Yesterday, WikiLeaksreleased emails taken in the highly-publicized Stratfordata breach. While many of the emails are innocuous, such as accusations regarding a stolen lunch from the company refrigerator; others are potentially highly embarrassing to both Stratfor and their corporate clients. The emails reveal some messy corporate spycraft that is usually seen in the movies and rarely is illumined in real life. For example, one email suggests that Stratfor is working on behalf of Coca-Cola to uncover information to determine if PETA was planning on disrupting the 2010 Vancouver Olympic Games.
Last week I read an article on wired.com’s Danger Room blog about the elite US military Special Forces command, JSOC. The units within the Joint Special Operations Command (Delta Force and Seal Team 6) are responsible for the most clandestine and sensitive US military operations, including the Bin Laden raid into Pakistan last year. JSOC is very similar to elite Special Forces (SF) units across the globe including: the Russian Spetnaz, British SAS, French Naval Commandos, and the Israeli Shayetet 13. These SF units are capable of addressing asymmetric threats that traditional military units aren’t prepared to handle.
In the article, Spencer Ackerman interviews Marc Ambinder, one of the authors of The Commandabout JSOC. The article piqued my interest and I just finished reading the eBook. Like almost everything I do, I considered the information security implications as I read it. Today’s infosec threat landscape is dominated by unconventional threats that are difficult to address. How can we leverage the techniques utilized by SF to deal with the cyber threats we face today? I realize that we have an international audience, and my point isn’t to focus on US policy, but rather to take a deeper look at the unique capabilities of SF units and what lessons we can apply in our roles as S&R professionals.
Data privacy laws are the champions of citizens' rights in the digital age. However, multi-national organizations often find these laws challenging to navigate given the complex framework of global legal requirements. To help our clients address these challenges, Forrester developed a research and planning tool called the Data Privacy Heat Map (try the demo version here). Leveraging in-depth analyses on the privacy legislation of 54 countries around the world, this product is aimed at helping our clients better strategize their own global privacy and data protection approaches.
Using the tool, one can quickly determine how various countries stack up against each another in terms of their data privacy standards. Each country has been rated across seven key criteria, covering the breadth of law, EU adequacy, data transfer limitations, government surveillance activities, etc. Leveraging this data, our clients will be able to establish their own data privacy “high watermarks”, ensuring compliance in all locales in which their organization operates. One such application is in the use of cloud computing. Since the cloud is borderless, jurisdictional-based privacy laws are often a mismatch when applied to clouds. When considering outsourcing to a cloud service, companies should consult Forrester’s Privacy Heat Map to determine, for example, whether their data will be at risk of residing in a country with questionable governance surveillance practices.
A few months ago I shared a flight with a very pleasant lady from a European regulatory body. After shoulder surfing her papers and seeing we were both interested in information security (ironic paradox acknowledged!) we had a long chat about how enterprises could stand a chance against the hacktivist and criminal hordes so intent on stealing their data.
My flight-buddy felt that the future lay in open and honest sharing between organisations – i.e. when one is hacked they would immediately share details of both the breach and the method with their peers and wider industry; this would allow the group to look for similar exploits and prepare to deflect similar attacks. Being somewhat cynical, and having worked in industry, I felt that such a concept was idealised and that organisations would refuse to share such information for fear of reputational or brand damage – she acknowledged that it was proving tougher than she had expected to get her organisations to join in with this voluntary disclosure!
Across the US and Europe we are seeing a move toward ‘mandatory’breach disclosure; however they have seemingly disparate intentions. US requirements focus on breaches that may impact an organisations financial condition or integrity, whilst EU breach notification is very focussed on cases where there may have been an exposure of personal data. Neither of these seem to be pushing us toward this nirvana of ‘collaborative protection’.
In the UK, I’m aware that the certain organizations, within specific sectors, will share information within their small closed communities, unfortunately this is not widespread and certainly does not reflect the concept of ‘open and honest’ as my flight-buddy would have envisaged.
In approaching the research for my recently published TechRadar™ on strong authentication, at first I struggled a bit with overlapping concepts and terminology (as can be seen in the lively discussion that took place over in the Security & Risk community a few months back). The research ultimately revealed that form factor matters a lot -- smartcards in actual card form, for example, have some properties and use cases distinct from smart chips in other devices. So smartcards became one of the 14 categories we included.
The category that quickly became my favorite was "bring-your-own-token." BYOT is Forrester's term for the various methods (sometimes called "tokenless") that leverage the devices, applications, and communications channels users already have. The classic example is a one-time password that gets sent in an SMS message to a pre-registered phone, but we see emerging vendors doing a lot of innovation in this space. You can get a surprising amount of risk mitigation value from this lightweight approach, in which you can treat provisioning not as an expensive snail-mail package, but as a mere self-registration exercise. In a world where hard tokens and smartcards prove themselves to be, shall we say, imperfectly invulnerable, lightweightness can have a value all its own. In fact, BYOT showed up just behind these two venerable methods in the "significant success" trajectory on the TechRadar.
Security threats develop and evolve with startling rapidity, with the attackers always seeking to stay one step ahead of the S&R professional. The agility of our aggressors is understandable; they do not have the same service-focused restrictions that most organizations have, and they seek to find and exploit individual weaknesses in the vast sea of interconnecting technology that is our computing infrastructure.
If we are to stand a chance of breaking even in this game, we have to learn our lessons and ensure that we don’t repeat the same mistakes over and over. Unfortunately, it is alarmingly common to see well known vulnerabilities and weakness being baked right in to new applications and systems – just as if the past 5 years had never happened!
A recent report released by Alex Hopkins of Context Information Security shines a light on the vulnerabilities they discovered while testing almost 600 pre-release web applications during 2011. The headlines for me were:
On average, the number of issues discovered per application is on the rise.
Two-thirds of web applications were affected by cross site scripting (XSS).
Nearly one in five web applications were vulnerable to SQL injection.
It makes depressing reading, but I’m interested in why this situation is occurring:
Are S&R professionals simply not educating and guiding application developers?
Are application developers ignoring the training and education? Are we teaching them the wrong things or do we struggle to explain the threats from XSS and SQL injection?
Are our internal testing regimes failing, allowing flawed code to reach release candidate stage?
I attended two really great presentations at MSPWorld yesterday. This is a very interesting conference, sponsored by the MSPAlliance[i] and co-hosted with IT-Expo but focused on managed service providers. Both dealt with the issue of MSP (MSSP) valuation. Many of the attendees are SMB (MSP/MSSP) business owners and this was a hot topic.
So what is an MSSP worth and if someone wanted to buy a business like this how much should they pay? This is an important question for Forrester’s IT clients because the rules of valuation can help IT clients evaluate potential partners. Financial stability and the intermediate and long-term plans of the MSSP should factor into the decision of selecting an MSSP. In any negotiation it’s also always good to know what the other side is thinking. Here’s the list:
1. Recurring Revenue – What is the firm’s recurring revenue profile? What are the sources of revenue and how much of this revenue comes from long-term (multi-year) contracts?
2. Service Agreements – What is the nature of the service-level agreements the firm has in place with other clients? Do they address risk management and risk sharing? How much liability is the MSSP willing to accept for regulatory compliance and information breaches?
3. Service Revenues – What percentage of the MSSP’s revenue comes from what types of business?