Analysis: a unified framework for IT security
The IT security sector must take a more unified approach to establishing industry-wide standards for all aspects of secure systems build and maintenance, argues E&T.
In IT security, the nature of the threat landscape is ever changing, ever volatile. Incidents of cyber crime are rising steadily, as is the cost and complexity of protecting enterprise systems and information from hackers, viruses, and other strains of malware. Cases of phishing and identity theft are also escalating. Social networking sites have, arguably, introduced additional vulnerabilities into the picture, as has the threat of criminal activity from imposters posing as legitimate users.
Twenty-first century 'cyber society' has created a generation of e-criminals who individually and collectively have the power to cause significant harm to national economies, upset the running of our national infrastructures, and beset the forces of law and order.
In the United States, President Obama has set out a strategy on how his administration will tackle the threat of malicious hackers, who threaten information systems in the workplace and at home. On the other side of the pond, meanwhile, the European Commission has called for a 'cyber security tsar' to be appointed, following criticism of member states for failing to work collaboratively on a joint e-crime prevention plan.
Action taken to combat security threats in the US, Europe and the UK is positive, but much greater international collaboration is needed to make information security measures more robust. Despite much good work by security industry bodies and trade associations, a unified strategy has not been forthcoming.
With this in mind, the Cyber Security Knowledge Transfer Network (KTN) - run by QinetiQ on behalf of the UK government's Technology Strategy Board - has launched a high-level international Roadmap document on the future of information security, privacy, and assurance. This Roadmap is the combined output of over 50 organisations around the world, all of which contributed to the research. They include industry leaders like Microsoft, the UK Cabinet Office, and the US Department of Defense.
The Roadmap's key findings address technical facilitation and professionalisation areas relating to improving worldwide information security by establishing a strategy to reduce the number of flaws and vulnerabilities in software. In terms of technical facilitation, the IT industry needs to address the management, modelling, testing, verification and validation of complex software and technology systems to improve security.
Use of secure coding languages for new software must also be increased, the Roadmap argues. Commonly used languages such as C allow - even encourage - programming practices that lead to security vulnerabilities. This needs to be addressed, and the use of secure coding driven throughout the sector. In time we could see market forces demanding that more stringent coding languages are introduced as standard.
Work in developing models and analytical tools to better predict security risk needs to be progressed. We have to adopt a 'what if' approach to predicting and pre-empting the failure of systems that will come under attack from cyber malevolents. We also need to establish trusted libraries of reusable code and components. Their production could improve assurance and lead to increased international research funding. This would enable trusted components to be developed and marketed for the benefit of the IT security industry.
Universally, industry must also define interoperability standards for system functionality and testing. In the future, these standards will allow the consumer to compare products on the market, creating more choice for home or business.
Addressing the practice of professionalisation is essential. The Cyber Security KTN is calling for industry to adopt an 'independent architect' to mediate between the technical and business worlds, to ensure security is taken seriously. There is a gulf between the IT department and senior management over whether to invest in information security procedures or simply not bother.
We need to take our collective heads out of the sand to look at developing national and international security standards. Standards spread good practice and assurance. In fact, the security industry suffers, not from a lack of standards, but from regularly adhering to the wrong standards.
Professional ethics should be espoused in lecture theatres around the globe, wherever ICT or computer science is being taught. The fact that IT undergraduates are not receiving adequate secure software training before they work at the frontline of software development should be a concern. This must change to benefit security measures in the future. Concomitant with this, the relevant professional bodies must nurture best practice.
The KTN's mission is focused on collaboration between industry, academia, and government; as part of this it welcomes the development of links with IET members from all disciplines to improve ICT security.
The Cyber Security KTN knows that the Roadmap will not solve the challenges associated with information security threats in the short term; however, it does hold the potential to change the international mindset on how we address them.
IT security is a critical issue. If action isn't taken now, international governments, businesses large and small, consumers, families and individuals will continue to suffer from cyber-security attacks, which will gain in strength and confidence as our defences fail to improve.
Tony Dyhouse is director of the Cyber Security KTN