments are huge. Why would we expect non-criminally-minded users to be more adept at spotting scams, than scammers are at reeling in the users?&lt;/p&gt;
&lt;p&gt;Technology has to step up its game. We need to continue to make it harder and less lucrative for online scammers to do their &amp;ldquo;jobs.&amp;rdquo; That&amp;rsquo;s really the most effective way to stop phishers from attacking our end users.&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=481" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/ianmoyse/archive/tags/phishing/default.aspx">phishing</category></item><item><title>Is cheating a game a criminal offence ?</title><link>http://netfocus.baptie.com/blogs/quentyntaylor/archive/2012/04/04/is-cheating-a-game-a-criminal-offence.aspx</link><pubDate>Wed, 04 Apr 2012 10:53:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:480</guid><dc:creator>QuentynTaylor</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://netfocus.baptie.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/quentyntaylor/cards.jpg"&gt;&lt;img src="http://netfocus.baptie.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/quentyntaylor/cards.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;When does cheating in a video game become a &lt;a href="http://www.theregister.co.uk/2011/01/07/video_poker_hack_charges/"&gt;criminal matter&lt;/a&gt;? I recently came across this &lt;a href="http://www.wired.com/threatlevel/2011/01/video-poker/"&gt;story&lt;/a&gt; whereby 2 men were accused of &amp;ldquo;cheating&amp;rdquo; video &lt;a href="http://www.post-gazette.com/pg/11004/1115414-58.stm"&gt;poker machines in Las Vegas&lt;/a&gt;. In essence they are alleged to have done the following:&lt;/p&gt;
&lt;p&gt;&amp;ldquo;the men would make small bets over and over again until finally winning a hand, then use a special button sequence to change the credits to a higher denomination and &amp;ldquo;access the previous winning hand of cards,&amp;rdquo; triggering a jackpot.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;They have now been charged with 650 felony counts of theft, criminal conspiracy, computer trespassing and other charges; it is believed that they may have netted as much as US $1.4 million, not a small amount. Now what does this have to do with information security? Well, what have they done? Let&amp;rsquo;s look a little deeper.&lt;/p&gt;
&lt;p&gt;They managed to manipulate video poker machines, commonly found in casinos, to allow them to win more consistently and increase the odds of them winning. The &amp;ldquo;attack&amp;rdquo; worked by:&lt;/p&gt;
&lt;p&gt;&amp;ldquo;&amp;hellip;a special &amp;ldquo;double-up&amp;rdquo; feature had to be internally activated. The men persuaded casino technicians to alter &amp;ldquo;soft&amp;rdquo; options on the machines, such as volume and screen brightness controls. Such perks aren&amp;rsquo;t unusual for high-rollers, who can wager anywhere from a few hundred to thousands of dollars in one day.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;So it needed prior knowledge, but the settings that were changed were commonly changed for &amp;ldquo;high rollers&amp;rdquo;, as these gentlemen certainly appeared to be. But is it criminal to exploit software weaknesses in a game of chance or a game of skill against a computer? Let&amp;rsquo;s take the analogy of Counter-Strike: it is a first-person shooter and you have the option of playing against &amp;ldquo;bots&amp;rdquo;, or computer-controlled players. Now when you play against computer &amp;ldquo;bots&amp;rdquo; you will quickly rise to the top of the leader board. Why? Well, with computer players a human can very quickly anticipate their moves and so beat them. Is this cheating? Possibly. What about playing against other humans?&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s stick with first-person shooters. There have been &amp;ldquo;&lt;a href="http://quadtechint.com/counter-strike-bug/"&gt;bugs&amp;rdquo; on maps&lt;/a&gt; that allow players who know about them to win very easily, as they have a massive unfair advantage over other players. Is this fair? In my opinion, no. Is it illegal? Probably not. Is it cheating? Possibly. Certainly &lt;a href="http://www.valvesoftware.com/"&gt;Valve Software&amp;rsquo;s&lt;/a&gt; Anti-Cheat system will &lt;a href="https://support.steampowered.com/kb_article.php?ref=7849-Radz-6869"&gt;ban players&lt;/a&gt; if they are caught using any programs to assist them in their playing, but that is not what we are talking about here. What we are talking about is a player identifying a problem in the software and exploiting it. So here is my question&amp;hellip;&lt;/p&gt;
&lt;p&gt;When does it become illegal to cheat a computer game?&lt;/p&gt;
&lt;p&gt;When money is involved? When other humans are involved? And before anyone thinks that there is never money involved in computer games, I refer you to the &lt;a href="http://www.wcg.com/6th/main.asp"&gt;World Cyber Games&lt;/a&gt;, where prize funds have topped half a million dollars. If a player were to be accused of exploiting poor programming (or indeed &lt;a href="http://www.metacafe.com/watch/2214827/cs_italy_exclusive_bug/"&gt;poor level design&lt;/a&gt;) to give themselves a competitive advantage at such an event, would the outcomes be the same? Can we expect to have criminal investigations if someone manages to exploit a bug in a computer game for profit? Or is this reserved for games that are regulated by a &lt;a href="http://gaming.nv.gov/"&gt;Gaming Commission&lt;/a&gt;?&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s look at another type of game. In Korea the game &lt;a href="http://en.wikipedia.org/wiki/StarCraft"&gt;StarCraft&lt;/a&gt; is almost a &lt;a href="http://en.wikipedia.org/wiki/StarCraft:_Brood_War_professional_competition"&gt;national sport&lt;/a&gt;: they have &lt;a href="http://www.next-gen.biz/features/StarCrafts-enduring-legacy-part-two"&gt;training academies&lt;/a&gt; and &lt;a href="http://kotaku.com/174264/starcraft-on-korean-tv"&gt;televised events&lt;/a&gt;, and it is &lt;a href="http://www.stripes.com/news/south-korea-ace-team-draws-rock-star-status-1.89236"&gt;big business&lt;/a&gt;. People also bet on it all the time. Imagine if one were able to generate a competitive advantage for a relative newcomer; the betting revenue could be quite considerable. Would it still be illegal?&lt;/p&gt;
&lt;p&gt;To return to the original story, it seems that the defence that may be used is that the players did little more than &lt;a href="http://en.wikipedia.org/wiki/Card_counting"&gt;card counting&lt;/a&gt;, a blackjack technique that may get you kicked out of a casino but is certainly &lt;a href="http://answers.yahoo.com/question/index?qid=20080327152931AAPg6xZ"&gt;not illegal&lt;/a&gt;. Time will tell if this defence works.&lt;/p&gt;
&lt;p&gt;What do you think? Why don&amp;rsquo;t you contribute below? If you are a lawyer I am really interested to hear from you, and don&amp;rsquo;t worry, your post can be anonymous. Please note that none of the above post constitutes legal advice, as I am not qualified to give it.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=480" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/security/default.aspx">security</category><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/gaming/default.aspx">gaming</category></item><item><title>Who influences security?</title><link>http://netfocus.baptie.com/blogs/davidlacey/archive/2012/04/04/who-influences-security.aspx</link><pubDate>Wed, 04 Apr 2012 10:44:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:479</guid><dc:creator>DavidLacey</dc:creator><slash:comments>1</slash:comments><description>&lt;p&gt;
&lt;p&gt;I was contacted last week by a company that specialises in harnessing influence. They claimed to be working for a top IT security solutions vendor and had identified me as a key &amp;quot;influencer&amp;quot; in the UK. They wanted me to answer a set of questions but refused to say who the client was and offered no references or incentives. Not surprisingly I turned them down - another case of the Cobbler&amp;#39;s Children, where the influence peddlers are themselves lacking in influence.&lt;/p&gt;
&lt;p&gt;But it set me thinking about who actually sets the agenda for security in today&amp;#39;s world. It&amp;#39;s an interesting question, because the answers are not immediately obvious. Certainly the influence is not where you might expect it to be.&lt;/p&gt;
&lt;p&gt;Analysts such as Gartner and Forrester have our ears, but they operate by repeating back what clients and customers tell them. They serve primarily as a decision support tool, rather than a decision making one. The same goes for consultants, who are essentially overpriced sounding boards.&lt;/p&gt;
&lt;p&gt;Academics could be highly influential but today&amp;#39;s crop is short on ideas and prefers to ape the not-so-best practices of industry. Some new university courses are now focusing more on universal business skills, such as how to present a business case, rather than real security competences, such as how to secure an infrastructure.&lt;/p&gt;
&lt;p&gt;Regulators are in a perfect position to set the agenda but they cannot be seen to be tilting the playing field, so they usually end up falling back on bland principles and universally agreed standards. You get the occasional exception, such as PCI DSS, but it&amp;#39;s generally the result of a standard developed by experts rather than regulators.&lt;/p&gt;
&lt;p&gt;Vendors should be setting the scene, but innovative technologists are very much in the minority, and most established firms are run by commercial managers seeking to squeeze every last penny from their cash cows. Meanwhile their PR companies dish out bland press releases which few people read as they are primarily designed to stroke the egos of their masters.&lt;/p&gt;
&lt;p&gt;That leaves governments and journalists. The former are a mixed bag of politicians who pursue fame and publicity, supported by civil servants who prefer consensus. The latter are also divided, into loyal scribes who support their sponsors and troublemakers who are looking for a good story.&lt;/p&gt;
