Friday 17 February 2012

Intellectual property rights

Copyright and patents have taken a lot of headlines recently; there have been big battles between Apple, Samsung, Motorola and anyone else that wants to weigh in with their patent for a pound of flesh. ACTA has hit a hurdle in Europe with a lack of support and ratification, and SOPA has been left largely unsupported in the US.

This is a difficult subject for me. On one hand, my company makes money from its intellectual property, creates jobs (mine included) and manufactures in the UK - yes, UK manufacturers DO exist!
On the other hand, I do not appreciate the additional cost of my electronic devices due to costly and otherwise unproductive patent battles. I do not appreciate being described as a criminal for making a backup copy of a CD or DVD or converting it to another format.

There needs to be patent protection to reward innovation. There should be copyright to encourage creativity. I believe the time limits on patents and copyright need to be seriously readjusted. The fact that copyright extends to between 50 and 70 years after the death of the creator in the majority of the world is ridiculous. Copyright is intended to permit the creator of the work to make a fair profit from their efforts. This may have been a realistic timeframe when transportation speeds were such that creative works would take many years to pervade all of humanity but, with today's electronic communication, it is possible for a work to circumnavigate the globe in seconds, so it is practical for a creative artist to exploit their art in a very short timeframe. I believe that a creative artist should be able to exploit their art within a single year, possibly less. There may be scope for different mediums to enjoy protection for differing lengths of time; it is a broad subject that requires great discussion.
The bottom line with regards to copyright and file copying on the Internet (I refuse to classify it as piracy) is this: the Internet industry generates a great deal more income than the creative industry. If the best argument from the copyright protection industry is job protection, let's look at the number of people employed in the Internet industry and make a fair comparison.

With regard to patent protection, as I stated before, there should be protection for innovation to allow inventors to profit from their creations. Again, the patent protection timescales need to be adjusted along with a rationalisation of patent applicability. They are not currently as long as copyright protection but some of the patents currently under dispute are, frankly, ridiculous. There needs to be a test of fairness - if a patent covers an idea that could reasonably be reached by another person, that patent should be blocked. Again, the devil is in the detail and the dispute will come down to what is considered reasonable.

Thursday 22 September 2011

Why DLP is virtually useless

DLP is one of the greatest vendor TLAs at the moment. Pretty much every security vendor has a DLP 'solution' that they would have us buy.
The bottom line is that DLP has very little to offer us.

Don't get me wrong, there are a few instances where DLP can demonstrate a small value, preventing the accidental information leak from an ill-informed user, but that is pretty much it.
Let's face it, if full DLP is implemented, an information system becomes so bogged down with warnings, alerts and reminders that normal productivity cannot be achieved. If industry figures are to be believed, more than 80% of information leakage is carried out by malicious insiders. If those malicious insiders are intent on extricating your information, they'll find a way to bypass your security controls - or are you going to ban printouts, handwritten notes even?

I have seen (and built) high security systems that had very little opportunity for information to leak. Logging of printers, hardcopy document registers, no export to optical or magnetic media, no onward connectivity, no removable media access permitted. How usable would these systems be beyond the single-use they had? Nil. Would the security controls prevent a malicious user from jotting down a few notes of what they saw on the screen or, heaven forbid, remembering a few salient points? Not a chance.

Our businesses employ personnel they trust. If we don't trust them, why do we employ them? It is entirely possible that staff become disillusioned or corrupted in some way, that's why we verify. It's an old adage but worth repeating - Trust, but Verify.
We should be enabling our users to be as productive as they can be, protect them from silly mistakes, allow information on a need-to-know basis but provide them with the tools that make them efficient. The deployment of DLP in the vast majority of cases will be a business disabler and users will find workarounds that are below the radar.

Wednesday 3 August 2011

Staff vetting

I mentioned vetting in my previous post and I'd like to expand on the vetting of staff, contractors and temporary workers.
I have been through some pretty heavy vetting. I'm glad to say I passed, but not without a warning or two - a sign of a misspent youth. The vetting process was quite in-depth and included background checks, reference interviews and a face-to-face interview.
During my vetting, I was completely honest and advised my references to be just as honest. I have encountered some managers advising their staff to be less so, particularly in certain areas. This was especially apparent when working in the private sector, providing services to HMG. If consultants did not pass their vetting, they were unable to work on ANY projects for HMG, therefore the pressure to pass the checks was quite high. Don't get me wrong, I don't think the people that were lying were any higher risk to security than those that didn't (if I did, I would have spoken up), but the vetting scheme requires complete honesty in order that you don't leave yourself open to blackmail; those that lie have this vulnerability.
Why do they lie? It is apparent that, depending on the area you are being vetted for, the tolerance levels for certain behaviours are higher, or lower, than others. Some areas would have no tolerance for alcohol abuse where others may take a softer approach. Some areas may be more tolerant of a past instance of employee theft where others may not.
What does this mean? To put it succinctly, there are a number of people working for HMG either directly or via contract, that hold high levels of clearance, that are (slightly) vulnerable to blackmail.
I am acutely aware that those that are likely to disclose information would also lie to protect themselves and to achieve clearance and it is obvious, at least in my experience, that the vetting staff are not trained to spot obvious body language tells that would indicate a less honest answer.
The alternatives are unpalatable. I understand anecdotally that in the US, vetting is accompanied by a lie detector test. I do not believe that would be acceptable in the UK and it would certainly be rejected by many. I am also aware that it is possible to be trained to defeat the lie detector just as easily as one can be trained not to provide body language tells. If we were to rely on further reference interviews, the costs would soon increase - vetting is not a cheap process and I'm sure the vetting agencies are under pressure to keep costs down - and if one reference will lie for you, I'm sure many others would also.
The bottom line is that many potentially good candidates are put off by the draconian requirements for vetting, and some previous behaviour will preclude a candidate from attaining the highest level of clearance where other candidates who are prepared to lie are achieving clearance, leaving them open to blackmail. I believe the system is broken and there is no easy fix.

Sunday 10 July 2011

A new approach...

It's been a good while since my last post. I've started a new job; for the first time in a long time, I'm in the private sector and I've been dedicating my efforts to getting up to speed and changing my mindset to address the security issues for an entirely new way of thinking and working.

I've still got plenty to comment on concerning the state of information security within the public sector and the controlling bodies, more of that to come...

Back to my new role. The company I'm now working for are investigating the possibility of utilising cloud resources. Coming from the environment that I have, my immediate reaction was to balk at the prospect but, following the practices I have learnt over the years, I applied a suitable risk calculation to the whole idea and it all boils down to whether you feel you can trust your cloud service provider. The benefits are immense - we are considering outsourcing our email to a cloud service, which dramatically reduces the cost of the current clustered Microsoft Exchange environment and increases the availability over what is currently achieved via the in-house solution. The ability to scale up (or down) at very short notice delivers considerably more flexibility than is currently possible.


Granted, there are additional requirements on the company to ensure confidentiality of information. For cloud services, it will be imperative to implement two factor authentication, along with all the headaches and potential pitfalls (Re: RSA) that they come with.

The move to cloud services is now primarily seen as a change management project. User acceptance, or more likely acceptance of the loss of Microsoft Outlook, may not be as high as could be hoped, and managing the perceived loss will be a primary consideration.

As I alluded to before, the issue of trust of a service provider is the stumbling block. As we meet the various service providers concerned, they become familiar and a trust relationship is built. We want to trust them and naturally, they want us to trust them. Alongside the new-found trust we have developed is an implied trust of ALL the employees of those companies. Some of the companies we are engaged with have an employee vetting scheme. I have been the subject of vetting and I'm not impressed. Vetting is hugely effective at weeding out potential employees who have been caught misbehaving but fails dramatically when attempting to identify the luckier, or more efficient, dishonest employee. The issue of trust must be an informed decision and ultimately, it falls upon the business to make the final decision; my responsibility stops at providing full information to the board so that the decision may be an informed one.

Tuesday 15 February 2011

£63 million for the police to fight Cybercrime

So, the police are going to be allocated £63 million from the £650 million made available to 'beef up' Britain's cyber defences.

My question is: Is this an appropriate organisation to be tasked with this role? I suspect it is not. Now the money has fallen into the police budget, it will offset other spending cuts applied by the government austerity measures. In short, those police personnel that would have been made redundant may now find themselves assigned to cyber defence work, whether they are suitable or not.
I believe the full £650 million should have been assigned to a new organisation tasked with cyber security, with the sole purpose of blocking cyber attacks and, wherever possible, identification and prosecution of offenders. With the police having the funding assigned to them, there is an imperative to retain and retrain staff for the role rather than employing suitably trained and experienced personnel who are ready to commence the tasks required.

A full UK Cyber Defence Organisation could be provided with the authority and access to identify those organisations that are actively being exploited with a view to contacting them directly and perhaps even offering a commercial service to allow said organisations to employ them to secure their systems against such further attacks.
Naturally, such an organisation would require an unprecedented level of access to Internet traffic and there would be immediate privacy concerns over what is viewed by them, but surely it would be better for this to be in the hands of an independent service rather than the police, who will have other issues to deal with and might want to leverage the access afforded to facilitate additional investigations, drawing further resources away from the primary objective.

It's not an easy task and the levels of funding being suggested are appropriate to tackle the task at hand but in no way adequate to completely eradicate the threat - no level of funding could be.

I will watch closely how the remaining 90% of the £650 million will be distributed. I'm sure the MoD will be allocated a portion of the funding and the same issues will apply with regards to redeployment of staff, retraining and scope creep. I'm sure that CESG will receive a good dollop and, while I respect the ability of CESG and the issues of conflicting priorities will be lessened, there is the ever-present issue that CESG has an incredibly hard time retaining suitably cleared and experienced staff who, once they have attained the clearance and received the training that CESG provides, are tempted away to high-paying consultancy and contract positions, often returning to their previous job but costing CESG up to ten times as much. Many of the issues at CESG are down to their stringent vetting requirements but that is a post for another day!

Monday 7 February 2011

The tragic state of NHS information security.

Recently, I have taken some time to examine the state of information security within the NHS. What I have found is a culture which would shock most information security professionals and should dismay those responsible for ensuring the safety of what is deemed to be sensitive personal information, according to the Data Protection Act.

My sources of information vary from direct observation to anecdotal evidence, albeit evidence from trustworthy sources.

My interest in NHS information security stems from a chat I had with the chap who was (at the time, 4ish years ago) responsible for the security of the links between NHS trusts. My question to him was innocent enough - 'Who is responsible for the security of the endpoints?' I was surprised to discover the response 'They are.' Meaning, the local trusts, hospitals or even surgeries.

Following on from that chat, I have taken particular interest in the security of information whenever I am in an NHS environment. I have visited several hospitals, primarily when visiting friends or family. I have visited many surgeries and other NHS trust buildings when employed as a contractor for the NHS, and I have family working within the NHS who often ask my advice concerning the security of their systems.

In every - not most - every hospital I have visited, the mail is delivered around the hospital by trolley; the trolley is left outside wards unattended while the post for each ward is delivered within. It would be trivially simple for an individual to take post from the trolley.

In one particular NHS trust, all laptops were fitted with whole disk encryption. The whole disk encryption installed onto the laptops had the SAME password across the entire estate and the password was written on at least two of the laptops. I have no experience of other trusts' laptops so I cannot state how widespread this problem is.

I have witnessed account sharing on many sites. This is particularly endemic within small user groups, medical centres and doctors' surgeries, although it is not limited to them. It should be noted that central medical records are protected via a secure session using two-factor authentication; however, many other sensitive client details and reports are recorded on the hosting computer, with little or no protection afforded to them.

Physical security within the NHS is abysmal. In every - not most - every hospital I have visited, I have noticed network equipment cabinets that members of the public could easily access, either to install an additional device or to cause major disruption by disconnecting cables.
The physical protection afforded to computer systems within treatment and consulting areas in medical centres, surgeries and hospitals is sadly lacking. Many areas are protected by five-button Simplex locks, which take up to five minutes to brute-force, usually considerably less. Other areas are protected by 13-button locks, the codes for which can be trivially captured with a dry marker pen.
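To put a number on the five-minute claim above, here is an added Python example (mine, not the author's) that counts the code space of a Simplex-style five-button lock under the usual model for that mechanism: a code is a sequence of one or more pushes, each push is a non-empty set of buttons pressed together, and no button is used more than once in the whole code (not every button need be used). It also shows how much of that space is left once an observer already knows which buttons are in use, which is the failure mode the marker-pen remark describes and the reason wear or residue on a keypad matters when a lock is being selected. The time-per-try figure is a constructed assumption used only to turn a count into a worst-case search time.

```python
"""Risk arithmetic for mechanical push-button door locks.

Added example, not from the original post. Models a Simplex-style lock with
`buttons` buttons: a code is an ordered sequence of non-empty pushes, each
push a set of buttons pressed together, each button used at most once.
"""
from math import comb


def ordered_partitions(n: int) -> int:
    """Ways to split an n-element set into an ordered sequence of non-empty
    blocks (the Fubini / ordered Bell numbers): 1, 1, 3, 13, 75, 541, ...
    Here a block is one push and the sequence is the order of pushes."""
    a = [1]  # a[0] = 1: the empty set has exactly one (empty) arrangement
    for m in range(1, n + 1):
        # choose the k buttons in the first push, then arrange the rest
        a.append(sum(comb(m, k) * a[m - k] for k in range(1, m + 1)))
    return a[n]


def pushbutton_codes(buttons: int = 5) -> int:
    """Total distinct codes that use at least one button: pick which k
    buttons are used, then count the ways to order and group them."""
    return sum(comb(buttons, k) * ordered_partitions(k)
               for k in range(1, buttons + 1))


def codes_given_used_buttons(used: int) -> int:
    """Codes remaining once it is known exactly which `used` buttons are in
    the code (worn keys, residue): only the order and grouping are unknown."""
    return ordered_partitions(used)


def exhaustive_time_seconds(codes: int, seconds_per_try: float) -> float:
    """Worst-case time to try every code at a constant rate (assumption)."""
    return codes * seconds_per_try


if __name__ == "__main__":
    SECONDS_PER_TRY = 0.25  # constructed assumption, not a measured figure
    total = pushbutton_codes(5)
    print(f"five-button lock, full code space : {total} codes, "
          f"worst case {exhaustive_time_seconds(total, SECONDS_PER_TRY) / 60:.1f} min")
    for used in range(1, 6):
        left = codes_given_used_buttons(used)
        print(f"  if the {used} used button(s) are known: {left:4d} codes left, "
              f"worst case {exhaustive_time_seconds(left, SECONDS_PER_TRY):.0f} s")
```

Run as-is it reports 1081 codes for the full space, which at a quarter of a second per try is about four and a half minutes, the same order as the figure in the post; once the set of used buttons is visible the remaining space collapses to at most 541 codes and, for the common three-button code, to 13. The practical reading for a defender is that a lock of this class gives delay measured in minutes against a patient visitor and seconds once the keypad betrays its buttons, so it buys time only in combination with supervision or an audited electronic control.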

The NHS trust I was contracted to, when asked who was responsible for information security, replied 'I don't know - I think it's the IT director.' This was said to me by an IT manager.

I have received by post the medical details of an elderly woman who lives ten miles away from me, when appointment details were sent through for my son.

In addition, I have discovered unpatched systems, unsupported operating systems and out-of-date anti-virus software.

These are only a few examples of the incredibly poor information security I have noticed when within NHS environments. I have many more examples that I could cite but it would achieve little else. I suspect the results of audits (if any are carried out) would make for some pretty grim reading.

The overall information security measures within the NHS, in my experience, are catastrophically poor. Why this is not more widely reported is a mystery to me. Almost everyone in the country has medical information stored and processed by the NHS so this should be a concern to pretty much everyone. I doubt my observations are restricted to the absolute worst NHS trusts - they are not limited to one trust but several trusts. I am sure information security breaches within the NHS are not being reported and if they are, they must be being covered up. The Department of Health has guidelines for Information Security within the NHS but there are no hard and fast rules concerning the protection of OUR information.
I believe it would be in our interests for the NHS to be required to comply with a data security standard. I appreciate there will be a huge cost involved in this, at a time when the NHS cannot afford to spend additional resources; however, it is only a matter of time before a huge data loss is reported within the NHS, which will cause a knee-jerk reaction to providing adequate protection for NHS-held information, along with the associated 'quick-fix' costs such as those that have been endured by the MoD following the loss of the Navystar laptop and the Revenue and Benefits CDs.
It would be prudent for the NHS to commence investing in Information Security now, rather than being forced into action at a later date.

Wednesday 5 January 2011

GSM Phone security

http://arstechnica.com/gadgets/news/2010/12/15-phone-3-minutes-all-thats-needed-to-eavesdrop-on-gsm-call.ars

As is the way with many theoretical attacks, this one has now been taken from the realm of theory and placed firmly at the feet of reality.

Whether you are Government, Military or business, it is now abundantly clear that it is possible for mobile communications to be intercepted both trivially and cheaply. While it is accepted that three-letter-agencies have possessed this capability for some time, it is now highly likely that this capability will be in the hands of criminals, industrial spies, private investigators, journalists - in fact anyone. Mobile communications now have less security than postcards so, if you wouldn't discuss your organisation's business on a postcard, it would probably be best to avoid mobile phone use.

The bottom line is, if your adversary has a couple of hundred quid to spend and a small amount of time, it would be safer to assume that they ARE listening to your conversations and reading your texts.