One of the more contentious questions around cyber-security concerns legislated ownership of the problem - where the buck stops in law - and whether tougher legal penalties would prompt security-lax organisations into upgrading their systems; at a specially-convened panel at CeBIT this week the possibility of making CIOs of negligent organisations personally culpable also came up for debate.

As befits an ICT event of CeBIT's reach, security is a major component of the week-long proceedings, with most of the major vendor names in this sector exhibiting in Hall 12 this year. The media briefing to address the topic of 'What is next for cyber-crime' included speakers from very different security solutions providers, including US firewall specialist Palo Alto Networks, UK super-VAD Wick Hill, and the second most well-known Russian anti-virus/spywear/spam vendor, Dr Web.

The panel's purview on the current state of the 'threat landscape' sounded largely discouraging: it foresaw no respite from cyber-criminals' ingenuity and determination to increase their swag of stolen cash and re-salable data. Phishing and extortion continue to rise, as does the exploitation of personal information harvested from social media. The breaching by the leading-edge hackers of encrypted authentication certificates debilitates one of the foundations of the trust framework that enables the use of the Web for financial transactions and trusted information exchange.

Wick Hill chairman Ian Kilpatrick opined that the security threat is enlarging "because the range of vulnerabilities grows each time a new smartphone or tablet PC is switched on for the first time". Statistics support this view, but before we get to vulnerabilities, the question of responsibilities has to be clarified. Some prickly points were raised with special regard to the effect that the proliferation of mobile devices is having on cyber-crime dynamics, such as:

Should end-users be held solely responsibly for ensuring that their Internet-connected devices are properly secured?

Is it responsible for the mobile device industry to sell unsecured products leaving it to end-users to make the arrangements?

Should software companies who disseminate insecure apps and mobile operating systems abetting cyber-crime?

On the question of CIO culpability the panel was divided; some felt it was distractive to the 'real' fight against cyber-crime, others of the opinion that legal penalties remain an effective way of enforcing policy. One speaker stayed silent. Wick Hill's Ian Kilpatrick suspected that whereas CEOs - and CIOs to an extent - will forever be impervious to technological arguments for better security, they will take notice of financial penalties imposed by, for example, the UK's Information Commissioner's Office. "The ICO used to be a toothless tiger; now it has teeth and it is biting people [with fines]". That's when security becomes the kind of financial imperative the execs can understand.

But if negligent CIOs are to be sent to gaol for forgetting to browbeat beleaguered IT departments into upgrading back- and front end network security, shouldn't the same stringency be enforced at a desktop level as well: cracking down on end-users who carelessly respond to phishing attacks and/or mislay sensitive data, by making observance of security policies core to their contracts of employment?

This sort of debate runs and runs in the security sector, but there is one precedent for bring habit change in the way more rigorous health & safety regulations have been introduced and applied. Your reporter was advised during induction by a previous employer that if I spilled a drink anywhere in the building - while carrying a coffee back to my desk, say - and failed to wiped it up, and a colleague slipped on it and injured themselves, I might be personally liable for any damages that ensued. Furthermore, if I saw some spilt coffee that someone else had left, and did nothing about it, I might also be liable. I dunno whether this was just a scare tactic, but it worked. Any splosh of beverage I spotted on the stairs had me scampering for some paper towel.

That employer had IT and computer usage guidelines which I was asked to read, but never asked if I actually complied with that request; nor did it advise me of any penalties that I would face were I to misuse my company email or Web access.

Edited: 29 August 2012 at 03:15 PM by Buzzsore Moderator

It's already turned into a long week for UK law in its struggle to keep abreast of the way in which the web is being inculpated in controversial changes to the workings of society. After Twitter took heat over its role in subverting a superinjunction, today sees the theoretical introduction of the EU's so-called 'cookies law' that mandates that users should be the ones to decide whether they accept cookies or not, rather than the website that the owners of visit.

As Buzzsore's blogmate Pelle Neroth has noted ('View from Brussels', 17 May), the new legislative proposals have sparked much debate about how users will react to being offer a new set of permissions, and the fact that many online services that depend on authentication tools have up till now developed on the basis of a reasonably laissez faire attitude toward cookie acceptance.

Although the law theoretically becomes enforceable as of 25 May, 'passion mixed with pragmatism' law firm Thomas Eggar reckons that mixed messages coming from the Information Commissioners' office mean that UK businesses lack formal guidance as to their obligations and liabilities regarding the directive. 'The huge commercial value to businesses of the information made available by cookies means that there is a large investment to be made in offering users appropriate and informed choices where the information stored could be intrusive,' it says. Meanwhile, businesses will 'take comfort' from the government's assurance that the ICO will 'not be taking enforcement action against them if they are working to address their use of cookies'.