&lt;p&gt;So it&amp;#39;s no surprise to find politicians and bloggers featuring strongly in SYS-CON&amp;#39;s list of the &amp;quot;&lt;a href="http://www.sys-con.com/node/1974029"&gt;Most Powerful Voices in Security&lt;/a&gt;&amp;quot;. The top three are Darrell Issa, US Representative for California&amp;#39;s 49th congressional district, William Lynn III, Deputy Secretary of Defense, and Bruce Schneier. I made it to 51 on the list, though my friends tell me that&amp;#39;s because I have a loud voice that&amp;#39;s difficult to shut up. &amp;nbsp;&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=479" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/IT+Security/default.aspx">IT Security</category></item><item><title>Breach disclosure – the law of unintended consequences</title><link>http://netfocus.baptie.com/blogs/stewartroom/archive/2012/04/04/breach-disclosure-the-law-of-unintended-consequences.aspx</link><pubDate>Wed, 04 Apr 2012 10:36:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:478</guid><dc:creator>stewartroom</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p&gt;We seem to have been talking about breach disclosure laws for ages. Well, it has been ages, nearly a decade &amp;ndash; 2003 was the landmark, when California introduced the first true security breach disclosure legislation. Nearly a decade &amp;ndash; wow, doesn&amp;rsquo;t time fly &amp;hellip;&lt;/p&gt;
&lt;p&gt;And since that time it has been adopted all across the US and internationally.&lt;/p&gt;
&lt;p&gt;The UK&amp;rsquo;s legal history on breach disclosure is shorter. For personal data breaches we can trace the beginnings of the legal framework back to November 2007, when the Government introduced compulsory breach disclosure requirements for Gov departments, as part of the response to HMRC. The Information Commissioner picked up the baton and ran with it in March 2008, but the pivotal moment came in late 2009, when the EU adopted the Citizens Rights Directive, which contained the mandatory breach disclosure regime for the electronic communications sector, namely telcos and ISPs. These rules came into force in May this year, although research by my law firm shows that the EU Member States are not all working at the same rate to bring breach notification into effect.&lt;/p&gt;
&lt;p&gt;But enough of the history lesson. My point today is that breach disclosure contains within it a worrying potential for unintended consequences, in the sense that transparency drives disputes; once you are aware of a problem, you can have a row about it. And when the problem affects millions, you have the potential for lots of rows and lots of disputes and lots of litigation.&lt;/p&gt;
&lt;p&gt;So, with this potential for unintended consequences, do we roll back breach disclosure? Of course not; it serves some excellent objectives. Rather, what you need to do is to identify the policy gap and address it through legislation. And the policy gap here is whether we want transparency to fuel litigation and regulatory actions, or not. Should we punish organisations for doing the right thing?&lt;/p&gt;
&lt;p&gt;Our policy makers have left a vacuum here. So it will be filled by compensation claims and court cases. What a shame.&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=478" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Breach+disclosure/default.aspx">Breach disclosure</category></item><item><title>Lets Go Phishing</title><link>http://netfocus.baptie.com/blogs/ianmoyse/archive/2012/03/27/lets-go-phishing.aspx</link><pubDate>Tue, 27 Mar 2012 14:41:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:473</guid><dc:creator>Ian Moyse</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p&gt;It can seem at times that the only people who like change are Internet attackers. And they don&amp;rsquo;t just like it&amp;mdash;they need it. Technology&amp;rsquo;s rapid changes give cybercriminals new attack vectors to exploit, and new ways to turn a profit out of someone else&amp;rsquo;s misfortune.&lt;/p&gt;
&lt;p&gt;For example, take phishing. &amp;nbsp;The concept is simple: Send an email disguised as a message from a bank, PayPal, or &lt;a href="http://blog.webroot.com/2011/02/23/new-bank-phisher-brings-added-functionality-problems/"&gt;UPS&lt;/a&gt;. Wait for the user to click a link in the message, and enter their private details into a phishing site, and presto! The attacker attains financial or personal login details that can be used to commit fraud or theft.&lt;/p&gt;
&lt;p&gt;Of course, it was only a matter of time before most people caught on to email scams. Users read again and again not to click on such links. Mail solutions became better at spotting phishing emails and filtering them into a junk email folder. Even free Web mail providers now catch the majority of these attacks.&lt;/p&gt;
&lt;p&gt;Once cybercriminals noticed their traditional phishing approaches were returning lower response rates, they rapidly adjusted to new mediums. As a result, a new trend emerged: smishing (social media phishing) became &lt;a href="http://www.huffingtonpost.com/2011/05/22/facebook-scams-hacks-attacks_n_864906.html#s281412&amp;amp;title=Clickjacking"&gt;the new trend in cyber attacks&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The underlying concept is the same, but the attack mechanism is different. Instead of targeting users via email, cybercriminals use social media messaging and advertising to lure their victims.&lt;/p&gt;
&lt;p&gt;For hackers, it&amp;rsquo;s the perfect opportunity. They can cheaply &lt;a href="http://www.telegraph.co.uk/technology/news/7916015/Facebook-QandA-the-leaked-list-of-user-names.html"&gt;buy lists of Facebook login details&lt;/a&gt;, hack into users&amp;rsquo; accounts, and send personal-looking messages to an individual&amp;rsquo;s entire friend list. The majority of users are more trusting of a post from a friend than a suspicious email in their in-box, making smishing more effective at luring users to phishing sites.&lt;/p&gt;
&lt;p&gt;Just remember: What you see is not always what you get, especially in the cyber world. When you receive a message or shared link from a friend, don&amp;rsquo;t assume it is actually from them. The attack vector is new, but our old advice still applies: &lt;a href="http://blog.webroot.com/2010/10/04/five-reasons-you-should-always-stop-think-connect-2/"&gt;Stop and think&lt;/a&gt; before you click.&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=473" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/ianmoyse/archive/tags/phishing/default.aspx">phishing</category><category domain="http://netfocus.baptie.com/blogs/ianmoyse/archive/tags/Cyber+Attacks/default.aspx">Cyber Attacks</category></item><item><title>Trust and Society</title><link>http://netfocus.baptie.com/blogs/davidlacey/archive/2012/03/27/trust-and-society.aspx</link><pubDate>Tue, 27 Mar 2012 13:44:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:472</guid><dc:creator>DavidLacey</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
&lt;p&gt;I used to think that &lt;a href="http://en.wikipedia.org/wiki/Bruce_Schneier"&gt;Bruce Schneier&lt;/a&gt; &amp;nbsp;was out of touch with industry CISOs, but now I think that they are out of touch with him. He&amp;#39;s come on tremendously in recent years. I saw him present to the United Nations last year and he was awesome, reflecting a lot of research and deep thinking about important issues such as trust, risk, surveillance and cyber warfare. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;I shall be ordering a copy of his new book &amp;quot;&lt;a href="http://www.schneier.com/book-lo.html"&gt;Liars and Outliers&lt;/a&gt; &amp;quot;. It&amp;#39;s about trust, a subject I find both relevant and fascinating. Trust is a phenomenon that few security researchers seem to understand. The problem is that it&amp;#39;s a means to an end, and makes little sense when studied in isolation from its purpose.&lt;/p&gt;
&lt;p&gt;The nature of trust is also changing as we move from an industrial-age dominated business landscape to the information age. &amp;nbsp;I find this paradigm shift is neatly captured by two Russian proverbs. The first, ascribed to both Stalin and Lenin, is &amp;quot;Trust is good, control is better&amp;quot;, which encapsulates industrial-age thinking for vertically integrated enterprises and societies. The second, made famous by Ronald Reagan, is &amp;quot;Trust, but verify&amp;quot;, which reflects our best endeavours for managing situations in a modern, diverse supply chain that is increasingly beyond our direct control.&lt;/p&gt;
&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=472" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/trust/default.aspx">trust</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/Cyber+Risk/default.aspx">Cyber Risk</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/CISO/default.aspx">CISO</category></item><item><title>Impact of the new EU privacy regime</title><link>http://netfocus.baptie.com/blogs/stewartroom/archive/2012/03/27/impact-of-the-new-eu-privacy-regime.aspx</link><pubDate>Tue, 27 Mar 2012 13:21:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:471</guid><dc:creator>stewartroom</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p class="MsoNormal"&gt;&lt;span&gt;I&amp;rsquo;m 
popping over this morning to a meeting of the Information Security Forum, at 
GSK&amp;rsquo;s offices in Brentford (an awkward commute for me, but that&amp;rsquo;s another 
point), to give a talk on the &amp;ldquo;impact of the EU legislative changes on privacy&amp;rdquo;. 
This is a great topic, because, of course, its focus is forward-looking (so, if 
I get it wrong, the delegates will have forgotten by the time that becomes 
apparent), meaning I can say virtually anything &amp;hellip;&lt;/span&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;&lt;span&gt;But, 
the good folk at the ISF pay a decent annual fee to be involved, so it&amp;rsquo;s worth 
finding a substantive basis for my talk.&lt;/span&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;&lt;span&gt;Impacts 
are hard to assess at this stage. The EU is obliged to make a stab at this when 
new legislation is proposed, but few people really believe that the EU has 
modelled all the consequences of the proposals. So, perhaps one way of looking 
at impact is to consider the impact of the EU regime from 1995 to 2009, i.e. from 
the adoption of the Data Protection Directive to the Citizens Rights Directive. 
