Why Cyber matters

‘Cyber’ has become a buzzword, but it does have some serious meanings for managers and business owners

This is the unedited version of an article that appeared two weeks ago in The Australian.

Cybersecurity is becoming an important responsibility for executives and directors. Often shortened to ‘cyber’, it’s easy to dismiss cybersecurity as just the latest IT industry buzzword; however, ensuring information systems are secure is now firmly a management issue.

Information breaches have become embarrassingly common in recent times, with events ranging from Target exposing forty million of its customers’ records in 2013, a breach which cost the company $162 million, through to national security embarrassments like the Snowden revelations.

Exacerbating the risks to businesses is their dependency upon information systems for normal operations; the damage from denial of service attacks, such as the outage across much of the US last weekend, can be debilitating and costly. The recent Australian census saga, which cost taxpayers thirty million dollars, is an illustration of how costly poorly planned responses to service interruptions and security breaches can be.

Compounding the risks for Australian executives are the breach disclosure laws tabled in Federal Parliament last week, which threaten fines of $340,000 for individuals and $1.7 million for corporations that fail to act quickly on data privacy failures.

In such a high risk environment business leaders need to be proactive, says Leonard Kleinman, the Asia Pacific and Japan Chief Cyber Security Advisor for security software firm RSA: “the legislation is aimed at organisations that I’d call ‘wilfully blind’ or like to employ the concept of ‘plausible deniability’.”

As that period of ‘wilful blindness’ and ‘plausible deniability’ comes to an end, executives and directors have to start taking their responsibilities in protecting data far more seriously. The challenge lies in understanding the risks.

“What a lot of organisations – both private and public – haven’t done well is their ‘Crown Jewels assessment’,” says Glenn Maiden, Principal Security Consultant at Canberra’s Shearwater Solutions. “It has to be contextualised. My crown jewels might be credit card numbers, but that may not be of interest to foreign intelligence agencies.” Having identified those critical data and processes, the next step is to understand where the risks to them lie.

In understanding what those ‘crown jewels’ are, it’s important to consider what is valuable within the organisation. While to the marketing team the most valuable information may be customer data, to the COO it may be ensuring continuity of service while to external parties it could be pricing details or legal correspondence.

“The things I’ve suggested in the conversations I’ve had with organisations are simple stuff; review things like your incident response strategies – can you start an investigation quickly?” says RSA’s Kleinman. “It’s probably good to review your contracts. If you have a cloud services provider that experiences a breach, how are they going to go about doing the notification?”

In a world where subcontracting and outsourcing is normal business practice, the risk from third party vendors is real and goes beyond cloud providers. The disastrous Target hack was traced to an air conditioning contractor’s compromised system, and Edward Snowden himself wasn’t a direct government employee.

Privacy and security breach notifications are only part of the broader cybersecurity picture though, and the field is becoming more complex. Last weekend’s massive denial of service attack that compromised many US-based online services was caused by the Mirai botnet, which exploits vulnerabilities in cheap internet of things devices.

With business processes becoming increasingly connected and automated, management concerns are extending to the security, integrity and reliability of devices being used in their organisation. Even if the business critical sensors being officially purchased are of high quality, everything from smartphones to connected kettles being brought into the staff tearoom could be a potential risk to the corporate network and a business’ reputation.

It would be a mistake, however, to think cybersecurity is purely a technology problem. “Ultimately insider threats are about people,” says Keith Lowry, Nuix’s Senior Vice President of threat intelligence and analysis. “These are all people who used tools or technology to do what they did and they got away with it because others were focused on the technology rather than focused on the people.”

As the business world becomes more dependent upon data and connected systems, the governance of networks and their security is going to be increasingly the responsibility of business leaders.


Security as a people problem

Security is more of a people problem than a technology issue, believes Nuix’s head of threat intelligence Keith Lowry

Are we focusing too much on technology and not enough on people when it comes to insider threats? Talking to Keith Lowry, the Senior Vice President of threat intelligence and analysis for Nuix, it’s hard not to come away with the impression there is too much emphasis on technology and not enough on human factors when looking at IT security risks.

