
Security Profession blog

Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.

Tuesday 5 May 2009, 4:07 PM

Invest now – payback later

Posted by (ISC)2

I was in San Francisco last month for the 20th Anniversary celebration of (ISC)2’s formation. While there I was fortunate enough to have dinner in one of the city’s many excellent Chinese restaurants. At the end of the meal the proprietor gave each of us a Chinese fortune cookie. We all broke open our cookies and read the saying inside (actually we played a game which I had better not go into here). The saying I had in mine was “Your investment in time now will lead to success later”.

It got me thinking about what a great saying it was. No matter what we do, we generally do it better by investing time into it beforehand. This applies as much to information security as it does to any other profession. This is particularly relevant when discussing the value of security qualifications and certificates. Many of the arguments hotly debated focus on what the certificate covers and how good the examination process is. This ignores the fact that one of the main values associated with security qualifications is that they show that the individual has made an investment in time to study for and take a qualification.

This process does not stop there. Most of the leading information security qualifications require that individuals continue to invest time in continuing professional development and education. This is one of the most important aspects of professional qualifications. If a qualification does not require you to commit to making sure you keep abreast of new developments in your field then it probably isn’t worth having. We see this approach in many aspects of professional life. Airline pilots have to be regularly assessed and have to be “rated” for whatever type of aircraft they are flying. First Aid certificates have an expiry date on them (usually three years). Both the medical and legal professions demand continuing professional development.

In the current climate where recruiting the right individuals and, if you are looking for a new position, convincing a prospective employer of your value, the investment individuals have made of their time in obtaining and maintaining a security qualification is critical. When I was sitting on the recruiter’s side of the desk I would always ask a candidate what qualifications they had and why they had chosen specific ones. What criteria did they use in selection? How were those decisions made? Those that did not have any qualifications were not necessarily eliminated but were asked why they hadn’t got any. This was not to be critical of them but to find out how they had invested time in their careers.

So to quote an old Chinese proverb “Your investment in time now will lead to success later”.

John Colley, CISSP, Managing Director, (ISC)2 EMEA



Tuesday 31 March 2009, 1:50 PM

Will software ever be flawless?

Posted by (ISC)2

More news this month of critical vulnerabilities in software – including but not limited to Cisco’s IOS software that powers the majority of Cisco routers and switches as well as HP OpenView’s systems and network management software and Sun’s Javascript too. At the same time a couple of security researchers have declared that software vulnerabilities should no longer be given away – in other words bugfinders should be paid for finding vulnerability flaws and no longer notify software vendors in advance of disclosure.

All too often, security is bolted on at the end of the development process in response to a threat or exposure. This is of course costly since the relative cost of fixing defects in production is something like 100 times more expensive than if proper security had been baked in during the design phase. Engraining security into the culture, processes and lives of software developers, testers and improvers of software is now critical if we are to close the massive number of unlocked doors in software.

Contrary to its intention, change will not be driven by governments wanting to legislate against software vendors (see the Science and Technology Committee of the House of Lords’ report on “The Internet and Personal Security”) but, rightly, by customers who have started to question why they ever accepted the current release and patch cycle that is endemic within software. With no longer just PCs to control, but smartphones and laptops too, patching and keeping the proliferation of endpoints operational, as well as keeping their doors closed, is getting more difficult and expensive to manage every day.

But software developers have yet to progress their profession with security in mind. They are driven by tight timescales, flexible and cost-effective development methodologies and an obsessive focus on usability. Security has been an afterthought, all too often introduced at the testing stage. Many argue that secure coding techniques have been developed, but this too is a limited approach. Little of the data that the software is designed to handle, and the associated risks to it, are addressed by secure coding alone. Clearly, when the idea for a software program is developed, the associated risks to the data it will handle should be considered. The software on an iPhone that accesses financial transactions, for example, should have robust security functionality built in – should it not? If change happens, we could well see a world where security is flawless – well, at least with fewer holes than most software releases have today.

John Colley is managing director, EMEA at (ISC)2

Wednesday 4 February 2009, 11:47 AM

Government as Role Model?