Taking a high-level view, no one can deny that the impact of privacy legislation 
has been monumental.&lt;/span&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;&lt;span&gt;To 
scale this, I reflect back on when I started my career at the Bar, as a young 
lad straight out of Uni and Bar School. Back then, there was no expectation of 
privacy as a legal concept. Yes, we had the Data Protection Act 1984, but it was 
a classic toothless tiger. I doubt that many people entering the legal 
profession back then were thinking about how they could make a career in this 
area. But now, privacy and data protection is a real favourite of would-be, 
trainee and newbie lawyers, as I can attest from my own experience at FFW, 
where we are swamped with applications from bright young things hoping to get 
into this area.&lt;/span&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;&lt;span&gt;And 
the key point here, of course, is the classic sharks-are-circling point; lawyers 
are getting into this area because they sense blood in the water. Of course, you 
can express the point less graphically; basically lawyers know that they can 
make a career in this area, which they couldn&amp;rsquo;t do not so long ago. Take the 
point again; to get to this stage in half of this lawyer&amp;rsquo;s career is 
incredible.&lt;/span&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;&lt;span&gt;So, 
returning to the question of what the impact of the DP Regulation will be: 
we can&amp;rsquo;t be precise, but we can be accurate in our assessments. And I 
believe that we are going to see this area elevate to such a level of heightened 
importance that it will be impossible to ignore.&lt;/span&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;&lt;span&gt;Yes, 
new ideas like &amp;ldquo;the right to be forgotten&amp;rdquo;, compulsory DPOs, new consent 
obligations, compulsory risk assessments etc will have their individual impacts, 
but even these measures are not enough, collectively or individually, to take 
things to the next level. No, the big impact flows from the heightened 
transparency agenda and the focus on sanctions, penalties, litigation and 
regulatory enforcement actions.&lt;/span&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;&lt;span&gt;These 
measures will inject the critical volatility of &amp;ldquo;contentious&amp;rdquo; legal business 
into the mix. And privacy &amp;ndash; data protection will become about disputes, 
argy-bargy and litigation. It will be about suing, prosecuting and holding to 
account, about compensation and fines.&lt;/span&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;&lt;span&gt;Look 
at it this way, and do you scent the blood in the water?&lt;/span&gt;&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=471" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/law+reform/default.aspx">law reform</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Enforcement/default.aspx">Enforcement</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Consent/default.aspx">Consent</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Data+Protection+Regulation/default.aspx">Data Protection Regulation</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Litigation/default.aspx">Litigation</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Data+Protection+Officer/default.aspx">Data Protection Officer</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Privacy+Impact+Assessments/default.aspx">Privacy Impact Assessments</category></item><item><title>Which is the most risky social network?</title><link>http://netfocus.baptie.com/blogs/quentyntaylor/archive/2012/03/27/which-is-the-most-risky-social-network.aspx</link><pubDate>Tue, 27 Mar 2012 10:49:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:470</guid><dc:creator>QuentynTaylor</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;&lt;img src="http://netfocus.baptie.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/quentyntaylor/pic-1.bmp" border="0" alt="" /&gt;&lt;/p&gt;
&lt;p&gt;Just before Christmas I was participating in a &lt;a href="http://www.scmagazineuk.com/"&gt;Secure Computing&lt;/a&gt; &lt;a href="http://www.scmagazineuk.com/sc-webcasts/section/1095/"&gt;webcast&lt;/a&gt; on the subject of social networking, and the question came up: &amp;ldquo;which was the most dangerous social network from a corporate point of view?&amp;rdquo; With more and more companies blocking &lt;a href="http://www.facebook.com/"&gt;Facebook&lt;/a&gt;, &lt;a href="http://www.myspace.com/"&gt;Myspace&lt;/a&gt;, &lt;a href="http://www.bebo.com/"&gt;Bebo&lt;/a&gt; etc., it is obviously a hot issue.&lt;/p&gt;
&lt;p&gt;There was a poll of the participants between the options above and one addition, LinkedIn. Unsurprisingly Facebook won, as listeners of the webcast viewed it as the most dangerous from a corporate point of view; however, I beg to differ. Whilst we have all seen the news stories of &lt;a href="http://www.guardian.co.uk/politics/2009/jul/05/john-sawers-facebook-photos-miliband"&gt;embarrassing photos popping up&lt;/a&gt;, &lt;a href="http://www.computerweekly.com/news/1280091935/MoD-staff-leak-military-secrets-on-Facebook"&gt;sensitive information being leaked&lt;/a&gt;, &lt;a href="http://www.dailymail.co.uk/news/article-1298010/Facebook-libel-Law-student-dubbed-paedophile-wins-10-000-libel-damages.html"&gt;lawsuits being launched&lt;/a&gt; and &lt;a href="http://www.huffingtonpost.com/2010/03/30/dimitar-kerin-fired-over-_n_518635.html"&gt;people playing too much FarmVille&lt;/a&gt;, all on Facebook&amp;hellip; from a corporate point of view, is it that much of an issue?&lt;/p&gt;
&lt;p&gt;Now, on the other hand, let&amp;rsquo;s look at &lt;a href="http://www.linkedin.com/"&gt;LinkedIn&lt;/a&gt;. &lt;a href="http://www.linkedin.com/in/quentyntaylor"&gt;I am an avid LinkedIn user&lt;/a&gt;, so please don&amp;rsquo;t take this as LinkedIn bashing, but I consider it to be one of the most potentially dangerous social networks from a corporate standpoint. Imagine the following: if one had high-level access to the back end of LinkedIn (or were linked in to a few &lt;a href="http://en.wikipedia.org/wiki/LinkedIn_Open_Networker"&gt;LION&lt;/a&gt;s), you could see:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;who is meeting whom&lt;/li&gt;
&lt;li&gt;which companies are considering merging&lt;/li&gt;
&lt;li&gt;who is on holiday and who is travelling on business (yes, you can also do this &lt;a href="http://famvin.org/en/2010/02/20/hazards-of-social-networking-robme-com/"&gt;elsewhere&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;who is considering buying what (and which tenders are floating about)&lt;/li&gt;
&lt;li&gt;which positions have become available&lt;/li&gt;
&lt;li&gt;which companies are experiencing financial issues or are about to lay off staff&lt;/li&gt;
&lt;li&gt;who trusts whom&lt;/li&gt;
&lt;li&gt;which people will give reciprocal recommendations (always amusing to see when you know both of them)&lt;/li&gt;
&lt;li&gt;who has viewed your profile&lt;/li&gt;
&lt;li&gt;who is looking for a job&lt;/li&gt;
&lt;li&gt;and much, much more&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;So, looking at some of the above, how can I do it? Well, it is easy. If you suddenly see lots of Company A linking in with Company B, and some of Company A&amp;rsquo;s staff changing job titles and companies all of a sudden&amp;hellip; you know that something is up. If a person is linking in with a load of virtualization vendors (or other grouped vendors)&amp;hellip; well, there is probably a purchase floating around.&lt;/p&gt;
&lt;p&gt;On the other hand, if suddenly the head of security (or risk) is linking in with legal counsel who specialise in privacy law, or if suddenly there is a lot of LinkedIn activity between a company&amp;rsquo;s staff and a forensics / investigations company, then you know that something is up. Please note that very few of the conclusions you can draw in this case are concrete (there could be many reasons), but they give you a place to start cross-referencing from. Indeed LinkedIn is the perfect place to witness &lt;a href="http://www.ics.uci.edu/~chenli/pub/2007-dasfaa.pdf"&gt;inference attacks&lt;/a&gt; (PDF).&lt;/p&gt;
&lt;p&gt;If you had access to the back end of the database (and please note I am not suggesting that LinkedIn staff have ever done this) you would have access to an amazing amount of information that would make the current WikiLeaks revelations look small scale. One would (at the very least) be able to play the stock market with quite some success, given the amount of corporate data that you would have access to.&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s also look at the case of &amp;ldquo;&lt;a href="http://en.wikipedia.org/wiki/Robin_Sage"&gt;Robin Sage&lt;/a&gt;&amp;rdquo;, as it is also connected. In summary, &amp;ldquo;Robin Sage&amp;rdquo; was a person invented by &lt;a href="http://www.thomasryan.net/"&gt;Thomas Ryan&lt;/a&gt; to see how many people in sensitive locations he could lure into connecting with her on a variety of social media (including LinkedIn). In essence she was (apparently) a young, female security analyst with many &amp;ldquo;flirty&amp;rdquo; pictures on her various pages. Eventually this led to:&lt;/p&gt;
&lt;p&gt;&amp;ldquo;Ryan befriended men and women of all ages during a short time period between December 2009 and January 2010. Almost all of them were working for the United States military, government or companies (amongst the only organizations that did not befriend Sage were the CIA and the FBI). Using these contacts, Ryan gained access to email addresses and bank accounts as well as learning the location of secret military units based on soldiers&amp;rsquo; Facebook photos and connections between different people and organizations. She was also given private documents for review and was offered to speak at several conferences.&amp;rdquo;(1)&lt;/p&gt;
&lt;p&gt;Oops&amp;hellip; basic human nature wins again. Remember how many email viruses used to offer naked pictures of $RANDOM_TV_ACTRESS if only you would click the link&amp;hellip; well, &amp;ldquo;Robin Sage&amp;rdquo; was the same but on a grander scale, and without the virus. The entire paper can be found &lt;a href="https://docs.google.com/viewer?a=v&amp;amp;q=cache:07gJb0R-djwJ:https://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf+BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf&amp;amp;hl=en&amp;amp;gl=uk&amp;amp;pid=bl&amp;amp;srcid=ADGEESiolGeMG9U8zyUiKav8w558LSePxQdKwjbtnBQate81aM-szQaiqFVxhdwqCEE3O2cz57sZUD426woCJW8XCTjtcELiq2iXVn664rQOlYMNX9ojpITrTuL8Lpwj4Un8hl8lKjNX&amp;amp;sig=AHIEtbRIzVhWjcOO0uE_B-vD7WIuWWkXiA"&gt;here&lt;/a&gt; (Google cache link, as the Black Hat media archives appear to be down) and it is really worth reading.&lt;/p&gt;
&lt;p&gt;What can you do?&lt;/p&gt;
&lt;p&gt;Well, some companies resort to blocking, which is a short-term and unsuccessful strategy. I have to admit I used to be among the LinkedIn naysayers; however, I too have &lt;a href="http://www.linkedin.com/in/quentyntaylor"&gt;moved with the times&lt;/a&gt;. If you block it, users will still find ways to use it and you will be blind to their activities.&lt;/p&gt;
&lt;p&gt;Monitor: get on the particular social network and have a look at what your users are doing. You can engage external third-party companies who offer &lt;a href="http://www.socialintel.com/"&gt;social media&lt;/a&gt;&lt;a href="http://www.qinetiq.com/pages/default.aspx"&gt; monitoring services&lt;/a&gt;. Only you can decide whether this is worth it, but it will be for some.&lt;/p&gt;
&lt;p&gt;Policies: any company that doesn&amp;rsquo;t have a social media policy is really falling behind the times; you have to have a policy that covers social media explicitly. It is no good expecting your confidentiality policy to cover social media; it won&amp;rsquo;t.&lt;/p&gt;
