FREE WITH YOUR COPY OF CHIEF TECHNOLOGY OFFICER FORUM
A 9.9 Media Publication

COVER STORY: NEW FACE OF INFORMATION SECURITY. Security must evolve with new business models and must be operationalised to reap proper benefits. PAGE 05
IN-SHORT: The Dirty Dozen. PAGE 03
IN-PERSON: Security in Social Space. PAGE 04
OPINION: DR vs. BCP. PAGE 07
IN-SHORT

First Encryption Products from Dell in the Market

TO HELP customers simplify data protection and comply with security regulations, Dell has announced Dell Data Protection/Encryption, a flexible, manageable and auditable endpoint encryption solution. The solution is designed to help companies protect endpoint devices, which serve as the "front door" to sensitive information. With the increase in and rising cost of data breaches, private and public-sector organisations are being forced to re-evaluate endpoint device policies. In fact, more than 14 million records have been exposed and 575 data breaches have been documented in 2010. The cost of each data breach in the U.S. can be up to $6.75 million. Dell Data Protection/Encryption is an intelligent file-based encryption solution that is designed to protect data on laptops and desktops, as well as external media, in case of loss or theft. The solution includes centralised management and comprehensive reporting that enables an organisation's IT department to detect devices that need encryption.

Benefits
- Easy deployment and integration into heterogeneous IT environments (Dell and non-Dell systems) with support for existing authentication and patching processes.
- Quick recovery of systems with errors by avoiding a multi-step, time-consuming process of decrypting, transporting data and re-encrypting.
- One solution to encrypt data on the disk, plus removable media such as USB thumb drives, external hard drives, eSATA drives, 1394 devices, optical storage and Secure Digital (SD).
- Pre-set policy templates to provide an easy starting point for compliance management and maintenance.

Data Briefing: 52% of data-stealing attacks were done over the Web.

CSO FORUM 21 NOVEMBER 2010

Chrome, Safari, MS Office top 'dirty dozen' list

The Google Chrome browser has been named the most vulnerable application on the "Dirty Dozen" list of the 12 applications with the most discovered software flaws requiring security updates and notifications from January to October 2010. The annual "Dirty Dozen" list, compiled by security vendor Bit9 from information available in the National Institute of Standards and Technology's public National Vulnerability Database (NVD), puts Google Chrome in the top spot with 76 reported vulnerabilities. The second spot is held by the Apple Safari browser at 60 reported vulnerabilities, while MS Office was at number three with 57. The rest of the "Dirty Dozen" ranking is as follows:

4. Adobe Acrobat - 54
5. Mozilla Firefox - 51
6. Sun JDK - 36
7. Adobe Shockwave Player - 35
8. Internet Explorer - 32
9. RealPlayer - 14
10. Apple WebKit - 9
11. Adobe Flash Player - 8
12. Apple QuickTime and the Opera web browser (tied) - 6

The ranking counts vulnerabilities disclosed and recorded in the NVD during the period; it does not weight them by severity or by whether they were exploited, so a product's position reflects disclosure volume and research attention as much as its relative risk.
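The list above is a count of NVD entries per product inside a date window, ranked with ties sharing a place. The following Python script, added here as an illustration and not part of the Bit9 report or of any NVD tooling, reproduces that method on a small constructed sample and sets a severity-filtered ranking beside it to show how the two orderings can differ. The record shape (CVE id, product, published date, CVSS base score), the product names, the dates and the scores are all assumptions made up for the example; they are not real CVE data and the shape is not the NVD's feed format.

```python
"""Rank products by the number of vulnerabilities disclosed in a date window.

Added example reproducing the counting method behind the Bit9 "Dirty Dozen"
list (NVD entries per application, January to October 2010). This is not
Bit9's code and does not read the real NVD feed: RECORDS is a constructed
sample in a simplified shape, and every CVE id, product and score in it is
made up for the illustration.
"""
from datetime import date

# Constructed sample: (cve_id, product, published, cvss_base_score).
# Two entries fall outside the Jan-Oct 2010 window and must not be counted.
RECORDS = [
    ("CVE-2010-0001", "Browser A", date(2010, 1, 14), 7.5),
    ("CVE-2010-0002", "Browser A", date(2010, 3, 2), 4.3),
    ("CVE-2010-0003", "Browser A", date(2010, 6, 9), 5.0),
    ("CVE-2010-0004", "Browser A", date(2010, 9, 21), 4.3),
    ("CVE-2010-0005", "Reader B", date(2010, 2, 11), 9.3),
    ("CVE-2010-0006", "Reader B", date(2010, 7, 30), 10.0),
    ("CVE-2010-0007", "Reader B", date(2010, 10, 5), 9.3),
    ("CVE-2010-0008", "Player C", date(2010, 5, 1), 6.8),
    ("CVE-2010-0009", "Player C", date(2010, 11, 3), 9.3),   # after window
    ("CVE-2009-9999", "Player C", date(2009, 12, 20), 7.2),  # before window
    ("CVE-2010-0010", "Plugin D", date(2010, 4, 4), 4.0),
]

START, END = date(2010, 1, 1), date(2010, 10, 31)   # inclusive window


def _tally(records, start, end, counted):
    """Count, per product seen in the window, the records for which
    counted(score) is true. Products with zero matches stay in the table
    so a severity filter can show a product dropping to zero."""
    counts = {}
    for _cve, product, published, score in records:
        if not (start <= published <= end):
            continue
        counts.setdefault(product, 0)
        if counted(score):
            counts[product] += 1
    # Highest count first; ties broken alphabetically so output is stable.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def rank_by_count(records, start=START, end=END):
    """Raw disclosure count per product, the Dirty Dozen's method."""
    return _tally(records, start, end, lambda score: True)


def rank_by_severity(records, start=START, end=END, threshold=7.0):
    """Same count restricted to entries with CVSS base >= threshold."""
    return _tally(records, start, end, lambda score: score >= threshold)


def assign_ranks(ranked):
    """Turn [(product, count), ...] sorted descending into
    [(rank, product, count), ...] where equal counts share a rank,
    as the list does for its tied twelfth place."""
    out = []
    prev_count, prev_rank = None, 0
    for position, (product, count) in enumerate(ranked, start=1):
        rank = prev_rank if count == prev_count else position
        out.append((rank, product, count))
        prev_count, prev_rank = count, rank
    return out


def report(records=RECORDS, start=START, end=END, threshold=7.0):
    """Both rankings side by side, for comparison."""
    return {
        "by_count": assign_ranks(rank_by_count(records, start, end)),
        "by_high_severity": assign_ranks(
            rank_by_severity(records, start, end, threshold)),
    }


if __name__ == "__main__":
    for title, rows in report().items():
        print(title)
        for rank, product, n in rows:
            print(f"  {rank:2d}. {product} - {n}")
```

On the sample, "Browser A" leads by raw count with four entries while "Reader B" has three, but once only CVSS 7.0 and above are counted "Reader B" leads three to one and the two low-severity products tie at zero. That inversion is the reason to read a count-based list as a measure of disclosure volume rather than of exposure.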
IN-SHORT
Indian Tech Companies Highest on Risk Management

MARSH INDIA, risk advisors and insurance brokers, has said that compared to other sectors and industry verticals, risk management in Indian technology companies has gained significant importance and has emerged as one of the highest priorities for the C-suite. According to Marsh, regulatory changes in the western world, especially those related to privacy and data security, have made it mandatory for most Indian tech companies to have a robust and formally documented risk management plan. In fact, for many companies this risk management plan goes beyond the management of operational risks and focuses on business continuity and issues like succession planning as well. Marsh India has monitored emerging trends and broad themes related to risk and insurance among Indian technology companies over the last year; the following findings were highlighted at the technology conference:

- Risk management has moved up the agenda at the most senior level; risk management functions are being used as differentiators when pitching for customer contracts, and many companies now have a formal position of Chief Risk Officer reporting to the board.
- Risk is being more formally and objectively addressed at board meetings and in other forums.
- A majority of companies have reviewed their approach to risk because of the downturn and are keen to replicate global best practices, and in some cases pioneer them in India.
- Customer, supplier and credit/political risk have moved from being among the lowest to the top risks being monitored by many Indian technology companies.
- Following the Satyam incident, there is an increased emphasis on corporate governance, disclosures and transparency beyond what is mandated by the different regulations or listing requirements.
- Regulatory changes, especially in the US, UK and EU, are driving many companies to re-examine how they do business. Some of these, like the US healthcare HITECH Act, could be a blessing in disguise that some outsourcing companies are gearing up to capitalise on.
- New technologies, or developments in older ones such as the cloud, social networking and open source, spell opportunity but are also throwing up risk-related challenges for technology firms in India.
Security Implications of New Facebook Email Service

FACEBOOK has announced its new email service, which brings together Facebook messages, instant messaging chat and SMS messages in one place. Following this news, Sophos has produced an FAQ guide to help users understand the implications for security before they sign up. "Before signing up, users need to realise that these new features increase the attack surface on the Facebook platform, and make personal accounts all the more alluring for cybercriminals to break into," said Graham Cluley, Senior Technology Consultant at Sophos. "Facebook accounts will now be linked with many more people in the users' social circles, opening up new opportunities for identity fraudsters to launch attacks."

Sophos notes that cybercriminals are compromising the accounts of Facebook users and using those accounts to spread spam messages. Spam sent via social networks can be more effective than traditional email spam, as users are more likely to open and trust a message which appears to have been sent by someone they know, one of their Facebook friends. Users will need to take greater care of the security of their Facebook account than ever before. Keeping security up to date on computers, policing which applications link with their Facebook profile, and choosing sensible, unique, hard-to-crack passwords will be essential.

The detailed FAQ is available at http://nakedsecurity.sophos.com/2010/11/15/faq.
IN-PERSON

Security in Social Space

Ben Rothke, Senior Security Consultant for BT Global Services, spoke to Anthony M. Freed, Managing Editor of Infosec Island, on social networks and their impact on information security.

How can companies fairly differentiate employee social networking activities from those of the business?

For the most part, it is about awareness and strategy. Companies must take an even-handed approach. If they come down too hard, they will alienate trusted employees, and may in fact be prohibiting them from exercising their Constitutional right to free speech. But when those doing the blogging are senior executives, board members, those that can officially speak for the firm, then that requires a different approach. It all comes down to effective and clear social networking guidelines. Without those guidelines, data breaches are inevitable. Also, those guidelines have to include the entire spectrum of social networking: from blogs, wikis and social networks to virtual worlds and other social media forms.

What about social media outlets like LinkedIn and Plaxo that blur the line between private and professional networking activities?

In fact, since they are more business oriented, greater awareness is required. On Facebook, someone may ask you what your favorite movie is. On LinkedIn, they will ask you about corporate direction, R&D, merger activity, etc. Companies need to know that they shouldn't shun social media for fear of bad end-user behavior. They need to anticipate it and formulate a multilevel approach to policies for effective governance of social media.

If employees are encouraged to set up and utilise social media accounts while "on the clock", who ultimately owns the social media account?

It depends on how the firm words its social media guidelines and policies. Clear guidelines and policies, reinforced in awareness training, will remove any ambiguity and protect the firm's proprietary content and intellectual property. Firms that don't have such wording in their social networking guidelines may find their legal recourse is limited.

Can an enterprise with thousands of employees reasonably expect to be able to protect itself from risks due to the aggregation of critical proprietary information exposed via its employees' social networking activities?

Companies that understand the risks and benefits can do that. These companies have no qualms about giving hundreds or even thousands of employees expensive laptops. But the issue of aggregation is something that should not be ignored. The power of aggregation and data correlation is that seemingly trivial and irrelevant bits of information can get collected to form a large information set. It all comes down to training, awareness, management and monitoring. Companies that are in control of those four areas are able to maximize the benefits of social networking, while controlling the risks.
COVER STORY

THE NEW FACE OF SECURITY

Security must evolve with new business models and must be operationalised to reap proper benefits. By Amrit Williams
THERE is a dull hum permeating the industry of late: security is dead, some say; others think it too costly to maintain; others still believe that what is needed is a change of perspective, perhaps a radical shift in how we approach the problem. What underlies all of these positions is a belief that the status quo is woefully ineffective and that the industry is slated for self-destruction or, as a whole, we will succumb to a digital catastrophe that would have been avoided if only we had just... well, just done something different from whatever it is we are doing at the time something bad happens. As we go round and round on the never-ending hamster wheels provided as best-practice guidelines and security frameworks by security vendors, consultants and pundits, we find ourselves trapped in an OODA loop that will forever deny us victory against malicious actors, because we will never become faster or more agile than our opponents. But to believe one can win implies that there is an end that can be obtained, a victory that can be held high as a guiding light for all those trapped in eternal security darkness. We are as secure as we need to be at any given moment, until we are no longer so; when that happens, regardless of what you may believe, is outside of our control.

One of the biggest trends in security over the past 5-6 years has been its movement into mainstream IT. Traditionally, IT security has been seen as outside of normal business processes. Organisations tended to react, driven by a security incident or compromise, an audit or compliance event, or perceived changes in the threat landscape. For the most part security has been, and still is, an afterthought.

There is little doubt that security lags innovation. For example, the concept and delivery of cloud computing was introduced, and only then was it realised that the lack of security, real and perceived, especially as it relates to visibility and control, was a huge inhibitor to adoption. The same is true for mobility: today many organisations are seeing their employees adopt shiny new consumer computing devices, like the iPhone and iPad, and request access to corporate resources, yet most organisations are still struggling with managing and securing traditional computing assets, such as PCs and servers, and there is limited enterprise-class support for these new devices.

For the most part security can only inform; rarely does it effect change. That job is left to the operational teams that must reconfigure a network device, harden a database, patch a workstation or disable services. Most security professionals lack an understanding of the operational environment they work within, and they lack the ability to modify that environment even if they did. So why do security professionals spend so little time understanding their role within an organisation?

The fundamental problem with security today is that it is not part of the operational lifecycle of IT, and until we can integrate security into every element's lifecycle we will forever be left implementing security as an afterthought, or bolting it on once we experience a compromise or undergo a TSA-like groping of our networks from an auditor. Security must be operationalised; it must become part of the lifecycle of everything IT. This is the theme for 2011: "Operationalising Security".

- To experience widespread and mainstream adoption, security technologies must be operationalised.
- To become operationalised, security technologies must become integrated as a part of an element's lifecycle.
- To become part of an element's operational lifecycle, security technology must provide output that is operationally actionable, be integrated within the broader operational ecosystem, and support current operational processes.

Amrit Williams has over 18 years of experience in IT, security, and risk management.

THE CLOUD NEEDS MORE SECURITY & LOWER PRICES

Another survey has found a sharp increase over the last year in enterprises' plans to migrate toward cloud computing, and this one adds better pricing to tighter security as a major obstacle hindering faster adoption. The Tech Pulse survey by Boston market research firm Chadwick Martin Bailey found 28 percent of 247 survey respondents polled in August had aggressive plans to move to the cloud. A similar poll in early 2009 found 15 percent reporting similar plans. In a measure of how aggressive these plans are, the survey said respondents expected to more than double the workload running on cloud architecture within the next two years.

"We're now seeing that all the industry marketing dollars spent on promoting cloud computing have started to actually move the needle," says Chris Neal, vice president of Chadwick Martin Bailey's technology and telecom practice. But security concerns continue to keep that needle from swinging too wildly. In this poll, 32 percent of respondents cited security as a top concern with the cloud. That was nearly double the popularity of the next-biggest issue, better pricing from cloud suppliers, cited by 17 percent. Reliability came much lower on the list, cited as a top concern by just 7 percent.

Security was the big reason for another finding, namely that IT departments favor internal cloud solutions over external cloud solutions, the survey found. Another reason is that IT professionals find the skill level of their current channel partners lacking when it comes to cloud-based solutions. Most (54 percent) indicated that current channel partners need additional training to support a transition to the cloud. Another 12 percent feel current channel partners are "not at all prepared" to help with their organisation's move to cloud computing.
OPINION BY DEJAN KOSUTIC www.kosutic.eu

THE AUTHOR IS an expert in information security management (ISO 27001) and business continuity management (BS 25999-2).

Disaster Recovery versus Business Continuity

HAS IT ever happened to you that your management has given you the responsibility to implement business continuity just because you are in the IT department? Why is business continuity usually identified with IT? Probably because business continuity has its roots in disaster recovery (DR), and DR is all about IT. Twenty or thirty years ago business continuity (BC) did not exist as a concept, but DR did; the main concern was how to save the data if a disaster struck. At that time it was very popular to purchase expensive equipment and place it at a remote location so that all the important data of an organisation would be preserved if, for instance, an earthquake occurred. Not only preserved, but also processed with more or less the same capacity as at the main location. But after a while it was realised: what use would the data be if there were no business operations to use it? This was how the business continuity idea was born. Its purpose is to enable the business to keep going, even in the event of a major disruption.

Definitions
Let's take a look at the definitions. Business continuity is the "strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level" (BS 25999-2:2007), while DR is "the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster" (Wikipedia.org). As you can see from the definitions, the emphasis in DR is on technology, while in BC it is on business operations. Therefore, DR is part of business continuity; you might consider it one of the main enablers of business operations, or the technological part of business continuity. However, you may have noticed something else too: the definition of BC is quoted from BS 25999-2, the leading standard on business continuity management, while the definition of DR is quoted from Wikipedia. In fact, "business continuity" is an official term recognised in standards, while "disaster recovery" is not.

Implications for implementation
So why is it a bad idea for an IT department to implement business continuity for the whole organisation? Because business continuity is primarily a business issue, not an IT issue. If the IT department were implementing business continuity for the whole organisation, it would be able to define neither the criticality of business activities nor the criticality of information. Further, it is questionable whether it would get commitment from the business parts of the organisation. The best way to organise the implementation of BC is for the business side to lead such a project. This is how you achieve greater awareness and acceptance across all parts of the organisation. The IT department should play its role in such a project, and a key role it is: to prepare the DR plans.
OPINION BY DANNY LIEBERMAN www.dannylieberman.info

THE AUTHOR IS a serial technology innovator and leader, implementing ideas from brain to business.

What is Security?

SECURITY is not just about awareness. A lot of folks talk about the people factor and how investing in security awareness training is key for data protection. I think that investing in formal security awareness training, internal advertising campaigns and all kinds of fancy booklets and cards for employees is a waste of time and money. I prefer a CEO who says "Here are my four rules" and tells the staff to abide by them, who tells direct reports to abide by them, until it trickles down to the people at the front desk. Making common-sense security part of the performance review is more effective than posters and HR training. Security from this perspective is indeed an exercise in leadership. Unfortunately, in many organisations the management board sees itself as exempt from the information security rules that it demands of its middle managers and employees.

Security doesn't improve your bottom line
Have you ever asked yourself why security is so hard to sell? There are two reasons.
1) Security is complex stuff, and it's hard to sell stuff people don't understand.
2) Security is about mitigating the impact of an event that might not happen, not about making the business operation more effective.

Note a curious trait of human behaviour (formalised in prospect theory, developed by Daniel Kahneman and Amos Tversky in 1979): people, including the managers who buy security, are risk-averse over prospects involving gains, but risk-seeking over prospects involving losses. In other words, a CEO would rather take the risk of a data breach (which might be high impact, but low probability) than invest in DLP technology that he does not understand. Managers are not stupid. They know what needs to be done to make more money or survive in a downturn. If it's making payroll or getting a machine that makes widgets faster for less money, you can be sure the CEO will sign off on making payroll and buying the machine before she invests in that important DLP system. Since almost no company actually maintains security metrics and the cost of its assets and security portfolio in order to track 'Value at Risk' against the security portfolio over time, a hypothesis of return on security investment (RoSI) cannot be proven. Indeed, the converse is true: judging by the behaviour of most companies, they do not believe that security saves them money.

So what is security?
It's like the brakes on your car. You would not get into a car without brakes or with faulty brakes. But brakes are a safety feature, not a vehicle function that improves kilometres per litre. It's clear that a driver with a lighter foot on the brakes will get better mileage and, continuing the analogy, perhaps spending less money on security technology and more on security professionals will get you better RoSI. Challenge your assumptions about what makes for effective security in your organisation. Is enterprise security really about multiple networks and multiple firewalls with thousands of rules? Perhaps a simpler firewall configuration in a consolidated enterprise network is more secure and cheaper to operate?

Danny Lieberman is a serial technology innovator and leader. Danny's data security business, Software Associate (Israel), provides enterprise information protection to clients in Europe and the Middle East.