
Posts tagged - BT

Wednesday, January 25, 2012

World Economic Forum: Shaping New Risk Models

By Tara Savage, Senior Marketing Manager, BT Global Services

Today’s business, economic, government and social climates are driven by data. Sharing information is fundamental to how states and businesses address the world’s most pressing challenges. And while data connects us, it is also the source of many of the risks that threaten the success of these collaborative efforts.

How should world leaders and CEOs assess and manage this risk? 

Ray Stanton, BT’s Vice President of Professional Services, is one of the session co-leaders at the World Economic Forum in Davos-Klosters, Switzerland, on ‘Risk in a Hyperconnected World’. Ray will draw on his many years of experience and expertise in the field, as well as on feedback from ISF 2011, to present on issues that will loom large on the agenda of global security leaders in 2012.

Thursday, October 27, 2011

How can the growing challenges of compliance be met at affordable cost?

Part 2: The Economics of Compliance

By Paul Kearney, Chief Security Researcher, BT Innovate & Design

In the first installment of this blog post, I commented on the major challenges public and private sector organizations are facing in complying with security-related standards and regulations. I cited a 2011 survey by Ponemon, which reports that the average cost of compliance is more than £2 million, but the cost of non-compliance is almost £6 million. Studying the results of the survey led me to some interesting observations about the economics of security that I would like to share before moving on to describe our work towards a methodological framework and accompanying software toolset in a subsequent posting.

Forty-six organizations in a variety of sizes and market sectors responded to the Ponemon survey, providing figures on what they are spending on compliance programs and what they are losing due to compliance failures. The majority of the latter costs related to the impact of security breaches – business disruption, lost productivity and revenue, etc. – rather than fines and penalties. Most organizations spent much less on compliance than they lost, though in six cases the amounts were roughly equal, so there is certainly scope to reduce losses by increasing spend.

The study authors also calculated Security Effectiveness Scores for the participating organizations. As expected, they found that high security effectiveness correlated well with low per capita losses. Interestingly, security effectiveness was not correlated with per capita spend. Taken together, these suggest that compliance budgets are not always spent wisely and that adopting the risk governance principles required by standards and legislation is more important than checking boxes.

So, what is the right amount for an organization to spend on compliance?

Economic theory would suggest trying to minimize total costs, i.e. the sum of spend and losses. We would expect losses to decrease as we spend more on security, rapidly at first, but with diminishing returns, so that eventually additional spend outweighs incremental benefits and total costs begin to rise. There will be an optimal point where a pound of additional compliance spend yields a pound of reduced losses. Where this sweet spot occurs depends on the shape of the curve relating security spend to losses.

I was reminded of a conversation with a colleague who works in risk management. He had sketched a graph with axes of security risk and spend, with points plotted on it corresponding to different risks. He had speculated that you could draw a straight line through the origin of this graph dividing the risks on which too much was being spent from those to which more budget should be allocated. Having been a theoretical physicist in the past, I leapt for my pencil and paper and soon satisfied myself that there was indeed a simple mathematical function relating risk to cost that ‘looked right’ and for which the optimal solution for spend is a straight line through the origin. The function I found was characterised by a single free parameter that I imaginatively named “k”.

If my function is on the right lines, choosing a value for “k” would enable you to estimate your optimal security spend and, indeed, to work out which of the Ponemon respondents (if any) had got it right. I am not claiming my function is correct. Furthermore it is quite likely that different types of organizations would be characterized by different values of “k.” Nevertheless, it would be interesting to use it as an analytical lens through which to view risk estimates or security control cost-effectiveness figures.

Regardless of absolute correctness, the equation can be used to get an intuitive feel for the dynamics of security economics. For example, a risk frontier separating acceptable from unacceptable levels of risk appears as a horizontal line on the graph. Varying the security spend up or down allows you to move your risk point along a curved trajectory from top-left to bottom-right on the plot. If this trajectory crosses the optimal line at a point above the risk frontier, then you are only going to mitigate the risk by spending over the odds on controls.

What we would all like to do, of course, is to maneuver our risks at right angles to this trajectory, decreasing spend and risk simultaneously. To do this, you need to change the value of “k” governing the trajectory, which means working smarter rather than harder and changing the type of controls you are using.

Following this little diversion into the economics of risk, security and compliance, I will return the trajectory of this article to its originally intended path. In the next instalment, I’ll discuss the importance of closing the loop linking policy to selection and deployment of controls by measuring the operational effectiveness of the controls and using the results to update policy. I’ll then outline the results of a project I’ve been part of recently that addressed such issues. However, that’s a topic for another day.

Tuesday, August 23, 2011

Is Internet Filtering Effective?

By Sushila Nair, Product Manager, BT Counterpane

Ubiquitous connectivity to the Internet has fast become an expectation. In Estonia, France, Spain, Finland and Greece Internet access has been made a human right. It is estimated that there are 360,985,492 Internet users, approximately 30% of the world’s population. Never before have we had the capability to reach so much of the world’s population.

It is a very exciting time, but the Internet has exposed a myriad of issues, everything from copyright violations to work productivity. The question becomes how we control who does what and when, and how we determine the effectiveness of filtering. Does it work?

The OpenNet Initiative (ONI) announced that 25 countries around the world, out of 41 surveyed, block or filter Internet content, indicating a global trend towards Internet censorship. 

In fact, the Australian Federal Government has announced its intention to introduce new legislation to compel Australian Internet Service Providers (ISPs) to filter all information transfer in Australia, with the intent of stopping the general public from accessing selected information.

Some of the other countries that implement filtering include China, Saudi Arabia, Burma, Iran, Pakistan and South Korea. Even the UK, as a result of the London riots, is exploring whether to turn off social networks or stop people texting during times of social unrest. David Cameron, the UK prime minister, said the intelligence services and the police were exploring whether it was “right and possible” to cut off those plotting violence. Just recently, the UK high court ruled that BT must block access to the site Newzbin, which is seen as a landmark ruling for content providers and increases the likelihood of a growth of Internet filtering through ISPs.

The questions surrounding filtering are many. Beyond the ethics of filtering is the question of how to implement it without its being easily defeated or creating a bottleneck.

List-based filtering schemes, which are built on reporting by the general public and actioning by a government-nominated organization, struggle to keep up with the pace and volume at which content is added to the Internet.

Static lists can only capture a small fraction of the material that would be classified as harmful. Dynamic content generation and the use of dynamic addressing add further complexity. The ease with which a list-based filter can be defeated by using a proxy further limits the effectiveness of any such scheme.

There is no doubt that Internet regulation is only likely to grow, given the importance and far-reaching capabilities of the medium. With this growth we’ll see new and more innovative trends in filtering, where content producers deny access to their material from specific geographic locales (as BBC iPlayer does) and more intelligent, automated methods exist for detecting content and building lists.

No doubt, however, encrypted traffic, proxy services and other methods for defeating filters will also grow in sophistication. And so the battle continues!

Friday, August 12, 2011

Mobile App Devs Make the Same Old Mistakes

By: Konstantinos Karagiannis, Principal Consultant, Ethical Hacking, BT Global Services

In the realms of arts and leisure, everything makes a comeback. Bands take on retro sounds, movies get remade, and forgotten fashions cyclically find their way into shopping malls. Yet no one expects to say “what’s old is new” in the realm of technology.

Technology may be constantly evolving, but old development mistakes can plague even the most cutting edge applications or devices. There will always be someone who can find a way to use a gadget or application in a way the developer never intended. Needing to do so is the hacker spirit defined; looking for certain basic design mistakes, the core hacker skill.

Some of the basic coding mistakes we’ve seen in the past continue to crop up in apps developed for Fortune 100 companies. Otherwise, you wouldn’t hear of cross-site scripting (XSS), SQL injection or session hijacking. But secure coding has come a long way and a good number of web app devs “get it” now.

Yet, as we in the Ethical Hacking Center of Excellence (EHCOE) are finding, mobile platforms are “like, totally retro.” Lured into a sense of false security, mobile developers are making the same types of weak input validation and excessive trust mistakes as the early days.

Consider the cardinal sin of weak input validation. You can never trust user input.

Before XSS and SQL injection became popular hacks, apps were being owned via a simpler validation attack: parameter tampering. Say an app would request a user’s info with a parameter such as userid=bob. An attacker would change this parameter to userid=jim and get Jim’s info instead. Sometimes even a wildcard character like an asterisk (*) could be used, returning everyone’s information at once.

The earliest such attacks were possible because developers thought that only browsers could interact with an app. As developers learned, hackers always find a way. For example, a local web proxy allows attackers to intercept data streams sent by a mobile phone or device, whether it’s transmitting over Wi-Fi, 3G, 4G, or likely anything that comes next.

This kind of parameter tampering was possible because of a form of excessive trust. Logging in with a user ID and password is a good start, but the app has to then handle the session to ensure only the logged-in user has access to data thereafter. With a lot of trial and error, sane ways of handling sessions via strong cookies and changing token parameters came into widespread use in the 2000s.

Then user integrity took a dive when Web 2.0 apps were introduced.

While the main functions of most of these types of interactive apps would be secure, the Web 2.0 piece of the app, say Flex or AJAX, would make dangerous calls in the background, often to unhardened extra servers. Some of these calls would request personal information without any authentication!

Much like the example of changing userid=bob to userid=jim, Web 2.0 apps sometimes give information to anyone who guesses at a parameter and makes a properly formatted request. The rationale was that a user couldn’t see this traffic, so why secure it. Of course, that kind of thinking was wrong in the early days of the web, then in Web 2.0, and now in mobile apps.

We have seen some severe examples of weak input validation and excessive trust in mobile applications. Much like Web 2.0 apps, mobile apps often make dangerous, insecure calls to servers.

As a result of our ability to proxy traffic and see all calls that mobile apps make, we have saved clients major embarrassment or financial loss by finding flaws before the bad guys did. I’m not just being dramatic. Here are two dangerous examples of what we’ve seen:

Imagine a gift card app that lets an attacker generate hundreds of thousands of dollars in gift card codes for free. You better believe finding this led to one of those emergency conference calls. This was excessive trust at its worst, with an “invisible” server that happily sent codes to whoever requested them. All you needed to do was see how the app requested a valid card, and then tamper with parameters to get other codes.

Consider the disaster awaiting users of a loyalty program if the mobile app lets attackers get the complete personal information of all other users. All an attacker needed to do was log in with his or her account, then intercept subsequent parameters the app was sending. Guessing at other loyalty numbers (trivial) would return sensitive information of associated accounts. And it gets worse … the returned information could be used to take over these other accounts by resetting passwords, etc.

There is no mystical protection provided by mobile platforms. The servers that these apps reach out to are accessible by any Internet-capable device, including a hacker’s tool-laden laptop. And the apps themselves live on devices riddled with flaws—no system-wide encryption, default passwords for root-level accounts—that only make things worse.

For now, we’re enjoying the wild wild west vibe of mobile hacking. Why would we do this job if there were no opportunities for eureka moments and ego-boosting exploits? Still, we can’t hack every app in the world before it goes live.

Developers need to consider that mobile apps are no different than web apps in terms of secure coding practices. They have to make sure the apps deny all but what’s required to function, and mistrust the infrastructure on which they’re running.
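As an added illustration of the userid=bob / loyalty-number tampering described above (example code written for this page, not the authors’ or their clients’ code): the trusting lookup beside a hardened one that takes identity from the session and denies everything else. The user records, passwords and loyalty numbers are constructed, and no web framework is used, so a request is just a dictionary of parameters.

```python
"""Parameter tampering and excessive trust: a trusting lookup beside a
hardened one. All data below is constructed for the example; there is no
web framework, so a request is just a dict of parameters."""
import secrets

# Constructed sample records standing in for the back-end user store.
USERS = {
    "bob": {"userid": "bob", "email": "bob@example.test", "loyalty_no": "10001"},
    "jim": {"userid": "jim", "email": "jim@example.test", "loyalty_no": "10002"},
}
LOYALTY_TO_USER = {rec["loyalty_no"]: uid for uid, rec in USERS.items()}
PASSWORDS = {"bob": "bob-pw", "jim": "jim-pw"}  # constructed; plaintext for brevity


class Forbidden(Exception):
    """Raised when the caller is not entitled to the record requested."""


# --- Vulnerable: the server believes the userid parameter --------------------
def vulnerable_user_info(params):
    """No notion of who is calling: returns whatever record the client names,
    and a wildcard returns everyone, exactly the failure described above."""
    wanted = params.get("userid", "")
    if wanted == "*":
        return list(USERS.values())
    return [USERS[wanted]] if wanted in USERS else []


# --- Hardened: identity comes from the session; access is deny-by-default ----
SESSIONS = {}  # opaque random token -> authenticated userid


def login(userid, password):
    """Checks credentials and issues an unguessable session token."""
    if PASSWORDS.get(userid) != password:
        raise Forbidden("bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = userid
    return token


def hardened_user_info(token, params):
    """The record returned is the one owned by the session's user. A userid or
    loyalty number in the request is compared with that identity rather than
    trusted; anything else (another user, '*', an unknown number) is denied."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise Forbidden("no valid session")
    requested = params.get("userid", caller)
    if "loyalty_no" in params:
        # Map the number to its owner; unknown numbers map to "" and are denied
        # without revealing whether the number exists.
        requested = LOYALTY_TO_USER.get(params["loyalty_no"], "")
    if requested != caller:
        raise Forbidden("record belongs to another user")
    return [USERS[caller]]


def denied(fn, *args):
    """True if the call is refused with Forbidden, False if it returns data."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def demo():
    """Replays the tampering attempts against both handlers."""
    token = login("bob", "bob-pw")
    tampered = [{"userid": "jim"}, {"userid": "*"}, {"loyalty_no": "10002"}]
    return {
        # the trusting handler hands over 1 record, then all 2 of them
        "vulnerable_leaks": [len(vulnerable_user_info(p)) for p in tampered[:2]],
        "hardened_denies": all(denied(hardened_user_info, token, p) for p in tampered),
        "own_record_ok": hardened_user_info(token, {})[0]["userid"] == "bob",
    }


if __name__ == "__main__":
    print(demo())
```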

Retro can be fun, but we really don’t need the amount of vulnerabilities that sprang up in the 90s any more than we need a flannel-laden grunge rock rebirth.

Monday, June 20, 2011

Security of the Cloud: Challenges and Landscape

Theo Dimitrakos, PhD, Chief Security Researcher, BT

The cloud landscape continues to evolve quickly, and, as a true ecosystem, has seen the introduction of several new technologies, delivery models and players into the market. It is characterized by pooling and sharing of resources, broad network access, rapid elasticity, on-demand service provisioning (with a strong self-service element), offering measured service, supporting (although not necessitating) multi-tenancy. Cloud architecture offers a means of delivering information and communications technology (ICT) infrastructure, platform (i.e. application execution environment) and software as a service (SaaS), all of which support private, community, public and hybrid deployment models. The benefits of the cloud include cost and performance optimization, economy of scale, flexible utilization and charging model, ease of connectivity and access to shared services, cost efficient introduction of redundancy and continuity of provision.

These benefits of the cloud model for IT service delivery are attractive, but the very nature of the model means that customers have less direct control over the infrastructure and the data that is being hosted or processed by the external cloud providers. While this perceived lack of control is not a new development, the relatively new model of the cloud brings the issue into sharp focus.

Security, resilience and compliance are the main concerns that are challenging wider use of cloud computing and are the most likely to drive remaining innovation and market differentiation efforts in this area. The key security challenges facing cloud computing include regulatory compliance, absence of security standards and certification, confidentiality and integrity of data at rest or in motion in the cloud, data and process isolation, and multi-tenancy of shared security services. Such challenges come on top of the common security issues relating to the exposure points and layers offered as a service (i.e. infrastructure, platform, and software), the risk of externalizing management processes commonly performed by privileged users, vulnerabilities introduced by inadequately protected use of the virtualization technology that underpins cloud services, the security of integration with corporate IT infrastructure, and the lack of protection in depth when cloud services are integrated into the corporate infrastructure, effectively de- and re-perimeterizing it.

And, of course, the people factor is as important with cloud as with any other new paradigm at the peak of its hype. Once in the cloud, consumers often forget that data location and protection need to be treated diligently, and may relax governance controls that should continue to be applied. In addition, security and IT management professionals sometimes lack the necessary understanding of the key differences between traditional and cloud infrastructure deployments, hence running the risk of offering misleading advice or using outdated means to tackle new problems.

Several efforts have already been carried out and are also currently underway to help organizations understand these security issues and to help plan for them. The “Security Guidance for Critical Areas of Focus in Cloud Computing” by the Cloud Security Alliance (CSA) as well as the “Cloud Computing Risk Assessment” and “Security and Resilience in Governmental Clouds” reports by the European Network and Information Security Agency (ENISA) are some of the works in which BT has been involved from the very beginning. This is part of BT’s effort to understand and address the security issues facing its customers, as well as be forward-thinking and participate in exploration of new security ideas for BT and the industry.

We will discuss these efforts in an upcoming post.

Friday, June 17, 2011

Hold the IT Security front page

In the last few years YouTube, Twitter, Facebook and others have literally revolutionized the media environment; anyone in the world can now broadcast to the rest of the world…in seconds. And, as we have seen, they can do so ignoring injunctions and super-injunctions, and risking the wrath of governments to get their message out. Consequently the role of journalists is evolving from having the monopoly on providing information to taking on the role of helping people to derive meaning from what’s happening.

Nowhere is this more the case than in the security sector. So whether it is highlighting a new wave of phishing attacks or a particularly aggressive virus, security journalism is playing an increasingly vital role in raising awareness among businesses and the public about the issues surrounding security and the solutions they can implement to remain secure.

To reflect the important role that security journalists play, BT’s business continuity, security and governance practice has, for the last four years, been honoring IT security journalism in the UK. And nominations for the 2011 awards are now open for all UK-based journalists, and cover categories including: Best information security news story of the year; Best overall information security feature article of the year; Best privacy feature of the year; Best cybercrime feature of the year; and Best business continuity feature of the year.

The deadline for submissions is 15th July 2011 and all articles submitted must have been published during the calendar year 2010. The entries will be judged by a panel of leading independent figures from the security industry, and the winners will be announced at an awards lunch to be held in London in October 2011.

You can follow this year’s awards online @btviewpoint on Twitter, and #BTISJA is the hashtag for the awards. Regular updates will be posted on the BT Viewpoint blog, Facebook and LinkedIn. And if you want any more information you can email BTSecurityAwards@porternovelli.co.uk.

Wednesday, June 15, 2011

Are you wasting money on security?

By the BT Security Think Tank

It’s a question you need to ask yourself now and then.

Here’s an example of why…

Once, we did exactly the same as all sorts of other organisations. We employed security guards to protect our key premises – at night, at weekends and, in some cases, during the day.

To begin with, they performed valuable roles. When intruders were found, they apprehended them. Then they called in the police.

But things changed. Thieves started arming themselves. Concerned about the guards’ health and safety, we told them to let the professionals deal with any break-ins. All they needed to do was raise the alarm or otherwise call in the police.

And so things continued … for a while.

Eventually, we took a fresh look at the situation. By then, the guards had become little more than expensive monitoring systems. True – their presence reassured staff working on premises out of hours. But when it came to detecting intruders and calling in the police, it looked like a combination of door and window alarms, CCTV cameras and other technologies would do just as good a job and save us a great deal of money.

The question was would it work? Would our premises be put at risk?

There was only one way to find out – to give it a try. So that’s what we did. And guess what? We found that we were right. The result? We employ fewer security guards, but our premises are no less secure. If anything they are better protected than they used to be. Guards can’t be everywhere, after all. Thanks to an imaginative new use of technology, the eyes we employ are now keeping much better tabs on things that matter a great deal to us – our premises and the assets they contain.

What this story highlights is that you need a clear view of the return you’re getting from everything you spend on security.

The problem is that organisations tend to do this on a ‘fire and forget’ basis. They identify the risks they face and put measures in place to mitigate them. They may well go one step further and check they are getting the returns they hoped for. But often that’s it. If nothing untoward happens, they assume their investments are continuing to deliver a good return so they leave them as they are. If it ain’t broke, why fix it?

The thing is that what we’re trying to achieve with security is a balance between the cost of defences on one side and the costs of breaches on the other. Different organisations have different appetites for risk, so they’ll set the balance in different places along the scale. But as any engineer will tell you, once you’ve decided where you want the point of balance to be, you need a feedback system to maintain it.

All too often, this is missing.

At best, organisations end up paying for a greater level of defence than they need. Cash that could have been spent elsewhere goes to waste.

At worst, they end up with a false sense of security – one based on the fact that they haven’t experienced a problem – well, not yet.

Either way, the failure to get the balance right could cost them a great deal.

So, ask yourself again. Are you wasting money on security? Are you sure those defences are right?

Members of BT Security Think Tank include Ray Stanton (Executive Global Head of Business Continuity, Security and Governance), Bruce Schneier (Chief Security Technology Officer), Peter Scott (Director EUT, BT Security), Martin Brown (General Manager, Security Technology & Strategy), Steve Benton (BT Security – Head of Business Operations), Jim Tiller (VP – Operations and General Manager, BT US & Canada) and Theo Dimitrakos (Head of Security Architectures Research, BT Innovate & Design).

Monday, June 13, 2011

Beyond control

By The BT Security Think Tank

Do you trust people?

Who?

And why?

What makes you confident you can depend on them?

Searching questions, perhaps, but ones everyone involved in IT security is going to have to answer pretty soon.

The fact is that CIOs have less control than they used to – not just of the IT systems their organisations use but of the data they contain.

Take consumerisation – the increasing use of employees’ own devices in the workplace – for example. As it develops, IT managers will have less control of the platforms to which they deliver applications and services.

Or cloud services. To use them, IT managers have to put their organisations’ data in others’ hands.

To add to the problem, there’s the increasing use of closed operating systems, like iOS, that provide security on a ‘take it or leave it’ basis.

And the widespread adoption of social networking. Now it’s built into applications like salesforce.com, it’s getting very hard to limit who can send or say what to whom.

But before you panic, remember this: there never was a golden age when you had complete control. Even when you owned all your organisation’s computers and controlled all its data, you had to trust all sorts of individuals and organisations. Hardware and software vendors.  Communication service providers. Outsourcers and other business partners. Suppliers. Governments – they have rights of access, after all. And your fellow employees – the people who work in the organisations it’s your job to protect.

All we’re seeing now is a move to the next stage.

The IT business is maturing – fast.

There are far fewer opportunities to profit by doing things yourself. Consumer platforms are hard to beat. Cloud service providers achieve economies of scale their customers stand no chance of matching in house.

And the fact that you no longer have to deal with every aspect of security at every level is a good thing. If the people in and around your organisation can be trusted to do the right things, you can delegate responsibility to them. And if you can do that, you’ll get more time to focus on what matters most to your CEO – on helping your organisation apply information and communication technologies in ways that give it competitive edge.

So what about that first if? Now you need more trust, how can you build it at the ‘volume’ you need?

The answer is to focus on people and processes.

Starting with your workforce, you’ll need higher levels of security literacy than you may have got away with in the past. People will encounter new situations – situations that aren’t covered by standard rules and solutions. And when that happens, it will be their general understanding of how to work securely you’ll depend on – not their ability to follow rules.

Moving on to outsiders, it’s the way you outsource responsibility that makes the difference. And given there are few organisations that do absolutely everything themselves, there’s a wealth of standard tools you can use to do outsourcing properly and protect your organisation against risks. Consider contracts, governance frameworks, due diligence procedures and insurance policies, for example.

So don’t let the illusion that you’re in control today stop you taking advantage of the great innovations the IT business is coming up with. Don’t freak out when the time comes to delegate responsibility to someone else. Just make sure your people are ready, willing and able and the way you outsource responsibility is in great shape.

Members of BT Security Think Tank include Ray Stanton (Executive Global Head of Business Continuity, Security and Governance), Bruce Schneier (Chief Security Technology Officer), Peter Scott (Director EUT, BT Security), Martin Brown (General Manager, Security Technology & Strategy), Steve Benton (BT Security – Head of Business Operations), Jim Tiller (VP – Operations and General Manager, BT US & Canada) and Theo Dimitrakos (Head of Security Architectures Research, BT Innovate & Design).

Monday, June 6, 2011

Guest Post: The Mission of the Cloud Security Alliance

By Jim Reavis, Executive Director, Cloud Security Alliance

Cloud computing is all the rage today, even though many people are still confused about what it is.

Simply put, cloud is about using computing as a utility service with a pay-per-use model, with the ability to rapidly provision more or less compute and storage resources as needed.  Cloud aligns the cost of computing with its usage.  The primary value of cloud is not the obvious cost savings, but the agility to transform ideas into IT-enabled services in hours or days, versus taking months or years to do the same tasks with traditional IT.

However, the primary barrier to the adoption of any new information technology is the concern over security and trustworthiness, particularly a computer service that may be shared with many other organizations.

To that end, the Cloud Security Alliance was established in late 2008, with a mission to promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing.  CSA is a global, non-profit association with over 20,000 members in over 40 chapters around the world.

CSA is focused on the rapid development of best practices to secure the cloud, educating the community on the latest research and encouraging innovation to secure the cloud of the future.  We view our mandate as requiring a broad perspective, addressing governance, compliance and legal issues, as well as many different operational and technical concerns, including information lifecycle management, interoperability, identity management, encryption and virtualization.

We provide our research in the form of a wealth of free whitepapers and tools to simplify the architecture, adoption and assessment of secure cloud services.  We also have a user certification, the Certificate of Cloud Security Knowledge (CCSK), an online examination to demonstrate one’s proficiency in cloud computing security issues and best practices.  You can find out more at www.cloudsecurityalliance.org.

Tuesday, May 24, 2011

Take the Challenge

By Tara Savage, Senior Marketing Manager, BT Global Services

This week we’ve posted two pieces by Jill Knesek, BT’s CSO on why personal mobile devices do not foreshadow the downfall of corporate network integrity.   The bottom line as Jill sees it is that the benefits of having an empowered and educated workforce who can respond to a business need or a client request instantly far outweigh the potential threats posed by supporting personal devices on the network.  In fact, when her team conducted the risk analysis the threat posed by personal devices was no greater than by company-approved devices.

It seems like the topic of mobile device and application security and privacy is one of the hot topics at the moment; just ask the folks over at Apple and Google. Bruce Schneier, BT’s CSTO, alerted us to the Develop for Privacy challenge being run by the ACLU and the Tor Project. In much the same way that Jill’s team seeks to educate BT’s employees about issues related to security and privacy, this competition asks entrants to develop applications that will educate users about privacy issues related to mobile device use.

Are you interested in taking the challenge?  The competition closes on May 31st, 2011.

Good luck!