A view on cyber security: Commenting on the UK government’s “ten steps to cyber security” advice (http://www.bis.gov.uk/assets/biscore/business-sectors/docs/0-9/12-1120-10-steps-to-cyber-security-executive). Presentation to students at the University College of London studying for MSc in Human Computer Interaction (sociotechnical systems and the future of work, soft systems methodology).
1. A view on cyber security
Commenting on the UK government’s “ten steps to cyber security” advice
http://www.bis.gov.uk/assets/biscore/business-sectors/docs/0-9/12-1120-10-steps-to-cyber-security-executive
Image source: Ministry of Defence: http://www.flickr.com/photos/defenceimages/6892189807/
9. Home and mobile working
“Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline build to all devices. Protect data both in transit and at rest.”
Image source: Simon Collison: http://www.flickr.com/photos/collylogic/5739130295/
10. User education and awareness
“Produce user security policies covering acceptable use of the organisation’s systems. Establish a staff training programme. Maintain user awareness of the cyber risks.”
Image source: Kaptain Kobold: http://www.flickr.com/photos/kaptainkobold/5181464194/
11. Incident Management
“Establish an incident management response and disaster recovery capability. Produce and test incident management plans. Provide specialist training to the incident management team. Report criminal incidents to law enforcement.”
Image source: kenjonbro: http://www.flickr.com/photos/kenjonbro/6289681274/
12. Information Risk Management Regime
“Establish an effective governance structure and determine your risk appetite – just like you would for any other risk. Maintain the Board’s engagement with the cyber risk. Produce supporting information risk management policies.”
Image source: Aidan Morgan: http://www.flickr.com/photos/aidanmorgan/5589187752/
13. Managing user privileges
“Establish account management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.”
Image source: Angus Kingston: http://www.flickr.com/photos/kingo/4051530414/
14. Removable Media Controls
“Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing on to corporate system.”
Image source: Thana Thaweeskulchai: http://www.flickr.com/photos/sparkieblues/3971234819/
15. Monitoring
“Establish a monitoring strategy and produce supporting policies. Continuously monitor all ICT systems and networks. Analyse logs for unusual activity that could indicate an attack.”
Image source: Bun Lovin’ Criminal: http://www.flickr.com/photos/myxi/4129235610/
16. Secure configuration
“Apply security patches and ensure that the secure configuration of all ICT systems is maintained. Create a system inventory and define a baseline build for all ICT devices.”
Image source: brunotto: http://www.flickr.com/photos/brunauto/4359223723/
17. Malware Protection
“Produce relevant policy and establish anti-malware defences that are applicable and relevant to all business areas. Scan for malware across the organisation.”
Image source: Martin Cathrae: http://www.flickr.com/photos/suckamc/271222157/
18. Network Security
“Protect your networks against external and internal attack. Manage the network perimeter. Filter out unauthorised access and malicious content. Monitor and test security controls.”
Image source: photosteve101: http://www.flickr.com/photos/42931449@N07/6088751332/
19. In summary
Image source: UK Government: http://www.bis.gov.uk/assets/biscore/business-sectors/docs/0-9/12-1120-10-steps-to-cyber-security-executive
Good afternoon. Thanks to Malcolm for inviting me back to UCL. And thanks to you all, for coming along this afternoon to listen to myself, and the other speakers here, saying a few words about cyber security.

My name’s Mark Wilson, and I’m an architect at Fujitsu. I spend quite a bit of my time commenting on industry trends and IT developments, helping to make the products and services that we sell relevant to our customers.

I don’t plan to talk too much about Fujitsu today, but often people think of a camera company (that’s a different company, called Fuji – nothing to do with us, as far as I know), or a PC manufacturer. So it’s worth me pointing out that Fujitsu’s business in the UK and Ireland is far more focused on managed ICT services than on hardware products – my history is from the side of the business that used to be Fujitsu Services and, before that, ICL; although we do have a division which was once the UK arm of Fujitsu-Siemens Computers, so we are an OEM, but that’s just one part of a diverse business.

That’s probably enough advertising for now – especially as I need to make something clear: I may work at Fujitsu but I’m not speaking on behalf of the company today. Nothing in this presentation should be interpreted as a statement for or on behalf of my employer, and what you’re about to hear are purely personal views; albeit views that are based on almost 20 years working in IT, three-quarters of which have been supplier-side.
This time last year, I was a guest at UCL, talking about an element of IT consumerisation: “bring your own device” or BYOD. This year, it seems that the topic is very different – we may be talking about cyber security but actually, I can draw a link between the two topics – cyber security is actually one of the concerns for many who are looking to implement BYOD programmes… We’ll touch on that in a moment but, first of all…

Cyber… Cyber space… Cyber crime… Cyber security… Are those even real words? What do they mean? And why should I be interested?

This is what I think of when I hear cyber-anything. And that’s as someone who was traumatised as a child by the Daleks and used to hide behind the sofa if I even heard the Doctor Who theme tune…

In all seriousness though, “cyber” sounds overly technical, and it makes people switch off.

That’s a problem. Because, when you think about it, many of the issues behind cyber security are behavioural – and addressing these affects not just the CIO but creates responsibilities across the board.
So, let’s take a look at the government’s “Ten steps to cyber security” paper…
Home and mobile working: “Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline build to all devices. Protect data both in transit and at rest.”

OK, that sounds sensible, doesn’t it? Now let’s consider the practicalities. With more and more users demanding to use an ever greater range of devices, or their own devices, applying a “secure baseline build to devices” is becoming less and less feasible. It’s also very old-world thinking, expensive, and part of the reason that 70% of IT budgets are spent on “keeping the lights on” rather than innovating. Instead of worrying about devices and operating systems, we should be concentrating on data and applications – applying appropriate access controls so that a compromised device on the network is less of an issue. That’s where the last part – protect data both in transit and at rest – makes sense: encrypted partitions on devices, separating personal and business data; and encrypted communications between devices using established technologies like IPSec and HTTPS (SSL/TLS).
User education and awareness: “Produce user security policies covering acceptable use of the organisation’s systems. Establish a staff training programme. Maintain user awareness of the cyber risks.”

Yep. Fine. Pretty much every organisation I’ve ever worked with has done this (client side or supplier side)… Where we can all get a lot stronger is the user awareness. People still click on links that go to places they shouldn’t, and phishing is getting more and more sophisticated. We all need to be naturally suspicious of any email or web link, and know how to spot the warning signs of something potentially malicious, particularly as more and more of our computing is transacted on web-based systems.
Incident Management: “Establish an incident management response and disaster recovery capability. Produce and test incident management plans. Provide specialist training to the incident management team. Report criminal incidents to law enforcement.”

Again, no arguments here. Disaster recovery is an interesting one – arguably the availability of low-cost infrastructure-as-a-service offerings gives us more potential to build “cold standby” systems. But what constitutes a disaster? Which systems are critical? ICT continuity is another term to investigate here. Either way, it’s a combination of people, processes and technology!
Information Risk Management Regime: “Establish an effective governance structure and determine your risk appetite – just like you would for any other risk. Maintain the Board’s engagement with the cyber risk. Produce supporting information risk management policies.”

The thing to remember about all of this advice is that it costs money. That’s not to say that it shouldn’t be done, but it does make the information risk management regime vital. If you’re not paying too much attention to something, know why you’re not, and know what the implications are.
Managing user privileges: “Establish account management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.”

Absolutely! If we’re going to drag IT departments out of the world of locked-down Windows PCs and actually start to use IT as an enabler for new ways of working, rather than as a tool that tells us how to use it, we need to move up to a place where we’re securing access to data and where we’re more interested in the applications than the devices. Managing user privileges is key to this…
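The three checks in that step (few privileged accounts, privileged activity watched, audit logs out of reach of the people they record) are the kind of thing a periodic account review can script. The following is an added example, not code from the talk or from Fujitsu: it runs a privilege review over a constructed account inventory. The role model, the permission names, the account names and dates are all assumptions invented for the example.

```python
from datetime import date, timedelta

# Constructed role-to-permission model (an assumption for this example).
ROLE_PERMISSIONS = {
    "user":    {"app:read", "app:write"},
    "admin":   {"app:read", "app:write", "system:configure", "accounts:manage"},
    "auditor": {"auditlog:read"},
}
# Holding any of these makes an account "privileged" for the review.
PRIVILEGED = {"system:configure", "accounts:manage"}
# Audit logs should be append-only from everyone's point of view: nobody
# should hold a permission that lets them rewrite or remove them.
AUDIT_LOG_MUTATING = {"auditlog:write", "auditlog:delete"}

# Constructed account inventory; names, roles and dates are invented.
REVIEW_DATE = date(2024, 3, 12)
ACCOUNTS = [
    {"name": "alice",      "roles": {"admin"},   "extra": set(),               "last_login": date(2024, 3, 10)},
    {"name": "bob",        "roles": {"user"},    "extra": set(),               "last_login": date(2024, 3, 11)},
    {"name": "svc-backup", "roles": {"admin"},   "extra": set(),               "last_login": date(2023, 10, 1)},
    {"name": "carol",      "roles": {"admin"},   "extra": {"auditlog:delete"}, "last_login": date(2024, 3, 12)},
    {"name": "dave",       "roles": {"auditor"}, "extra": set(),               "last_login": date(2024, 3, 12)},
    {"name": "erin",       "roles": {"user"},    "extra": {"auditlog:read"},   "last_login": date(2024, 3, 12)},
]


def effective_permissions(account):
    """Union of the permissions granted by roles plus any direct grants."""
    perms = set(account["extra"])
    for role in account["roles"]:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def privileged_accounts(accounts):
    """Sorted names of accounts holding at least one privileged permission."""
    return sorted(a["name"] for a in accounts if effective_permissions(a) & PRIVILEGED)


def audit_accounts(accounts, today=REVIEW_DATE, max_privileged=2, dormant_days=90):
    """Return review findings: privileged-account count against a ceiling,
    dormant privileged accounts, anyone able to alter audit logs, and audit
    log readers outside the auditor role."""
    findings = []
    priv = privileged_accounts(accounts)
    if len(priv) > max_privileged:
        findings.append({"check": "too_many_privileged", "account": None,
                         "detail": f"{len(priv)} privileged accounts, ceiling {max_privileged}"})
    for a in accounts:
        perms = effective_permissions(a)
        if a["name"] in priv and today - a["last_login"] > timedelta(days=dormant_days):
            findings.append({"check": "dormant_privileged", "account": a["name"],
                             "detail": f"last login {a['last_login']}"})
        if perms & AUDIT_LOG_MUTATING:
            findings.append({"check": "audit_log_mutable", "account": a["name"],
                             "detail": sorted(perms & AUDIT_LOG_MUTATING)})
        if "auditlog:read" in perms and "auditor" not in a["roles"]:
            findings.append({"check": "audit_log_read_non_auditor", "account": a["name"],
                             "detail": "audit log access granted outside the auditor role"})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(ACCOUNTS):
        print(f"{f['check']:28} {f['account'] or '-':12} {f['detail']}")
```

The ceiling and the dormancy period are policy choices that belong in the risk regime the talk discusses later; the script only makes the current state visible so the decision is an informed one. A real review would read the inventory from the directory or IAM system rather than a literal list.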
Removable Media Controls: “Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing on to corporate system.”

Hmm… This depends on the roles that workers are undertaking. Maybe for task-based workers, but the chances are they are only accessing a few line-of-business applications and don’t have any local data. In my work, I’m subject to controls like this – but I have to justify an exception (renewed annually) in order to be able to do my job properly!
Monitoring: “Establish a monitoring strategy and produce supporting policies. Continuously monitor all ICT systems and networks. Analyse logs for unusual activity that could indicate an attack.”

Sounds sensible? It probably is… but it’s no good collecting logs unless you have a way to process them. Be sure that you know what you’re looking for, and how you’re going to find it!
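“Know what you’re looking for” means writing the question down as a rule before the logs pile up. The following is an added example, not code from the talk: a small detector that runs two such rules over constructed sshd-style authentication log lines (hosts, users and addresses are invented, and the year is an assumption because syslog timestamps carry none). Rule one flags a burst of failed logins from one source; rule two flags a successful login from a source that has just produced such a burst, which is the outcome a monitoring team most wants to hear about.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd/syslog-like format; the host, users and
# addresses are invented for this example.
SAMPLE_LOG = """\
Mar 12 09:00:01 host1 sshd[2001]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Mar 12 09:01:10 host1 sshd[2002]: Failed password for bob from 203.0.113.7 port 40001 ssh2
Mar 12 09:01:12 host1 sshd[2003]: Failed password for bob from 203.0.113.7 port 40002 ssh2
Mar 12 09:01:15 host1 sshd[2004]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Mar 12 09:01:19 host1 sshd[2005]: Failed password for bob from 203.0.113.7 port 40004 ssh2
Mar 12 09:01:23 host1 sshd[2006]: Failed password for bob from 203.0.113.7 port 40005 ssh2
Mar 12 09:01:40 host1 sshd[2007]: Accepted password for bob from 203.0.113.7 port 40006 ssh2
Mar 12 09:30:00 host1 sshd[2008]: Failed password for carol from 10.0.0.9 port 51000 ssh2
Mar 12 09:45:00 host1 sshd[2009]: Accepted password for carol from 10.0.0.9 port 51001 ssh2
Mar 12 09:46:00 host1 CRON[2010]: pam_unix(cron:session): session opened for user root
"""

# syslog timestamps have no year; this value is an assumption for the example.
ASSUMED_YEAR = 2024

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd password-auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the padded day field ("Mar  5") before parsing.
    ts = datetime.strptime(f"{ASSUMED_YEAR} {' '.join(m['ts'].split())}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window=timedelta(minutes=2)):
    """Run two rules over the log and return their alerts in time order.

    brute_force: `threshold` failed logins from one source inside a sliding
    `window`; raised once, at the event that crosses the threshold.
    success_after_failures: a successful login from a source that still has
    `threshold` or more failures inside the window.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # source address -> failure timestamps
    alerts = []
    for ev in events:
        src = ev["src"]
        # Forget failures that have aged out of the window for this source.
        recent_failures[src] = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent_failures[src].append(ev["ts"])
            if len(recent_failures[src]) == threshold:
                alerts.append({"rule": "brute_force", "src": src,
                               "user": ev["user"], "ts": ev["ts"]})
        elif len(recent_failures[src]) >= threshold:
            alerts.append({"rule": "success_after_failures", "src": src,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']:%H:%M:%S} {a['rule']:24} src={a['src']} user={a['user']}")
```

The threshold and window are the tuning knobs the talk is really pointing at: set them against what the organisation considers unusual, and expect to revisit them once the first week of alerts has been looked at. The single failed login followed by a later success from 10.0.0.9 in the sample is deliberately left silent, because a rule that pages on every typo is one that gets switched off.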
Secure configuration: “Apply security patches and ensure that the secure configuration of all ICT systems is maintained. Create a system inventory and define a baseline build for all ICT devices.”

As I mentioned earlier, this is getting harder to achieve in reality, with more and more end-user-controlled devices. Corporate machines might be subject to “desired configuration management”, and it’s true that we do have software for mobile device management and mobile application management to help with BYO devices, but it’s my belief that we have to start thinking of the corporate LAN as a “dirty” environment, just as we do home networks and the Internet. Where it should be clean, though, is the datacentre. The controls advocated by the government absolutely make sense there.
Malware Protection: “Produce relevant policy and establish anti-malware defences that are applicable and relevant to all business areas. Scan for malware across the organisation.”

I can’t believe there is any medium or large IT organisation that’s not doing this already. But as well as preventing the spread of viruses, worms and trojan horses, it’s equally important to recognise attempts to lead users into taking action (clicking on malicious links, for example) and to address this through the use of software and education.
Network Security: “Protect your networks against external and internal attack. Manage the network perimeter. Filter out unauthorised access and malicious content. Monitor and test security controls.”

It’s a cliché, but the one shown above is the only sort of secure network… and that’s not too useful for transmitting data… The “perimeter” is an outdated concept. With increased mobile working and cloud computing it’s not practical to view the corporate LAN as a bastion. We need to firewall at the application level, and to protect our datacentres, but spending more and more money plugging holes in an increasingly permeable corporate firewall is a thankless task. That doesn’t mean we shouldn’t monitor and filter, but don’t expect it to be clean.
Nothing is perfect. The government’s ten steps are, mostly, common sense. But they could also be very costly to implement in full.

For that reason, the most important piece of advice is probably to understand your organisation’s appetite for risk. Then, consider carefully the implications of implementing a change, or not.

For example, if all of your information is secured in your line-of-business systems (either hosted on premise, or in “the cloud”), then it’s probably not too big a concern if a device is stolen (as long as access to systems is secure). Similarly, if the access that users have to data is secured effectively, then the implication of a misuse of privilege (deliberate or otherwise) is lessened.

And as for hosting data with a third party (outsourced, or in the cloud), many of the quoted security concerns often come down to fear of change and loss of control. With appropriate controls in place, there’s no reason to believe that information is any less secure. Indeed, it may be more secure if the supplier’s processes and procedures are more robust than your own!

As a strategist, I have to say that this cyber security advice is aspirational and tactical – but it needs to be taken with a healthy dose of pragmatism and an eye to the future. If you can design systems to avoid these issues, then do – but don’t spend time, effort and money trying to fix problems where the risk of occurrence and the associated impact are small.