It’s time to understand the differences between corporate secrets and custodial data.

Secrets refer to information that the enterprise creates and wishes to keep under wraps. They tend to be messily and abstractly described in Word documents, embedded in presentations, and enshrined in application-specific formats like CAD. Secrets that have intrinsic value to the firm are  almost always specific to the enterprise’s business context — where an interested party could cause long-term competitive harm if this information is obtained. Keeping proprietary knowledge away from competitors is essential to maintaining market advantage.

Typically, companies in knowledge-intensive industries such as aerospace and defense, electronics, and consulting generate large amounts of confidential intellectual property that present barriers to entry for competitors. Unlike with toxic data spills, failures to protect secrets are almost never made public.

By contrast, legislation, regulation, and contracts compel enterprises to protect custodial data. Mandates that oblige enterprises to be good custodians include contractual obligations like the Payment Card Industry Data Security Standard (PCI-DSS) and data breach and privacy laws. Custodial data has little intrinsic value in and of itself, but  when it is obtained by an unauthorized party, misused, lost or stolen, it changes state.Data that is ordinarily benign transforms into something harmful.

When custodial data is spilled, it becomes “toxic” and poisons the enterprise’s air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity. Examples of custodial data include customer personally identifiable information (PII) attributes like name, address, email, and phone number; government identifiers; payment card details like credit card numbers and expiry dates; and medical records and government identifiers like passport numbers. Many well-known companies have graced the front pages of major newspapers with toxic data spills.

Interestingly, enterprises in highly knowledge-intensive industries like manufacturing, information services, professional, scientific and technical services, and transportation have between 70-80% of their information portfolio value from secrets while healthcare firms and governmental entities are nearly exactly the opposite, most of the value of their information assets are custodial data assets.

Data security incidents related to accidental losses and mistakes are common but cause little quantifiable damage. By contrast, employee theft of sensitive information is costlier on a per-incident basis than any single incident caused by accidents.

Unfortunately, compliance drives spending on security for all companies and smaller ones have a difficult choice to make.  “Compliance” in all its forms has helped CISO’s buy more gear, but it has distracted IT security from its traditional focus, keeping company secrets secure. All companies, large and small really need to do a better job of understanding the value of their corporate secrets.

Read my next blog for some recommendations on achieving the right balance.

• 

Here’s some of the good things that have resulted from the investment

• SOCA took down 36 website domains that sold credit card data –a small tip of the iceberg, but progress.
• 15,000 fraud websites were suspended
• GCHQ announced a scheme to help companies deal with cyber attacks and give guidance on response to a compromise
• 8 universities have been given the Academic Centre for Excellence in Cyber Security and Research
• CISP, the Cyber security Information Sharing Scheme

However, there are still areas that need further investment

• 60% of the budget was spent on ‘detect and defend’ – we hope that ‘response’ is also a large portion of this investment although it’s not very clear
• The government needs to do a lot more to collaborate with the security industry and ensure that skills and knowledge can be exchanged
• According to the UK National Audit Office it will take the UK up to 20 years to meet the required skills in Cyber security.  The universities are a good start but a lot more will have to be done to educate the citizens and raise awareness on cyber security
• Agility is a key factor on where and how this budget is spent.  A continuous challenge facing any government is how quickly they can invest with a cyber security landscape that is evolving every day.

The threat to cyber security is persistent and continually evolving. Business, government and the public must constantly be alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack.  It’s good that the Government has articulated their policy and published some results to date.  We’ll have to wait and see if the remainder of the funding is spent to meet the goals initially set out.

• 

Social Media is here to stay; it is not going to go away so organizations really must start to define a clear policy when it comes to Social Media. It should not be a standalone policy and must be integrated into the overall security policy and process. Companies often make the mistake of having a complete separate policy and the risk is that some controls fall by the wayside. It also must involve all the key stakeholders in the business on who owns what and define a clear incident management responsibility. For example, legal/compliance owns the liability issues, marketing owns sentiment management, and security owns technical monitoring solutions.
Response plans that may have worked in the past don’t work for Social Media due to the massive audience outreach and the speed with which the information can propagate. So, it may be time to have a dummy run of a breach via Social Media. For most organizations the far reaching security issues in Social Media only come to light when it’s too late.

Onto my favorite topic – User training. Social media due to outreach and speed requires a completely different level of training. Users may not be aware of the fact that a damaging tweet can be re-tweeted thousands of times within seconds. So, set out clear training around the use of social media and some of the issues it can create for companies. Set clear boundaries via technical controls and training.

And finally organisations often forget to monitor the social media for threat management. Brand monitoring on social sites is used by organizations to address reputational risk and customer services can also be monitoring to see if customers are escalating unsolved issues. Social media monitoring could also highlight hacktivist group activity that may be a concern for the organization.

All of these controls raised here shouldn’t come as a big surprise to a security professional but it time to re-think them and ensure you have the controls in places to mitigate any risks via Social Media.
Look out for my next blog on Must Have Competencies for Big Data in 2013.

