
David Lacey's Security Blog

David Lacey is a leading international authority on Information Security Management with more than 20 years' professional experience of building security and risk functions for large organisations.

Articles

A Step Back for Biometrics
2008-03-24 14:10:00
The debate over BAA’s proposal to fingerprint passengers at Heathrow’s new fifth terminal is a sign of the times. It’s part of the growing dilemma of how to optimise the balance between security, privacy and convenience. BAA claim that the extra security measure is needed to authenticate that the person arriving at a gate is the same one that checked in, thereby preventing domestic passengers from switching boarding passes with international travellers in the shared passenger lounge. Passport checks are clearly not sufficient, so just how do you design a system that's fast, easy, reliable and secure? Fingerprints seem a reasonable approach, especially if the system is secure and they’re thrown away after 24 hours (though one has to question whether four of them need to be taken). A few years ago, the Co-op retail supermarket trialled fingerprint reading with customers without any great fuss. At the time they claimed it to be "the least squeamish and the most acceptable...
Responding to e-Crime
2008-03-21 11:37:00
Computer Weekly reports that the Home Office turned down a request by ACPO to find £1.3 million in cash to fund a pilot e-Crime unit. At first glance this might seem a setback. But, in my view, £1.3 million is nowhere near enough, no more than a token gesture. We need a much bigger, strategic response. That's what we should press for.
Collaboration Oriented Architecture Hits the Road
2008-03-20 20:55:00
The Jericho Forum will be unveiling details of its new Collaboration Oriented Architecture (COA) at the RSA show in San Francisco in April followed by Infosecurity in London. COA provides guidance on how organisations can achieve secure business operations across a de-perimeterised network environment. Meanwhile, Ron Condon provides a nice summary of the principles behind COA in his recent SearchSecurity feature.
Network IPS is Dead - Long Live Application IPS
2008-03-18 22:25:00
Back in 2003 Gartner announced that Intrusion Detection Systems were a costly failure and would be obsolete by 2005. They saw problems with false positives, false negatives, bandwidth limitations and the growing resources needed to carry out monitoring and incident response. Better to invest in firewalls they said. Yet five years later IDS is alive and well. And it’s Intrusion Prevention Systems that are failing to penetrate the market. False positives continue to be a problem for network-level systems. So nine out of ten security managers still prefer to monitor rather than block. It might be resource-consuming but the risk of blocking an important business transaction is too great for most companies. But the future is brighter. Security is always more intelligent and effective when applied at the application and data level. New products such as the impressive intelligent database activity monitoring technology from Secerno are much more reliable. In fact Paul Davie, Secerno ...
Regaining Public Trust in e-Government Services
2008-03-15 23:59:00
The British Computer Society have just published details of an interesting survey of UK citizens' views on e-Government services. You can guess the outcome. Not surprisingly there is high concern about public sector management of sensitive citizen data. Is this a setback for e-Government? Yes, but it's not an unexpected one. In the face of increasing threats and growing impacts, it's always been necessary for all government service providers to keep raising their security game. However, in the absence of hard evidence of future trends, increases in budgets and resources are not automatic. Instead we have to play a reactive game. Fortunately, most reactions to major issues and incidents overstate the response. So the next step should – fingers crossed – be a welcome step change in security assurance. We need to start with better leadership in presenting the facts. In fact we're already seeing this in Sir James Crosby's recent report on Identity Assurance. Then we must focus ...
Turning Threats into Opportunities
2008-03-15 01:51:00
Most IT security professionals are aware of the damaging influence a major incident can have on brand value and company reputation. But it doesn't have to be that way. At this week's MISTI CISO summit in Orlando, several presenters expressed amazement that the stock price of TJ Maxx had increased after last year's highly publicised data breach. But it was no surprise to me. Anyone who has studied the aftermath of company crises will appreciate that heavy media coverage is also free advertising. If you handle a crisis well you will come out on top. Academic research by Deborah Pretty at Oxford University several years ago confirmed this counter-intuitive phenomenon. Any organisation that spends millions of dollars on security consultancy and fixes following an incident gives me confidence. I'd rather trust a product from a company that's been hit and learned a lesson than one that might just have been lucky. And clearly the stock markets also think that way.
The Softer Side of Security
2008-03-13 20:35:00
For the last few days I've been over in Orlando speaking at MIS Training Institute's excellent Infosec World. It's one of the most comprehensive conferences in terms of subject area coverage, with 11 simultaneous streams of in-depth presentations. And the feedback from delegates is always good. So it provides an interesting perspective on the state of the art of the US security community and an indication of the challenges facing security professionals. In the UK we're used to looking to the USA for an idea of what's coming next. But in the information security world the opposite has often been the case in recent years, as US companies adopt UK innovations such as ISO standards, ITIL management processes and de-perimeterisation strategies. However the traditional gap between US and UK security emphasis - the former having a stronger technology focus and the latter more process-oriented - has largely disappeared. Programmes such as Infosec World now have a strong emphasis ...
Confidential Briefings and the Chatham House Rule
2008-03-10 23:19:00