Edited: 25 May 2011 at 05:03 PM by James Hayes

'Everyone seems to be jumping on the Royal Wedding bandwagon,' admits Imperva in a wedding's-eve cyber-crook alert, 'including hackers who are using it as a revenue generating opportunity' - and, of course, data security firms looking for a PR bung.
A poll Imperva conducted last week among visitors to Infosecurity Europe 'reveals' that 38 per cent of security professionals have witnessed tomorrow's confetti fest being used for 'malvertising', 34 per cent have seen wedding-related spam (the email kind, rather than canned meat in the reception buffet), and 20 per cent incidents of search engine poisoning.
"We're not surprised by the results," says Imperva's rather ingenuous CTO Amichai Shulman; yet, he observes, in one of the understatements of the week, "it is worrying that criminals are systematically jumping on every opportunity to illegally make money by identifying, and utilising, revenue-generating opportunities that utilise stolen credentials or inject malware." Um, worrying... Yes...

Edited: 28 April 2011 at 04:00 PM by James Hayes

"Let me ask you a question: what is easier to sell - aspirin or vitamins?"
Philip Lieberman, CEO & president of Lieberman Software answers his own question: "You'd say aspirin, right? Because it relieves you when there is pain. But if I then try to sell you vitamins, as a preventative against future pain, you would likely decline because the aspirin is still making you feel good, even though the old pain is still there behind the palliative. You can apply the same lesson to how we think about anti-virus/anti-malware software - the 'aspirin'."
Former physicist (Michael Faraday is a hero) Leiberman is at Infosecurity Europe to launch the latest version of his firm's Enterprise Random Password Manager, which automates the credentials management process of privileged accounts in data centres. He also takes the opportunity to expound his take on 'plausible deniability', which in the information security context describes how and why many stateside enterprises - large and small - continue to spend hundreds of thousand of dollars of anti-virus and anti-malware software, rather than take a step back and ask the unpalatable question 'Do we really need to be buying this stuff?'
His view is that the information security industry now thrives to great extent on the fact that many companies would rather operate on the 'business as usual at all costs' model, than fully address the reasons why their IT systems are still vulnerable to attacks from cyber-criminals and other Web-borne malevolence.
"Plausible deniability in this scenario means that no matter how flawed a company's defensive strategy is, and how much it spends on traditional security products, when attacks keep coming, and the systems are compromised, and data is lost, they can, if challenged by a regulator, hold up their hands and say 'Not our fault. We have security systems in place. Blame them'."
Lieberman's prognosis describes a defensive landscape when revenue considerations supersede those of utmost governance, and increasing numbers of corporates opt to spent on IT security only what they need to in order to demonstrate that they have recognised a requirement and made an effort toward it. This may sound scary to the big players that dominate the AV/AM software market - Sophos, Symantec, Eset, McAfee, Kaspersky Lab, Trend Micro, et al - because it means that the market may prove less and less willing to pay a premium for innovation.
And if as a result of failing regulator compliances - like SOX and Basel II, etc. - due to poor security enterprises are fined by regulators, they will simply write-off the cost.
"In short, they prefer to pay fines rather than properly remediate the problem," Leiberman says, "because fine is a cost to daily business, whereas security re-engineering that might disrupt operations is a cost to business. It is as simple as that."

Edited: 26 April 2011 at 10:31 AM by James Hayes

Despite the assured successes displayed by the IT security industry evidenced at Infosecurity Europe this week, one key question that has been haunting this sector for years remains unanswered:
if it is agreed that thoughtless employees are now the cause of a significant proportion of enterprise security breaches, shouldn't they be subject to the same tough legal penalties that we expect law enforcement agencies to direct at cyber-criminals and other online do-badders? We're not necessarily talking about those staff who willfully transgress, but the kind who do stupid things like responding to phishing attacks, leave access codes and passwords openly displayed, download inappropriate content, or let their children use a work laptop to access insecure websites, etc.