&lt;p&gt;Education: this is the key. Educate your users and tell them what they can and cannot do. Give them example cases and try to be as open as possible. Let them know what can happen, but focus on the &lt;a href="http://www.quentyn.com/2011/01/the-power-of-nightmares/"&gt;positive angles and the benefits your users can get&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In summary, it is often the risk in plain sight that is the most dangerous. Ask any senior executive if they have a corporate Facebook page and you won&amp;rsquo;t find many who do; ask them if they have a LinkedIn page and you will struggle to find one who doesn&amp;rsquo;t.&lt;/p&gt;
&lt;p&gt;What are your opinions? Do you think differently? Add your comments to the post below and have your say.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=470" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/security/default.aspx">security</category><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/Social+Networking/default.aspx">Social Networking</category></item><item><title>what is hiding in your email ?</title><link>http://netfocus.baptie.com/blogs/quentyntaylor/archive/2012/03/15/what-is-hiding-in-your-email.aspx</link><pubDate>Thu, 15 Mar 2012 12:27:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:464</guid><dc:creator>QuentynTaylor</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;It used to be that all we had to fear in the corporate world, email-leak-wise, was that company email would be &lt;a href="http://www.v3.co.uk/v3-uk/news/1999115/ibm-subpoenas-microsoft-sun-hp-sco-trial"&gt;read back to an executive in a court of law by an opposing lawyer&lt;/a&gt;. This would occur after lengthy deliberation by all the legal entities concerned and could take months, or even years, from the first discovery process to when it finally popped up in court. If the email was of a particularly sensitive nature, the judge might rule that particularly salacious material was not for the open court.&lt;/p&gt;
&lt;p&gt;Journalists could always receive leaked emails, but they would generally only release material that fitted the journalistic narrative, i.e. if the material didn&amp;rsquo;t fit the story they wouldn&amp;rsquo;t publish it. In essence, the general public had never had direct access to leaked information. It was always sanitised, summarised and presented by journalists in neat chunks. They had never had access to the &amp;ldquo;raw&amp;rdquo; information. Even at the height of the &lt;a href="http://en.wikipedia.org/wiki/Watergate_scandal"&gt;&amp;ldquo;Watergate scandal&amp;rdquo;&lt;/a&gt;, or the &lt;a href="http://en.wikipedia.org/wiki/Stakeknife"&gt;&amp;ldquo;Stakeknife&amp;rdquo;&lt;/a&gt; scandal in the UK, the raw, underlying material was never leaked directly to the public. There wasn&amp;rsquo;t the mechanism to do so: you could only print so much, and TV is really only good for releasing video, audio or summarised material.&lt;/p&gt;
&lt;p&gt;In 2010 that all changed (one could argue it changed earlier, but let&amp;rsquo;s ignore that to stick to the narrative). The start was WikiLeaks: the Iraq war videos, the documents on the war in Afghanistan and, finally, the culmination in the diplomatic cables release. As these documents have been linked to all over the place (and the links constantly change), I will not bother linking to them here, but putting any of the terms into &lt;a href="http://www.google.co.uk/"&gt;Google&lt;/a&gt; will point you to the current location.&lt;/p&gt;
&lt;p&gt;In 2010 a very British story surrounding ACS-Law also popped up. &lt;a href="http://en.wikipedia.org/wiki/ACS:Law"&gt;ACS-Law&lt;/a&gt; were a law firm that gained notoriety by threatening to sue people who they believed had been sharing copyrighted material on the internet without permission. These two threads intertwine, and not just through their link to the loose-knit hacking group &lt;a href="http://en.wikipedia.org/wiki/Anonymous_%28group%29"&gt;&amp;ldquo;Anonymous&amp;rdquo;&lt;/a&gt;, but in the fundamental shift that they both brought to the internet and to corporate risk.&lt;/p&gt;
&lt;p&gt;ACS-Law were the first major entity to be &lt;a href="http://torrentfreak.com/acslaw-anti-piracy-law-firm-torn-apart-by-leaked-emails-100925/"&gt;brought down by the complete leaking of their email&lt;/a&gt;. That is to say, several years of their entire email archive were leaked on the internet for any interested party to pick over. What WikiLeaks started, the mainstream acceptance of the general public picking over leaked information, the leak of the ACS-Law email finished. It is fair to say that the leak of their email was not the exact cause of their demise, &lt;a href="http://torrentfreak.com/acslaw-and-mediacat-completely-shut-down-both-their-businesses-110204/"&gt;but it contributed to it quite significantly&lt;/a&gt;, and it was very embarrassing to have internal email &lt;a href="http://torrentfreak.com/anti-piracy-lawyers-knew-they-targeted-innocent-victims-101118/"&gt;(and commentary)&lt;/a&gt; floating around on the internet being discussed.&lt;/p&gt;
&lt;p&gt;Fast forward a year to 2011, and two company names that I must admit I had never heard of suddenly popped up in the information security press: HBGary Federal and &lt;a href="http://www.hitechcrimesolutionsonline.com/"&gt;Ligatt Security&lt;/a&gt;. Both suffered the same fate as ACS-Law in that &lt;a href="http://www.thetechherald.com/"&gt;their email became public&lt;/a&gt;. Whether they survive this experience is something that only time will tell, but it does pose an interesting question. What would you do if tomorrow your email was leaked? Certainly I hear a lot of you scoffing that there could never be anything damaging in your email&amp;hellip; are you certain? I mean really certain? Awareness programmes can only go so far, and you can be almost certain that somewhere, someone in your organisation has left a time bomb in your email.&lt;/p&gt;
&lt;p&gt;So what can you do?&lt;/p&gt;
&lt;p&gt;Well, firstly you will need to conduct a risk assessment: what is the likelihood of your company being a target? What material could be disclosed? What processes do you have in place to detect a leak at an early stage? How easy is it for one person to get unfettered access to your email?&lt;/p&gt;
&lt;p&gt;Secondly, if you do not have an incident response plan, now is a good time to create one. Work with your legal team and your corporate communications team to ensure that you do have a plan, so that if you do suffer an incident at least your senior management are briefed and you can perhaps weather the storm. Note that in the HBGary Federal case, it was not so much the embarrassing email that caused the issue but the intellectual property in &lt;a href="http://www.nytimes.com/2011/02/12/us/politics/12hackers.html?_r=2"&gt;business relationships&lt;/a&gt; as well as the &lt;a href="http://crowdleaks.org/hbgary-inc-working-on-secret-rootkit-project-codename-magenta/"&gt;internal project-based IP&lt;/a&gt; that every company will have.&lt;/p&gt;
&lt;p&gt;The future: leaking corporate information is going to continue, of that I am certain. The rise of the internet has brought a new breed of citizen journalists who really want to dig into the data themselves. In the UK, the Government has released reams of &lt;a href="http://data.gov.uk/"&gt;data to allow people to slice and dice it as they see fit&lt;/a&gt;. The police have released an &lt;a href="http://www.police.uk/"&gt;online crime map&lt;/a&gt; (which, when it works, is actually quite good). Ordinary citizens&amp;rsquo; access to high-level data is here to stay; however, the darker side is also here. The examples given above, and the &lt;a href="http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars"&gt;meteoric falls&lt;/a&gt; that &lt;a href="http://www.bbc.co.uk/news/technology-12396443"&gt;some of the companies experienced&lt;/a&gt;, mean that this will become the tool of choice for activists. I predict that by the end of 2011 there will have been a string of such attacks and the public will be used to dealing with the latest information; however, I suspect that, given the public&amp;rsquo;s fickle nature, picking through corporate email will swiftly become jaded and they will need something extra for their stimulation.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=464" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/security/default.aspx">security</category><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/leaks/default.aspx">leaks</category><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/privacy/default.aspx">privacy</category></item><item><title>Our only hope lies with Academia</title><link>http://netfocus.baptie.com/blogs/davidlacey/archive/2012/03/15/our-only-hope-lies-with-academia.aspx</link><pubDate>Thu, 
15 Mar 2012 12:22:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:463</guid><dc:creator>DavidLacey</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;Lately I&amp;#39;ve been spending more time lecturing to universities (Oxford and Surrey this week, Portsmouth the week after next). At each session I set out to present what&amp;#39;s wrong with Information Security management today: just about everything, including the priorities, standards, methodologies, technologies and skills.&lt;br /&gt;At the end of each talk I ask: &amp;quot;Do you agree?&amp;quot; The response is generally a refreshing &amp;quot;Yes&amp;quot;.&lt;/p&gt;
&lt;p&gt;Of course it might be my compelling rhetoric rather than the content that sways the audience. It&amp;#39;s certainly hard to drum up any passion for today&amp;#39;s slow, dry, quality-focused approach. But I suspect that I&amp;#39;m actually striking a chord that&amp;#39;s long overdue to be heard.&lt;br /&gt;If there&amp;#39;s any hope for a change of direction, it lies with Academia. User organisations are too bogged down in the treacle of compliance to inspire any change. Vendors are only interested in what the users say they want. And institutions tend to be more concerned with preserving the status quo, rather than challenging the accepted wisdom.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;Thirty years ago, if you&amp;#39;d told me that Academia was our salvation, I would have laughed, watching researchers struggle to find practical use for Bell and LaPadula models. Fifteen years ago, you would have got the same reaction as I observed universities putting together MSc courses inspired more by the Common Criteria than industry practices. Today it&amp;#39;s different. It&amp;#39;s time for students and researchers to go back to first principles and design an entirely new approach to information security management, one that&amp;#39;s more in keeping with a fast-moving, sophisticated risk environment.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=463" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/compliance/default.aspx">compliance</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/information+security+management/default.aspx">information security management</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/Academia/default.aspx">Academia</category></item><item><title>New consent rules for data processing	</title><link>http://netfocus.baptie.com/blogs/stewartroom/archive/2012/03/15/new-consent-rules-for-data-processing.aspx</link><pubDate>Thu, 15 Mar 2012 11:26:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:461</guid><dc:creator>stewartroom</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p&gt;The proposed Data Protection Regulation contains a new regime for consent-based data processing. It places high compliance obstacles in the path of data controllers, which, if implemented, will fundamentally alter the way that many do business. So, let&amp;rsquo;s take a look at what is proposed.&lt;/p&gt;
