TISS-Taking Information Security Seriously!

Guess the personalityTISS – Trust and Information Security? Seriously?? Who are we kidding?

It has now been a long year since I got into blogging and thanks to all my friends and well-wishers each blogpost was prompted by a discussion or a line from them.There has also been a long hiatus in me writing another blog piece for sometime. There was quite a bit of activity happening in the infosec arena and definitely big hits in the hackerspace. This all led me to sit back and reflect on the current issues that surround us.

  1. Finger pointing between nations that the other was using cyberspace as a the new cold-war front
  2. Several vulnerabilities in Java, Adobe discovered and more pouring in each day
  3. Companies/Agencies that want to use your data for their own ends (Consumer-Spying)
  4. The NSA building a massive data centre to store the data pouring in from all touchpoints
  5. Privacy of the common cybercitizen at inflection point
  6. Security Breaches in organisations holding your consumer data
  7. Governments storing data on each and every citizen, to be trawled and mined
  8. Targeted DOS attacks on Institutions rising
  9. Specfic targeted attacks on the White House staff and other governmental agencies

I will only discuss the few prominent topics in this post and keep the others for a later post.

The first 3 months of 2013 saw the number of DOS attacks on UK educational institutions equal the total number of DOS attacks that happened in 2012. This unprecedented rise of attacks could mean that this could be used as a test-bed for larger attacks or just that reporting mechanisms have improved. However, information sharing about attacks and breaches among corporates and other Institutions are yet not openly discussed so it is difficult to pinpoint actual numbers, but we will have to surmise what’s happening. For a better judgement of what is actually happening is that there needs to be maturity in the Information Security industry and while small initiatives are in place, we need a consolidated view that can be shared easily across the industry.

On another track Information Security is sold to the Infosec Officer who may well know the threats and what needs to be done. But, are we really selling to CEO and to the Board? The threat scenario really needs to be sold at the top level, CIO/CISOs cannot convince the CEO when large investments are required to ensure the security of the organisation. The language of the security domain needs new translators; it needs to go beyond compliance to something bigger; quantified in terms of revenue loss, reputation be quantified in justifiable money terms. Product release has to have security built into it from the design and not as an add-on. Why not have a Balanced Scorecard that reflects Information Security and Information Governance right there on the Balance Sheet? Proactive Information Security instead of Defensive Strategy?

There is a definite shortage of information security professionals, beyond the tick-marker level. This includes all levels; from encryption algorithm design, ethical hackers, secure coding, auditors, information governance, et. al.

Organisations have to invest more substantially in infosec; especially in trained professionals and ensure that these professionals are well trained and contribute to the Infosec domain knowledge periodically.

As Bruce Schneier aptly describes the internet as a surveillance state; and we have to unequivocally admit it. Google, Apple, Facebook all track us, whether we use it or not. According to one report, 105 companies can track us while we are on the internet (test was done over a period of 36 hours- tool used Collusion). Schneier further goes on to say “Increasingly, what we do on the Internet is being combined with other data about us. Unmasking Broadwell’s identity involved correlating her Internet activity with her hotel stays. Everything we do now involves computers, and computers produce data as a natural by-product. Everything is now being saved and correlated, and many big-data companies make money by building up intimate profiles of our lives from a variety of sources.

Facebook, for example, correlates your online behavior with your purchasing habits offline. And there’s more. There’s location data from your cell phone, there’s a record of your movements from closed-circuit TVs.This is ubiquitous surveillance: All of us being watched, all the time, and that data is being stored forever. This is what a surveillance state looks like, and it’s efficient beyond the wildest dreams of George Orwell.”

Organisations, corporations, governments have collected the data and the new mantra is BIG DATA – resulting problem — now how do we secure it? Do we place our trust in our computing ecosystem and the institutions that run it?

Till the next week – TIPS!! Take Individual Privacy Seriously!!

Identify the gentleman in the photo alongside and what is he famous for?

Advertisements

Liars & Outliers

Bruce has touched upon the 16 interdisciplinary and inter-related subject areas (answers can be found in the 16×16 matrix below) that make up the core of his new book. His new book is all about TRUST and SECURITY. Liars & Outliers is an excellent read with just over 16 chapters and a clear focus on how humans developed the trust they needed to survive over the centuries.

Bruce Schneier and Myself at the BT Stand @ Infosecurity Europe 2012

Bruce Schneier and Myself at the BT Stand @ Infosecurity Europe 2012

The book poses several ideas that may seem new to us security professionals such as Dunbar’s numbers, and the Red Queen effect, and the Hawk-Dove game. Wonderfully explained in Liars and Outliers is the model of trust based on societal, moral, reputational and institutional pressures that security systems need to address to be effective.

The real world examples help to deep-dive into the human mind to understand conflicts and how humans could respond when torn between personal objectives and corporate objectives.

An excellent read for all security professionals, human resource executives and almost anyone with an interest in interpersonal relationships.

Thank you Bruce for the wonderful opportunity to meet up with you and to the BT(British Telecom) staff at Infosecurity Europe 2012 who managed to get me a copy of the book. The hospitality at the BT stand was wonderful – and  lovely coffee too!!

16 interdisciplinary and inter-related subject areas matrix

The interdisciplinary and inter-related subject areas matrix, can you find all 16? If you get stuck have a look at page 8 of Liars & Outliers. Send an email to me if you find all of them!