Each day employees get demoted or fired for doing something that contravenes the terms and conditions of their contracts of employment, or some aspect of statutory employment law; it's a fair bet that very often these offences are, on balance, of less importance than transgressions involving IT security.
The issue of enforcing information enterprise security policies and procedures, and of taking disciplinary action against dozy staff who misread or ignore them has long been a red-hot potato inside organisations. The IT function has shied away from suggestions that it should take on the role of IT security enforcers. The HR function typically, while acknowledging the problem, shrugs and says 'We're just simple personnel shunters; what do we know about computers?'
Line managers would seem to be next next obvious candidate to apply disciplinary action against subordinates guilty of losing valuable data, or inviting viruses and malware onto the enterprise system by reckless browsing, but very few organisations have seen the sense in this; as for senior execs, forget it - according to survey after survey, they are the cause of more security incidents than anyone else.
And so, as Infosecurity Europe buzzes toward its conclusion, no viable remedial action is forthcoming, and a large contributory factor to the enterprise security burden continues unchecked.

Edited: 21 April 2011 at 02:22 PM by James Hayes

News released at Infosecurity Europe that 66 per cent of polled junior executives and IT staff would take confidential company information with them if they left their current employer raises one very obvious question: why only 66 per cent?
The findings came today in a survey from esteemed security software provider Cyber-Ark in its latest 'Trust, Security, and Passwords' survey. It found that most IT staff and 'C-level executives' (are there any other kind?) surveyed would 'definitely take confidential company information when they left their organisation'.
"Organisations could find themselves with their data walking out of the door and into the hands of the competition," says Cyber-Ark European VP Adam Bosnian - assuming that these departing self-confessed data filchers would not webmail it away, rather than risk detection by having it about their person as they stroll from the workplace for the last time.
Despite the 66 per cent of respondents who admit that they would take this information, both C-level professionals (93 per cent) and IT staff (86 per cent)  acknowledged that they 'have no right to these details' (87 per cent globally overall). This suggests that there remain around 10 per cent of the workforce who do claim co-ownership over the data they have worked on or are trusted with access to.
Such surveys are prone to overlooking the fact that today's mashup morals mean that many employees are inclined to take a 'proprietorial' interest in data sets they have worked on. The 'moral' relationship between employees and employers has altered radically in the last decade, to the point where self-interested staff see stealing data as 'payment in lieu' of that pay rise or promotion that never came through. 'As ye stuff, so shall ye be stuffed' is the ethic at work here.

A thematic imperative at Infosecurity Europe this year is managing the growing risk created by the rise of the mobile enterprise, and the complexities that this creates for many organisations. But how many of those complexities are the result of kow-towing to user petulance?
Cisco is one of several exhibitors introducing new network control and security solutions to help the IT function address the growing number and range of mobile devices requiring access to their networks. Speaking at Infosec, Cisco's director of security sales Gordon Thomson contends that IT security products have been biased toward endpoint devices, and that security control implemented on the network itself is the way toward making the mobile enterprise secure.
The situation is exacerbated by end-users who are deamnding the right not only to use devices of their own choosing (rather than those procured by the IT crowd), but also devices of their own purchasing (when employer budgets do not extend to meeting the cost of the latest smartphones or tablet PC).
Cisco's Thomson is minded to bow to this - if enterprise networks can still be made secure, and if end-users are willing to commit to accepting full responsibility for accepting - and sticking to - security practice, and take the rap in full when they fail to.
It's all part of the "commoditisation of risk", where 100+ per cent security is not deemed as a operational absolute, and indeed, over-secured enterprise IT becomes a business inhibitor. Snag is, who is best placed to make the value judgment as to where less security is acceptable?, asks Thomson.
Another key point raised by the 'I want to use whatever endpoint device I desire' is getting end-users' agreement to a relation between device preference rights and quantified productivity. People want to use the IT tools that they prefer, because they say that it makes them more productive; but how many of them would revert to using a company bog-standard-issue dumbphone, say, if it turns out that they are in fact no more productive as a result?

Eager journalists attending the first day of the Infosecurity Europe hoping to learn the latest about the dark arts of IT security were intrigued to find the press office plunged in gloom due to a power outage.
"Never mind, we can generate our own energy from the brilliance of our thoughts," quipped one waggish hack, although in the event the collective grey matter of the Infosec press corps proved unequal to the task of keeping the banks of PCs juiced-up. Arriving newshounds scurried off in search of working power sockets and friendly WiFi hotspots in order the file their news stories and blogs.

Edited: 26 April 2012 at 09:24 AM by James Hayes

Security services are reportedly revisiting the investigation into the so-called 'Flash Crash' on the New York Stock Exchange - May 6, 2010 - when some $866bn was wiped off of the value of US stocks. According to a report in today's Times newspaper, what was thought to be caused by a software glitch causing automated trading systems to throw a wobbly, may have been evidence of a cyber banditry; according to Times' journo David Robinson, the Flash Crash incident seems to conform to a pattern of cyber-attacks that has emerged over the last 10 months. You can read E&T's own investigation into the Flash Crash.