• 

Many information-security and IT teams are under pressure to rapidly support mobility. Although time is of the essence, successfully managing risks requires coordinating stakeholders, creating policy and processes and integrating security into mobile plans and educating users. A basic checklist for a BYOD program must include terms and conditions, including enterprise and end-user rights and responsibilities for using a personal mobile device for work. Here are a few recommendations to get you started:

1. Make signing a legal agreement a prerequisite to using a personal mobile device in fact; a lot of organizations include mandatory training at this stage so the user understands the risks.
2. Stolen or lost devices must be reported within a specific period of time
3. Ensure employees understand the company’s rights with respect to monitoring and wiping devices. Also, users must understand that their personal data may also be wiped.
4. Include specific provisions on how the company will monitor the device, retain the device or wipe the device (complete wipe or just the corporate container)
5. Require the use of an organizations corporate account for storing data in the cloud.
6. Ensure end-users are responsible for backing up personal data
7. Clarify lines of responsibility for device maintenance, support and costs
8. Require employees to remove apps at the request of the organization
9. Establish that the company will disable a device’s access to the network if a blacklisted app is installed or if the device has been jail-broken or tampered with in any way
10. Specify the consequences for any violations to the policy

It seems to me that a lot of these recommendations should be common practice for a good security program as a lot of these actually apply to a corporate issued laptop anyway and let’s face it; most of us have personal information on our corporate laptops anyway…

All of these recommendations will require an enterprise to truly understand the nature of their BYOD estate. I fear a lot of organizations are under so much time pressure that BYOD has been implemented by stealth and not as part of the overall Security program. But the quicker you can gain control of the reigns puts you in a much stronger position to implement a comprehensive BYOD program.

• 

The truth is the number of IT and cyber security professionals in the UK has not increased in line with the growth of the internet and the NAO warns that the UK faced a current and future cyber security skills gap, with “the current pipeline of graduates and practitioners” unable to meet demand.

It warned that the cost of cyber crime is estimated to be between £18bn and £27bn a year. In 2011, ministers announced funding of £650m to implement the UK’s Cyber Security Strategy, which set out the risks of the UK’s growing reliance on cyber space.

The strategy identified criminals, terrorists, foreign intelligence services, foreign militaries and politically motivated “hacktivists” as potential enemies who might choose to attack vulnerabilities in British cyber-defences. To date both SOCA (Serious Organised Crime Agency) and Action Fraud, the UK’s national fraud reporting centre have both been very active in thwarting threats.

How can this skills gap be addresses? It needs investment by the government but also by education authorities and indeed the Cyber security profession.  Many years ago studying IT at a University was very attractive, but it seems to have lost its appeal.  Moreover, how many IT related degree courses actually teach security as part of its curriculum.

I think the industry needs to do its part to ensure that the Cyber security profession is seen as an attractive career choice and start early by evangelizing in schools and colleges.

The TV series CSI did wonders for enrolment into Forensics courses so I wonder if we need an equivalent Cyber security TV series to get individuals signed up.  Whatever, we do we are still going to be faced with a huge skills gap in this sector.

• 

However, on reading the report an interesting statistic about how long APT1 were in organizations stands out. We know from the 2012 Verizon Data Breach Report that breaches lead to compromise much faster than companies can discover them. Security tools are slow, lack visibility and are too often perimeter and signature-based to detect the presence of cyber activity. Here’s a quote from the report:

“APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.”

The challenge for all organizations is that they rely on obsolete technology or signature-based detection systems which are really not adequate for these types of attacks.

Disparate security tools are unable to identify and investigate advanced attacks in a timely manner and SIEM tools have either speed or smarts, but never both. Furthermore, large amounts of blind spots combined with a large window of risk from an attack allows attackers too much free time on the network. Organizations must have a target to reduce the ‘free time’ or ‘dwell time’ in an APT attack, early detection and remediation will minimize the damage. Proving compliance also costs too much and takes resources away from improving security against targeted attacks and we all know that being compliant doesn’t translate to being secure.

Until companies change the status quo and implement Intelligence-Driven security models we will continue to see compromises over long periods of time without companies even realizing they are hosting cybercriminals in their infrastructures. Final thought – Did the company that had APT1 in their network for 4 years and 10 months actually find the attack and stop it? Or did the attackers just get bored? My money is on the latter.

• 

RSA launched Security Analytics on the 30th January. It is a security monitoring system that brings together technologies from the existing technology categories, including network security monitoring, log-oriented SIEM, malware analytics, forensics, compliance reporting, and Big Data management & analytics, to better address the security needs of organizations. In particular the RSA Security Analytics solution provides capabilities that improve the effectiveness and efficiency of security analysts in their discovery (or detection) and investigation of security vulnerabilities and attacks which are underway. In addition, with RSA Security Analytics, proving compliance becomes an outcome of effective security controls as opposed the main driver of them.