Posted by (ISC)2

I was reading the article about the Home Office breaching the data protection act and it got me thinking about the recent meeting I and a number of other information security professionals had with Eleanor Laing, MP discussing and advising on what the Tory party policy should be on Information Security. One of the things that we were all in agreement on was that the government should act as a role model for information security. This should, in turn, be achieved not only by the proper investments but also by advancing professionalism and demonstrating skills, knowledge and competencies in this field. The Home Office clearly is an example where this is not happening.
It is interesting to note that generally the government is more careful with its own information than it is with that entrusted to it by the public. When I was working at ICL (now Fujitsu Services), I was the government designated ITSO (IT Security Officer) responsible for ensuring that any classified information that ICL had access to as a “List-X” company was properly protected. Indeed I was required to go on a two day course at the rather bleak building on Millbank to be told the correct ways of dealing with the different levels of protectively marked information. At my office in Stevenage I had one document that was classified above the “Restricted” level which had to be stored in a government approved safe and had to be locked away whenever I left my desk.
It seems strange that one area of government can identify the correct controls required when dealing with their own information whereas another part of government has difficulties in adopting less arduous controls for protecting information that has been provided by the public.
Hopefully the new security measures that the Home Office will have to adopt as a result of the ICO’s intervention will prove adequate and effective. Personally I believe that the most important controls will be those surrounding how well the users of the information are made aware and educated about how they apply these controls.

John Colley is managing director, EMEA for (ISC)2. He has over fifteen years experience in information security and formerly held posts as Head of Risk Services at Barclays, Group Head of Information Security at the Royal Bank of Scotland Group, Director of Information Security at Atomic Tangerine and as Head of Information Security at ICL.


Thursday 11 September 2008, 8:10 AM

The human factor will always get you

Posted by (ISC)2

I was reading an excellent article by Jason Holloway posted on the BCS Blogs concerning learning lessons from Monty Python and the Holy Grail. In it he refers to a number of situations in the film and relates them to situations in Information Security. It led me to thinking about how the Tom Cruise film “Minority Report” can also teach us information security professionals a lesson or two. In this Steven Spielberg film, set in the future, criminals are caught before the crimes they commit. Tom Cruise plays an officer in the special “Precrime” unit that catches these future criminals. He finds that he is accused of one such crime and sets out to prove his innocence. In this futuristic state, individuals are identified wherever they go by their iris pattern. In order to evade capture Cruise undergoes an eye transplant so that he can move about society without being captured.

What’s all this got to do with information security I hear you ask? Well an ex-colleague of mine at the Royal Bank of Scotland used to say that “Minority report” should be obligatory viewing for all information security managers. Why? Because later on in the film Cruise breaks in to his old unit and the way he does it is to use his “old” eyes that he has retained after the transplant as a means of access. As you probably realise, this worked successfully because his user id and access had not been removed from the system.

The lesson to be learnt here is that no matter how sophisticated the mechanisms we implement, without the appropriate manual controls they can always be circumvented.

John Colley, CISSP
Managing Director EMEA
(ISC)2

Thursday 28 August 2008, 2:33 PM

Customer data found on eBay server highlights people as weak link

Posted by (ISC)2

The recent news about customer details being retrieved from a server sold on eBay is yet another story about the sorry state of information security in the electronic age (see: http://news.zdnet.co.uk/security/0,1000000189,39465455,00.htm). What is important here is not the actors' names, but how it happened, what the response was and how could security procedures be improved in the future.

There are two basic things at play here: people and organisations continue to be, for the most part, reactive when it comes to security. And, secondly, they continue to concentrate on technological measures, when the weakest link is still the people.

So, the answer to this should have been not "can we have our server back, please" or "we take security seriously here", but to immediately set up a team composed of both business and technical people to check exactly how this happened. It would also be good if the ‘actors’ got together and communicated that they are doing this. Communication is very important in any security event!

The servers sold on eBay could have had their hard disk drive (HDD) wiped or reformatted, and that would have been good practice. However, that may not have been enough if someone could have recovered that data with a bit more effort. In military applications, there are special programs that rewrite HDDs a certain number of times, to make sure data retrieval by a determined attacker is not possible. Then there is also the option to completely destroy the hard disk if the data on it and the risks to it warrant it.

A very important thing to look at is this: had the people involved with this server, throughout its life, been adequately trained? Were they aware of the value that this type of information could have? Were the risks related to this type of data properly assessed? Were the mitigation measures commensurate with the risks?

These are the questions we, as information security professionals, need to ask. Before computers existed, any employee leaving a firm and wanting to take client info with them to a competitor would have had to photocopy paper files after work. Now, with IT at their disposal, the same action is possible within just a few minutes using a USB stick. The power of modern IT creates this terrible asymmetry, which means that the people and the process are as important as the technological measure, in any security incident, as well as in daily company operations.

In brief: look at security holistically and create security measures commensurate with the risk, for each type of data and technology used for a certain business purpose. Train people, review and enforce good processes and practices. Let's take the right approach to ensure that such incidents are a thing of the past and no headlines need to be written about them.

Ionut Ionescu, CISSP, CISM, GSEC, Member of (ISC)2’s European Advisory Board and EMEA director of security services for Nortel Global Services