Lowry gave a briefing to journalists at Nuix’s Sydney office last week discussing the types of insider threats organizations face. “Why is it, despite all the money we’re spending, we seem to be losing the cybersecurity battle?” he asks.

“The majority of insider threat programs that I’ve seen begin with the foundation of technology when in reality the foundation of a counter insider threat program should be about people,” he stated as one of the reasons why organisations are struggling with securing their networks.

Supporting his belief that people are a problem is a 2015 survey by information security company Clearswift that found more than a third of employees are willing to sell their company’s private information.

All six examples he cited illustrated the problem facing managers; each breach was as much a failure in managing people as it was technology not being implemented correctly.

Naturally the Chelsea Manning case was one of the headline cases. “Manning was a failure of leadership,” Lowry said. “What’s really interesting is before his unit went to Afghanistan he was deemed by a psychologist to be unfit to deploy. They took him anyway.”

Two of the other examples, alleged Chinese spy Hao Zhang and Russian intelligence agent Anna Chapman are classic espionage tales while Edward Snowden is a continuing tale that may well define our public security policies for a generation.

Of the examples, Aussie twosome Christopher Hill and Lukas Kamay along with US student Glenn Duffie Shriver are the two that should worry organisations the most.

Duffie-Shriver was sentenced to 48 months’ jail after being recruited by PRC intelligence officers while studying in China.

Born in 1981, Duffie-Shriver is part of a generation that’s far less loyal to organisations, believes Lowry, and, coupled with economic pressures such as student loans, they may be far more likely to be tempted by offers such as those alleged to have been made to the American scholar.

The Aussie example is probably more concerning for management, as Hill was passing Australian Bureau of Statistics data ahead of its public release to Kamay, who arranged trades. Their insider trading scheme netted Kamay seven million dollars.

Kamay and Hill present a far more typical risk to most organisations as employees motivated by greed, addiction or some vulnerability are much more likely to steal data. This is certainly a human, rather than technology, problem.

Ultimately the focus on technology, foreign hackers and government agencies in protecting an organisation’s data is missing the greatest risk of all in our businesses – the people. How we manage and treat staff is essential to securing information.


Time to rethink IT security

Last weekend’s webcam-launched cyberattacks are a warning that we need to take security seriously

Last weekend a cyberattack launched from compromised webcams crippled a number of high profile services. In response, the Chinese manufacturer has withdrawn the devices from the market.

That dodgy webcams should have been used to launch a massive DDoS doesn’t surprise anyone who’s spent any time in the home automation field. These problems are endemic in the Internet of Things.

In the early 2000s I became involved in a home automation company through my IT support business. Basically we were kitting out Sydney’s harbourfront mansions with state of the art technology.

Very quickly I realised something was wrong. Almost all the home automation and CCTV systems were running on outdated, insecure software. The leading brand of home security systems used servers running on an old version of Windows 2000 at a time when malware was exploding.

It wasn’t a matter of if, but when, these systems would become hopelessly compromised given the networks they were running on were shared with the home users.

The real concern though was when I raised this with the vendors, installers and designers – no one cared. It was clear security wasn’t a concern for the market and the industry.

We could have patched the systems and boosted their security policies, but given the shoddy software being used – mainly DOS batch files – and the assumed file permissions, we’d have completely broken the systems and it would have been up to us to fix them given the attitudes of vendors and clients.

After realising this problem was industry wide I pulled the pin on that business venture as I wasn’t prepared to carry the legal risk and moral obligation of helping install dangerous equipment into people’s homes or businesses.

I’ve since watched as the Internet of Things has become fashionable with the knowledge that the industry’s cavalier attitude towards customer security hasn’t changed.

Now we’re at the stage where script kiddies can launch massive attacks from compromised webcams – God knows what the serious bad guys like state sponsored actors, criminal organisations and commercial spies are up to with these things – which shows the industry’s robotic chickens have come home to roost.

