
Posts tagged - BT Security

Tuesday, November 8, 2011

BT Opens a New SOC in Sydney, Australia

By Tara Savage, Senior Marketing Manager, BT Global Services

Today BT will be opening its latest Secure Operations Center (SOC) in Sydney, Australia. Jeff Schmidt, Global Head of BT Assure, BT’s global security capability unit, said “the Sydney facility is a strategically important investment for BT and will enable our customers to transact business in the region with added levels of security and confidence.”

This is the twelfth 24×7 center to be opened by BT and continues to build on BT’s investment in the region and commitment to support Australian and multinational companies as they expand into the Asia-Pacific region.

The facility will manage customers’ security environments within the healthcare, finance, retail, and manufacturing sectors and will integrate seamlessly with BT’s other SOCs to ensure that threats are managed proactively and assist customers in meeting compliance and governance mandates.

Like all of BT’s SOCs, the Sydney facility will be staffed by highly trained security experts who monitor and manage customer networks and devices on a ‘follow-the-sun’ pattern. BT’s SOCs have maintained a 100% uptime since they commenced operations and are accredited and audited to ensure they meet global and local information assurance standards, such as SAS70 and ISO 27001.

Wednesday, August 3, 2011

Evil Dad and the Internet

By: Martin Brown, General Manager, Security Technology & Strategy

I have a small swarm of kids, four to be precise, not enough to form a football team, but enough to cause chaos.

My kids are of the age, like the majority of the population who are between the mud and deodorant stages of life, where they have always known the Internet, and the things it brings us.

I, for my sins, am a security bod. I have worked in security for around 20 years, and am currently in BT Security strategizing what future technologies will need to look like if we’re going to be online securely. I refer to myself as a “Technology Funalist” as I pretty much enjoy all facets of technology, and have the electricity bill to match. My wife introduces me as “the gadget man” and endures this hobby well, being generally accommodating to my techno wishes.

I have, on occasion, had to resort to devious methods to gain access to the latest tech – take the iPad for example – knowing the likely repercussions of returning home from yet another “just having a look” trip to the local computer superstore with a shiny new gadget.

As the “I thought you were only looking!?” conversation began, with dramatic flair I presented her with her own iPad. With an audible “whoosh” the pressure abated, the smile appeared, and we began our blissful life of sharing of apps, music and other tablet-esque adventures. Mission accomplished!

Unlike most normal people, I run our home network like a small business and apply the security controls in a similar vein, despite the groans and moans from the kids.

Whilst they don’t realise it, the kids indirectly benefit from my enthusiasm, getting access to some pretty cool tech stuff which is integrated, just works and is locked down with the intention of keeping it and those using it secure and safe.

That final point is where my kids and I begin to have differing views on the controls around using the Internet, how it should be used, what they can do and where they are allowed to go.

Yes, some of their friends do have access to more stuff than they do, and whilst my kids might think of me as being just to the right of Attila The Hun in terms of internet controls this is because I tend to stick to the rules of the (Internet) road, and pay attention to what ages products and services are intended for.  Sadly, this does not seem to be the case for all…

A good example is social networking. Many of the children at school have Facebook accounts, despite being below the minimum age, but we are sticking to the rules – this creates an imbalance which our kids are keen to redress, and are supported by their peers when discussing the tales of woe around how evil Dad is about such things.

As you would expect the sites and materials they want are not offensive, adult or inappropriate, however it’s managing the access to the grey areas where the information, or site, is legally, or based on the end user license, placed just outside their reach.

So how do we maintain and apply these home policies? There are four children in our house, each with around 3-5 years between them. This means there is no such thing as a one size fits all option – each needs to be addressed individually. It is not fair on those who do have Facebook to find they can’t access it and are expected to make do with cartoons and other cuddly images.

As a first step, all the house traffic is routed through a cloud based filter before it gets to the house. This service does a reputation based category web check, and malware checks on web and email as well as providing us with our anti-spam filters.

Each of us has a login which authenticates for web access. Besides some blanket category blocks there are unique restrictions and permissions per user appropriate to age and content type. Attempting to go to a site which is blocked results in the following user-friendly message:

[Image: daddy]

What a handsome chap!

The next layer in is the firewall. As well as being a firewall, it has some IDS and is also blocking all SMTP inbound and outbound other than that destined for my cloud-based mail security provider. P2P torrents and the like have no place here!
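The SMTP rule described above doubles as a detection signal: a client that keeps hitting the block is worth a look. The following is an added example, not code from the original post; the log format, the provider range (a documentation prefix), the port list and all sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions, not from the post: provider relay range and SMTP port list.
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/28")]
SMTP_PORTS = {25, 465, 587}

# Hypothetical firewall log format: "<timestamp> IN|OUT src=.. dst=.. dport=.."
LINE = re.compile(
    r"(?P<dir>IN|OUT) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

def smtp_verdict(direction, dst, dport):
    """Return 'allow', 'block', or 'n/a' (not SMTP) under the post's rule:
    all inbound SMTP is blocked; outbound only to the mail provider."""
    if dport not in SMTP_PORTS:
        return "n/a"
    if direction == "OUT" and any(
        ipaddress.ip_address(dst) in net for net in PROVIDER_NETS
    ):
        return "allow"
    return "block"

def blocked_smtp_sources(log_lines):
    """Count blocked SMTP attempts per source address."""
    hits = Counter()
    for line in log_lines:
        m = LINE.search(line)
        if not m:
            continue  # skip lines that are not flow records
        if smtp_verdict(m["dir"], m["dst"], int(m["dport"])) == "block":
            hits[m["src"]] += 1
    return hits

# Constructed sample log lines.
SAMPLE_LOG = [
    "2011-08-03T02:14:07 OUT src=192.168.1.23 dst=198.51.100.77 dport=25",
    "2011-08-03T02:14:08 OUT src=192.168.1.23 dst=198.51.100.91 dport=25",
    "2011-08-03T02:15:30 OUT src=192.168.1.10 dst=203.0.113.5 dport=587",
    "2011-08-03T02:16:02 IN src=198.51.100.4 dst=192.168.1.10 dport=25",
    "2011-08-03T02:17:45 OUT src=192.168.1.23 dst=198.51.100.77 dport=443",
]

if __name__ == "__main__":
    for src, n in blocked_smtp_sources(SAMPLE_LOG).most_common():
        print(f"{src}: {n} blocked SMTP attempt(s)")
```

An internal address that shows up repeatedly in this count is trying to send mail directly to arbitrary servers, which is a common sign of a spam-sending infection on that client.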

Finally we get to the client.

All computers, including servers, PCs and Macs have antivirus and firewall on them. No exceptions. There is a mistaken view that Macs do not need AV. That is not the case, and as Apple’s market grows, so does the risk of encountering malware on OSX.

My children are used to this now. They generally accept it and, along with the final piece of the puzzle, education, they are frequently reminded the Internet can be a bad place, and you can only trust someone is who they say they are if you have seen each other face to face and discussed meeting online. Sure, they still click the wrong thing from time to time, but that’s what the layers of protection are for…

And finally, one unintended little “benefit” of running the kids’ laptops in a Windows domain, is when you see their laptop is on at some ridiculous hour, ‘shutdown -i’ is my friend, allowing me to remotely shut down their laptop. You can tell if they were awake by the immediate response as it shuts down in front of their eyes!

Evil Dad strikes… again!

Tuesday, August 17, 2010

Reputation Damage – The Key to Assessing Business Threats

By Malcolm Stokes, Head of Operational Risk, BT Operate

When assessing threats to business, how can we tell whether security and resilience are good enough?  The answer depends largely on how we value reputation; however, there’s no recognized method for measuring damage to an organization’s reputation.  BT Security is piloting an approach that aims to solve this problem.

Business success, or survival in a crisis, depends ultimately on reputation.  If the expectations of customers, employees, suppliers, regulators, and/or investors are not met, reputation is damaged and the bottom line suffers.  Safeguarding reputation means continuing to meet expectations of security, reliability, product or service quality, value for money, and integrity.  Risk to any of these characteristics can be a threat to reputation, to market share, costs and profitability.  

If expectations are not met, customers will buy elsewhere, employees leave, suppliers are reluctant to offer best terms, regulators impose greater scrutiny, and investors may raise the cost of capital.  Any combination of these responses will tend to reduce revenues, raise costs and erode profits.

Nearly all business risks have the potential to damage reputation in some way, which is why the phrase — “damage to reputation” — arises so frequently as a possible consequence.  Often this intangible part of consequences is said to exceed the tangible losses that may arise from an incident.  However, without a consistent way to evaluate reputation damage potential, we may distort our analysis of risks and draw false conclusions.

Market surveys that ask which risks concern managers the most tend to find “reputation risk” at the top of the list, simply because almost all risks are potentially risks to reputation.  Look at any risk register and ask yourself if reputation can ultimately be affected.  Study a few well-known business failures (e.g., Ratners, Perrier, Pan-Am, Barings Bank, Enron, Anderson, Jarvis, and potentially BP) and consider the role played by reputation damage.

The proposed scheme for measuring reputation damage uses a set of 10 estimated cost components that together represent the overall cost to a company of suffering and repairing a damaged reputation.  Not all of these cost components will apply in every case:

  • Advertising and communication costs to restore trust
  • Reactive expenditure to prevent recurrence 
  • Cost of de-mergers and re-branding
  • Value of lost business contracts that are terminated
  • Cost of acquiring customers to offset increased churn
  • Opportunity cost of new business prospects and partnerships lost
  • Increased cost of capital due to lower credit rating
  • Cost of delayed product launches and smaller market share
  • Cost of replacing executives and managers who resign
  • Cost of replacing skilled employees who leave

The process of estimating what reputation damage might cost avoids the pitfalls of trying to value reputation or brands before and after an incident in order to assess the damage in terms of value difference.  A series of pilot studies are in progress to demonstrate how risk management and threat assessment can be more effective if reputation takes center stage in the process.

I’ll report back on what we find from the pilot studies.  But, in the meantime, join the discussion and let us know what costs your company associates with risk.

Tuesday, June 29, 2010

BP Oil Spill Wakes Up Country to Need for Stronger SCADA Controls

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

BP – a company name that’s on the minds of most Americans today and probably not in a good way.  The crisis we face today with the major oil spill is catastrophic and a direct result of time and cost pressures brought about in response to our increasing demand for energy.

BP is in the news today, but if demand growth for oil continues at this rate and supplies continue to dwindle, the oil spill we face today may seem small in comparison to future accidents.

With the industry trying to keep up with demand, network operations have been centralized, requiring distant controls to be managed over a wide variety of networking technologies, with all the attendant gateways such a model implies. 

While this approach can reduce costs and improve efficiency, it can also open the door to attacks by hackers and cyber terrorists.  This is a very real threat faced by oil and gas companies today.  Researchers have directly warned oil companies across the globe that offshore rigs are highly vulnerable to attacks.  In fact just last year, a contractor in California was charged in federal court for hacking into a digital network in an attempt to disable an offshore rig, after allegedly being angry about not being hired as a full-time employee.  The attack – against a SCADA control system – was illustrative of the types of threats which, if successful, could have grave consequences.  Legacy thinking and a frequent lack of third-party testing and review all combine to create a classic system of unexpected complexity.  These are the most likely to suffer compromise, whether malicious or accidental, resulting in catastrophic outcomes.

A multi-layered approach is critical to securing SCADA networks.  Each of the following layers plays a role in securing mission-critical, real-time control systems:

  • Perimeter Controls (Internet or Corporate Perimeter Defense)
  • People, Policies, Procedures (Business Continuity, Disaster Recovery)
  • Network Architecture (Firewalls, Routers, Switches)
  • Network Operating Systems (Domain Security, Active Directory, etc.)
  • Host Security (Operating systems of servers and workstations)
  • Application Security (SCADA, EMS, Database, Web, and more)
  • Unique Secure Requirements for what is being protected (Plant equipment, RTUs, PLCs, etc.)

Each layer requires ongoing testing and evaluation to determine the vulnerabilities that exist in these systems.  Oil and gas companies must consider a holistic approach to their security to avoid a potential cyber attack.  This approach includes:

  • Building a road map for security and regulation compliance – what systems are in place and how are they integrated?
  • Assessing vulnerabilities – identify and understand current vulnerabilities in the security of physical, IT and SCADA controls
  • Penetration testing – the only way to know if a hacker can get into your network or facility is to actually test the vulnerabilities found with an assessment
  • Developing an emergency response and disaster recovery plan – as we have seen with BP, there is a need to have a plan for the unexpected.  Having such a plan allows an organization to quickly recover and restore critical operational functions after an unexpected event
  • Gathering evidence – when critical assets come under attack, quick action is required to gather digital evidence and then use the evidence to prosecute

While this “to do” list for full SCADA security may seem overwhelming, engaging with a professional services organization that can assist in the execution and delivery of these steps — particularly penetration testing and BCDR plan development — can radically simplify the task list.  Learn more about how BT helps companies secure their critical infrastructure.