So you think your clouds are private?

A recent conversation with a security analyst made me think about the convergence of the increasing number of personal computing devices (including the iPad I’m writing this on) and the explosion of cloud services.

As a company or organisation trying to protect your data you have an interesting landscape to protect.

You have the full range of cloud services your business is signing up to, and a responsibility to make sure those providers protect your data as well as you would. You need to make sure those providers give you appropriate access to the data for investigations and compliance requests. And you hope you are not caught in some sort of collateral damage from other lodgers on the same servers, who have a different view of compliance and security.

And you have the mass proliferation of new personal mobile devices, which means your data is now replicating across these often insecure, unmanaged environments. Everyone’s getting mobile – smart-phones, iPads, home working – and, for the first time ever, buying their own devices to do it. And they want connectivity to your systems for often very valid business reasons. So how do you control devices that access your systems but you don’t own?

And what struck me today was how poor these devices are as computing platforms in themselves.

An iPad or smartphone is not a great creator of spreadsheets and PowerPoints, nor, importantly, is it a great information storage device or file manager. To make them sing you need to add apps and services. Apple and others have turned a deficiency into a money making opportunity – respect!

If I look at mine, I use a file store (Dropbox), a note taking app (Evernote), a to do manager (Toodledo) and more. And what do these applications encourage? A cloud service to make them work well across your estate of computing devices (laptops, desktops, tablets and smart phones). So what do I end up doing? Putting my data into cloud services that my IT department has never reviewed and has no knowledge of, with no real understanding of the security these services provide.

Security is more of an issue with these app cloud services than social networking sites as they focus on files not conversations. Yes, you will upload pictures to Facebook, but you wouldn’t upload work spreadsheets to share with your friends, would you? But Dropbox and its other productivity app companions encourage file storage, as it makes their solution more indispensable and they can sell you premium options and greater storage capacity.

So what does my IT security now have to cope with? Contracted cloud services, personal devices and a vast uncontracted personal cloud. A file ITSec believe is company confidential could be everywhere, including well out of reach and unrecoverable, in a personal cloud they know nothing about.

Security is not getting easier and it’s running out of (your) control.

Posted in cyber

1 out of every 14 programs downloaded is malware

I’ve been in IT for over 30 years and started as a developer back in the old Cobol days (and if that doesn’t date me….), so my wife’s family think I know what I’m talking about and understand the intricacies of all computers and technology.

So every time I visit her parents, a moment will occur when someone subtly (!) drops the latest computer mystery into the conversation and it’s roll-up-your-sleeves time to debug my mother-in-law’s computer.

I’ve had botnets, trojans, IE virtually unusable because it’s got 10 toolbars, 6 browsers on the desktop (some in foreign languages), strange home pages – the lot.

And my constant question: why did you download this? And the constant answer? I didn’t!

And she believes it. She doesn’t understand the technology, she believes in the goodness of the computer and when it asks “do you want to …” she thinks it’s polite to say yes, even when she does not know what that “yes” means. So her computer gets populated with a load of rubbish – and worse.

A recent Microsoft blog shows that 1 in 14 program downloads are malicious http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx and that downloads are becoming a vector of choice as browsers become more robust, patching gets better, security is better developed inside software and potential exploits reduce.

So what can we do? Guidance recently surveyed the user community and found a singular lack of IT security training and we must do more there – it’s the only real way forward as insider threats begin to dominate.

Would that help my mother-in-law? What do you think!

Posted in cyber

eDiscovery shouldn’t be this hard

In a recent US court case one party seemed to find the eDiscovery process so hard / complex / time consuming that they ended up being slapped by the court http://abovethelaw.com/2011/05/d-c-lawyers-screw-up-e-discovery-so-badly-it%E2%80%99s-literally-unheard-of/

So what’s so complex? Often the complexity is because people use old-fashioned mechanisms to control the data. They rely on slow manual procedures, massive over-collection and expensive external resources. eDiscovery success should not be based on how long you can delay nor how big you can make it.

