ISF congress post 8: Information security – Where next?

Keynote with – Bruce Schneier (BT) and Quentyn Taylor (Canon)

This was a very free-flowing discussion, but I have tried to capture the main points that were made:

Thoughts on the state of the security industry today:

Quentyn – Things never change.  Technologies change, but we still have the same issues as always.  We seem to have a mentality of “if I can just get the next best thing installed we’ll be secure”.  We are obsessed with the new – the next threat, the next big issue – and these mean new technologies and new things to base next year’s budget on.

  • Focus on the basics.  Verizon threat report – the vast majority of the issues are old and simple – related to patching etc. and not the latest advanced threats.
  • Look out for the new upcoming EU regulations.


Bruce – In some ways things haven’t changed, in some ways they have.

  • Security is proving hard to sell.
    • Economic reason – It has got more complicated than the buyer can cope with.  Many specialised, niche products that are hard to understand if you are not an expert in that specific area.
    • Psychological reason – Greed is a much better sell than fear.  Security is fundamentally a fear sell.  Other tricks are magazine awards and reviews.
  • Cloud may not be new, but it is new that everyone is using it.  For cloud services we don’t ‘do’ security – we have to trust the vendors.  What OS does Facebook use? Do you know? Do you care? – you don’t have to, but you have to trust them.  We have to trust the cloud vendors to be sensible, and this is fundamentally a law and regulatory issue, but there are some technologies coming along to help as well.
  • Without this trust things can go very wrong – since the recent NSA and encryption revelations, there have been many discussions around people doing their own thing for cryptographic solutions.  Doing your own encryption is almost always a disaster, but a lack of trust makes people do silly things.


Quentyn – Comment on the fear sell: in the 60s politicians promised to get us to the moon; now politicians promise to avoid disaster.

  • If there is a disaster at your company, do people take it and learn from it, or do people get blamed and fired?


Evolution of the CSO role and the complexity of the technology – is the CSO a translator to the board?

Bruce – Yes, in a way; someone needs to, and the most senior security person is likely best placed.  Communication skills are key.  Risk management is key.  Security is increasingly part of general risk management.

Quentyn – Dislikes the term CSO.  Rarely does the CSO sit properly on the board in the same way as CFO, CEO, CIO etc.  Is the role really C-level?  Both agree it probably isn’t, and the C implies more than CSO / CISO really / usually is.

Securing the supply chain, what are we going to do about it?

Quentyn – A lot of security people don’t read the company reports etc. and don’t really understand in detail the business they work for, so how can they secure the supply chain?

Bruce – This is fundamentally a trust issue – I have to trust the companies that supply me to do their jobs, so the question is how do we get this assurance (audit details, contractual details, external assessments etc.?)  Do I need to include my supply chain’s audit reports in my overall audit report?

Quentyn – Example of Canadian bank discussion – we now have a requirement to audit, not to trust.  Question is how to get this from large vendors.

Bruce – There needs to be enough demand, and legal regulations to enforce this and make large brands such as Microsoft produce public audit and compliance reports for their customers.

Quentyn – The other side of this is what the vendor / service provider has to lose.  If a cloud provider, or mail processor, or whoever is caught with someone in their business reading your data or mail, they stand to lose a huge amount of business if the trust in their service is lost.

Bruce – Largely agrees with this.  Trust can be regulated, especially with government examples such as a driver’s license or a certificate in a doctor’s office.


Some more detail on the EU data protection act:

Quentyn – The fines for this are now capped at either 100 million Euro or 5% of the corporation’s global revenue, whichever is larger.  This could mean huge fines for some breaches of this legislation.

Bruce – Reputation is a powerful reason for companies to act in a trustworthy manner, as well as fines.

Why is this a future issue, rather than the same as now?

Bruce – If things are owned by you and run in house, governments get less involved.  When you are using multiple cloud companies and data plus processing is global, government will regulate the providers much more.  This means more reliance on international laws, and getting better at combating international cybercrime.  We do seem to be getting better at this.  Yes there are bad actors and bad things happen, but things are nowhere near as bad as we (myself included) predicted.  We all bank online, we all bank on our phones, and we all know better!  However we do it because it’s actually relatively safe and we know this too.

Microsoft vs. Apple – we all thought it was better to have freedom to run what we want, yet Apple has fewer vulnerabilities than Microsoft.  (No mention of historical user base etc.)  However the downside of this is when Apple owns the device and manages the device, how do you know what is in memory?  How do you know if files have really been deleted etc.?


Discussion around mobile devices, use and data

Bruce – The difference with phones is that while they are just small computers, you carry them all the time so they are more easily lost.  He is more scared crossing borders with his smartphone than any other device, as with Apple he has no visibility of what is really on the device or in the device’s memory.


Where are we going with Apple vs. Android – which will win: the controlled walled garden (Apple style) or openness and freedom?

Bruce – Likely more control and less freedom, sadly.  Users want security to be invisible and don’t really care; we IT security types are not representative of normal users!

Quentyn – Agrees; saw a headline about iPads not winning because IT managers don’t like them, and thought it was a joke headline.

Should security drive business decisions?

Bruce – No, we should influence them, but not drive them.  And we are annoying.

Quentyn – We’re the “no, no, no” department.  But seriously, we should influence and be involved, but not drive.

Where are we going, are things getting better?

Bruce – Yes, we are getting better, and we are improving at teaching security.  However the problem is that IT is expanding, so medical IT, cars, smart grid etc. are all learning the same painful issues – “of course it’s secure, what do you mean you can hack a car?”, then they get hacked, then we have to secure them.

Quentyn – Thinks we need to wait 3-5 years to see if we are really improving.  Dick Cheney has raised a concern that his pacemaker could be hacked as it has Bluetooth!

Bruce – Likely if you ask the vendor why the pacemaker has Bluetooth, the answer will be ‘because it was on the chip we used’.

Bruce – Issues are often caused when computers are added to the physical world – e.g. we are adding IP stacks to medical devices, introducing a host of vulnerabilities and attack vectors that were not there before.  Imagine if your smart fridge got a virus – it wouldn’t be fun!

Five points / key trends to bring the discussion together:

  • Translator role between IT and business (CISO discussion)
  • Reputation and risk
  • Fines might work
  • Driving towards control – people will often give up control for convenience.
  • Building security in, especially as we add IT to more devices and features.

K
