
Security Profession blog

Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.

Thursday 10 December 2009, 1:55 PM

Beware of keeping your head in the clouds

Posted by (ISC)2

Information security professionals can look forward to a deepening appreciation for their skills as security continues to be recognised as an essential element of doing business in 2010 and beyond. Despite this new-found appreciation, however, companies are set to stumble into new ways of putting data at risk, with the do-it-yourself accessibility of cloud computing and a recovering economy fuelling new initiatives before they can be properly resourced.

After the cutbacks of 2009, most businesses will be eager to re-engage with business initiatives. They should beware of rushing in without giving proper consideration to the security requirements, however, especially since security teams and projects have been pared back to minimum requirements and it will take time to build them back up.

Adding to this dynamic is the concern that cloud computing will make it very easy for people to get around the internal limitations of their IT department. An Autumn 2009 poll of over 300 (ISC)2-certified security professionals indicated that over 92% anticipate employees will circumvent the IT department to trial Software as a Service or cloud-based solutions.

On the one hand, a carefully controlled migration to cloud-based services with suppliers that can demonstrate a real appreciation for security can enhance a company’s security stature. On the other, the newly developed do-it-yourself ability for all risks the uncontrolled placement of data with cloud service providers of all abilities. We face a significant learning curve during which the opportunity to put data at risk will multiply.

More emphasis needs to be put on user accountability. It has never been enough to secure the systems; data is manipulated by the people that use it, and they are the ones introducing much of the new risk of its compromise. The good news is that both business and individual users trusting cloud services will not tolerate data compromise for long. This will force them to prioritise security and, in turn, affect priorities for the developers serving this sector.


John Colley, CISSP, is the EMEA Managing Director for (ISC)2, a non-profit professional organisation that represents over 66,000 information security professionals worldwide, more than 10,000 of whom reside in the EMEA region and over 3,300 in the UK. John spent twenty years working in software and systems development before moving into information security. He has held posts as Head of Risk Services at Barclays, Group Head of Information Security at the Royal Bank of Scotland Group, Director of Information Security at Atomic Tangerine and Head of Information Security at ICL.

Friday 30 October 2009, 6:19 PM

Now is the time to invest in security skills training

Posted by (ISC)2

The recent PwC survey into the Global State of Information Security (http://news.zdnet.co.uk/security/0,1000000189,39809565,00.htm) is a timely reminder of the skills adjustment facing our industry. Although the profession has matured in its short 20-year history, disparate roles are emerging within it: the traditional technical IT security requirement is decreasing while jobs with a managerial focus are increasing. Even the rise in specialist university education has tended to be technically focused. Security people get passed over for management training, and the recruitment process continues to be heavily weighted toward measurable technical skills.

The PwC survey highlighted a clear lack of security management expertise, which has led to a lack of records on where sensitive data is stored and a lack of the bigger picture on security incidents. So why is it that hiring managers struggle to find people with the right skills? In one of our surveys, 80% indicated that they are challenged to fill their roles, despite the current economic downturn creating a larger available workforce.

Advances in technology and the online world have always been ahead of the related considerations for security, because people, IT and business leaders have yet to develop the skills to think securely. Tomorrow’s business leaders need to be able instinctively to strategise for secure business development.

The challenge of ensuring secure e-skills will be about far more than the information security workforce, though; security should become part of the core curriculum across the entire education system, from primary schools to a broad set of university courses. It is interesting that the majority of computing-related courses do not adequately address security issues, yet we know that strategic decisions taken by IT, from the procurement and/or development of software to the adoption of cloud services, have a huge impact on vulnerability levels when the security requirements are not built in at the outset.
Security should also be a core element of business education. Employee induction should include security with the systems training; and security responsibilities should be part of the employment contract.

John Colley, CISSP, Managing Director (ISC)2 EMEA




Wednesday 26 August 2009, 6:39 PM

SQL injection attacks point to need for more secure software

Posted by (ISC)2

The most recent identity theft attack to hit the headlines (http://news.bbc.co.uk/1/hi/business/8206305.stm) was apparently the biggest case of identity theft in the USA. Like an increasing number of such attacks, it exploited weaknesses in web-based applications, using the well-known technique of SQL injection to access and steal 130 million credit card numbers. Hackers understand that significant investments have been made to protect network, database and server assets, and have moved on to attack the application layer. Today they are less interested in causing corporate havoc and more interested in stealing data. Their attacks are therefore designed to evade detection and to go through the easiest door to get to the prize.

At a recent (ISC)2 Secure London seminar the keynote speaker from IBM Internet Security, James Rendell, said that IBM’s X-Force security labs had tracked a 30-fold increase in SQL injection attacks in the last six months. He suggested that cyber criminals like them because it is easy to identify the targets, they are easy to implement and they deliver a high payoff: the attackers do not need to know the underlying operating system, or even the database, because they take advantage of the web front ends that companies are applying to all of their applications.

Rendell also pointed out that more than half of all software vulnerabilities are in web applications. However, the issue here isn’t just about web application software; it’s a matter of the bad software architecture and design that is endemic in much software. Too often security holes are known vulnerabilities that just weren’t tracked properly in the development process. With patching becoming an increasing burden, wouldn’t the economics now warrant pushing the issues and costs back to the software vendors?

We know that software developers have yet to progress their profession with security in mind. They are driven by tight timescales, flexible and cost-effective development methodologies and an obsessive focus on usability. Security has been an afterthought, all too often introduced at the testing stage. But the time to change is now. Software teams need to establish sounder security standards and raise awareness among stakeholders across the software development lifecycle of the importance of addressing security concerns. While many argue that secure coding techniques have been developed, that approach is too limited: this is not an issue for software coding alone.

John Colley, managing director for EMEA of (ISC)2
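The injection pattern the post refers to, as an added example that is not part of the original post and not (ISC)2's or IBM's material: a lookup that splices caller input into SQL text, beside the parameterised form that closes the hole. It runs against an in-memory SQLite table; the table, the fake card records, the two attacker inputs and the function names are all constructed for illustration.

```python
"""Added example (not from the post): the SQL injection pattern described
above, shown against an in-memory SQLite table.

The table, the card records and the attacker inputs are constructed for
illustration; the function names are this example's own."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample table of fake card records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, pan TEXT, account TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [
            ("alice", "4111111111111111", "A-1001"),
            ("bob", "5500000000000004", "A-1002"),
            ("carol", "340000000000009", "A-1003"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    """The weak pattern: the caller's input is spliced into the SQL text.

    Whatever the user types becomes part of the statement, so a quote
    character lets them close the literal and write their own SQL.
    """
    sql = "SELECT holder, pan FROM cards WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, account: str) -> list:
    """The fix: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT holder, pan FROM cards WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


# Two classic payloads. The first makes the WHERE clause always true and
# dumps every row; the second appends a UNION that reads the schema, which
# is how an attacker finds the next table to target. (SQLite comment syntax
# and metadata table shown; other engines differ in detail, not principle.)
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT name, sql FROM sqlite_master --"


def demo() -> dict:
    """Run both lookups against both payloads and return the row counts."""
    conn = make_db()
    return {
        "vulnerable_tautology": len(lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY)),
        "vulnerable_union": len(lookup_vulnerable(conn, PAYLOAD_UNION)),
        "parameterised_tautology": len(lookup_parameterised(conn, PAYLOAD_TAUTOLOGY)),
        "parameterised_union": len(lookup_parameterised(conn, PAYLOAD_UNION)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count}")
```

The vulnerable lookup returns all three records for the tautology and the table definition for the UNION, with no knowledge of the operating system required, which is the point Rendell makes about payoff versus effort. The parameterised lookup returns nothing for either, because the payload is compared as a literal account string rather than compiled as SQL. Escaping or filtering quote characters is not an equivalent fix; binding parameters is.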

Friday 7 August 2009, 10:50 AM

Do we all have a role in the UK’s Cybersecurity Strategy?

Posted by (ISC)2

I think we do: everyone from the private sector, in particular IT and information security professionals, has a role to play. Not least because the UK Cyber Security Strategy leaves a lot to be defined. It’s a starting point, albeit a good one, but it doesn’t offer much insight into how the eight work streams assigned to the new UK Office of Cyber Security are going to be achieved, and very little has been communicated on the budget requirements. So the next logical step is for us all to play a part, rather than sit back and wait for the government to define every detail of something that means so much to every one of us.

Those of us with the knowledge, the professionals who have dedicated our careers to tackling cyber security issues, have a critical responsibility to help the rest of society, which has a very steep learning curve to climb. It really is time to get involved. Efforts to improve security awareness are proliferating, with many reaching out to children, small business people and communities. (ISC)2’s cyber security awareness portal is a good example: the Cyber Exchange uses videos, presentations, posters and more, supplied by top experts in the information security field, our members, to help spread the word on secure Internet use. It’s time to find an initiative, or start one, within your own community or workplace. Or consider lending your expertise within a consultation group directly linked to one of the eight defined work streams: Safe, Secure and Resilient Systems; Policy, Doctrine and Regulatory Issues; Awareness and Culture Change; Skills and Education; Technical Capabilities and Research; Exploitation; International Engagement; and Governance Roles and Responsibilities. I for one am looking forward to participating in working groups examining the skills and education situation in this country.

At the very minimum, each and every professional should have read the document by now and considered how well their own organisations are managing these areas. After all, this is an opportunity to highlight them with management as well. But more than this, it’s an opportunity to really influence a Secure Digital Britain. What are you doing?

John Colley
Managing director for EMEA of (ISC)2

(ISC)2 is a non-profit consortium that represents more than 3,000 information security professional members in the UK and 66,000 globally.


Monday 22 June 2009, 10:56 AM

Does offshoring or outsourcing increase the data privacy challenge?

Posted by (ISC)2

Last week’s IDG Research Services survey, commissioned by RSA, highlighted the lack of strategy in most organisations for outsourcing business services and information to the cloud. It is a reminder that offshoring and outsourcing present a real challenge to data privacy and data protection, but is the risk any greater than the risk to data that is not outsourced or offshored?

There are many risks associated with offshoring and outsourcing. The information security risk, combined with operational risks including the risk of vendor concentration, should determine the direction and pace of the offshoring strategy. Information security professionals must apply the industry-standard confidentiality, integrity and availability principles in a risk assessment to ensure that corporate data is not exposed to unnecessary and unforeseen risk. For those professionals working in multinational organisations, the topic of cross-border data movement and data protection zones is not new. However, if data is made accessible to third-party vendors or other combined legal entities (captives), the involvement of legal professionals is paramount in order to understand processing and disclosure principles and policy.

The offshoring and outsourcing risk assessment may then reveal that existing cross-border and service provider policies and standards are inadequate even for existing business processes. This confirms that outsourcing does not in itself increase risk; it can actually reduce risk by forcing improvements to internal controls.

For firms and organisations with a complex mix of environments and vendors, control “edge” solutions can be developed for the handling of data, based on “need to know” and “least privilege” principles, delivering sensitive data at the very last minute in the process and linked to pre-defined and agreed data disclosure rules.

Offshoring and outsourcing programmes may increase the complexity of the environment, and can also increase the burden of supervision, but they do not increase information security risk. There is no hype with offshoring and outsourcing; rather, basic control principles apply.

Alessandro Moretti, CISSP, Member of the (ISC)2 European Advisory Board and Executive Director, UBS Investment Bank, IT Security Risk Management.
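A minimal “control edge” of the kind the post describes, as an added example that is not part of the original post and not UBS’s or (ISC)2’s code: a release point that hands data to a third party only under a pre-agreed disclosure rule keyed by vendor, destination and purpose. Fields outside the rule are dropped (need to know), fields the rule lists are delivered only in masked form (least privilege), and a request with no matching rule fails closed. The vendor names, the rule set, the sample record and the function names are all hypothetical.

```python
"""Added example (hypothetical): a small 'control edge' for third-party
data release, driven by pre-agreed disclosure rules.

Vendors, rules and the sample record are constructed; nothing here is
drawn from any real contract or organisation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DisclosureRule:
    vendor: str
    destination: str                 # country or data protection zone
    purpose: str                     # business process the release serves
    allowed: frozenset               # fields the vendor may receive at all
    masked: frozenset = frozenset()  # subset delivered only in masked form


class DisclosureDenied(Exception):
    """Raised when no agreed rule covers the requested release."""


# Constructed rule set; in practice this would be the agreed disclosure
# schedule from the outsourcing contract, keyed so a lookup is exact.
RULES = {
    (r.vendor, r.destination, r.purpose): r
    for r in (
        DisclosureRule("PayOffshore Ltd", "IN", "chargeback-processing",
                       allowed=frozenset({"account", "amount", "pan"}),
                       masked=frozenset({"pan"})),
        DisclosureRule("Helpdesk BPO", "PH", "customer-support",
                       allowed=frozenset({"account", "holder"})),
    )
}


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    return "*" * (len(pan) - 4) + pan[-4:]


def release(record: dict, vendor: str, destination: str, purpose: str) -> dict:
    """Build the payload for a vendor at the moment of handoff.

    Returns a new dict holding only the fields the matching rule allows,
    with masked fields transformed. Raises DisclosureDenied when no rule
    matches, so an unplanned cross-border disclosure cannot happen by default.
    """
    rule = RULES.get((vendor, destination, purpose))
    if rule is None:
        raise DisclosureDenied(
            f"no disclosure rule for {vendor!r} -> {destination} ({purpose})"
        )
    payload = {}
    for name in sorted(rule.allowed):
        if name not in record:
            continue  # a rule may permit a field this record does not carry
        value = record[name]
        if name in rule.masked:
            value = mask_pan(value)
        payload[name] = value
    return payload


if __name__ == "__main__":
    sample = {"holder": "alice", "pan": "4111111111111111",
              "account": "A-1001", "amount": "12.50", "dob": "1980-01-01"}
    print(release(sample, "PayOffshore Ltd", "IN", "chargeback-processing"))
    print(release(sample, "Helpdesk BPO", "PH", "customer-support"))
    try:
        release(sample, "Helpdesk BPO", "IN", "customer-support")
    except DisclosureDenied as exc:
        print("denied:", exc)
```

The record itself is never passed to the vendor; only the payload built at the edge is, and the date of birth in the sample is dropped for both vendors because no rule names it. Sending the same vendor’s request to a destination the rule does not cover is refused rather than silently released, which is the behaviour the author’s “pre-defined and agreed data disclosure rules” imply.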