Modern in-house (or even the quality end of out-sourced) eDiscovery practice is aimed at getting to the key data, from the key stakeholders, quickly and concisely. It should provide some quality pre-collection analytics that enable you to size the collection (to ensure it’s not ridiculously big or small), to collect automatically and forensically (so you’re sure it will stand up to scrutiny) and to give you early review of the collected and processed data (so you quickly know what’s happening and can end the litigation early).

And if you don’t take advantage of current eDiscovery processes…. prepare for the slapping and the concomitant costs.

Posted in eDiscovery

Stuxnet goes to Vanity Fair

A great review of the probable history and background to Stuxnet in, of all things, Vanity Fair http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104.

It’s a well-researched thriller of a story and highlights 2 key aspects:

1. how targeted and dangerous this attack could be.

2. how difficult it is to really attribute it.

I think the second is the more interesting point and is the spur behind governments investing in Cyber Defence and Attack. Even an attack as well researched as this is attributed by supposition not fact. Dates of when the code was written, internal code names etc all point in particular directions but could be false markers.

In real CSI style, there are no actual fingerprints, and even a comment in the code of “brought to you by Israeli Intelligence” would be meaningless as it’s just code and anyone could have written it. Tracing the origination back to a country or IP or location is also meaningless as all it takes is someone to go to the country, sign on to a local ISP and upload and you’re done. And in fact they probably don’t need to go to the country.

So all you’re left with in true thriller style is motive. And in the Machiavellian world of international relations, good luck on knowing who’s doing what to whom, and why.

Posted in cyber

Donate those PCs securely

It was disappointing to see that the valid security concerns of many organisations are increasing the tendency to destroy computing assets. http://www.channelweb.co.uk/crn-uk/news/2035623/security-fears-hamper-reuse

Reuse in most cases is not reuse within a business but donation (or low cost sale) of those devices to deserving causes – local schools or to the developing world. Having seen, in my last job, the real difference the availability of computers makes to children in Africa it would be devastating if that avenue is closed off.

My advice would be to engage with a good charitable provider, investigate their cleaning processes and make a difference with your old kit.

One I like (as I’ve seen the great work they do in Africa) is Computer Aid International http://www.computeraid.org/. They are professional, organised and experienced. They commit to the appropriate cleaning – check them out.

Security is important, but security should not be an excuse not to do the right thing. Sure, maybe some PCs are full of too much secure data to take any risk but that’s not the case for your entire estate. Take that extra step to make a difference to disadvantaged children and families and donate (carefully).

Posted in Uncategorized

Progress on UK Cyber defence

News that a senior army general has been appointed to take charge of Britain’s £650m cyber security defence programme is a positive sign in the progression of the Government’s approach. http://www.scmagazineuk.com/government-moves-forward-on-cyber-crime-strategy/article/198523/

It’s another key step in their efforts to bolster protection, and whilst there is no detail on all the measures that are being taken, it does signal the seriousness with which the cyber crime threats are being taken.

The Armed Forces minister Nick Harvey has also said that the MoD is developing a joint approach with industry and co-operation will be vital in strengthening defences. We have to remember that we’re dealing with cyber criminals who are becoming increasingly skilled in evading detection – a collaborative approach between public and private sectors will be vital to mitigate these new threats.

What we must remember though is that while Government initiatives can help set the agenda, they can’t protect all of the country or all of the businesses in it. “The government cannot and should not attempt to tackle this issue by itself,” Harvey said. I think the emphasis here is on the “cannot”.

The joint approach, if successful in moving beyond just talking about it, will also bring significant benefits in threat awareness levels, education and common threat response approaches. However one big challenge with this holistic theme is that some attacks are just too targeted to trigger the “sensors” on many different systems that a nationwide monitoring system might need to “see” the threat.

If someone is targeting just one bank or just one electricity company the noise that threat makes will be very low level nationally and requires the bank or electricity company to make sure its house is in order to respond or counter the threat – not the government.

So whilst these announcements are in fact progress, they do not remove the need for individual companies to protect themselves from these increasingly morphic or evasive threats we see coming.

Posted in cyber

Disorder in the cloud?

The ISF have just published a helpful report on how to avoid pitfalls in taking to cloud computing. Many very sensible “sins” are exposed: https://www.securityforum.org/userfiles/public/ISF_Cloud_computing_flyer.pdf

Sin no. 5, Disorder, is of particular interest to me:

• SIN – information placed in the cloud is not classified correctly, stored appropriately or destroyed completely.