What last weekend’s events show is we have to demand better security from our technology suppliers. That though comes at a cost – we’ll pay more, we’ll have to sacrifice some convenience and we’ll have to spend time maintaining systems.

Are we prepared to wear those costs? Is the tech industry prepared to move beyond its ‘good enough’ attitude toward security? Are governments prepared to legislate and enforce proper design rules?

We may not have a choice if we want to enjoy the benefits of technology.


Lessons from the CIA investment fund

Dawn Meyerriecks, the CIA’s Deputy Director for Science and Technology, gives an interesting insight into the agency’s investment philosophies

One of the little discussed reasons for the US tech industry’s success is the role of military and intelligence spending by the government. Not only are various agencies funding research and enthusiastically buying technology, they are also strategic investors in many companies.

In Sydney last week Dawn Meyerriecks, the CIA’s Deputy Director for Science and Technology, gave an interesting insight into the agency’s investment philosophies at the SINET61 conference.

The conference was aimed at drumming up interest in the technology security industry along with showcasing the connections between Australia’s Data61 venture and the US based Security Innovation Network (SINET).

SINET itself is closely linked to the United States’ security agencies with chairman and founder Robert Rodriguez being a former US Secret Service agent prior to his move into security consulting, venture capitalism and network-building.

Compounding the organisation’s spook credentials are its support from the US Department of Homeland Security along with the UK’s Government Communications Headquarters (GCHQ), so it was barely surprising the Australian conference was able to attract a senior Central Intelligence Agency officer.

Investing in flat times

“Flat is the new up,” says Meyerriecks in describing the current investment climate of thin returns. In that environment, fund managers are looking for good investments and the imprimatur of the CIA’s investment arm, In-Q-Tel, is proving to be a good indicator that a business is likely to realise good returns.

“If you can predict a market – and we are good predictors of markets – then the return on investment is huge,” she says.

“In-Q-Tel really leverages capital funding for good ideas. We get a twelve for one return, for every dollar we put in it’s matched by twelve dollars in venture capital in emerging technologies.”

Attracting investors

The CIA encourages the companies In-Q-Tel invests in, along with those that supply technology to the organisation, to seek private sector investors.

“What we’re telling our supply chains is you go ahead and tap into the capital markets,” Meyerriecks says. “If you can turn that into a commercially viable product then we will ride the wave with the rest of the industry because it’s good for us, it’s good for the country and it’s good for the planet.”

Adding to the CIA’s attractions as a startup investor are the opportunities for lucrative acquisition exits for the founders, she believes. “Not only are we using that venture capital approach for emerging technologies but our big suppliers are sitting on a ton of cash.”

Diversity as an asset

Another lesson that Meyerriecks believes will help the planet, and the tech industry, is diversity. “Globalisation has shown isolationism doesn’t work,” she says.

“Back in the day when I was a young engineer the best way to make sure your system was resilient was to harden its perimeters.”

“The best way to be cyber-resilient in the old days was to draw big boundaries around yourself to keep the bad guys out. The latest studies look at other things because you want to be resilient, you want high availability.”

Now, system diversity is seen as an asset. “Biologically the three factors that contribute to resilience are the ability to adapt, the ability to recover and diversity,” Meyerriecks says. “We look to deliver high availability among components that may not themselves have high reliability.”

The future of investment

“I think we’ll see commercialisation still driving investment for applied R&D in particular,” Meyerriecks said in a later panel on where the agency is looking at putting its money.

“The big game changers will be around the edge, taking SDN (Software Defined Networking) to its logical extreme giving everyone their own personal networks, not just in data centres but at the edge of the network.”

“I think there’s lots of things that the commercial industrialisation of the technology and physical system are going to force us to grapple with on many levels.”

Risks in managing identity

An interesting aspect of Meyerriecks’ talks at SINET61 was her take on some of the technology issues facing consumers and citizens, particularly in the idea for individuals having their own personalised network.