&lt;p&gt;The beginning of the story is Recital 25, which tells us that consent means explicit consent. This consists of a &amp;ldquo;freely given&amp;rdquo;, &amp;ldquo;specific&amp;rdquo; and &amp;ldquo;informed indication&amp;rdquo; of the data subject&amp;rsquo;s wishes. This can be achieved only via the routes of a &amp;ldquo;statement&amp;rdquo; made by the data subject, or by &amp;ldquo;clear affirmative action&amp;rdquo; on their part that shows that they are aware that they are giving consent. This can be achieved by the indicative approaches of &amp;ldquo;ticking a box&amp;rdquo; when they visit a website, or by similar statements or conduct. Silence or inactivity cannot amount to consent. The recital continues by saying that &amp;ldquo;electronic requests&amp;rdquo; for consent &amp;ldquo;must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided&amp;rdquo;, with the implication being that electronic systems should not be designed to badger the individual into giving consent, such as by making repeated requests for consent.&lt;/p&gt;
&lt;p&gt;What is unclear is whether a data controller can make the provision of a service conditional upon the giving of consent to data processing operations which are not strictly necessary for the provision of the service, such as direct marketing, OBA or data sharing, but it is possible that the anti-badgering provision can be interpreted this way, if a refusal of consent results in a service disruption, in the sense that access to the service is blocked. If this is the correct interpretation, then it may have worrying implications for business innovations that require data monetization to survive.&lt;/p&gt;
&lt;p&gt;Perhaps the answer is found in Recital 32, which sets out a new burden of proof rule for consent. The recital begins by saying that the controller bears the burden of proving that the subject has consented and then continues with &amp;ldquo;in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given.&amp;rdquo; This may suggest that it will still remain lawful to put clauses around consequential data processing in contract terms and conditions, provided that the relevant clauses are highlighted and the effect explained. To understand what I mean by consequential processing (which isn&amp;rsquo;t a term used by the Regulation by the way), in a contractual situation it is lawful to process personal data that are necessary to fulfil the contract (so, for example, payment card details can be processed prior to delivery of a good or service) but anything beyond that point needs its own legitimacy. So, referring back to the earlier example, processing for direct marketing or OBA will not be legitimatised in a contractual situation by the &amp;ldquo;contractual necessity&amp;rdquo; ground; these activities will be consequential to the main contractual ambitions. In other words, I am referring to secondary processing.&lt;/p&gt;
&lt;p&gt;Anyway, returning to Recital 32, what might be being outlawed is the burying of processing terms within the small print, not compulsory consequential processing. If that&amp;rsquo;s the focus, then it is hard to argue against it; in the UK at least consumer law has required a &amp;ldquo;Denning big red hand&amp;rdquo; for unusual clauses impacting on consumer rights for many years now.&lt;/p&gt;
&lt;p&gt;More answers may be provided by Recital 33, which clarifies that consent needs genuine and free choices and the right to change one&amp;rsquo;s mind. This might have the effect of building a distinction between services that are non-essential and those which are. But, if this is the idea, you are moved to the question: where do you draw the line? If utilities are essential, like gas, water and electricity, then it might be unlawful to make the provision of services conditional on the acceptance of consequential processing, because the effect would be to deprive the user of a choice. If you follow this through, do you put online banking in the same category? And what about social networking? Or online retailers? In my mind an Amazon is less of a utility than, say, a mobile phone network operator, but why should an Amazon enjoy more commercial privileges with data and a less rigid regulatory environment?&lt;/p&gt;
&lt;p&gt;Clearly, there is a need for clarification around these questions, because many data controllers have made consequential processing a condition of service provision. If they can no longer pursue this business strategy, they may be faced with serious business remodelling.&lt;/p&gt;
&lt;p&gt;And this is the point at which a form of despair sets in about the Regulation. The EU has had years to think through the issues, but the more time you spend with the Regulation, the more obvious it becomes that it raises more questions than answers. This does not make for an encouraging environment for the achievement of the ambition of increased legal harmonisation. Perhaps it might be fair to opine that the Regulation actually puts us back, because we have a whole new series of unanswered issues to contend with &amp;hellip;&lt;/p&gt;
&lt;p&gt;So what else do we learn about consent? These are the other headlines:&lt;/p&gt;
&lt;p&gt;Consent cannot be given where there is a clear imbalance in the power relationship between controllers and subjects. This rule is set out in Recital 34, which explains that a power imbalance will exist where the subject is dependent on the controller, such as in an employment situation, a point that has been made often by the Article 29 Working Party. So, this position will not come as a surprise to informed privacy pros, but it is disappointing nonetheless, as many have argued against the position that it is inherently impossible for employees to give valid consent in the workplace. For instance, what about workplace emoluments? Are we saying that the employee cannot consent to dedicating their benefits pot to one particular benefit in a range of employer-provided packages, or that they can&amp;rsquo;t consent to giving over their family details for life assurance purposes, or that they cannot exercise a choice on taking up workplace-based training? If that&amp;rsquo;s what the EU is saying, it&amp;rsquo;s awfully patronising to employees, but let&amp;rsquo;s wait and see.&lt;/p&gt;
&lt;p&gt;Another area of power imbalance is in the relationship between subjects and public authorities, where the public authority has the power to &amp;ldquo;impose an obligation&amp;rdquo;; this seems to be less problematic than the employee context example.&lt;/p&gt;
&lt;p&gt;As far as children are concerned, for the purposes of provision of information society services (web based services essentially), for those under 13 consent means parental consent (and custodian&amp;rsquo;s), which needs to be &amp;ldquo;verifiable&amp;rdquo;. This is similar to the US approach in COPPA.&lt;/p&gt;
&lt;p&gt;So, there you are. For further reading, check out Articles 4, 6, 7, 8 &amp;amp; 9.&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=461" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/law+reform/default.aspx">law reform</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Consent/default.aspx">Consent</category><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Data+Protection+Regulation/default.aspx">Data Protection Regulation</category></item><item><title>Employing Cloud</title><link>http://netfocus.baptie.com/blogs/ianmoyse/archive/2012/03/15/employing-cloud.aspx</link><pubDate>Thu, 15 Mar 2012 11:17:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:462</guid><dc:creator>Ian Moyse</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;2012 is rumoured to be the tipping point for cloud. For the last four to five years, we have heard that cloud (Internet-delivered solutions) is about to go mainstream; however, this year it is not the hype but real user benefits that are driving adoption.&lt;/p&gt;
&lt;p&gt;What do I mean by this? Well, people are not going out looking for cloud-based solutions (&amp;ldquo;I want some cloud&amp;rdquo;); instead they are looking for a solution to a real problem. Some users are unknowingly using a cloud-based solution (either in their business or personal lives) and are quickly seeing the benefits. Take, for example, &lt;a href="https://www.dropbox.com/"&gt;Dropbox&lt;/a&gt;, a free tool for sharing (large) files across devices seamlessly, easily and from anywhere, which users adopt because of the need it solves and not because of the technology behind it or because of any cloud hype.&lt;/p&gt;
&lt;p&gt;Cloud computing is expected to enjoy an adoption rate and growth of between 30 and 40 percent per year, every year for the next five years, and its promise of substantial benefits will drive this adoption. A 2012 customer study from Rise indicates that 94% of IT departments expect to expand their use of cloud in the next 12 months.&lt;/p&gt;
&lt;p&gt;The key benefits of cloud include:&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Easier, more flexible access in a world of consumerisation and BYOD (Bring Your Own Device),&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Increased resilience,&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Easier migration/implementation,&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Simplicity of use,&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Consistency across platforms,&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Reduced cost of both implementation and on-going usage, and&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Innovation acceleration.&lt;/p&gt;
&lt;p&gt;We still hear the downers on cloud &amp;ndash; the news stories of gloom, fear and disdain. It was not so long ago that Internet shopping was placed in the same bucket, and yet this has become the norm and is continuing to enjoy compound growth and affect the traditional bricks-and-mortar retail arena.&lt;/p&gt;
&lt;p&gt;There is plenty of hype on the &amp;lsquo;cloud&amp;rsquo;, and certainly plenty of discussion and content, and yet reports and audiences still show a need for education on the terms, benefits and realities of this growing form factor. Top concerns of businesses, in survey after survey on the cloud, continue to be security, data sovereignty and reliability. In a recent end-user study from the &lt;a href="http://www.cloudindustryforum.org/"&gt;Cloud Industry Forum&lt;/a&gt;, 62% of companies using or planning to use cloud indicated that data security was their prime concern. When it comes to individuals, the top concern in the IT arena is job loss and reduction of individual value.&lt;/p&gt;
&lt;p&gt;There is no doubt cloud is bringing change. With the Internet and technology, we have a generation of users demanding access to their applications from their iPhone, iPad, BlackBerry or Android devices. We have entered an era where vast IT power and information are available to a user on the smallest of devices, on the move and at an affordable price. As devices get more powerful and the Internet faster, the demand for and supply of cloud applications will skyrocket, and the power in the hands of the user will be greater than we have ever delivered before. Expect the marriage between mobility and the cloud to continue to grow.&lt;/p&gt;
&lt;p&gt;So with this growth of cloud comes a change in skill requirements and job opportunities. One of &lt;a href="http://www.crn.com/slide-shows/cloud/232301107/10-cloud-predictions-for-2012.htm;jsessionid=xuOvZEV78F-q-ZCLNkApiw**.ecappj01?pgno=9"&gt;CRN&amp;rsquo;s top 10 cloud predictions for 2012&lt;/a&gt; is a growth in demand for cloud jobs, as validated by an &lt;a href="http://www.cio.com/article/692542/The_IT_Jobs_Cloud_Computing_Will_Create"&gt;article in CIO magazine&lt;/a&gt; in early 2012. Cloud computing is having, and will continue to have, a major impact on skills across business; with IT the most obviously affected, it will also impose itself on roles in marketing, support and business roles in general. The demand for cloud-based skills is already showing signs of exploding. &lt;a href="http://www.wantedanalytics.com/press/2012/01/05/hiring-for-cloud-computing-skills-grows-61/"&gt;A recent report from Wanted Analytics&lt;/a&gt; found that hiring for cloud computing expertise grew 61 percent year over year. The cloud market is growing at such a pace that the number of job postings is accelerating, and yet the talent qualifying for these roles is in short supply.&lt;/p&gt;
