Of all the client inquiries and advisories we get related to risk management, one of the most frequent topics of discussion continues to be the role of risk management. Who should be involved? How? What should our objectives be? How should we measure success?
In an upcoming Security & Risk Council member meeting in London, I plan to take members through each of the five steps of ISO 31000 in an interactive workshop. We will discuss how to build repeatable and consistent processes, demonstrate that process to stakeholders, improve strategy and planning, and show support for relevant corporate functions and business units. If you’re interested in discussing this idea with me and other members of the Security & Risk Council, please consider joining us on March 16 in London. In order to qualify to attend, you must be a senior-level security and/or risk management executive in a $1B+ organization.
Recently I’ve been reading the excellent work by Jamais Cascio and thinking about the concept of "openness." Much of Jamais’ work is focused on geoengineering, but the concept of openness has profound implications on many fields, including computer security.
For those of you who have been following the unfolding story of HBGary Federal and the Anonymous Group, this is what Hollywood movies are made of. In fact, I don’t think a script writer could have penned this any better than the real life version. If you haven’t been following the minute details of this story, this Tech Herald article is an excellent read on how the whole thing started.
A condensed version of the events is as follows:
A week before RSA 2011, the CEO of HBGary Federal, Aaron Barr, said in a Financial Times interview that his firm had infiltrated and discovered the identities of the high-level operatives for the well known Internet hacktivism group Anonymous, and that he planned to publicly discuss his findings at the RSA conference.
Microsoft announced during last week's RSA conference that it would not be shipping Windows CardSpace 2.0. A lot of design imperatives weighed on that one deliverable: security, privacy, usability, bridging the enterprise and consumer identity worlds – and being the standard-bearer of the "identity metasystem" and the "laws of identity" to boot. Something had to give. What are the implications for security and risk professionals?
The CardSpace model had nice phishing resistance properties that cloud-based identity selectors will find hard to replicate, alas. But without wide adoption on the open Web, that wasn't going to make a dent anyway. We'll have to look for other native-app solutions over time for that.
IBM's Watson (natural language processing, deduction, AI, inference and statistical modeling all served by a massively parallel POWER7 array of computers with a total of 2880 processors with 15TB RAM) beat the greatest Jeopardy players in three rounds over the past 3 days — and the matches weren't even close. Watson has shocked us, and now it's time to think: What's in it for the security professional?
The connection is easy to see: the complexity, the amount of unstructured background information, and the real-time need to make decisions.
Forrester predicts that the same levels of Watson's sophistication will appear in pattern recognition in fraud management and data protection. If Watson can answer a Jeopardy riddle in real time, it will certainly be able to find patterns of data loss, clustering security incidents, and events, and find root causes of them. Mitigation and/or removal of those root causes will be easy, compared to identifying them . . .
For the second year in a row, I have the honor of hosting our Security Forum EMEA in London, March 17th - 18th. This is Forrester's 5th annual Security Forum in Europe, and each year brings a larger, more influential audience and more exciting Forrester and industry keynotes. The theme of this year's event builds on our fall event in Boston - Building The High-Performance Security Organization. It would have been easy to focus the event on one of the myriad of threats and challenges facing security and risk (S&R) professionals today — from the emergence of advanced persistent threats to the security and risk implications of cloud services, social technologies and consumer devices in the workplace — but the real challenge for S&R professionals is not in the specific response to today's threats. It's building the oversight and governance capabilities, repeatable processes, and resilient architectures that deal with today's threats but can also reliably predict, analyze, mitigate, and respond to tomorrow's threats and new business demands. For many of us in security, we are mired in day-to-day operational responsibilities — or as some of us like to call it, the Hamster Wheel Of Hell.
Quest is making aggressive moves to extend into the heterogeneous, non-Microsoft-centric land of identity and access management. After acquiring Voelcker Informatik for provisioning, Quest just announced the acquisition of e-DMZ, an enterprise-class, high-performance PIM appliance vendor. Novell (now Attachmate) acquired host access control specialist Fortefi, Oracle bought Passlogix (vGO-SAM), CA extended Access Control, and IBM integrated Encentuate's eSSO solution with ITIM as a service offering to manage privileged access. The remaining major PIM players like Cyber-Ark, Lieberman, and BeyondTrust will now face added client RFP scrutiny and price pressures from the competition. Forrester expects that new IAM entrants like Symantec/VeriSign, NetIQ (to compete with arch-rival Quest), or MSSPs will look at acquiring the remaining vendors named above.