In most companies’ protection and analysis is done by an army of people relying on point tools and manual or labour intensive processes. According to ESG research, 44% of enterprise organizations believe that their security data collection, processing and analysis qualify as “big data” today. This is simply not good enough to thwart our adversaries. We need real-time security intelligence and situational awareness to give them visibility into their security status at all layers of the technology stack and across their enterprise. This unprecedented view was not possible until now. This level of intelligence will help security executives prioritize actions adjust security controls accelerate incident detections and improve workflows around incident response. All of these can advances can not only improve security but can also lower the overall operational costs of doing so. RSA Security Analytics may just have the tools to help with breaking the kill chain. Read more on RSA Security Analytics

• 

Cloud vendor management has been on our list for a long time but how effective are we at doing this? Ultimately, organizations are responsible for the information that’s held by the Cloud service provider (CSP).  Information security teams must now switch their focus from implementing controls internally to controls implemented by third parties and asking themselves ‘how can we ensure that cloud services providers are meeting our trust levels?’ Are they are attuned to our particular threats?

The conventional controls assurance model is not sustainable the cloud. Client organizations cannot visit every cloud service provider to examine their security controls. Today, CSP’s provide assurance by using questionnaires. This is a wholly inefficient process as all organizations ask the same questions and it turns out to be a box ticking exercise. There are also no standards for these, apart from guidelines issued by the Cloud Security Alliance. A better approach would be third party assessment or certification like the AIPCA’s SOC 2 Report on Controls or the imminent ISO 27017 Standards for Security in Cloud Computing. In the meantime, organizations must find a happy medium to effectively measure controls and detect failures. The basic building blocks of an effective GRC implementations has some of the elements but while these need to mature companies will have to find their own way to measure assurance. Automated and transparent controls together with continuous monitoring will be an important part of the solution.

 
If mismanaged, this assurance process can add cost for sides, companies and service providers so it is important to ensure that overall budgets can be realigned. Companies have to realize that when moving to the cloud a larger portion of their budget is going to be needed to address cloud security. Budget realignment means reinvesting a portion of IT savings the organization achieves by moving to the cloud into managing risks. In the short term this realignment may not prove to be any more cost effective.

 
And finally, organizations must invest in technical proficiency for virtual and cloud environments. We know security controls change in the cloud e.g. the hypervisor in a virtual environment becomes a powerful software security control. Security teams must invest in these skills and ensure they have the knowledge to secure virtual environments within their own data centers and extend that knowledge to both private and public cloud models.

Look out my next blog on – Must have competencies for Social Media in 2013.

• 

Its five main functions are:

• Data Fusion – collecting and processing information on cybercrime
• Operations – Supporting investigations and facilitating law enforcement across the EU member states
• Strategy – Producing threat analysis, trends, forecasting etc.
• R&D/training – working with European police (CEPOL), raising awareness and developing new forensic tools
• Outreach – working with the private sector and relevant industry bodies to share information

I see this as a really good initiative particularly as individual countries in Europe are often left to their own devices to fight cybercrime which may have its roots elsewhere. In addition, a common centre will also increase collaboration between all the countries and allow them to share information. Information sharing has become one of the key weapons against cybercrime.

Of the five functions listed, I believe the last one on outreach is going to be the most significant. Information sharing between government agencies may happen to an extent, but we all need to share information including the private sector. And, although this is something that many countries in Europe including the UK have tried to put in place, a central unit in Europe that works closely with the private sector to understand the threat landscape and share data is definitely a big step in the right direction.

• 

There are three gaps that will help with this reinforcement. Addressing these gaps will require organizations to act now!

1. Security teams have always been seen as business inhibitors and it’s fair to say that this view has been changing. But as organization embraces the new technologies in 2013 they will have to up their skills quickly not only in understanding the security implications of these technologies but more importantly the impact on the overall business. The security team must work with the business to understand the risk and develop protection strategies to mitigate them to an acceptable level. 2013 is the year that information security migrates from being IT-focused to a business-focused problem. The success of security teams will be measured on their ability to enable business which will ultimately require tying security programs to business outcomes.
2. The security industry has lobbied the C-level suite in recent years to elevate the security message and to an extent this campaign has been successful with most CISO’s meeting regularly with the board. This has also been driven by more stringent regulatory requirements. However, it seems the gap is lower down the chain. Middle management seems to be measured on deadlines, revenues or timeframes for delivery and therefore is reluctant to spend any time or resources on security, and typically this doesn’t fit into their objectives. Security teams will have to build relationships with these middle managers to help them understand the value of security. This is not going to be easy…
3. The supply chain in most organizations has been transformed in recent years. We need to focus on each element of the chain. Last year PC’s that were manufactured in China were found to be shipping with malware pre-installed, exposing flaws in the global supply chain. It’s not only hardware but software and applications have moved on dramatically with the ability for a user to download an app in seconds on his mobile device and use it to access corporate resources. So, it’s time to re-visit the entire supply chain and identify the gaps.

Look out for my next blog on Action Plans for each of the four disruptive technologies.

•