&lt;p&gt;Cloud isn&amp;rsquo;t all overcast: according to IDC, &amp;lsquo;Spending on public and private cloud services is predicted to generate almost 14 million jobs worldwide between 2011 and 2015. More than one-third of cloud-enabled jobs will occur in the communications and media, banking, and discrete manufacturing industries.&amp;rsquo; &amp;ldquo;For most organizations, cloud computing should be a no-brainer, given its ability to increase IT innovation and flexibility, lower capital costs, and help generate revenues that are multiples of spending,&amp;rdquo; said John F. Gantz, chief research officer and senior vice president at IDC.&lt;/p&gt;
&lt;p&gt;Cloud offers opportunities for those who embrace the new form factor and self-educate and certify themselves for the needs of employers today and tomorrow.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://certification.comptia.org/getCertified/certifications/cloud.aspx"&gt;CompTIA&amp;rsquo;s Cloud Essentials certification&lt;/a&gt; is an example option that enables employees of varying roles to validate their cloud knowledge, take online training and exam condition testing, and differentiate themselves in the competitive job market. More education is needed in cloud across all sectors to enable businesses to understand and utilize this important new technology option to its advantage and this need for understanding stretches past simply the border of the IT department. Expect to see more cloud courses and exams providing the market with the required validations in this new cloudy world. Ignoring cloud is no longer an option, utilizing it to your advantage is!&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=462" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/ianmoyse/archive/tags/Cloud/default.aspx">Cloud</category><category domain="http://netfocus.baptie.com/blogs/ianmoyse/archive/tags/mainstream/default.aspx">mainstream</category><category domain="http://netfocus.baptie.com/blogs/ianmoyse/archive/tags/Dropbox/default.aspx">Dropbox</category><category domain="http://netfocus.baptie.com/blogs/ianmoyse/archive/tags/Data+Security/default.aspx">Data Security</category><category domain="http://netfocus.baptie.com/blogs/ianmoyse/archive/tags/BYOD/default.aspx">BYOD</category></item><item><title>Net Focus Blog – March updates: how to conduct successful awareness campaign?</title><link>http://netfocus.baptie.com/blogs/netfocus/archive/2012/03/07/net-focus-blog-march-updates-how-to-conduct-successful-awareness-campaign.aspx</link><pubDate>Wed, 07 Mar 2012 14:57:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:452</guid><dc:creator>Aurelia Magron</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p&gt;As I was doing some research for my blog, I found a very interesting article written by Charlie Osborne on the ZDNet website: &lt;a href="http://www.zdnet.com/blog/igeneration/steal-laptops-for-class-credit/15271"&gt;Steal laptops for class credit? &lt;/a&gt;This article explains how the University of Twente in the Netherlands conducted a scientific research project and asked students to steal staff computers. The result is quite surprising: the staff were aware of the operation and had been asked to secure their machines, but still half of the computers were stolen. The students didn&amp;rsquo;t even use technical tools to steal the computers; it was concluded that it came down to human behaviour.&lt;/p&gt;
&lt;p&gt;This project raises the issue of awareness: even when people know, they still won&amp;rsquo;t pay attention. The same can happen in your company, and the question remains the same: how can you conduct a successful awareness campaign? To help you, we published this whitepaper: &lt;a href="http://netfocus.baptie.com/media/p/412.aspx"&gt;Information Security Awareness: Building an effective campaign that works.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;There are a lot of new issues affecting the IT security industry in 2012. The Net Focus France Conference gives you the opportunity to access presentations delivered by IS experts and to participate in workshops on the hottest topics that you are dealing with. It will be held in Lyon (France) on 19 &amp;amp; 20 June 2012. Back to Basics, the Cloud, BYOD, IAM, identity theft, and communication and awareness around IT security are some of the topics you will find in the &lt;a href="http://netfocus.baptie.com/themes/hawaii/events/ViewEvent.aspx?evId=eacb4dc6-4182-4dba-85a2-0e2d54c4d062&amp;amp;view=agenda"&gt;agenda&lt;/a&gt;. You can also have a look at the &lt;a href="http://netfocus.baptie.com/themes/hawaii/events/ViewEvent.aspx?evId=eacb4dc6-4182-4dba-85a2-0e2d54c4d062&amp;amp;view=workshops"&gt;workshops&lt;/a&gt; and confirmed &lt;a href="http://netfocus.baptie.com/themes/hawaii/events/ViewEvent.aspx?evId=eacb4dc6-4182-4dba-85a2-0e2d54c4d062&amp;amp;view=speakers"&gt;speakers&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;If you or someone from your team in France would like to attend, you can already book your seats &lt;a href="http://netfocus.baptie.com/themes/hawaii/events/BookEvent.aspx?evId=eacb4dc6-4182-4dba-85a2-0e2d54c4d062"&gt;online &lt;/a&gt;or call our team on +44(0)207 250 0100.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The Net Focus Community organises free webinars on the latest IT security issues in the industry. You can register now for the upcoming ones:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://netfocus.baptie.com/themes/hawaii/events/viewWebinar.aspx?evId=51ad143b-67af-401e-a318-24ddedda29e0"&gt;Transitioning IT to the Cloud&lt;/a&gt;, presented by Paul Simmonds, Co-Founder &amp;amp; Member of Board of Management - Jericho Forum. This webinar will be on the 29 March 2012 and you can register &lt;a href="https://www1.gotomeeting.com/register/153840745"&gt;here&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://netfocus.baptie.com/themes/hawaii/events/viewWebinar.aspx?evId=cda957a2-7514-4bc1-886a-52289f38d8dd"&gt;Data Protection and Information Security: The Top 5 Legal Risks for 2012&lt;/a&gt; presented by Robert Bond, Partner and Notary Public - Speechly Bircham. This webinar takes place on the 5th April 2012 and you can register &lt;a href="https://www1.gotomeeting.com/register/573088832"&gt;here&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;We also have &lt;a href="http://netfocus.baptie.com/media/"&gt;new documents&lt;/a&gt; you can download (Compliance Transformations in Virtualization,New DPA Regulations or Business Continuity Planning: Back to Basics) &amp;nbsp;and &lt;a href="http://netfocus.baptie.com/blogs/bloggers.aspx"&gt;blog posts&lt;/a&gt; to read and comment. &amp;nbsp;Don&amp;rsquo;t hesitate to participate in the community!&amp;nbsp;&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=452" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/netfocus/archive/tags/awareness/default.aspx">awareness</category><category domain="http://netfocus.baptie.com/blogs/netfocus/archive/tags/theft/default.aspx">theft</category></item><item><title>PIRANET ou comment faire sans internet ?</title><link>http://netfocus.baptie.com/blogs/netfocus/archive/2012/03/07/piranet-ou-comment-faire-sans-internet.aspx</link><pubDate>Wed, 07 Mar 2012 11:10:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:450</guid><dc:creator>Aurelia Magron</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;While doing some research for my March blog post, I came across a France Info podcast in which the journalist conducts an &lt;a href="http://www.franceinfo.fr/high-tech/nouveau-monde/l-etat-recrute-des-specialistes-de-la-securite-informatique-528249-2012-02-14"&gt;interview&lt;/a&gt; with Patrick Pailloux, director of ANSSI, about the PIRANET operation, which took place on 7, 8 and 9 February 2012.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;This operation raises the question: &amp;ldquo;how do you manage without the internet?&amp;rdquo; and, above all, how do you handle the consequences of such an &amp;ldquo;outage&amp;rdquo;? The internet has become so much a part of our daily lives that it is hard to imagine working without it. The journalist also asks whether France is ready to face a risk of this kind. The answer is obviously not simple, because that requires developing new resources. Patrick Pailloux also announces that new positions are opening at ANSSI. A response to the crisis? In any case, it is a positive point in a difficult context&amp;hellip;&lt;/p&gt;
&lt;p&gt;This year again, many new issues are emerging. You will find them in the &lt;a href="http://netfocus.baptie.com/themes/hawaii/events/ViewEvent.aspx?evId=eacb4dc6-4182-4dba-85a2-0e2d54c4d062&amp;amp;view=agenda"&gt;agenda&lt;/a&gt; of the &lt;a href="http://netfocus.baptie.com/themes/hawaii/events/ViewEvent.aspx?evId=eacb4dc6-4182-4dba-85a2-0e2d54c4d062&amp;amp;view=about"&gt;Net Focus France 2012 Conference&lt;/a&gt;. This event brings together the information security managers of the largest French companies and organisations and lets you discuss current topics with your peers in a trusted environment.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;This year&amp;rsquo;s agenda is once again very full and includes, among others, sessions on &amp;ldquo;Back to Basics&amp;rdquo;, BYOD, IAM, contractual clauses in the Cloud, industrial IT security, identity theft and social networks.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;I also invite you to look at the list of &lt;a href="http://netfocus.baptie.com/themes/hawaii/events/ViewEvent.aspx?evId=eacb4dc6-4182-4dba-85a2-0e2d54c4d062&amp;amp;view=workshops"&gt;discussion forums&lt;/a&gt; and the &lt;a href="http://netfocus.baptie.com/themes/hawaii/events/ViewEvent.aspx?evId=eacb4dc6-4182-4dba-85a2-0e2d54c4d062&amp;amp;view=speakers"&gt;speakers&lt;/a&gt; already confirmed. If you would like to book your seat, you can do so &lt;a href="http://netfocus.baptie.com/themes/hawaii/events/BookEvent.aspx?evId=eacb4dc6-4182-4dba-85a2-0e2d54c4d062"&gt;online&lt;/a&gt; or by calling +44(0)207 250 0100.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;New documents and blog posts are available on the Net Focus website; don&amp;rsquo;t hesitate to download and comment on them.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://netfocus.baptie.com/media/"&gt;Access the documents&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://netfocus.baptie.com/blogs/bloggers.aspx"&gt;Access the blogs&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The community also organises free webinars on the most important information security topics. You can register for the upcoming webinars:&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://netfocus.baptie.com/themes/hawaii/events/viewWebinar.aspx?evId=51ad143b-67af-401e-a318-24ddedda29e0"&gt;Transitioning IT to the Cloud&lt;/a&gt;, presented by Paul Simmonds, Co-Founder &amp;amp; Member of Board of Management - Jericho Forum. This webinar will take place on 29 March 2012 and you can register &lt;a href="https://www1.gotomeeting.com/register/153840745"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://netfocus.baptie.com/themes/hawaii/events/viewWebinar.aspx?evId=cda957a2-7514-4bc1-886a-52289f38d8dd"&gt;Data Protection and Information Security: The Top 5 Legal Risks for 2012&lt;/a&gt;, presented by Robert Bond, Partner and Notary Public - Speechly Bircham. The webinar takes place on 5 April 2012 and you can register &lt;a href="https://www1.gotomeeting.com/register/573088832"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=450" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/netfocus/archive/tags/internet/default.aspx">internet</category><category domain="http://netfocus.baptie.com/blogs/netfocus/archive/tags/ANSSI/default.aspx">ANSSI</category><category domain="http://netfocus.baptie.com/blogs/netfocus/archive/tags/Piranet/default.aspx">Piranet</category></item><item><title>Social Media and the law, how websites will reveal your data</title><link>http://netfocus.baptie.com/blogs/quentyntaylor/archive/2012/03/07/social-media-and-the-law-how-websites-will-reveal-your-data.aspx</link><pubDate>Wed, 07 Mar 2012 10:02:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:449</guid><dc:creator>QuentynTaylor</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;&lt;a href="http://netfocus.baptie.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/quentyntaylor/Qt-picture.jpg"&gt;&lt;img src="http://netfocus.baptie.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/quentyntaylor/Qt-picture.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;