Details have been elusive thus far, but reports indicate that multiple breaches occurred, resulting in “suspicious files” on the company’s servers. A statement released by Nasdaq assures us that its trading systems and customer data were not compromised, and those in the know tend to agree that infiltrating the trading systems would be substantially more difficult than breaking into the web environment and leaving a few files behind. As the investigation continues, hopefully we'll learn more, but what can we take away from this story so far?
The list of attractive hacker targets continues to grow. Whoever perpetrated this breach chose not to go after traditionally lucrative targets like customer/employee data or a more difficult and devastating attempt to dismantle one of the world’s biggest exchanges. Instead the target was a more accessible set of extremely sensitive corporate data – details about mergers, acquisitions, dividends, and earnings. Without much sophistication, criminals could use this information to execute rather impressive “insider trading” transactions or simply find an outlet like WikiLeaks for some of the more embarrassing tidbits.
Mobile authentication is nothing new. SiteMinder, a prominent web access management tool, has been able to handle mobile browsers and sessions for at least 7-8 years. Some users complained of WAP and its limitations, but most could access information and log in to websites with minimal issues.
WAP is gone, replaced by a multitude of devices: tablets, PDAs, smartphones, etc. With the proliferation of the Splinternet, we are witnessing not only a boom of content, but also the need to limit access to sensitive applications and data not only from the device but also on the device. Authentication, authorization, and data protection challenges multiply as companies embrace post-PC tablets and other devices.
What do we see people asking about? From the enterprise security perspective, the biggest challenges seem to be protecting the data on the device, performing a remote wipe on a lost or stolen piece of equipment, and making sure corporate information is separated clearly from any private data. Writing mobile applications or designing mobile-capable and still rich, interactive web pages is no easy task either. Companies also wonder about how to deliver and (de)provision applications quickly and securely.
What do we see companies do? Sandboxing corporate data and mandating the use of remotely wipeable devices is the first step. Storing certificates and using transaction signature mobile authenticators to defend against stolen or compromised text messages with one-time passwords is a logical follow-on.
If you're a security and risk professional in charge of protecting consumer-facing applications, you may have heard that OpenID is a “toy,” or that it's an insecure protocol, or other critiques. And then comes the recent news of former early adopter 37signals' decision to drop its OpenID login support, which has occasioned some soul-searching in the Web 2.0 identity community. Check out commentary from Scott Gilbertson of Wired's WebMonkey, Dare Obasanjo, and reaction from “social login” vendor JanRain.
When OpenID appeared on the scene, more robust solutions based on SAML were well under way for many years and seeing adoption, but only in scenarios involving limited circles of trust — typically point-to-point enterprise outsourcing scenarios and specialized higher-education communities — rather than in broad-based consumer populations.
In my career, I’ve observed with horror security dismissed as “those techies in the basement” and something for projects to work around. The policing image of us that’s so prevalent constantly makes me cringe, and I hate nothing more at a party than when people ask what I do and hear their immediate response as “Oh, you’re the one who deals with viruses and worms.” Ugh! (Note to self: find a more glamorous title to talk about at parties.)
Happily this image slowly but surely is going away as security moves onward and upward in organizations. And what if we, as security professionals, can do our bit in changing this image within the organizations that we serve? What if we actually wake up and start running security as a business? And what business runs successfully without marketing of its products and communication skills?
Look at our security vendors – they work very hard to define and create their product and services and to sell them to us. And all other things being equal, we generally prefer to do business with people that we get along with and who provide us with great service. We cannot dismiss the importance of strong communications.
So why do we shy away from words such as marketing and communications in security? Why are there so few (if any) “security communications managers” in internal security teams? As I discuss in my report, there are methodologies that can be used to create effective and inclusive communications and marketing activities – we just need to start. The marketing of security is a journey – not a miracle.