• ISSUES – inappropriate data ends up being stored on third parties’ systems, without formalised access control procedures. For highly regulated industries, it becomes difficult to identify and prove what users are doing.

• ACTION – organisations should classify and assess data before it is moved to the cloud, and should ensure that access control procedures deliver the level of assurance required.

We see many organisations looking at the cloud for its upfront cost benefit. The challenge from an electronic investigation perspective is this disorder.

Who owns the data? How forensic can searches of that data be? How expensive are they in the cloud? How can you ensure your data retention policies are embraced? How can you prove in a court of law that you’ve disclosed it all? How can you truly identify who did what to whom? Many issues that require upfront planning and, importantly, contractual clarity.

Cloud computing, like almost every IT initiative, can bring significant benefits but, like every IT initiative, should not be adopted on blind faith without significant due diligence across the entire spectrum of need, not just cost.

Posted in eDiscovery

In-house eDiscovery reported as key trend

An interesting article that reinforces a trend we are seeing pick up in the UK http://www.enterprisestorageforum.com/management/article.php/3927986/The-Top-Six-Trends-in-eDiscovery.htm namely in-house eDiscovery.

The article highlights 2 parallel elements of the trend:

1. In-house eDiscovery itself, whereby companies are finding the cost and control of in-house collections and early case assessment is a practical and much more productive solution.

2. The reaction of the outsourcers to that emerging position. Some are modifying their pricing structures so they are more in line with the in-house costs and some are even taking it further and embracing the in-house route by encouraging their customers to perform the collections and early stage analysis in-house and focusing on the latter stage full review and production elements.

The cost argument for in-house is hard to refute. You only need to be dealing with a few major matters to be able to pay off any investment in under 12 months and what’s more the in-house capability allows you to respond quicker and earlier to potential issues – big and small.

Posted in eDiscovery

Forensics and incident response key to minimise cost of data breaches

A recent study http://www.infoworld.com/t/security/how-not-handle-data-breach-992?source=footer shows that organisations who react before they understand the significance of a security event get hurt.

It’s becoming more obvious that the clever companies expect the breaches to happen (who thinks defence-in-depth is 100% secure?) and plan for that eventuality. And the first step in that plan is to define an incident response structure (people, process and tools) that allows you to quickly understand what’s happened, how far it’s spread, what damage is caused and stop it.

The old adage of “you can’t manage what you can’t measure” is old but still an adage – a basic truth. And without that first measured response structure, how can you possibly hope to manage the incident?

Another valuable point in the article is the need for forensics. This ties back into the incident response as these breaches are becoming more sophisticated and stealthy. Advanced Persistent or Evasion Threats (APT or AET) hide so well that you need to really get under the covers to find them. Forensic tools are key to that deep dive.

Posted in Incident Response

UK Critical infrastructure defence

Last month saw the UK Government start to enlist the private sector to combine cyber defense responses http://www.telegraph.co.uk/technology/8366810/GCHQ-aims-to-protect-critical-private-networks-from-hackers.html

The issue has become more significant recently with the realisation that infrastructure networks beyond the military are terrorist targets and that, with examples like Stuxnet out there, they will be attacked. The potential for harm or disruption is significant.

Anything that helps protect against this increased threat to critical infrastructure is a good thing, but for it to work, and importantly, for it to be accepted, there must be significant oversight to protect individual freedoms and privacy.

A quick first step in protecting critical infrastructure would be increased, and more open, sharing and communication of threats. Security services and commercial organisations should keep each other apprised of increasing risks or known threats and work on early warning systems of potential threats.

But public perception is a concern. The last 10 years has seen the state become more “intrusive” in electronic communications and the public is nervous of that intrusion into their private lives no matter how innocent. So selling this to the public is key.

One aspect to reflect on is that for the system to work, sensors need to be implanted in the private infrastructure networks and one question to ask is “who owns the sensors”? Are they security service owned or are they owned by the private networks themselves? There would probably be more acceptance of commercially owned sensors that provide a known and managed feed to the security services as opposed to the security services having sensors they own and collecting who knows what data.

 

Posted in cyber