&lt;p&gt;Following up from the news story regarding the &lt;a href="http://www.google.com/hostednews/ap/article/ALeqM5iZS8DtaY4Ig9kiFQn6FnxDsiEmag?docId=d2d5f321c795413f9938cf360e97a680"&gt;US government&amp;rsquo;s legal challenge&lt;/a&gt; to get several prominent &lt;a href="http://twitter.com/#!/wikileaks"&gt;wikileaks&lt;/a&gt; people&amp;rsquo;s data, I thought I would expand on my tweet about the &lt;a href="http://www.eff.org/"&gt;EFF&lt;/a&gt;&amp;rsquo;s &lt;a href="https://www.eff.org/deeplinks/2011/01/social-media-and-law-enforcement-who-gets-what"&gt;summary document&lt;/a&gt; regarding the process by which some social media companies will disclose your data. Far from this article being about the &amp;ldquo;Shock horror &amp;ndash; Companies will give up your data&amp;rdquo;, I want to use it to praise the companies for being open about how they will give up your data if requested. I would prefer that companies are open rather than secretive. Indeed, I respect &lt;a href="http://www.twitter.com/"&gt;twitter&lt;/a&gt; for their &lt;a href="http://www.fastcompany.com/1716100/why-twitter-was-the-only-company-to-challenge-the-secret-wikileaks-subpoena"&gt;court action&lt;/a&gt; to make public a secret request for the account details of people connected to wikileaks. Far worse would have been simply not to fight and just release the data.&lt;/p&gt;
&lt;p&gt;So what is the significance of this? Well, it really is a wake-up call to all of you about the potential dangers of social networking (and other sites that you upload your data to). Never before have people shared so much data so publicly and so openly. There are plenty of horror stories about people sharing images and comments on Facebook (and elsewhere) and &lt;a href="http://www.allvoices.com/contributed-news/7780185-nursing-students-expelled-for-posting-placenta-photos-on-facebook/images"&gt;losing their jobs&lt;/a&gt; or &lt;a href="http://boingboing.net/2007/04/24/canadian_professor_d.html"&gt;being denied entry&lt;/a&gt; into certain countries. There are plenty of times where the media has seized upon pictures and information from social networking to get &lt;a href="http://en.wikipedia.org/wiki/Anna_Chapman"&gt;pictures of the accused&lt;/a&gt;; journalists must be happy that they don&amp;rsquo;t have to go door to door for a grainy picture anymore. Now they just hit Facebook and go from there.&lt;/p&gt;
&lt;p&gt;There are also examples of where the police have &lt;a href="http://translate.google.com/translate?js=n&amp;amp;prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;layout=2&amp;amp;eotf=1&amp;amp;sl=no&amp;amp;tl=en&amp;amp;u=http%3A%2F%2Fwww.nrk.no%2Fnyheter%2Fnorge%2F1.7472382"&gt;over-gathered evidence&lt;/a&gt;; once this happens, who knows where your data can end up. Then take for example the case of &lt;a href="http://en.wikipedia.org/wiki/ACS:Law"&gt;ACS-Law&lt;/a&gt;: whilst not law enforcement, the &lt;a href="http://torrentfreak.com/acslaw-anti-piracy-law-firm-torn-apart-by-leaked-emails-100925/"&gt;data they gathered&lt;/a&gt; ended up being &lt;a href="http://www.techradar.com/news/internet/massive-porn-data-leak-at-p2p-piracy-law-firm-719633"&gt;spread far and wide&lt;/a&gt;, an extreme example. However, when you look at a &lt;a href="http://krebsonsecurity.com/2011/01/ready-for-cyberwar/"&gt;recent post&lt;/a&gt; from Brian Krebs, you know that some law enforcement bodies have to be fully owned. Who knows what happens to the data once they have it?&lt;/p&gt;
&lt;p&gt;So where will this lead? I strongly believe that there is and will be a growing market for repudiation companies. That is, a company that will look through your online presence and remove any area that you feel may be of issue to you. Why might you want to do this? Either you are looking for a new job, attempting to move countries or just &lt;a href="http://www.google.co.uk/search?q=embarrasing+facebook+pictures"&gt;embarrassed about those&lt;/a&gt; pics you posted whilst drunk. These companies will use a mixture of techniques to remove content that you do not want to be present. When will they rise to prominence? Well, Facebook started in February 2004, and Myspace started in August 2003. Assuming you were 18 in 2003, by 2013 you will be 28, just at that time where you are going for the new &amp;ldquo;big&amp;rdquo; job. So by 2015 these companies will be fully in operation and serving their clientele.&lt;/p&gt;
&lt;p&gt;Note that there has been some movement on this front recently with a German company showing a technology called &lt;a href="http://www.x-pire.de/"&gt;X-Pire&lt;/a&gt;. The technology claims to be able to &amp;ldquo;expire&amp;rdquo; an image after a given time. Sounds too good to be true? Well, it really is. The product depends on a Firefox (only for now) plug-in that decodes the image; this means that the website showing the image would have to be able to work with encrypted images, i.e. no manipulation of images on the site (e.g. resizing or cropping on the particular site). There are also a few other &lt;a href="http://www.x-pire.de/index.php?id=93&amp;amp;L=2#anchor_features"&gt;limitations&lt;/a&gt;:&lt;/p&gt;
&lt;p&gt;What can X-pire! not do?&lt;/p&gt;
&lt;p&gt;&amp;bull; X-pire! is a browser plug-in for Firefox &amp;ndash; the programme does not work without Firefox. Extensions to other browsers are in the making.&lt;/p&gt;
&lt;p&gt;&amp;bull; X-pire! does not offer protection against the intentional copying of images during the period they are valid (for example a screenshot), i.e., the use of this software does not give total free reign &amp;ndash; protection of one&amp;rsquo;s own privacy sphere still requires the conscientious and sensible handling of all personal data online.&lt;/p&gt;
&lt;p&gt;So nice try, but not really ready for the mainstream yet. Which brings me back to the point above: there will come a time in generation Y (or Z) people&amp;rsquo;s lives when they realise that the pics of them drunk at a party (or &lt;a href="http://www.myfoxphoenix.com/dpp/news/national/teacher_fired_facebook_111109"&gt;even just with a drink&lt;/a&gt;), or &lt;a href="http://sports.espn.go.com/oly/swimming/news/story?id=3876804"&gt;imbibing dubious substances&lt;/a&gt;, might not be a good idea for &lt;a href="http://applicant.com/how-to-lose-a-job-via-facebook-in-140-characaters-or-less/"&gt;future job opportunities&lt;/a&gt;. This is where the repudiation companies will come in; for a fee, I suspect, they will offer complete removal, editing or (taking it one step further) engineering of a social media past. The last point reminds me of a &lt;a href="http://en.wikipedia.org/wiki/Total_Recall"&gt;film I once saw&lt;/a&gt;&amp;hellip;&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=449" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/security/default.aspx">security</category><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/Social+Networking++_0900_security/default.aspx">Social Networking  	security</category><category domain="http://netfocus.baptie.com/blogs/quentyntaylor/archive/tags/_22200900_Social+Networking/default.aspx">•	Social Networking</category></item><item><title>The wrong type of loop</title><link>http://netfocus.baptie.com/blogs/davidlacey/archive/2012/03/06/the-wrong-type-of-loop.aspx</link><pubDate>Tue, 06 Mar 2012 16:46:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:448</guid><dc:creator>DavidLacey</dc:creator><slash:comments>1</slash:comments><description>&lt;p&gt;
&lt;p&gt;We all know that information security management only works if we &amp;quot;close the loop&amp;quot;, i.e. that telling people to do things does not work unless you check they are actually doing it. The problem is that for far too long we have been using the wrong type of loop.&lt;/p&gt;
&lt;p&gt;It started with ISO 27000 committee bureaucrats, who fell in love with the old-fashioned Deming loop of &amp;quot;Plan, Do, Check, Act&amp;quot;. This was long after leading US military strategists had fashioned the more relevant (to security) Boyd (&lt;a href="http://en.wikipedia.org/wiki/OODA_loop"&gt;OODA &lt;/a&gt;) loop of &amp;quot;Observe, Orient, Decide, Act&amp;quot;.&lt;/p&gt;
&lt;p&gt;Now you might think these two loops sound similar. But you would be wrong. In practice, applying the &lt;a href="http://en.wikipedia.org/wiki/PDCA"&gt;Deming cycle&lt;/a&gt; is painfully slow. It typically translates to an annual budget-driven cycle. Deming himself also preferred the word &amp;quot;study&amp;quot; to &amp;quot;check&amp;quot;, which suggests that we don&amp;#39;t spend enough time on it.&lt;/p&gt;
&lt;p&gt;But OODA is all about speed. It&amp;#39;s about highly competitive dogfights. It was inspired by the challenges in air combat in Vietnam. The trick is to design your environment to go faster than your opponent. And that&amp;#39;s exactly what we need to survive in a hostile environment where competitors are aiming to exploit our intellectual property, i.e. the modern business world.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;So let&amp;#39;s ditch PDCA and embrace OODA. It&amp;#39;s an entirely different philosophy, and one that we all need to adopt.&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=448" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/PDCA/default.aspx">PDCA</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/OODA/default.aspx">OODA</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/information+security+management/default.aspx">information security management</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/ISO+27000++information+security+management/default.aspx">ISO 27000  information security management</category><category domain="http://netfocus.baptie.com/blogs/davidlacey/archive/tags/ISO+27000/default.aspx">ISO 27000</category></item><item><title>Regulatory Bear Market alive and kicking</title><link>http://netfocus.baptie.com/blogs/stewartroom/archive/2012/03/07/regulatory-bear-market-alive-and-kicking.aspx</link><pubDate>Tue, 06 Mar 2012 16:35:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:447</guid><dc:creator>stewartroom</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p&gt;In my last book I wrote about the idea of the Regulatory Bear Market. I&amp;rsquo;ve blogged about it here before. To recap, a RBM is a time of negative sentiment that manifests itself through negative regulatory behaviours. It&amp;rsquo;s the regulatory equivalent of a financial bear market, the opposite of a bull market.&lt;/p&gt;
&lt;p&gt;Basically, you don&amp;rsquo;t want to see a RBM if you are a controller of personal data, because you&amp;rsquo;ll be at risk of &amp;ldquo;heavy touch&amp;rdquo; regulation.&lt;/p&gt;
&lt;p&gt;RBMs come and go. Generally speaking, they arise when there is heightened public interest in the subject matter of regulation, in this case privacy issues. The last RBM emerged after the Gov revealed the loss of the HMRC data disks in late 2007. It was over by 2009, when the new Info Commissioner was appointed, with his belief that &amp;ldquo;enlightened self interest&amp;rdquo; was the key driver to being compliant. Now he&amp;rsquo;s wielding a stick.&lt;/p&gt;
&lt;p&gt;This RBM emerged last year, in the wake of renewed public, press and political engagement with privacy issues consequent upon phase 2 of the NOTW phone hacking scandal.&lt;/p&gt;
&lt;p&gt;What you see in a RBM are clear indicators of a negative regulatory mindset, such as campaigning for new powers and penalties, heavy touch regulation and trumpeting of scalps.&lt;/p&gt;