“This opens up a whole range of things,” she suggests. “Do I eventually not just be an IMSI or IMEI (the mobile telephone identifiers) but do I become an advertising node, does that become my unique ID? Do I become a gaming avatar?”

“Then we get into the whole Big Data area. Computational anonymity is a phrase we use. At some point people start saying ‘this is crossing the line’ – it crosses the ‘ooooh’ factor.”

Changing Cybersecurity

“I think the definition of cybersecurity will be expanded to much more beyond what we’ve classically thought about in the past.”

Meyerriecks’ presentation and later panel appearance were a fascinating glimpse into the commercial imperatives of the United States’ intelligence community, along with flagging some of the areas which concern its members as citizens and technology users.

The US security community’s role in the development of the nation’s tech sector shouldn’t be understated and Meyerriecks’ observation that private sector investors tend to follow the CIA’s investment path underscores their continued critical role.


Protecting yourself online

Keeping your home computer safe is pretty basic, says Nuix’s Chief Information Security Officer, Chris Pogue

What can consumers do to protect themselves online? Nuix’s Chief Information Security Officer, Chris Pogue, believes it’s all about sticking to the basics.

“It’s honestly easier than you think. It’s basic IT hygiene. Just the basics – bad passwords, reutilisation of passwords. There’s password managers available for ten dollars a year. Don’t reuse passwords.

“Close your wi-fi, don’t broadcast your Wi-Fi SSID. Make your PSK password longer than normal. Just make sure that you’re being smart and you’re exercising due diligence and you can stop a lot of attacks.”

Pogue also points out no computer, or device, is unhackable. The point with security is to make your devices less attractive to opportunistic cybercrooks.

“If you make it a little bit harder, the attackers have an ROI for their time. It’s a business, a multi-billion dollar business. They’re not going to mess around with you if you’re messing up their gross margin. Just make it not cost effective.”

“Nothing is unhackable but you just make it so it takes too much time,” he says.

One useful resource for home users is the Australian Signals Directorate’s Top Security Tips for the Home User. While basic, that advice is well worthwhile for those looking at protecting their systems.

Paul travelled to Las Vegas for the Black Hat conference as a guest of Nuix


Forget eliminating risk

We can’t eliminate risk, but we should manage it, recommends Huawei’s chief security officer

“How are you going to manage, not stop, risk?” asked John Suffolk, the Global Cyber Security & Privacy Officer of Huawei Technologies, at the company’s ICT roadshow in Sydney today.

Suffolk’s message is one that should be heeded by all business owners, managers and executives in areas more than just IT security.

One of the conceits of the late Twentieth Century management philosophies is that risk could be managed out of business, partly through technology but mainly through legalisms that attempted to push liabilities onto suppliers, contractors, resellers and customers.

That philosophy still holds true in many organisations today, particularly government agencies, and it costs them dearly.

In truth, business is risky and trying to eliminate risk is a fool’s errand. How it’s managed is the real test for leaders.


Trust, security and the internet of things

It may prove impossible to secure the Internet of Things. If so, we’re going to have to develop new trust mechanisms.

I’ve spent the last week in Las Vegas attending the Black Hat and DefCon security conferences. Among much of the discussion about protecting oneself against the misuse of technology, one thing that stood out was the focus on the Internet of Things.

Listening to some of the discussions and speaking to various people, it’s increasingly clear the consensus is the IoT is effectively unsecurable – the range of devices connected to the internet is just too great to be protected.

Compounding the problem are the plethora of poorly designed devices where security is, at best, a vague afterthought along with an older generation of equipment that was never intended to be connected to the public facing internet.

Given many of these devices are going to be critical to businesses and individual lifestyles, their reliability and the quality of the data they gather is increasingly going to come into question, and the systems that rely upon them are going to need ways to validate the information they receive.

Perhaps this is where machine learning and artificial intelligence are going to be valuable in watching for anomalies in the information and flagging where problems are happening within networks.

As those networks become more essential to society, we’re going to have to build more redundancy and robustness into our systems; the key component, though, may be trust.
