Monday 29 June 2009

The UK's cyberspace initiative

The creation of the cyber security operations unit by the British government is a necessary and positive step in combating all forms of cyber threats. We work and live in a world in which our most personal information has gone digital, and this initiative points to the importance of a centralized approach to protection, spanning citizens, government and industry.

There are also economic considerations that this initiative addresses. In the UK, for example, more than £50 billion is spent online every year and 90% of high street purchases are made using electronic transactions.

There will be much debate as to the validity of the threats and the forms they will take; however, as members of the security industry, we know that these threats can always be more devastating and widespread than even the popular imagination suggests.

By placing the protection of "digital Britain" in the hands of the government, we are showing a united front against cyber-criminals, cyber-terrorists and the run of the mill hackers who pose a threat to our information systems and personal data. As we commend the government for taking this bold and necessary step, we would like to remind them of a lesson that industry has learned over the past few years: threats come from internal and external sources. So, a "defend the perimeter" approach will leave valuable assets unprotected.

The government should look at the threat matrix holistically, starting from the databases that hold information, to the individuals that access it, through the networks that carry the data, to the perimeter. This "ground-up" approach will ensure that we are well protected at every turn.

Tuesday 16 June 2009

View from the Tower

Today, the TowerGroup has suggested the financial services industry stands on the losing side of the battle to protect consumer data. TowerGroup analyst George Tubin believes that the majority of data within financial services institutions has been or will be compromised, because proper data protection measures continue to be overlooked. With Heartland, RBS WorldPay, CheckFree and BNY Mellon Shareowner Services making headlines with major breaches in recent months, it all suggests the industry needs to make data protection a higher priority.

Consumer anger, embarrassing headlines and the threat of legislative involvement have not stopped data breaches in the financial services industry, and nor could they, sadly. In this turbulent economy, the last thing the industry would say it needs is legislative action or another protection standard to contend with, but it should take the past four months as a very serious wake-up call if it is to avoid these outcomes. These companies need to re-evaluate how they protect and store data. With each breach, mandatory legislation moves a step closer. The irony is that, as we have seen with PCI-DSS, these standards bring more cost and headache than protection. The industry cannot afford this on many levels. Any financial services firm that is not evaluating its data protection measures with a forward-looking plan in place therefore brings the industry closer to a mandatory protection standard.

Paul Davie

Thursday 11 June 2009

Careless Talk - Part 2

Earlier this week, the Internet buzzed with rumors about a hack at T-Mobile when the alleged hacker posted information on the security forum Full Disclosure. T-Mobile has now confirmed that the posted information is from one of its documents, but it denies that the information was obtained through a hack and says that no customer information was compromised. This is great news for the company. It's even better news for their customers. But it also points to the most common threat to an organization’s data: the corporate insider.

We have no knowledge of how this information was obtained at T-Mobile, but in an industry that has many employees, contractors, third-party suppliers and partners all with access to a wealth of customer data, it should be no surprise that an insider is very likely involved. It was predicted. Telecommunications service providers have long taken the “defend the edge” approach to security, with a focus on keeping threats off the network. This makes it more difficult to monitor and block an insider from accessing information. All carriers should assume that their data is under scrutiny from the inside as well as the outside, and take this week’s happenings as a call to action.

Paul Davie

Monday 8 June 2009

Careless Talk

Reports are emerging today of a suspected breach on T-Mobile’s network, with hackers offering to sell customer and financial data to the highest bidder. Since Saturday, security analysts and T-Mobile have been trying to verify the breach and to determine exactly the type and amount of data compromised. What makes this potential breach especially unnerving is the weaknesses it shows in standard data protection among carriers. Earlier this year, leading communication service provider Verizon issued a report that found that 285 million electronic records were breached in 2008 and that organized criminal gangs were behind a large percentage of these breaches.

Since their inception, carriers have taken an externally facing, ‘at-the-edge’ approach to security. In simple terms, they focused on protecting the edge of the network from external attacks, believing that most threats would initiate off the network, and the edge would be the place where hackers and others would gain access. This completely ignores the risks posed by their own staff, contractors, suppliers and partners. What has occurred almost simultaneously is the rise of multifunctional phone devices that act as wallets, contact databases, email terminals, mini-computers, organizers, etc. Any carrier network now contains a wealth of personal and financial information and, with dedicated criminal organizations going after data to steal and sell, the carrier database is a natural target. Indeed, T-Mobile has been here before, as Paris Hilton no doubt remembers.

The “deflect at the edge” approach will not stop these types of criminals, who have shown the ability both to bypass these external controls and to infiltrate an organization with the prime purpose of stealing data. Therein lies the problem facing those who wish to protect the carrier database: just how do you get a clear, immediate snapshot of what is occurring, including whether or not data has been stolen? If this T-Mobile threat proves to be a hoax, which it may well do, it should still act as a wake-up call to all carriers as to the vulnerabilities inherent in protecting data. To ensure full protection and data integrity, the database should be protected from the inside out to the network edge, rather than the other way around. This approach would alert administrators to data movement or unusual activity around the database, protecting against unauthorized access from both internal and external sources.

Paul Davie

Founder, Secerno
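The "inside out" approach argued for above (monitoring the database itself for data movement and unusual activity, rather than only the network edge) can be made concrete with a small database activity monitor. The following is an added example, not code from Secerno or from the original post: it reads constructed query audit records, compares each one against a per-account baseline of normal tables and result-set sizes, and raises alerts for the insider-style patterns the posts describe (bulk reads, unfiltered reads of sensitive tables, off-hours access, unknown principals and external clients). The log format, account names, tables, IP ranges and thresholds are all invented for the illustration.

```python
"""Added example: database activity monitor that watches query audit records
at the database, not at the network edge. All inputs below are constructed."""
import re
from collections import namedtuple
from datetime import datetime

# Constructed audit log in a hypothetical pipe-delimited format:
# timestamp|db_account|client_ip|rows_returned|statement
AUDIT_LOG = """\
2009-06-08T09:12:03|billing_app|10.1.2.30|1|SELECT balance FROM accounts WHERE customer_id = 4711
2009-06-08T09:12:09|billing_app|10.1.2.30|1|SELECT balance FROM accounts WHERE customer_id = 4712
2009-06-08T11:40:21|support_jdoe|10.1.5.77|1|SELECT name, phone FROM customers WHERE customer_id = 9001
2009-06-08T02:17:45|support_jdoe|10.1.5.77|250000|SELECT name, phone, card_number FROM customers
2009-06-08T14:05:10|billing_app|10.1.2.30|1|SELECT card_number FROM payment_cards WHERE customer_id = 4711
2009-06-08T14:06:00|contractor_x|203.0.113.9|40000|SELECT * FROM payment_cards
"""

# Constructed baseline: the tables each account normally reads and the largest
# result set that is routine for it. In practice this is learned from history.
BASELINE = {
    "billing_app": {"tables": {"accounts", "payment_cards"}, "max_rows": 100},
    "support_jdoe": {"tables": {"customers"}, "max_rows": 50},
}
SENSITIVE_TABLES = {"customers", "payment_cards"}   # assumed classification
BUSINESS_HOURS = range(8, 19)                       # 08:00-18:59, assumed
INTERNAL_PREFIXES = ("10.",)                        # assumed internal address space

Event = namedtuple("Event", "ts user ip rows statement")
Alert = namedtuple("Alert", "rule user detail")

# Good enough for the simple SELECT ... FROM <table> statements in the sample log.
TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def parse(log_text):
    """Turn the pipe-delimited audit text into Event records."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, rows, stmt = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), user, ip, int(rows), stmt))
    return events


def tables_in(statement):
    """Lower-cased set of table names referenced after FROM."""
    return {m.lower() for m in TABLE_RE.findall(statement)}


def evaluate(event):
    """Apply the monitoring rules to one event; returns a list of Alerts (empty if normal)."""
    alerts = []
    tables = tables_in(event.statement)
    profile = BASELINE.get(event.user)

    if profile is None:
        alerts.append(Alert("unknown_principal", event.user, "no baseline for this account"))
    else:
        unexpected = tables - profile["tables"]
        if unexpected:
            alerts.append(Alert("unexpected_table", event.user, ", ".join(sorted(unexpected))))
        if event.rows > profile["max_rows"]:
            alerts.append(Alert("bulk_read", event.user,
                                "%d rows, baseline max %d" % (event.rows, profile["max_rows"])))

    # A read of a sensitive table with no WHERE clause is a whole-table extraction pattern.
    if tables & SENSITIVE_TABLES and not re.search(r"\bWHERE\b", event.statement, re.IGNORECASE):
        alerts.append(Alert("unfiltered_sensitive_read", event.user, event.statement))

    if event.ts.hour not in BUSINESS_HOURS:
        alerts.append(Alert("off_hours", event.user, event.ts.isoformat()))

    if not event.ip.startswith(INTERNAL_PREFIXES):
        alerts.append(Alert("external_client", event.user, event.ip))

    return alerts


def monitor(log_text):
    """Run every event in the log through the rules and collect all alerts."""
    alerts = []
    for event in parse(log_text):
        alerts.extend(evaluate(event))
    return alerts


if __name__ == "__main__":
    for alert in monitor(AUDIT_LOG):
        print("%-26s %-14s %s" % (alert.rule, alert.user, alert.detail))
```

In the constructed log the routine single-row lookups produce nothing, while the 02:17 dump of 250,000 customer rows by a support account and the external contractor's `SELECT * FROM payment_cards` each trigger several rules at once. Alerting on the database's own view of who read what, and how much, is what lets an administrator notice data movement regardless of whether the client sits inside or outside the perimeter.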

Wednesday 3 June 2009

Unhackable? Unsinkable! -- bold government claims

I am saddened to hear that the current crisis in the UK parliament over members' expenses has resulted in the demise of the Home Secretary. I enjoyed being interviewed last year on national radio to comment on her claims that the UK government's proposed ID card system would be "unhackable". A bold claim indeed, and I said as much at the time.

Anyone involved in IT security will recognize that there are no absolutes as strong as "unhackable" and that there are threats from more than outsiders. (Her claim was that as the ID card database would not be connected to the outside world it would be safe.)

When they pushed her off the docks in Belfast harbour they said that the Titanic was unsinkable. It is a shame the Home Secretary has found herself in need of a lifeboat.