&lt;p&gt;Check out the ICO website and you&amp;rsquo;ll see the evidence for yourself in recent press releases; calls for gaol sentences for blaggers, action against de minimis infringements (see the Durham Uni case) and boasting about the quantum of fines imposed (good news tax payers, they&amp;rsquo;ve topped &amp;pound;1m from public authorities).&lt;/p&gt;
&lt;p&gt;So, campaigning + heavy touch + rhetoric = RBM, with the catalyst being a high profile privacy event.&lt;/p&gt;
&lt;p&gt;There is more within the phenomenon, which I&amp;rsquo;ll write about in due course, but a key point is why does the RBM correct itself after a period of time? Essentially, this is because the RBM is conceptually, philosophically and legally flawed, so it collapses.&lt;/p&gt;
&lt;p&gt;But pending the return of equilibrium, data controllers need to be careful, alert and on their guard, because this RBM still has a while to run.&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=447" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/stewartroom/archive/tags/Regulatory+Bear+Market/default.aspx">Regulatory Bear Market</category></item><item><title>The CISO - reaching beyond technical </title><link>http://netfocus.baptie.com/blogs/symantec/archive/2012/02/27/the-ciso-reaching-beyond-technical.aspx</link><pubDate>Mon, 27 Feb 2012 12:24:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:434</guid><dc:creator>SJohn</dc:creator><slash:comments>1</slash:comments><description>&lt;p&gt;
&lt;p&gt;While we have been discussing the maturing of the IT industry for a number of years now, we are now finally beginning to see this happen. Information Technology is not now just an add-on to a company but an often indispensable part of doing business. On the rare occasion that as a consumer I find a company that doesn&amp;rsquo;t have an internet presence, I become frustrated at the lack of ability to research or find out more about them without having to use the phone. This change fundamentally means that IT is now a business problem - executives need to understand the high level benefits of technology and need their IT leaders to talk to them in business language about the impact of decisions.&lt;/p&gt;
&lt;p&gt;At the same time security is becoming a key business consideration with increased incidents and reporting of breaches, identity theft and regulatory scrutiny. This is leading to security being increasingly discussed at the executive level.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The result is that the CISO is moving from being a technologist within IT into a business executive who is able to discuss risks at an executive level, a similar move to that made by the CIO a few years ago. In today&amp;rsquo;s climate the key skill for a CISO is strong executive communication, good process and the ability to communicate at the highest levels about the risk. It is also important to show successful risk reduction programmes that demonstrate a measurable return on investment.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Historically, we&amp;rsquo;ve shied away from return on investment because of the lack of quantitative data around risk and threats to an organisation. It&amp;rsquo;s hard to demonstrate the value of a control that stops something happening, but this is because we have traditionally focused on the technical risk and how controls affect that, resulting in a difficulty in quantifying this.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;What CISOs are now doing is translating this into the impact on business risk and discussing how any programmes or actions are reducing the risk to an organisation and enabling businesses to take the steps they need with protection and connectivity. This has led to many CISOs now having more of a business or project delivery background than one of security technology.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The result of this is that many people are now suggesting that those with a technology background have no career progression into the CISO role. In my view, this shouldn&amp;rsquo;t necessarily be the case. However, someone with a technical background wishing to be a CISO needs to focus on their business, risk and communication skills as a key part of career development and may need to look at gaining business / project experience along the way. Then when they become a CISO they will be in a business rather than a technical role and mindset.&amp;nbsp;&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=434" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/symantec/archive/tags/it+security/default.aspx">it security</category><category domain="http://netfocus.baptie.com/blogs/symantec/archive/tags/CISO/default.aspx">CISO</category></item><item><title>‘C’ LOUD </title><link>http://netfocus.baptie.com/blogs/ianmoyse/archive/2012/02/27/c-loud.aspx</link><pubDate>Mon, 27 Feb 2012 11:00:00 GMT</pubDate><guid isPermaLink="false">a2495dd2-a4ec-4200-8bcf-16cfb4a529d7:433</guid><dc:creator>Ian Moyse</dc:creator><slash:comments>0</slash:comments><description>&lt;p&gt;
&lt;p&gt;The big C when it comes to Cloud for the Channel is Conflict. I have been presenting and visiting partners around Europe for the past several years and listening to the opinions and input from vendors, VARs, resellers, MSPs, ISPs and a variety of channels by varying name definitions, and one thing&amp;rsquo;s for sure: the Cloud has certainly stimulated debate.&lt;/p&gt;
&lt;p&gt;Whether it be concern, nervousness, confusion or mistrust, a lot of negative feelings have been generated in the channel by the C word. And yet there also are a growing number of channel cloud players, either from the traditional space finding their feet in Cloud solutions or thoroughbred new-born channels who focus only on cloud. Take a look at examples such as Cloudmore from Sweden, Outsourcery in the UK, Jamcracker out of the USA, SaaSplaza from the Netherlands and new entrant SaaSMax from the USA and you quickly get a vision of a new opportunity that is presenting itself for a regeneration of the channels to market as we have known them.&lt;/p&gt;
&lt;p&gt;We also see traditional distributors building cloud divisions; look at Ingram and Tech Data, both strategizing around cloud and formulating aggregation strategies to keep their hand in, as much of the revenue we have known to go through as product (software and hardware) sales is combining to be spent on single cloud solutions.&lt;/p&gt;
&lt;p&gt;Customers will buy cloud, not because of the term or the hype, but because of the business outcome and benefits it can bring, be they rapid turn it on availability, more resilience, more flexibility in a world of consumerisation and BYOD (Bring Your Own Device) or simply reduced cost of both implementation and on-going usage.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;It is therefore important that the channel between the vendors and the customer gets to grips with cloud solutions, terminology and the value propositions they can bring, and understands what they will need to adapt to in terms of selling, marketing, billing and their value to not only the customer in this new form factor, but also to the vendor. Shying away from this will leave the customer and vendor with no option but to both court and find each other. The more and longer cloud is resisted by the channel, the more pressure there will be on vendors who have heavily invested in cloud to push directly.&lt;/p&gt;
&lt;p&gt;As cloud solutions move towards more competitive and flexible billing there will of course be challenges for the traditional reseller approach, but these are not insurmountable if the adoption and adaptation to these starts now. Leave it too far down the path and the transition will be painful and like jumping off a cliff, rather than going down a gentle gradient as the landscape changes.&lt;/p&gt;
&lt;p&gt;There are already plenty of examples of pure play cloud resellers, oft newly started by employees made redundant and deciding now is the time to make their own path. They are growing fast with low cost overheads, no legacy renewals or worry about cannibalising existing business. Everything is upside to them and they are showing the example that cloud can be a reseller success and drive profitable revenue; different, agreed, but why discount it because of form factor and change?&lt;/p&gt;
&lt;p&gt;I still hear it asked often by Cloud Vendors, do we need a channel at all for cloud solutions, and also occasionally this is coming from a person with Channel firmly in their job title, a worrying trend. A belief that the world has changed overnight, cloud can only be sold direct, there is no need for a channel. Yes, in retail cloud has brought about change, and consumers are changing buying patterns, particularly the young. But still there is a place for the brick and mortar retailer. The supermarkets are booming; they have taken on more ranges, branching into videos, books, home appliances and even banking and insurance. Being able to adapt is key to survival and surely we, as an educated species, are capable of doing this when it comes to Cloud.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;What we will see for sure is a change of the go to market landscape. Traditional resellers may find themselves having new competitors in this arena. It will not necessarily be one of their reseller peers bidding against them but perhaps a Managed Service Provider (MSP), an Internet Services Provider (ISP) or a telecoms reseller bidding cloud as part of their monthly billing solution set. The Telco and Xsp type go to market channels are expanding into cloud for many reasons.&lt;/p&gt;
&lt;p&gt;Key is the fact that they already have the billing models and customer relationships in place. They already have customers who they bill monthly, for example for a range of services, and much like with mobile phones, where the market has expanded from the basic access contract to a variety of additional services such as TXT messaging, video download allowance, web browsing, roaming hotspot service etc., the providers are now seeking additional services which they can offer to their client relationships and billing cycles.&lt;/p&gt;
&lt;p&gt;Contrary to this, the IT market in general has historically been delivered on a supply and pay up front model. Cloud is changing the model to one where IT is delivered online in a periodic billing model and the value the channel brings is evolving. Telcos as part of this have a large base of customer relationships to leverage, the infrastructure and funds to build out cloud services and the billing tools and relationships to handle what customers will expect. IT channels are going to have to adapt to this as they find new competition from the Telco and Xsp space. Also we are likely to see an increase in Communication providers (those who provide telephony and the services and billing around this) and theoretically anyone who has a large spread of customer billing relationships; perhaps we will even see cloud services being sold through surprising channels down the line such as the supermarkets (perhaps selling cloud units, storage or credits much like mobile phone credits today). After all, go back 20 years and no one would have believed that you would be banking and insuring through this route to market.&lt;/p&gt;
&lt;p&gt;Cloud is here to stay, under whatever name you wish to call it (SaaS, Public, etc.) and customers will increasingly become comfortable with its form factor and delivery, and as this happens, if you as a channel have not given them enough value to buy it through you, the likelihood is they won&amp;rsquo;t. Leverage your customer relationships now, talk to your clients about this new arena, educate yourself and work out the sweet spot for you and execute against it.&lt;/p&gt;
&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://netfocus.baptie.com/aggbug.aspx?PostID=433" width="1" height="1"&gt;</description><category domain="http://netfocus.baptie.com/blogs/ianmoyse/archive/tags/it+security/default.aspx">it security</category><category domain="http://netfocus.baptie.com/blogs/ianmoyse/archive/tags/could/default.aspx">could</category></item></channel></rss>
