Advanced Persistent Threats (APT)

As David Lacey says in his post on the Computer Weekly blog, we need to find some learning points from how we manage APTs. I agree that ticking controls as compliant is not the way forward, although clearly it can demonstrate “due diligence” and provide certain safeguards. My opinion is that most business owners really don’t care until they’ve been exposed to the consequences of this type of attack. I believe the reason why is 2-fold:

1) They have invested in “security theatre” technologies for too long now, i.e. technologies that don’t improve security but make you feel safer. Often the impulse to invest in security is triggered by scaring the audience into digging deep in their pockets (PowerPoint slides, press reports, etc.); it is like the boy that cried “wolf” one time too many.

2) There is a serious lack of alignment between the technology/security technical parts of an organisation and the Line of Business (LoB). McAfee has written a really good book on this (Security Battleground), and I advise reading it in order to focus your investment and get the ear of the business owner who has money to spend on security. They don’t mention technologies once. I met one of the authors here in Sweden recently (Kevin T. Reardon) and he is a sound guy; he really knows his stuff!

So what is their advice? Basically, from a LoB angle, focus on the 3Rs: 1) Rich: what makes your business rich?; 2) Ruin: what can ruin your business?; and 3) Regulations: what do you need to be compliant with? I would say the last is just to demonstrate “due diligence”.

I also believe deeply in the thinking David has been a co-founder of, that security should follow the information, or be close to the information, i.e. perimeter security is not the future (Jericho Forum). And I’m an avid follower of what Intel is up to with vPro, security from the chip level up (I know technically that is not a perfect description ;-)).

One of the major challenges I see for now and the future is authentication/authorization with the BYOD trend, and the fact too that many of the APTs attack humans. The most promising trend I have seen to date is that from Lequa: they are placing the identity in the hands of the individual. No more PKI or top-down Identity Management… let’s face it, that is not scalable to 6bn persons worldwide. I don’t know if they will succeed, but if they don’t I still think that a bottom-up approach is the way forward, especially if it is integrated with what Intel is up to.

Proving you are secure over compliance

I am a follower of David Lacey and his school of thought. He was an initiator of the BS7799 standard, later adopted as ISO27001/2 in the EU. At the beginning of September I participated in a telepresence conference with him and many others from the BCS around the globe. This was organized by David Misell. The telepresence brought together many thought leaders in information and cyber security.

This one meeting has influenced much of my thinking since. It is impossible to prove you are compliant: even if you follow the rule book, you cannot prove you are 100% compliant, even with the best and most dedicated security consultants in the world, especially on the large accounts that I am normally exposed to. Moreover, even if you could, proving you are compliant does not prove that you are secure.

So what is the answer? Well, as David Lacey believes, smart use of technology is part of a way forward. For example, did you know that over 85% (maybe more) of PCs shipped today have a chip that supports trusted computing (TPM), and that Intel has acquired companies such as McAfee (DeepSafe and DeepCommand) and Nordic Edge (One-Time-Password, OTP)? They are placing security at the chip level.

Now consider proving your organization is secure by implementing secure technologies (note that I say secure, not security). This is getting close to what the Common Criteria is trying to do, but it never really succeeded on a wide scale because it just became too complicated, and the customizations made by individual organizations, each with special needs, rendered any assigned CC status void. I believe that security at the chip level is an amazing step forward, and more companies should be looking into this, particularly when they are finding their existing IAM infrastructure is just getting too complex.