I've always been a great admirer of the Royal Institute of International Affairs (RIIA), otherwise known as Chatham House. And I've always trusted colleagues to respect any confidential briefings disclosed under the Chatham House Rule (there's only one, by the way), which states that: "When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed". Perhaps rather naively I've always assumed that even journalists respected this world-famous rule. So my eyebrows were raised when my instructors on a recent media training course emphasised that "There's no such thing as off the record". "Surely that doesn't apply to an exchange carried out under the Chatham House Rule?" I asked. "No," they replied, "the story always comes first". I'll certainly be more careful in future.
Identity Cards Get Personal
2008-03-08 11:28:00
HM Treasury has just published Sir James Crosby’s report on Challenges and opportunities in identity assurance. It’s a document that all security professionals should read, not only because it's a hot topic, but because it’s not often that we get to hear the views of a former top banker on a major public policy issue. The report considers both public and private sector uses of identity. It rightly emphasises that “every aspect of an ID card scheme should be designed from the consumer’s perspective”. And it sets out some good principles regarding trust, ownership, informed consent and the need for quick repair of compromised accounts. The report favours a more rapid roll-out. It even recommends that enrolment and tokens should be provided free of charge to encourage citizen buy-in and quick uptake. I’m sure the Treasury loves that one!
Sourcing and Security
2008-03-04 18:19:00
The recent seizure of $76 million worth of counterfeit Cisco kit by US authorities comes as no surprise. What’s interesting is that security is cited as a major concern. Security professionals in high threat environments have long been concerned about the sourcing of hardware and software. That's because it’s easy to plant a bug or a back door, but extremely hard to detect one. The reality however is that the business community decided long ago that the economic benefits of overseas manufacturing and services outweigh these security concerns. Counterfeiting is a more insidious threat, because the true sourcing is disguised and the quality of the product is less certain. Perhaps this is a timely wake-up call for organisations in high threat environments to review the security risks associated with their sourcing processes.
Professionalism
2008-03-04 10:45:00
I'm pleased that my fellow blogger, Stuart King, takes pride in his new qualification as one of the first full members of the Institute of Information Security Professionals (IISP). It's certainly a good thing to encourage security practitioners to aim for professional recognition. And as a founding director I have a soft spot for the Institute. But I do worry about the continuing focus on qualifications rather than education. In my view we're not tackling the real problem. Qualifications don't make people better at their jobs. The key requirement is training. And there's simply not enough of that. Security professionals should be encouraged to attain an MSc or postgraduate diploma. That's the minimum standard appropriate to the work, and the target I set for Royal Mail Group practitioners. Obtaining qualifications on the basis of experience is a less demanding route. It might solve a management problem but it doesn't improve the quality of the work.
De-perimeterisation Gets Closer
2008-03-01 23:35:00
Yesterday's Jericho Forum workshop was focused primarily on developing a position paper on collaboration-oriented architecture. This might sound like a pretentious new buzzword. But it's a natural progression in IT architecture, which has been slowly evolving from products to services to processes. It's a little early for breakthroughs, but it's worth watching this space because the discussions were interesting and mature. However the thing that really caught my eye at the meeting was Paul Simmonds's demonstration of de-perimeterised Internet filtering and monitoring. He could connect his laptop to the Internet via the local office network and browse web sites with full filtering and logging in accordance with ICI security policies. It's not rocket science but it's something you don't see every day. The technology used was a service delivered by AT&T based on ScanSafe technology. It's not brand new but it's the first time I've seen it in use and working. Tod...
ATM Security Weaknesses Publicised Again
2008-02-28 10:58:00
I see that Cambridge University have hit the news again with claims of flaws in Chip and PIN reader technology. All commercial systems have security weaknesses. They are a compromise between cost and potential losses. We don’t always get it right. Sometimes we spend too much, sometimes too little. What counts is whether the weaknesses actually lead to losses, and there’s no evidence that any attacks of this nature are being mounted or contemplated. But regardless of that, it’s irresponsible to publicise weaknesses that cannot be readily addressed in systems affecting millions of customers.
Internet Governance
2008-02-27 22:30:00
The recent case of Pakistan blocking access to YouTube underlines the need for better governance of the Internet. I'm not suggesting we should have heavy-handed, bureaucratic control. But the Internet is now critical to business and government services, so we need a better international understanding of national responsibilities, especially for supporting services such as security and incident response. The UK concept of a "Third Way" suggested by the Rt Hon Alun Michael MP gets my support.
Cyber Warfare is This Year’s Fashion
2008-02-24 13:22:00
If 2007 was the year in which the public and media became aware of the risks of large-scale data breaches, then 2008 might prove to be the year that they finally grasp the dangers posed by cyber warfare. There's certainly a lot of business and publicity building up in this area. Last year's Die Hard film was only the start. This month Wired magazine has an interesting feature on the intense competition among 15 military towns to host the Air Force's new Cyber Command. Clearly there are big budgets to be won playing this new great game. It's also hitting the conference circuit. Next month I'll be speaking at Cyber Warfare 2008 in London. And I keep coming across a growing range of training services from specialist companies such as Abacus IT Security. Of course one worries about the value we get out of all this. Just what do tens of thousands of cyber soldiers do when there's no war to fight? Does it mean that we now have a new form of cold war being played out in s...