Inform – Issue 6, 2011, EMEA Edition. Published by HP Enterprise Security.

Cover: A distilled response – How Mark Brown, CISO at SABMiller, brewed up a pure business focused security strategy. 4C – Joining the dots between cloud, consumerisation, cyber and collaboration. The rise of cyber attacks – How cyber attacks took down the world’s biggest corporations and why they won’t go away. Security benchmarking – Why your competitor’s security strategy could become your best investment.

The rise and rise of cyber attacks

The threat of cyber attack on enterprises and organisations is very real. Inform looks at the issues and some recent high-profile incidents.

According to a report in The Guardian, the UK Ministry of Defence blocked and investigated more than 1000 potentially serious cyber attacks in 2010. In a June 2011 speech to the London Chamber of Commerce, the Defence Secretary Liam Fox told business owners that between 2009 and 2010 security incidents more than doubled.

He said that government was unlikely to be successful in defeating such attacks on its own. He made the very good point that in cyberspace the boundaries between government, business and individual users are increasingly blurred – part of the social trends that have led to consumerisation and a shift in working practices.

"We now see weekly reports of cyber attacks against businesses, institutions and networks used by people going about their daily lives. The cost to the UK economy of cyber crime is estimated to be in the region of £27bn a year and rising. These are attacks against the whole fabric of our society. When it comes to cyber security we must fight this battle together," he said.

Liam Fox’s comments follow the 2010 announcement by the UK government that cyber terrorists were one of the most serious threats to UK security, second only to physical terror attacks, and that an additional £500 million had been ear-marked for increased cyber security.

This was announced as part of the strategic defence review (SDR), which noted that the West's long-standing technological advantages over the rest of the world are likely to disappear in the coming years, adding that 'further game-changing technologies, such as artificial intelligence will become mainstream in the next 20 years'.

Cyber attacks on the 2012 Olympics have been identified as a significant threat after Beijing suffered 12 million attacks a day during the 2008 games.

Enterprises are also increasingly aware of and worried by the threat. A survey commissioned by Symantec revealed that 77% of European businesses believe cyber is the number one security risk. This far outweighed fears around internal threats and conventional crime or even natural disasters.

To the general public hackers are not perceived as dangerous – the image of the lone teenager breaking into networks from his bedroom persists, helped no doubt by the recent arrest in Scotland of a 17 year old alleged to be behind the LulzSec attacks.

But that would be to miss the point. Cyber is about much more than teenagers; cyber attacks are likely to be perpetrated by state actors. Indeed a recent report sponsored by McAfee revealed a quite startling degree of cyber attacks against major institutions, businesses and defence contractors in the last five years.

According to security experts at McAfee, a five year operation it dubbed “Shady RAT” claimed 72 major organisations among its victims in a large number of countries including the United States, Taiwan, South Korea, Vietnam, Canada and the UK. According to press reports 49 of the victims were US based companies and government agencies.

McAfee vice president of threat research Dmitri Alperovitch said in a blog post: "The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cyber crime."

In this operation, he said, the hackers were looking for "closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, Scada configurations, and design schematics."

“I have often been asked by our worldwide customers if they should worry about such sophisticated penetrations themselves or if that is a concern only for government agencies, defence contractors and perhaps Google. My answer in almost all cases has been unequivocal: absolutely,” he said.

His final comment was a wake up call for anyone who perhaps does not yet feel that cyber is a major threat to businesses and western economies: “What has been witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth.”

Of course there are plenty of cyber attacks that are financially motivated and these seem to be getting bigger and more ambitious in scale, intent on industrial levels of data theft and attacking some of the world’s biggest brands.

Probably the most notorious recent attack was that on the Sony Playstation Network in 2011, which left the online gaming network suspended for weeks.

In this case the attack resulted in the loss of user names, passwords, addresses, birth dates and possibly financial details of the network’s 77 million users.

The attack demonstrated the expertise and tenacity of the forces now ranged against global corporations. For a technology business as well protected and organised as Sony to be successfully breached was a shock. Sony successfully recovered from the attack but industry experts see it as a watershed; enterprises will be looking at and learning from Sony’s experience.

Another big name to be hit in 2011 was Citigroup, when a data breach in May exposed 1% of all its North American credit card customers’ account details. According to reports some 360,000 customers had account numbers, names and email addresses stolen. It was hit again in August when its Japanese division Citi Cards Japan (CCJ) said that personal information of 92,408 customers had been breached.

These are big numbers and big names which prove that major cyber attacks are here to stay, but if that was not enough to be concerned about, the picture is complicated further by the rise of “hacktivism”. Politically motivated hacker groups such as Anonymous and LulzSec have emerged in the last 18 months.

They use denial of service and web site defacement as a means to attack those businesses they deem to be against their revolutionary and often anarchistic beliefs. It is hard to know how big or committed these groups are to their purported ideals (LulzSec has a more prankster-like approach) but it is certain that they can cause damage and are increasingly liable to attach themselves to world events and act accordingly.

In late 2010, Anonymous attacked MasterCard, Visa and PayPal in protest at what it saw as those financial groups’ attacks on WikiLeaks. A number of arrests by British and US law enforcement agencies in 2011 reduced their activities at least temporarily. However the Anonymous boast “We are legion” is not without some basis – off the shelf hacking kits are available, along with instructions, across the Internet to any kid who wants to join in. And join in they will, and some will graduate to full-blown cyber attacks.

The next attack is waiting to happen.

Inform – Issue 6 | 2011, pages 16–17: Realities of Cyber

How does your security stack up?

Benchmarking, long used to measure IT effectiveness, has recently started making inroads into information security thinking. But is it an effective tool for CISOs?

Do some enterprises do security better than you? Are they getting better ROI on their security investments and enjoying simply better security efficiency? How do you compare? These questions are what security benchmarking is all about. And it’s a subject appearing on the radar of more and more security leaders.

As budgets get further squeezed across the enterprise and security professionals are expected to justify any security spend, there is a natural tendency to look outside the company’s four walls and see how competitors are performing. Most importantly, they may be achieving greater efficiencies and security effectiveness by using similar resources more effectively. Your rivals may have innovated by using cloud services or by sub-contracting parts of their security function to outsourced teams. There may be a great deal to learn if security leaders and their teams started looking beyond their own departments and planning. Indeed their colleagues in IT teams have long appreciated the value of benchmarking.

“Benchmarking has been in use in other IT disciplines for decades. Whether it was data center performance or network utilization, companies have always felt compelled to compare themselves to others. It’s part of the competitive, win at all costs mentality that pervades business,” says Mike Rothman from information security analyst firm Securosis.

The problem for information security is that it is only just emerging as a business function akin to IT. There has been little in the way of concrete data for security leaders to measure themselves against. Some obvious questions are: How do your number of incidents compare to rivals? How does your headcount compare and are you using your budget effectively? Yet information security, as we know, is a harder discipline to quantify and measure compared to IT, which can be mostly reduced to simple cost efficiency and productivity metrics.

Inform – Issue 6 | 2011, page 25: Security Benchmarking


©2010 Check Point Software Technologies Ltd. All rights reserved. Check Point, the Check Point logo, and Check Point Endpoint Security Full Disk Encryption are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates.

Check Point DLP prevents data breaches before they occur

Did I just send that file to the wrong person?

PREVENT data loss. EDUCATE users. ENFORCE data policies.

Have you ever accidentally sent an email to the wrong person or attached a document that wasn’t meant to be shared? Check Point makes DLP work by combining technology and processes to move businesses from passive detection to prevention, before data breaches occur.

HP Enterprise Security www.bit.ly/hpcheckpoint


When you have finished with this magazine please recycle it.

Issue 6 2011 | EMEA Edition

Published by HP Enterprise Security Web: www.hp.com/enterprise/security

For enquiries about Inform, please contact [email protected]

Produced by: www.crisp-design.co.uk Edited by: PF&A Cover photography: Ivan Jones

The third party views expressed in this magazine are those of the contributors, for which HP Enterprise Security accepts no responsibility. Readers should take appropriate professional advice before acting on any issue raised. Reproduction in whole or in part without permission is strictly prohibited. © 2011, Hewlett-Packard Development Company, L.P. All Rights Reserved.

In this edition

4 News Security news from leading vendors and events around the world.

8 The Four Cs A look at the relationship between consumerisation, cloud, cyber and collaboration.

13 Roundtable Tom Reilly, Former CEO – Arcsight and Andrzej Kawalec, former CTO – Vistorm discuss enterprise security.

16 Interview: Mark Brown The CISO of SAB Miller talks candidly about affecting change within the brewing giant’s security function.

18 The rise of cyber attacks The changing nature of cyber attacks against big business and the growth of “hacktivism”.

20 Social Networking How CISOs need to use an enlightened approach to deal with social networks.

20 CISO Club Exclusive findings from the latest gathering of HP’s CISO Club in the UK.

22 Q&A: Steve Durbin Global VP of Information Security Forum (ISF), is in the hot seat.

24 Security insights A guide to some leading security research findings from across the world.

25 How does your security stack up? Security benchmarking is an emerging science that can improve your security stance.

Foreword

Welcome to another edition of Inform, which I’m very pleased to say is now being distributed across the Americas as well as the EMEA region. In terms of business security, it’s proved quite an eventful year so far with high profile cyber attacks on some of the world’s biggest brands and the continued rise of so-called “hacktivism”.

Some commentators accuse us in the industry of exaggerating the cyber threats to global businesses and organisations but, as our feature “The rise of cyber attacks” (page 16) demonstrates, the threat level is very real. Attackers are not only getting bolder in selecting their targets but becoming more aggressive in carrying out their attacks.

Along with its partners and the advanced security technologies it has developed and acquired, HP also has the global presence to do a great deal to reduce the risk of its customers falling victim to major attacks. Indeed, two of our leading information security experts, Tom Reilly, former CEO Arcsight, and Andrzej Kawalec, former CTO Vistorm, feature in this issue (Roundtable page 10) discussing what they see as the best technologies to fight back against the criminals and hackers.

Of course, as a reader of Inform you know better than most that the role of the CISO is constantly being challenged to deliver effective business security – in ROI terms as well as incident free. An emerging discipline is that of security benchmarking, which more security leaders are starting to deploy to measure how they stack up against peer groups. It’s a fascinating area and one that is sure to grow as budgetary pressures increase on CISOs. Read our introduction to the science of security benchmarking on page 25.

We look at another new security philosophy that we are pioneering here at HP by analysing the relationship between what we have dubbed “4C”. This is cloud, consumerisation, cyber and collaboration – the megatrends in IT and IT security which are likely to drive every decision that CISOs and security leaders will make from now on. But as our feature makes clear, it is the symbiotic relationship between the four that is the key to creating a secure business as these trends take hold. Read more on page 8.

Theory is, of course, all very well but nothing can substitute for real world practice and experience, and no issue of Inform is complete without our main interview. This issue we feature Mark Brown, global CISO for brewing giant SABMiller – an $18bn business that has operations across Africa, Asia, Australasia, Europe, North America and South America. Brown explains how he transformed the company's security practice into a truly business focused operation as the company prepares for future growth.

I’ve not even had space to mention all our regular features, which just goes to show what a packed issue this is. I hope you enjoy it.

Dan Turner, VP Enterprise Security

www.hp.com/enterprise/security

If you would like to subscribe to Inform Magazine please contact us at [email protected]



Check Point

Two Check Point announcements raise the bar in data centre performance and security

Check Point has announced the launch of its new 21400 Appliance that it says combines high-speed networking technologies with lightning fast firewall throughput of up to 100 Gbps and IPS throughput of up to 21 Gbps (default profile).

Check Point says that the 21400 is designed to optimize a full range of software blade protections, providing large enterprises and data centres with industry-leading security and performance.

The company also introduced SecurityPower, a new tool designed to measure security performance which allows, ‘customers to estimate their security needs and compare it to the Security Power Units (SPU) rating of each security solution’.

The company says that for IT administrators, measuring raw throughput (Gbps) of a security device rarely indicates its behaviour in a real-world environment using different security technologies to protect the network. Instead SecurityPower is said to estimate the performance needed in various customer scenarios, enabling customers to choose a gateway that meets their exact needs with enough power and room for future growth.

“SecurityPower gives companies a clearer picture of how to measure performance needs in hardware, with the security needs from the software. It’s a smart and insightful concept that will help businesses better plan for future capacity and spend on security.” said Chris Christiansen, Vice President, Security Products and Services at IDC Research.

www.checkpoint.com

Check Point

Check Point enhances 3D security with latest software blades release

Check Point has announced the availability of Check Point R75.20, the latest software release for its leading Software Blade Architecture. The new release includes a new URL filtering software blade that integrates with Application Control for unified enforcement of all Web controls.

The R75.20 enables businesses to inspect SSL-encrypted traffic across all software blades, providing in-depth security analysis and data loss prevention services for applications such as Gmail, eBay and Facebook.

It also further extends the Check Point DLP solution that now enables customers to protect against internal data leaks. It integrates with Microsoft Exchange, allowing businesses to inspect data sent within the organization to prevent data breaches.

www.checkpoint.com

ACEInsight.com

A new tool that instantly checks websites

According to research, when visiting the top 1,000 global websites you are usually no more than two clicks away from malware. Meanwhile more than 70% of today's online threats are found on legitimate websites.

To help counter this, Websense offers ACEInsight.com, a free service that provides instant website safety data. The tool is designed to help users check out new, unfamiliar, or suspicious sites.

The site gives in-depth analysis in 10 categories: site details, website categorisation, security categorisation, site popularity, reputation, geo-location, antivirus, JavaScript de-obfuscation, site redirects/link analysis, and Twitter details.

www.aceinsight.com www.websense.com

Inform – Issue 6 | 2011, page 4: News

ACCELERATE PROFITABILITY. Our Enhanced Deal Registration Program delivers a margin enhancement of up to 25%. Learn. Earn. Enjoy at www.mcafee.com/dealregistration

McAfee

McAfee enhances deal registration program to boost channel partner growth

McAfee has announced enhancements to its Commercial and Enterprise deal registration program. This program rewards partners for securing incremental new business. The enhancement is based on a successful pilot where participating partners experienced increased margins and faster approvals.

“This is the largest investment in partner profitability in the company’s history, confirming our commitment to channel partner profitability,” said Alex Thurber, senior vice president of worldwide channels at McAfee.

“We continue to aggressively evolve our partner programs and incentives because the opportunity to secure the connected world with our partners and for our customers has never been greater. Today we are changing the game and setting a new standard in margin protection within the security industry.”

http://www.mcafee.com/dealregistration

McAfee

McAfee Android Security Software for Android pre-loaded on new Sony Xperia handsets

McAfee has announced that its technology for mobile platforms will be offered as standard on Sony Ericsson’s Xperia mini pro and forthcoming Xperia pro smart phones.

The software enables users to locate a missing handset with alarm and location tracking, prevent misuse with remote lock and wipe and preserve important memories and personal data with remote back-up and restore, even from a lost or misplaced phone. McAfee Mobile Security also protects against the risk of malware that originates via email, instant messaging and Internet downloads.

“Smart phones represent one of the most significant technological developments of our time. Today’s devices boast far more functionality than many early PCs, but with malware targeting mobile devices growing quarter-on-quarter, there is also the risk of these devices being hacked or infected. The availability of this technology is an important milestone in protecting both the phone itself and the data on it,” said Todd Gebhart, Co-President, McAfee.

www.mcafee.com

Websense

Websense TRITON gets press review plaudits

Two of the UK’s leading technology publications recently awarded their highest scores to Websense TRITON Security Gateway Anywhere.

SC Magazine awarded 5/5 stars for features, ease of use, performance, documentation, support and value for money. They concluded that the solution delivers a remarkable range of web, mail and data security functions, intuitive centralised management, and tough data leakage controls. The verdict read simply, ‘Websense delivers a superb range of sophisticated web, mail and data security features that are easily managed and look unbeatable value.’

Scoring 6/6 stars, IT Pro’s verdict read, ‘Mid-sized business and enterprises looking for a single appliance to take care of all their network security needs will find Websense’s TSGA ideal as it combines a remarkable range of web, mail and data security features with excellent performance. Websense’s TruHybrid is compelling with both the on-premises and SaaS cloud services seamlessly integrated into the well designed central management console.’

www.websense.com

Inform – Issue 6 | 2011, page 5: Vendor News

Aftermath of UK summer riots sparks controversy over BlackBerry and social media role

The role of the BlackBerry Messenger (BBM) service in the looting and riots that convulsed Britain during the summer was questioned by Police and government officials in the immediate aftermath. It was alleged that the service was used to direct looters and outwit the police.

In a blog post, BlackBerry said that it had ‘engaged with the authorities to assist in any way we can' and was working to comply with the UK Regulation of Investigatory Powers Act and was co-operating fully with the Home Office and UK police forces.

This was later defaced by someone calling themselves ‘TeaMp0isoN' who said that RIM ‘will not assist the UK police because if you do, innocent members of the public who were at the wrong place at the wrong time and owned a BlackBerry will get charged for no reason at all'.

At the height of the trouble there were calls for BlackBerry and other networks to be switched off, but in the event this did not happen.

Twitter was also allegedly used by rioters to co-ordinate attacks but this has yet to be proven. The use and role of smart phones and social networks in social unrest will undoubtedly be analysed and could yet be subject to restrictions leading to a debate about Internet and data freedom in the UK and beyond.

Mobile solutions provider data shows rapid consumerisation driven by iPads

Californian mobile solutions provider Good Technology has issued a report that it says demonstrates the changing landscape of IT and mobile enterprise technology among its customers. According to the company the trend of personal smart phones and tablets infiltrating the workplace is being led by both Apple's iOS and Google's Android smart phone platforms.

However, for the first time ever, the company saw more iOS tablet (iPad and iPad 2) activations than the total amount of Android smart phones activated in the second quarter of 2011.

“While Android may be gaining smart phone market share with consumers, our business users are clearly gravitating to the iPad and doing so in large numbers. This is especially true in the Financial Services sector, which drove nearly half of all our iPad activations over the quarter." said a company spokesperson.

http://www.good.com/resources/Good_Data_Q2_2011.pdf

US confectionery giant is hacked and recipe altered

In an unusual attack, American confectionery giant Hershey had one of its secret recipes altered by hackers, amid fears that passwords and email addresses of consumers may also have been lost as they were on the same server.

However the company was quick to react and it said in a statement that there was no indication that the data had been accessed. It said: “Consumers rely on us for this information, and we take the quality of our baking and cooking recipes very seriously. We have corrected the issue and taken steps to enhance the security of this information. We have thoroughly investigated the situation and reviewed the recipes on this site to ensure their quality.”

Hacktivist groups target US police forces as part of ongoing campaign

The summer saw self-styled “hacktivist” group Anonymous attack US police forces as part of a campaign to undermine the arrests of some of its alleged members and an alleged member of the LulzSec hacker group.

Anonymous claimed it had released more than 10GB of private police emails, training files and personal information in an operation it named ‘Shooting Sheriffs Saturday'.

It said that the information contained over 300 email accounts from 56 law enforcement domains, 7,000 user names, passwords, home addresses, phone numbers and social security numbers, online police training academy files and a compilation of ‘Report a Crime' names.

In a statement that reflected the group's growing militancy, it said the release was intended to embarrass, discredit and incriminate police officers across the US and that it had no sympathy for any of the officers or informants who may be endangered by the release of their personal information.

The emails originated from police forces in Arkansas, Kansas, Louisiana, Missouri and Mississippi, with many of the websites operated by Arkansas-based media services hosting company Brooks-Jeffrey Marketing.

Inform – Issue 6 | 2011, page 6: Industry News

It’s time for technology to bend to our will. To be user not device-centric. To free potential and open up new business possibility. It’s time for User Virtualization.

By unlocking the user-layer from any device, operating system or application, you manage a single user instance. The result? Enterprises are re-writing the economics of their IT, massively increasing productivity and accelerating initiatives like Windows 7 migration, BYO and cloud computing.

Interested? You’re only human. I am at the center of everything.

www.appsense.com


The Four Cs: Consumerisation, Cloud, Cyber, Collaboration

How 4C thinking is the future for IT professionals and provides opportunities for global CISOs.

It’s unlikely that any CISO would deny that any of the 4C’s listed in the title are credible security trends individually but they may not have made the connection between them and how the relationship between each can actually lead to advanced business security thinking.

Let’s start with a survey. When Information Week published its 2011 End User Device Survey, one of its top line fi ndings was that: “dissolving fears around consumerisation are dramatically changing IT and its relationship to the enterprise”.

It also found that some clearly defined trends are reshaping IT more broadly, above all the rush to mobile and advanced consumer devices, and that the effect this is having on the enterprise is profound.

At the same time the survey revealed that some things have stayed the same: 51% of CIOs still equip the majority of their users with “fat” desktops, and many IT managers were found to be “trapped” on a three-year replacement-cycle treadmill. So things are changing but also staying the same. What is going on?

Consumerisation

Part of the answer is that consumerisation and cloud are evolving very quickly, and that too many CIOs and CISOs are floundering by clinging to an enterprise IT culture that stubbornly refuses to acknowledge these trends, to the enterprise’s ultimate commercial disadvantage.

At the same time the picture is complicated by IT leaders who want to change but are frustrated by their inability to embrace cloud and consumerisation and shift to full 4C thinking. These leaders know that consumerisation is potentially low cost, which leaves room for IT experimentation (according to Information Week’s survey, 66% of respondents spend more than 10% of their IT operating budgets on end user devices, and 23% spend more than 21%).

Meanwhile figures just released by Gartner show that worldwide sales of mobile devices to end users totalled 428.7 million units in the second quarter of 2011, a 16.5% increase on the second quarter of 2010. These devices will be entering the enterprise regardless; there is no doubt about that. Adopting and embracing consumerisation is therefore a key part of moving towards 4C.

Cloud

Cloud is the technology that many security professionals love to hate and, it must be admitted, so do a lot of regular IT professionals. Yet they cannot ignore the business benefits, which are all there: cost reduction, flexibility, new ways of working, enhanced storage and mobile access to data. The reluctance of many IT leaders is based on two fears, loss of control and lack of data visibility, both of which lead to significant risk exposure.

But to embrace the 4C they need to overcome this fear because, as with consumerisation, they can. The secure cloud is possible now, and possible in configurations and options that leave legacy architectures miles behind.

In an article for IDC, analyst Jean Bozman says that: “next-gen cloud computing decisions will be designed to scale up, and scale down, on-demand—and to allocate resources across a ‘grid’ or ‘array’ of pre-constructed building blocks developed by the service provider. It will also demand a careful evaluation of the customer’s inventory of enterprise applications, to determine which ones could be moved to cloud computing”.

Needless to say this will need to be done securely, but the key is flexibility and instant scalability, something that is simply not possible with legacy systems. The world’s leading cloud providers do, however, have the expertise to make this happen.

Cyber

Security concerns are why cyber is central to 4C strategies. Nothing can happen in IT today without consideration of cyber threats, which can be simply defined as any attack launched against a business through its IT architecture as a whole. This includes financial attacks, IP theft, denial of service and politically motivated attacks. Cyber is a constant threat to business continuity.

The financial implications on their own are disturbing: the Organisation for Security and Co-operation in Europe (OSCE) has estimated that cyber crime theft amounts to $100 billion annually. Cloud and consumerisation simply cannot function unless security is integrated within the enterprise stack.

Collaboration

Which brings us to collaboration, potentially the most revolutionary and innovative part of 4C, pulling as it does IT permanently out of its remaining silo. Treating IT and information security as a business enabler was just a start. It must now be a fully collaborative part of the business, not just in IT terms but right across the enterprise.

Collaboration will also extend outside the enterprise to customers, partners and outsourced suppliers through the use of tools such as security analytics and business intelligence systems. Through these, IT leaders can develop reporting that improves functionality, processes and efficiencies in departments previously considered alien to IT engagement, such as Marketing (including social media), Finance and HR.

IT cannot be an end in itself. It must serve the business and encourage employees to be innovative in their jobs. If the CIO and CISO cannot embrace innovation, how can anyone else?

Too many IT leaders have got bogged down in rules, fixed thinking and self-imposed restrictions. This is even truer of IT security departments. Many IT people have forgotten that they are in charge of the one department that has the means to innovate and use technology to benefit the business like no other. They can be enablers and deliverers. The connectivity of 4C is a unique opportunity to do just that.

The final word goes to Information Week: “Cloud and consumerisation have (hopefully) taught us that business technology decisions are negotiations rather than edicts. The end user device paradigm shift offers significant opportunities for business technology innovation, but you’ll miss out if you’re purely focusing on span of control and defensive IT.” Time to think 4C.

References

Information Week, 2011 End User Device Survey: http://bit.ly/mFb8to

Gartner, “Market Share: Mobile Communication Devices by Region and Country, 2Q11”: www.gartner.com/resId=1764117

Jean Bozman, IDC, “Cloud Computing for the Enterprise Steps Forward: Lessons Learned and Key Takeaways”: http://bit.ly/ori6Rz


Face to face

Tom Reilly, former CEO of ArcSight, and Andrzej Kawalec, former CTO of Vistorm, talk openly about HP’s vision and strategy in enterprise security. These two leading security experts discuss the changing face of information security and how emerging technologies will assist the CISO.

Inform kicked off the discussion by asking what have been the most significant developments in information technology in the last few years and, conversely, in the types of threats to the enterprise. Kawalec has little hesitation in putting social media and mobile technology at the top of his list.

“It’s causing us as individuals to fundamentally change the way we live – how we work, rest and play. At the same time it’s causing organisations to find ways to exploit and govern this explosion of access and content. The commoditisation of hacking tools has also changed the economics and demographics of the industry. Where the industry was once defined by a small number of expert threat actors, we now find ourselves in a situation where easy-to-use hacking tools and code can be bought off the shelf.” he says.

Tom Reilly agrees wholeheartedly with this assessment: “The sheer scale of attacks in the last few years has been astonishing. We have witnessed the growth of cyber attacks which have been politically and even militarily led and the arrival of Advanced Persistent Threats (APT).”

“Yet security tends to follow IT innovation – we’ve had mainframe to client, then the internet, onto the cloud and now mobile. As we get more threat vectors exploiting these changes we need more innovation to beat the criminals. But like any type of crime it will not go away – it just gets smarter so we have to be smarter too.” says Reilly.

So what is HP bringing to the table in terms of technology, to help CISOs get an edge on the cyber criminals and hackers knocking at the door? What can they expect?

“HP is unique in its ability to meet these converging mega trends – increasing cyber threat, rise of mobile and social media and the changing cloud delivery models. No other organization has the capability or scale to understand the information security challenges facing enterprises.” says Kawalec.

“Right from the consumer interaction via phone or HP TouchPad to Cyber Situational Awareness through our leadership in cloud and data centres, HP can offer real insight into how to protect information assets and enable business growth.” he adds.

Tom Reilly says that HP is developing defence-in-depth technologies with security intelligence and risk management to enable customers to get the earliest indication of attack. “We are investing heavily in this. Technology will always give an edge, yet it’s still also about people and processes. Unfortunately we have a shortage of skilled security professionals. In our industry we can’t hire fast enough!” he says.

Reilly adds that HP Universal Log Management enables integration between its security products so the company can understand the value of assets as they come under attack. “HP is one of the few that can do this because of our resources. For example, our Digital Vaccine labs will be leveraged across recent acquisitions ArcSight, TippingPoint and Fortify. We are an IT operations solution provider as well as an IT security solutions provider.” he says.

Kawalec adds that HP’s acquisitions mean it can integrate the delivery platforms and technology to give greater access to real-time information and correlated monitoring. “We can start to build what we call Enterprise Security Intelligence. We are working towards a vision which allows our clients to take a snap-shot view of their security threats and performance, whilst being able to measure security risk against their business objectives.” he says.

Both men say that they work very closely with the CISOs at some of the world’s most important companies, and that this helps them understand first hand what those CISOs need in terms of solutions, how to deliver them and what professional challenges they face.

“Our CISO Customer Advisory Board discusses the latest types of attack and the innovations they use to stop them. The challenges for CISOs are insufficient funding and boardroom awareness for investment. They also need providers to give them the tools and the technology to relieve the risks. Most of all they want ways to be proactive rather than reactive.” says Reilly.

Kawalec agrees. “My development teams have two very clear objectives in mind when we build new services for the CISO. Firstly, how can we enable the CISO to give the board the confidence that the correct security investments are being made? Secondly, how do we increase the operational control that the CISO has over the data, services and infrastructure under their influence?” he asks.

“It’s also about being able to invest in answering the questions we haven’t yet asked – the so-called unknown unknowns. This is the value we get from our close working relationship with HP Labs. For example: What are the economics of security? How much will human factors influence the development of security technology? We actively work with our CISOs to develop practical methodologies and solutions that address business needs.” says Kawalec.

Security Information and Event Management (SIEM) is now very much part of HP’s line of advanced security solutions thanks to the acquisition of ArcSight. How important are such systems likely to become in the future?

Andrzej Kawalec: “The pure explosion in terms of devices and volume of data demands that SIEM systems are able to act in a much more intelligent and semi-autonomous way. Being able to provide first-line analysis and triage as part of an integrated response will be increasingly important. The SIEM space will also continue to be stretched by the rapid changes to working practices, technology and evolving business models – thinking about how SIEM can work in a cloud environment, or across services and devices the enterprise doesn’t own, will define the next generation of intelligent security solutions.”

So finally, what do CISOs tell our two experts is on their minds, and what advice do they give them? Kawalec says that CISOs ask themselves: “Are we next? And if we are, what is the best way to respond?”

“The predominant shift I have seen is an acceptance that no-one is immune. CIOs and CISOs are taking a more rigorous and questioning approach to their security projects while being aware that they have probably under-invested in security over the past few years.” he adds.

“Become more proactive, minimise your risk. Assume you have been breached and put plans in place to find out where. Above all take a RISK approach to your job. Assess your data’s value and apply accordingly.” is Tom Reilly’s no-nonsense advice.

Kawalec ends with this: “Have a clear and shared view about what your optimal model for security is. Use this view to make some bold choices about process and architecture. Incremental security controls will not allow CISOs to stay ahead of the threat or changing business models. You need to align security to a business level strategy”.



The CISO at global brewing giant SABMiller is known as a no-nonsense, forward-thinking security professional. Paul Fisher discovers what drives his passion for business-focused security.

Mark Brown’s security career began in 1994. He spent 11 years in the Army, ending up as an intelligence analyst. His private-sector career began in 2005 and has since included stints with defence contractor Harris, risk management specialist Pilgrims Group and, in 2007, SunGard. Then in December 2009 two career firsts marked his appointment at SABMiller: his first CISO position, and his first time in a company that has nothing to do with security.


So some cultural changes then, and an immediate challenge to deal with. Brown was charged with changing the security set-up. So what was wrong with it?

“What was wrong?” he says to me. “There wasn’t one. It’s as simple as that!” It seems that SABMiller’s CIO had decided that it was time for a shake-up, as Brown explains.

“SABMiller was moving from a federated business model to a centralised global model, and there was a need to change the culture and capability of employees within the central team. There was a total reappraisal of what the security team should be.” he says.

Brown inherited a blank white board, a set of rules ready to be ripped up and an expectation that new ones would be written. What the CIO wanted was somebody who would move away from being a techie who focussed on policy, to someone who could, in Brown's words, ask from a business perspective, ‘What should we be doing, and how should we approach it?’.

“That’s pretty much a unique opportunity in this size of company, to be able to completely reshape what was happening to what should be happening.” he says.

So at the beginning, Brown found himself with his blank white board, ripped-up rule book and a single member of staff in the shape of an outside contractor. So what was his main priority once he got used to this blank canvas and the scale of the challenge (and opportunity) ahead?

“To stop myself being fired, I think, is the key one!” he says. “If you see that your predecessor, who’s been here for six and a half years, gets removed because he’s not doing what the business wants, you have to recognize that is the start point.”

“So I spent the first three months getting to know the business. And rather than me deciding what I thought the business needed, I went round and asked the business exactly what they needed. I developed a ‘state of the nation’ type report on the risks and issues: Where have things truly been going wrong? What’s the low-hanging fruit? What can we change immediately to get the quick wins and get the business on side? What systemic problems had to be fixed?” he says.

The results of this exercise were, according to Brown, illuminating, and they affected everything he did afterwards. In particular, he says, the process confirmed that anything he did from then on had to have a business benefit, as he explains.

“Brand reputation is key in this business. It doesn’t take much for the flagship brands to be right at the top of the game one day, and next year to have plummeted through the sales curve. We’re at 16 in the FTSE 100. That brings with it responsibility.”

“So it’s moving to a risk focus and ensuring we have an information risk management strategy in an operating region which it requires us to do. One of the pieces of work we’ve been doing recently is some low-level business process modelling. When we started talking about how the impact of a virus on a SCADA system runs into millions of dollars of lost production per hour the business quickly got the message.” he says.

Being a global business also affects the risk position in the various markets in which it operates, one of which is a joint venture with the Chinese government.

“That brings with it its own challenges of information-sharing: what do we share; what don’t we share. We have lots of joint ventures globally that we have to consider. But it really does come down to, or come back to, understanding your business operating model and educating your users.” he says.

Since 2009, Brown has been able to develop his thinking on business-led security and is increasingly involved in corporate affairs and brand integrity initiatives. One of his key partnerships is now with the Corporate Affairs department, looking at brand reputation and what is being said about the business externally. This is quite a departure from the traditional role of the CISO, let alone the information security manager, but Brown sees it as a natural extension of the role.

“How do we arm the business with the information that enables them to respond in an educated and timely manner? It can’t be that just in time or just after time response but if we can see that people are talking about us in a negative manner we can be proactive.” he says.

This approach is already bearing fruit and he’s bullish about this part of his role (he clearly enjoys it), seeing it as a significant part of moving away from the constraints of traditional IT security.

“Are you as a CISO happy being an IT security officer, or do you want to be an information security officer? And there’s a marked difference between the two. If you’re happy dealing with tech, then be stuck in IT. If you want to evolve to the business leadership level you have to move beyond the tech. I’ve spent more time speaking with the rest of the business than I do with IT. IT delivers things for me, but I’m guiding them as to what to deliver.” he says.

Brown says that SABMiller has a very South African culture, one where you have to withstand intellectual challenge and rigour and where anyone must be prepared to be challenged on their thinking by senior management.

“Most of the time it’s a case they’re looking for you to validate and prove the rigour behind your argument. And certainly the times that I’ve presented to the board it wasn’t that they didn’t see the benefit of it, but that they wanted to ensure they believed in it when they were cascading the message to the regions.” he says.

Any CISO working across different global markets will know it’s a challenge keeping pace with the varying compliance and governance. How does Brown cope?

“This is where knowing the resources you have at hand comes to the fore. In my experience if country and regional based resources are only ever viewed as such, and not given a larger virtual role, then it is impossible for a centrally managed team to ever maintain an up to date understanding of local regulatory and compliance burden.”

“Empowerment of local resources and ensuring that they truly understand their role, responsibilities and accountabilities within the larger regional and global function is paramount to ensure an ability to keep up to date with ever-changing compliance laws.” he says.

Brown has been on the security conference circuit recently, evangelising the merits of consumerisation. He is well ahead of the curve and doesn’t mind who knows it. He’s passionate about it, as he explains.

“It’s the changing face of IT. Again for me it comes back to understanding the business operating model. Why wouldn’t we look to use modern technology? Why do we want to be stuck in that very small corporate list of approved product when, by evaluating the risks on it, we can embrace technology. Why would we not look to do so?” he says.

“For me the biggest challenge has not been how we bring in new technology, it’s how do we enable the traditional IT support mechanism to handle it? It requires new thinking. It requires a change from ‘the answer’s no, now what’s the question?’, to acknowledging that there is nothing wrong with consumer devices if you’re not in a regulated environment.”

“We now have a situation where we have many of our board members who travel without their laptops. They’re quite comfortable just travelling with iPads. They’ve got the ability to receive their e-mails, to edit documents and to re-send them. That, in many respects, is all they’re looking for.” he says.

But what of his peers who may share his enthusiasm but still face a degree of opposition and hostility? What advice would he give them?

“A lot of the negativity in my experience towards consumerisation is actually that people don’t understand the new technologies, and it’s that non-understanding nature which almost makes it easier to say “no we’re not going down that path”, rather than taking the time to actually look at the new technologies and understand how could this work for us. I think there is a problem that legislation and standards are behind the times. We almost don’t care what the device is, as long as it can meet a base level of compliance. That is because it’s all about how people can access the data from that device.” he says.

Brown is one of the most positive CISOs I have come across. He is excited about the future, both his own and that of the role and development of the global CISO.

“I think there is a change in the CISOs group. I don’t think I’m alone in this “illuminati” group. I think they are an enlightened 5% to 10% of CISOs who recognize the need to move beyond IT. In fact they nearly want nothing to do with IT because they’re almost hamstrung by being there.”

“So I do think I am different to the vast majority and maybe it’s my willingness to challenge the norm. I’m not afraid to do that. I do understand P&L accounts. I do understand business strategy. I don’t think enough of us do. I think the industry could be well served at looking at how we educate the new breed, those going through the universities now.” he says.

“Are we teaching them from a technical perspective or are we arming them with the business skills that actually are the fundamentals that they will require to be successful in the future?” Which is a very good question to pose from a man who already has delivered a lot of considered and effective answers at SABMiller.


The rise and rise of cyber attacks

The threat of cyber attack on enterprises and organisations is very real. Inform looks at the issues and some recent high-profile incidents.

According to a report in The Guardian, the UK Ministry of Defence blocked and investigated more than 1,000 potentially serious cyber attacks in 2010. In a June 2011 speech to the London Chamber of Commerce, the Defence Secretary Liam Fox told business owners that between 2009 and 2010 security incidents more than doubled.

He said that government was unlikely to succeed in defeating such attacks on its own, and made the good point that in cyberspace the boundaries between government, business and individual users are increasingly blurred, part of the same social trends that have led to consumerisation and a shift in working practices.

"We now see weekly reports of cyber attacks against businesses, institutions and networks used by people going about their daily lives. The cost to the UK economy of cyber crime is estimated to be in the region of £27bn a year and rising. These are attacks against the whole fabric of our society. When it comes to cyber security we must fight this battle together." he said.

Liam Fox’s comments follow the UK government’s 2010 National Security Strategy, which rated hostile attacks on UK cyberspace as a Tier One threat to national security, alongside international terrorism, and the accompanying Strategic Defence and Security Review (SDSR), which earmarked an additional £650 million over four years for cyber security.

This was announced as part of the 2010 Strategic Defence and Security Review (SDSR), which noted that the West’s long-standing technological advantages over the rest of the world are likely to erode in the coming years, adding that ‘further game-changing technologies, such as artificial intelligence will become mainstream in the next 20 years’.

Cyber attacks on the 2012 Olympics have been identified as a significant threat after Beijing suffered 12 million attacks a day during the 2008 games.

Enterprises are also increasingly aware of and worried by the threat. A survey commissioned by Symantec revealed that 77% of European businesses believe cyber is the number one security risk. This far outweighed fears around internal threats and conventional crime or even natural disasters.

To the general public, hackers are not perceived as dangerous: the image of the lone teenager breaking into networks from his bedroom persists, helped no doubt by the recent arrest in Scotland of a teenager alleged to be behind the LulzSec attacks.

But that would be to miss the point. Cyber is about much more than teenagers; cyber attacks are likely to be perpetrated by state actors. Indeed a recent report sponsored by McAfee revealed a startling number of cyber attacks against major institutions, businesses and defence contractors over the last five years.

According to security researchers at McAfee, a five-year operation it dubbed “Shady RAT” claimed 72 major organisations as victims across a large number of countries, including the United States, Taiwan, South Korea, Vietnam, Canada and the UK. According to press reports 49 of the victims were US-based companies and government agencies.

McAfee vice president of threat research Dmitri Alperovitch said in a blog post: “The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cyber crime”.

In this operation, he said, the hackers were looking for “closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, and design schematics.”

“I have often been asked by our worldwide customers if they should worry about such sophisticated penetrations themselves or if that is a concern only for government agencies, defence contractors and perhaps Google. My answer in almost all cases has been unequivocal: absolutely.” he said.

His final comment was a wake-up call for anyone who does not yet feel that cyber is a major threat to businesses and western economies: “What has been witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth.”

Of course there are plenty of cyber attacks that are financially motivated, and these seem to be getting bigger and more ambitious in scale, intent on industrial levels of data theft and targeting some of the world’s biggest brands.

Probably the most notorious recent attack was that on the Sony PlayStation Network in April 2011, which left the online gaming network suspended for weeks.

In this case the attack resulted in the loss of user names, passwords, addresses, birth dates and possibly financial details of the network’s 77 million users.

The attack demonstrated the expertise and tenacity of the forces now ranged against global corporations. For a technology business as well protected and organised as Sony to be breached was a shock. Sony recovered from the attack, but industry experts see it as a watershed, and enterprises will be looking at and learning from Sony’s experience.

Another big name hit in 2011 was Citigroup, when a data breach in May exposed the account details of 1% of its North American credit card customers. According to reports some 360,000 customers had account numbers, names and email addresses stolen.

It was hit again in August when its Japanese division Citi Cards Japan (CCJ) said that personal information of 92,408 customers had been breached.

These are big numbers and big names, and they prove that major cyber attacks are here to stay. As if that were not enough to worry about, the picture is complicated further by the rise of “hacktivism”: politically motivated hacker groups such as Anonymous and LulzSec have come to prominence in the last 18 months.

They use denial of service and website defacement to attack businesses they deem to be against their revolutionary and often anarchistic beliefs. It is hard to know how big these groups are or how committed they are to their purported ideals (LulzSec has a more prankster-like approach), but it is certain that they can cause damage and are increasingly liable to attach themselves to world events and act accordingly.

In late 2010, Anonymous attacked MasterCard, Visa and PayPal in protest at what it saw as those financial groups’ attacks on WikiLeaks. A number of arrests by British and US law enforcement agencies in 2011 reduced their activities, at least temporarily. However, the Anonymous boast “We are legion” is not without some basis: off-the-shelf hacking kits are available, along with instructions, across the Internet to any kid who wants to join in. And join in they will, and some will graduate to full-blown cyber attacks.

The next attack is waiting to happen.


Social networking for CISOs

According to Wikipedia there are currently around 200 social networking sites in existence around the world, the largest of which are Facebook and Twitter. The use of any of these sites by employees is a challenge for the CISO. However, an enlightened approach is the key.

How should CISOs deal with the inevitable growth of social media? The first thing NOT to do is react without thinking. In other words, don’t automatically assume that all social media is a bad thing. Don’t assume that its use during working hours is a bad thing. Do not assume either that social media is the domain only of those under 25, that they may grow out of it, or that it will disappear.

For example, Facebook’s user base in the UK is around 30 million – pretty much half the population. In 2010, Mark Zuckerberg, Facebook’s founder and CEO, said it was “almost a guarantee” that the site would hit one billion users. There’s no reason to doubt him, even allowing for some slowdown of membership in recent months. And even if Facebook were to disappear tomorrow, you can be sure that something else would take its place. The new Google+ network is already gaining millions of new members.

Therefore social media, as its name suggests, is embedded in our wider society. Further, some CISOs will be aware that within their own organisations there are departments actively looking for ways to exploit social media for advanced marketing and customer relationship purposes.

Often these initiatives will be undertaken without recourse to the CISO office or the information security team. That’s a challenge – but let’s return to that later.

Let’s deal with the fundamental challenges of social media use in the enterprise. Often the knee-jerk reaction is to go into lockdown mode and block all usage on corporate networks. This is the default option for organisations who believe that employees hog bandwidth and waste time on Facebook and other sites.

But because of the effects of consumerisation (the CIO and CISO’s other challenging techno-social trend), employees will spend just as much time accessing social networks on their own devices via 3G networks. So the blocking route is ultimately fruitless.

And we have moved on from the Facebook “panic” of 2007 – the year that Facebook really caught on across the world. There were dire warnings about the cost to industry from employees “wasting time” on Facebook – figures of £130m being lost by UK industry each day were bandied about in the media. However, like the figures calculated for the effects of strikes, extreme weather and transport failures, they are hard to prove and highly questionable.

There may well be some cost from unregulated social network usage, but now it seems a more mature approach to social media is emerging. The problem with blaming lost productivity on social networks – and by extension web browsing – is that it assumes that employees previously spent all their working hours actually working and not chatting, making tea, smoking outside, reading newspapers or other “non-productive” activities.

According to research [1] from Australian technology and communications researchers Datacurve, fears over productivity loss from social media usage are exaggerated and not borne out by reality.

The report, which looked at social media and web usage in Australian enterprises, states that: “Social media’s polarising effect on managers and their workplace policy will continue to persist in light of increasing efforts by enterprises to harness social networks for marketing and customer relationship purposes, while simultaneously trapped by the perception that social networking during work-time is a monumental threat to workplace productivity.” Very true.

It continues: “The hype about thousands of hours lost in productivity due to a social media addiction or pathology is not supported by the evidence. Spread out across a 20-day working month, Facebook will be accessed (on average) every second day, at approximately nine minutes per session. In the case of MySpace and Twitter, engagement is even less of an issue in the context of workplace productivity. Compared with entrenched behaviours like smoke breaks and coffee runs, social media behaviour is a very distant third in terms of employee ‘distractions’.”

The report concluded that the negative connotations associated with the use of social media had been overblown but that there was still a disconnect within some organisations which had a public facing endorsement of social media yet still restricted usage by its own staff.

So there are two challenges for the CISO: first, a change of fixed mindsets to accept social network use by employees within the enterprise based on a TRUST model. Second, ensure that the CISO’s department is engaged at fundamental points with Marketing, Communications and HR teams to ensure safe and risk-assessed usage of social media within the business, for both personal and business purposes.

This will entail a reworking of Acceptable Use Policies to embrace social media, taking full account of the above findings. On an ongoing basis it will mean full integration with marketing teams and other C-level teams so that social media campaigns are conducted for business benefit with minimised risk.

The paramount concerns must be that business-critical data and information is not exposed on social media and that employees do not bring the organisation into disrepute or fall foul of the law or compliance regulations via their social media usage.

Finally, remember the big lesson of consumerisation: empowering employees with their own devices makes them happier. Trusting them with social media will have the same effect.

[1] ENTERPRISE 2.0: Looking Inside Out – Benchmarking web usage and social media behaviour in the workplace http://bit.ly/datacurve2010


CISO Club report: EU Privacy and Communications Directive

The latest gathering of the HP CISO Club saw delegates discuss the impact of new EU privacy laws, Advanced Persistent Threats and the possibility of CISO intelligence sharing across industry sectors.

The EU’s Privacy and Communications Directive came into force on 26 May 2011. In a nutshell it means that web site holders and owners must obtain user consent before using cookies in their code. However, due to the complexities of implementing this, UK plc has been given a year by the ICO to put its house in order.

At the meeting it was felt that CISOs need to take these new laws very seriously and not sit back and do nothing because they have a year to sort it out.

The move by the EU was seen as a reaction to public concern at the rise of targeted advertising that tracks users across multiple sites.

The challenges are identifying and modifying an existing web presence so that it complies with the new rules but doesn’t drive customers away or undermine the business benefit of web sites. Some felt that cookies did bring user convenience. For example, when users log on, they don’t have to keep adding in the details they entered the last time round.

Some thought that the new directive could be bypassed by the less scrupulous. People’s browsers, their operating system, plug-ins and PC set-ups provide a unique footprint, which means that businesses could identify and track user behaviour without ever putting a cookie on their devices.

There was also the difficulty in dealing with customers who ask for privacy online but who also have credit cards and loyalty cards through which they happily give information away in return for vouchers and financial rewards. It was felt that people are looking for privacy yet are willing to give it away if it suits them. However, in the realm of privacy the consumer is king and the CISO must deal with the reality of the situation.

On balance, however, most felt that the new directive was welcome and will end bad practice, and that major UK brands have little to worry about if they plan and implement a compliant web strategy in good time.

But there is a danger that some less scrupulous businesses will just set up sites elsewhere, making it difficult for compliant UK companies to compete for customers.

If all companies acted honourably, there would be no need for any consumer protection. If the directive is to work as the EU intends it needs to have teeth and be enforced properly right across the EU. People rarely stop doing bad things just because of a regulatory issue. They do respond to fines and prosecution, however.

Don’t leave it too late, start planning now

Action points:

1. Identify an inventory of all the websites you have, not just those you host and manage but those managed by third parties on your behalf. If they carry your brand you need to ensure compliance.

2. Work closely with your marketing teams and audit EVERY web technique and database they use, and then set up a management tool to ensure ongoing compliance.

3. Think about how to adjust your sites. For example, give users a very clear option to turn off cookies, explaining very clearly how you use them and the benefits to the customer. Cookies on as default is not an option.
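One way to implement the third action point in code (non-essential cookies off by default, set only after the visitor opts in, and cleared again when consent is withdrawn), as an added example that is not part of the CISO Club report or of any HP product: a small consent gate in JavaScript. The cookie names, the two categories and the in-memory jar are assumptions constructed for illustration; the example relies on the directive's exemption for cookies strictly necessary to deliver a service the visitor asked for (a login session, or the consent record itself), and deciding which cookies qualify remains the site's own call.

```javascript
// Consent-gated cookie helper: added example, not code from the article or from HP.
// Non-essential cookies are blocked until the visitor has explicitly opted in, and are
// purged again when consent is withdrawn. Cookie names and categories are assumptions.

const CONSENT_COOKIE = 'cookie_consent'; // records the visitor's choice (assumed name)

// Cookies strictly necessary to deliver what the visitor asked for may be set without
// consent. Which names belong here is a per-site decision; these are assumptions.
const STRICTLY_NECESSARY = new Set(['session_id', 'csrf_token', CONSENT_COOKIE]);

// Builds the attribute string a browser-backed jar writes to document.cookie.
function serialize(name, value, attrs = {}) {
  let s = `${name}=${encodeURIComponent(value)}; Path=${attrs.path || '/'}`;
  if (attrs.maxAge !== undefined) s += `; Max-Age=${attrs.maxAge}`;
  if (attrs.sameSite) s += `; SameSite=${attrs.sameSite}`;
  if (attrs.secure) s += '; Secure';
  return s;
}

// In-memory cookie jar so the example runs outside a browser (constructed for the demo).
class MemoryJar {
  constructor() { this.items = new Map(); }
  get(name) { return this.items.has(name) ? this.items.get(name).value : null; }
  set(name, value, attrs = {}) {
    this.items.set(name, { value, header: serialize(name, value, attrs) });
  }
  remove(name) { this.items.delete(name); }
  names() { return [...this.items.keys()]; }
}

// Browser-backed jar with the same interface; only usable where a DOM exists.
class DocumentJar {
  _pairs() { return document.cookie.split('; ').filter(Boolean).map(c => c.split('=')); }
  get(name) {
    const p = this._pairs().find(([n]) => n === name);
    return p ? decodeURIComponent(p.slice(1).join('=')) : null;
  }
  set(name, value, attrs = {}) { document.cookie = serialize(name, value, attrs); }
  remove(name) { document.cookie = serialize(name, '', { maxAge: 0 }); }
  names() { return this._pairs().map(([n]) => n); }
}

class ConsentGate {
  constructor(jar) { this.jar = jar; }

  // Opt-in only: a missing or unrecognised value counts as "no consent".
  hasConsent() { return this.jar.get(CONSENT_COOKIE) === 'granted'; }

  grant() {
    this.jar.set(CONSENT_COOKIE, 'granted', { maxAge: 180 * 86400, sameSite: 'Lax', secure: true });
  }

  // Withdrawing consent also purges every non-essential cookie already stored.
  withdraw() {
    this.jar.set(CONSENT_COOKIE, 'denied', { maxAge: 180 * 86400, sameSite: 'Lax', secure: true });
    for (const name of this.jar.names()) {
      if (!STRICTLY_NECESSARY.has(name)) this.jar.remove(name);
    }
  }

  // Returns true if the cookie was stored, false if it was blocked for lack of consent.
  setCookie(name, value, attrs = {}) {
    if (!STRICTLY_NECESSARY.has(name) && !this.hasConsent()) return false;
    this.jar.set(name, value, { sameSite: 'Lax', secure: true, ...attrs });
    return true;
  }
}

// Walks a visitor through the three states and reports what ended up in the jar.
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar);
  const beforeConsent = {
    session: gate.setCookie('session_id', 'abc123'),   // allowed: strictly necessary
    analytics: gate.setCookie('analytics_id', 'u-42'), // blocked: no consent yet
  };
  gate.grant();
  const afterConsent = { analytics: gate.setCookie('analytics_id', 'u-42') };
  gate.withdraw();
  return { beforeConsent, afterConsent, remaining: jar.names().sort() };
}
```

In a real site the marketing tags would be routed through `setCookie` rather than writing `document.cookie` directly, so that the audit in action point 2 has one place to check; the `false` return value is the hook for telling the visitor why a feature that depends on an optional cookie is unavailable.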

Sharing CISO intelligence and defending against attacks

The CISO Club looked at whether different sectors can share information; can the challenges faced by one sector be relevant to another? If a particular company is targeted, why not pool resources, why not pool information?

The number one priority for any organisation is defence. Prosecution of the perpetrator downstream is highly desirable, but the first priority is to be able to defend the business against attack.

CISOs are constantly playing catch-up, because when they find an effective way to disrupt an attack mechanism the hostile organisation will deploy another mechanism.

It was felt that some kind of rapid reaction knowledge sharing tool on attack methodologies (as they are happening), if it could be made to work, would be highly desirable.

At the meeting it was reported that there is now a great deal of seriousness within the government about actually sponsoring a collaboration between the public sector and the private sector to do something about this, because it’s now widely recognised that no one company can work in isolation.

It was felt that there are two types of information that would be highly valuable: the source IP and raw malware. This is the area where the vendors would have a highly important role to play in an integrated intelligence sharing plan.

Advanced Persistent Threats

The growth of sophisticated and “politically” motivated attacks against major brands is here to stay. Enterprises cannot effectively protect themselves from all attacks. Even a moderately well resourced attack that’s well targeted with knowledge is going to compromise the business at some point. There is now a constant stream of attacks and, while hits against big brands make the headlines, smaller websites are being attacked on a daily basis. No company is immune.

And it is affecting public perception and trust in brands and, by extension, those charged with protecting consumer data. The loss of the CDs from HMRC made people angry not because in the end it impacted on them but because an organisation that they trusted lost their personal information.

Security awareness must be taken absolutely seriously in the organisation if these attacks are to be foiled or at least reduced.

Yet others argued that the challenge is that individuals in enterprises make their own informed risk decisions when deciding, for example, whether to click on a link in an email – and most get away with it without having to consult up the line, which is not practical anyway. People are under pressure to do their jobs. The problem of course is that every now and then one of those links will be malicious.

So new technologies and new methodologies are urgently needed to take the risk decision away from the employee, and to update security awareness policies and actions to take account of business realities.

Steve Durbin Q&A

What are the aims and policies of the ISF?

We aim to supply authoritative opinion and guidance on all aspects of information risk management and security. ISF membership is available to all organisations, irrespective of size, and many of our members are Fortune 500 and Forbes 2000 companies.

With the increasing focus on security and the continuing move for this to be viewed and treated as a business risk issue, the ISF continues to support its members through the provision of research, risk assessment tools and insight in a consistent and easily accessible manner whether the members are based in Asia Pacific, Europe or the Americas.

Do you think that the demands of CISOs are driving the industry effectively and are vendors listening?

If you asked the majority of vendors whether they listened to the demands of their clients you’d get a resounding YES! I also think if you asked the clients, they’d say the vendors could always do a better job of listening, or bringing products to market faster, cheaper and so it goes on.

One of the things that categorises the ISF membership base, however, and sets it apart from many others is that it is made up of both of these constituent parts. The ISF, therefore, gets to act as a channel for CISOs to share their views on how to drive the industry effectively and for vendors to hook into that thought leadership and to present their views in a highly collaborative environment. A good example of this would be the ISF special interest group (SIG) on mobile devices. Here we have some of the world’s leading vendors and developers of mobile devices and applications coming together with some of the world’s smartest user organisations to collaborate on how mobile devices can be made more secure in the enterprise and consumer space.

Are CISOs and senior security professionals becoming more business focused and has the ISF changed to reflect this?

The role of the CISO has certainly changed and I believe will continue to change over the coming years. Security is not an IT issue, it is a business issue and one that has very real business impact. So what can the CISO do and indeed what can organisations do to address these challenges effectively? It will require the adoption of new structures, governance and processes that significantly change the ability of an organisation to manage data breaches and cyber threats. It is a significant change that requires a refocus and alignment with the business. The ISF continues to change as our members change to address the evolving and emerging needs of the corporations that make up the global membership.

Why is Europe struggling to encourage young people into a career in information security?

Information security has had some bad press in the past and is commonly perceived as not a dynamic career choice. Yet in fact, cyber is a world of opportunity—and one where thousands of public and private sector organisations, and their billions of customers, are now reaping major benefits every day. Cyber security, far from being a barrier, is actually a critical enabler for organisations to harness the opportunities available through taking processes and activities online.

Given its unparalleled blend of massive opportunities and profound threats, operating securely and successfully in the information security and cyber environments is among the most pressing and urgent issues facing business and government leaders today. Now that sounds like a pretty interesting and challenging career choice to me and that’s the message we need to get across to young people!

Is consumerisation out of control or can it be a positive force in the enterprise?

It’s not out of control but it’s a fast-growing trend, and the pace of development is only likely to increase as the capabilities and popularity of these devices continue to grow. It’s simply added further impetus to the need to manage the use of such technology at work. For example, the question of who owns the device can also have legal ramifications on mobile device management and the remote wiping of devices should the need arise.

The benefits of using such devices at work include greater flexibility, increased productivity and reduced costs. They also open the way to further innovation and the identification of new business opportunities that previously did not exist. Organisations urgently need to formulate a response to this trend if they haven’t already done so. It is a major focus area for the ISF.

How is social media affecting the way CISOs do their jobs, can they harness the power of social media for user awareness?

Social networking is an emerging trend that has yet to reach maturity but one that has achieved scale, is here to stay and will continue to develop. Enterprises can therefore take a number of views – wait and see, restrict or ban the use of social media in the workplace; this clearly removes any of the risk but also any of the potential benefits, or alternatively, embrace social media within the organisation with clearly articulated guidelines around its use. It boils down to what risk profile an organisation wishes to run with.

Clear policies should be developed within the enterprise that ensure that everyone understands the approach to social media that is being adopted. CISOs that have embraced social media can point to benefits such as the use of social media to raise user security awareness.

The ISF has talked about the importance of the “Smart Enterprise”, what does it mean by this?

Cloud computing and other flexible business solutions will affect commercial organisations even more in the future as they look to replace many of their under-utilised organisational assets or infrastructure with “pay for usage” business models. This marks the rise of the “Smart Enterprise” – an increasingly flexible business that relies on working with best value providers in dynamic supply chains whilst continually looking for better control on business processes by utilizing new developments.

However, even while the underlying pace of change will continue to accelerate, organisations in general and smart enterprises in particular need to be aware that there will continue to be a balance between moving fast now and the need for good governance, planning and management.

Steve Durbin is Global VP of the Information Security Forum (ISF), an independent organisation that supplies authoritative opinion and guidance on all aspects of information security. It has 300 corporate members around the globe.


Insights

HP research shows 56 percent rise in cost of cyber crime

New research reveals cyber attacks increasingly plague businesses and government organisations and result in significant financial impact, despite widespread awareness.

Conducted by the Ponemon Institute, the Second Annual Cost of Cyber Crime Study revealed that the median annualised cost of cybercrime incurred by a benchmark sample of organisations was $5.9 million per year, with a range of $1.5 million to $36.5 million each year per organisation. This represents an increase of 56 percent from the median cost reported in the inaugural study published in July 2010.

The study found that recovery and detection are the most costly internal activities, highlighting a significant cost-reduction opportunity for organisations that are able to automate detection and recovery through enabling security technologies.

Inform readers can download the study to better understand the amount of investment and resources needed to prevent or mitigate the financial consequences of an attack.

Download the study at this URL: http://bit.ly/rlFXI3

IT departments still not trusted in the enterprise

Now in its fifth year, Cyber-Ark’s annual survey report Trust, Security and Passwords recently examined the threat of privileged users within an organisation and analysed the views of over 1,400 IT staff and C-level professionals across North America and EMEA.

The survey found that the IT department is still considered the most untrustworthy, with 48% of global respondents identifying it as the most likely to snoop around the network. The study also found that the majority of employees would take confidential data (66% of global respondents) if they left their company, despite 87% of respondents acknowledging that they had no right to this information.

The research highlights a number of key threats and concerns. Overall it underlines the need for organisations to implement robust security procedures to offer internal and external protection of data from cyber-attacks.

Download the study at this URL: http://bit.ly/gBUqby

Global survey reveals almost 80% of businesses experienced data loss in 2010

A recent survey by Check Point and the Ponemon Institute showed that 77% of organisations experienced data loss in the last year. The survey of 2,400 IT security administrators showed the main cause for data loss was lost or stolen equipment, followed by network attacks, insecure mobile devices, Web 2.0 and file-sharing applications and accidentally sending emails to the wrong recipient.

Furthermore, 49% of all respondents believe their employees have little or no awareness about data security, compliance and policies – meaning businesses should integrate more user awareness into their data protection and DLP strategies.

Download the full survey at this URL: http://bit.ly/g81sl5

Research from HP Labs helps CISOs make the right security investments

The increasing business reliance on IT and worsening threat environment means that organisations are under pressure to invest more in information security. But the choices are hard when money is tight, objectives are not clear and there are many experts and stakeholders.

A new HP research paper looks at these security economics challenges by applying them to a realistic security problem concerning client infrastructure. The study is aimed at improving decision making, and suggests ways to proceed and to test the impact of new methods on the actual decision makers.

Download the study at this URL: http://bit.ly/pGJXWP

Paper suggests new ways to defend against the threat of social engineering

Social engineering is the art of manipulating people into taking actions that breach even the best technology-based organisational defences. This dark art has been practiced by criminals since the beginning of history and new examples crop up on a daily basis. But new security techniques are available to close this vulnerability by modifying employee behaviour.

Download the paper at this URL: http://bit.ly/iZIis6


How does your security stack up?

Benchmarking, long used to measure IT effectiveness, has recently started making inroads into information security thinking. But is it an effective tool for CISOs?

Do some enterprises do security better than you? Are they getting better ROI on their security investments and enjoying simply better security efficiency? How do you compare? These questions are what security benchmarking is all about.

And it’s a subject appearing on the radar of more and more security leaders. As budgets get further squeezed across the enterprise and security professionals are expected to justify any security spend, there is a natural tendency to look outside the company’s four walls and see how competitors are performing. Most importantly, they may be achieving greater efficiencies and security effectiveness by using similar resources more effectively.

Your rivals may have innovated by using cloud services or by sub-contracting parts of their security function to outsourced teams. There may be a great deal to learn if security leaders and their teams started looking beyond their own departments and planning. Indeed their colleagues in IT teams have long appreciated the value of benchmarking.

“Benchmarking has been in use in other IT disciplines for decades. Whether it was data center performance or network utilization, companies have always felt compelled to compare themselves to others. It’s part of the competitive, win at all costs mentality that pervades business,” says Mike Rothman from information security analyst firm Securosis.

The problem for information security is that it is only just emerging as a business function akin to IT. There has been little in the way of concrete data for security leaders to measure themselves against. Some obvious questions are: How does your number of incidents compare to rivals? How does your headcount compare, and are you using your budget effectively? Yet information security, as we know, is a harder discipline to quantify and measure than IT, which can mostly be reduced to simple cost efficiency and productivity metrics.

Meanwhile an effective security program can be defined as one that prevents breaches, serial hacking, malware infection and so on. And up until recently this was pretty much considered the most effective ‘box ticking’ metric. But, as already mentioned, as the security profile has moved further up the corporate food chain, senior management want to know if the function is working as well as it could – could it be better? Are competitors doing it better and gaining competitive advantage and efficiencies? In a difficult economy, it is now part of the “win at all costs mentality” that Mike Rothman spoke of.

The simple and obvious answer to senior management for all these questions is, “I don’t know”. So given that you obviously can’t ring up your counterpart at your rival and ask how they do things, what can you do?

You then need a data source or, better, a consultant partner that has long-established credentials in understanding and documenting best-in-class security practices. Most importantly, it will have access to benchmark data and security metrics based on long-term and direct experience of working with security leaders across different sectors and industry verticals. Only by working with a benchmarking partner that can offer such insight can you hope to get an accurate assessment of how your security practice and technologies stack up.

Before this, however, you must determine what it is you and your senior management actually want to achieve from any benchmarking process. A simple comparison is pointless unless you can act on the comparison results, learn from them and make changes. Get back to CISO leadership basics and remember that you are leading a risk-based business function and not an IT-based function. A benchmarking assessment needs to reassure management that the department you are leading is exposing them to the right degree of risk and that the level of investment to maintain that risk level is correct.

The benchmarking process may reveal that the investment is too high and data is over-protected compared to rivals or it may reveal a worrying degree of exposure in which case more investment is needed. Furthermore it may reveal that investment has been pushed towards the wrong technologies and implementations.

It’s worth emphasising that this kind of insight can only be achieved by engaging a partner that can deliver commensurate levels of experience and benchmarking data for your expectations and type and size of enterprise.

There are other benchmarking options available. Some organisations offer access to benchmarking databases (against a variety of ISO and other industry standards) in which you can conduct your own exercise against that of similar organisations. While this may give a reasonable degree of accuracy, information security is a fast-moving and evolving practice and some benchmark data may well be out of date. Ideally you need to engage with a partner that can promise almost up-to-the-minute, real-world experience of security benchmarks with resultant data sets. If you have the budget, you could carry out a benchmarking study using a combination of both.

Finally however, it’s worth quoting these words from Mike Rothman: “Security benchmarking is not a short-term fix – it’s a long-term journey. One that requires commitment from senior management and an ongoing focus on applying lessons derived from data to refine operational activities, as well as a mechanism to push for accountability from all parts of the organization.” And that is very much the essence of effective security benchmarking. It’s about business, not technology.

Benchmarking Basics

1. Define precisely what you want to achieve from your benchmarking exercise. This could be to identify suspected security gaps or to achieve security efficiencies.

2. If the benchmarking has been driven by enquiries from the board, make sure that you work fully with it when planning project goals.

3. Ensure that the goal of the benchmarking exercise is based on risk and business benefits for the enterprise and is not simply an end in itself.

4. Simplicity is the key. Don’t try to benchmark everything at once. Work with your partner to ensure that the right sort of benchmarking process is carried out to achieve your stated goals.

5. Don’t compare apples with oranges. You need to compare your security set-up to similar organisations, not just in terms of sector but also size.

6. Ensure that you and your benchmarking partner have access to the right data sets for your industry or vertical from the outset. If this proves difficult, you may need to question the partner’s performance. The wrong data will skew your results.

7. Remember, in effective security benchmarking, data is king.

26 2011 | Inform – Issue 6

www.hp.com/enterprise/security

OCTOBER 26, 2011 www.focus11london.com

Don’t miss FOCUS 11 London. Gain valuable knowledge from McAfee executives, customers and other industry leaders.

Topics include:

• Cyber security threats and trends
• Hacking
• Virtualization
• Mobile devices

Where:

BAFTA HQ, 195 Piccadilly, London W1J 9LN

When:

October 26, 2011

Sponsoring partner:

FOCUS 11 London Highlights

FOCUS 11 London Security Conference offers an excellent opportunity for decision makers, security industry influencers and strategists to network with other professionals, get in-depth security updates, and learn more about today’s most pressing security challenges.

FOCUS 11 London Keynotes

RT Hon David Blunkett MP, Former Secretary of State and Chairman, ICSPA

Bennett Arron, Award-winning Writer, Actor and Comedian

Jacqueline de Rojas, Vice President, McAfee UK and Ireland

Nick Leeson, The Man Who Broke Barings Bank

Gert-Jan Schenk, President, EMEA, McAfee

Bryan Glick, Editor in Chief of Computer Weekly

Steve Shakespeare, Director, EMEA Enterprise Solutions, Intel Corporation

Stuart McClure, Co-Author of Hacking Exposed

For more information on FOCUS 11 London sessions and the full agenda, visit: www.Focus11London.com

227 Bath Road, Slough, Berkshire SL1 5PP


