23.01.2012 by Martin Kuppinger
The hot topic in IT (and beyond, for many organizations) in 2012 will be Security, including all its facets such as Identity and Access Management, SIEM (Security Information and Event Management), Anti-Virus and IDS/IPS (Intrusion Detection/Prevention Systems), and all the other components. That will also give the GRC market (Governance, Risk Management, Compliance) another strong push, because GRC tools are increasingly used to define and manage security controls in a consistent way. GRC is becoming the business interface to security management, translating the complex information for the business and providing a consistent insight. This consistency is mandatory for a holistic view on increasingly complex attack scenarios.
The reason why security will be the topic in IT this year is simply that the number of attacks from the Internet is increasing. In popular terms this is frequently called “cyberwar”. However, most of it isn’t war; most of it is organized crime. So we should be careful with the term “war” in that context. Nevertheless, there are more cyberthreats than ever before. More precisely, there are many groups of attackers on the Internet. Governments are attacking other countries – as (most likely) in the Stuxnet case. Hacker groups are attacking states and industries, as in the recent Symantec source code leak, which appears to have been an attack of an Indian group of hackers against an Indian government agency, or in the recent Anonymous attack targeted against the finance industry. And many different groups, from nation-states to politically-inspired hacker groups to organized crime, are attacking companies. The reported proportion of large companies having been attacked in 2011 is coming close to 100%. There is an increasing number of attacks against SCADA (Supervisory Control And Data Acquisition) systems, i.e. systems controlling industrial environments and the like.
There are different motivations of attackers. There is the “war” part, which most likely runs as part of a bigger “hidden war” (think about the recent killing of an Iranian expert from the nuclear industry) for example between Israel and Iran. There are the criminals, looking for money. There are the hackers, looking for honor and glory, for acceptance, for domination; following their social or political targets, they are also attacking a lot of different targets.
Regardless of the motivations, the game has fundamentally changed during the past two years. And I’m convinced that what we see is only the tip of the iceberg – and only the beginning. However, in 2011 not only have the threats increased but (fortunately) so has the awareness of organizations. Nevertheless, there is a significant gap between the level different attackers have reached and that of the potential targets. So the potential targets have to react and invest in security.
As I’ve written in several of my other posts, especially around SIEM and the need for holistic security concepts, it is mandatory to address the growing security challenges with a holistic perspective. APTs (Advanced Persistent Threats) are proving that attacks are getting more complex and sophisticated – and that there is no way to counter them with a single layer of security.
If you want to learn more about these issues, EIC 2012 is the conference to attend. See you in Munich in April.
08.12.2011 by Martin Kuppinger
This week was the 6th National IT Summit in Germany. As always, that’s where big speeches are made and little happens. The German BITKOM (Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V.), the IT and communications industry association, put the topic of smart networks (or grids) on the table. They requested initiatives (and money) to build such networks. That comes as no surprise, given that the smart world will require massive investments. So driving this forward makes sense.
However, the big problem to solve for this smart world – whatever it will look like – is security. I’d blogged about this quite a while ago, titled “Is an insecure smart planet really smart?” This question is not only still valid, it has become increasingly important. In Germany, there has been a large exercise – sort of a field exercise – just recently, called LÜKEX. Many governmental organizations, police, and others are involved, this time upwards of 3,000 persons. In former years it has been about terrorist attacks with bombs and the like. This year it has been about CyberSecurity.
Networking the world requires a very well thought out approach to security. And it requires the willingness not to connect everything. The problem is that many of the initiatives around smart “whatevers” ignore this. There is a BITKOM presentation from mid 2011 which does not even mention security. Fortunately, BITKOM at least mentioned the need for security at the National IT Summit. Nevertheless it looks like the need is neither fully understood nor adequately prioritized. My perspective is that it has to be priority number one for everything which is done around the smart world. Without security, nothing will be smart.
And even with well-thought security we have to be always aware that everything we network, especially including all the SCADA devices, will massively increase our security risks. So being not too smart might be smarter sometimes.
19.10.2011 by Martin Kuppinger
Yesterday, news about a new trojan spread. The trojan is called Duqu or, correctly, W32.Duqu. It appears to be based on Stuxnet code and is thus targeted against industrial automation equipment. However, unlike Stuxnet the new trojan isn’t designed to sabotage industrial control systems but steals data. So it is most likely just the precursor to the next Stuxnet-like type of attack. Duqu was, from what we know, targeted against selected organizations mainly in the area of software development for industrial automation. It does some espionage there, collecting information which then might be used in the next attack wave. It appears that Duqu deletes itself after 36 days.
Interestingly, Stuxnet used digital certificates which had been “stolen” before. Duqu used other digital certificates which seem to have been generated directly in the name of other companies, bypassing the security of CAs. That fits well with current attacks on CAs, with DigiNotar being the most prominent victim (and now out of business), and other indicators.
The server in India which has been used by Duqu to provide information back to its creators is now blacklisted by its ISP and thus no longer works. However, chances are that there are more instances of Duqu and Duqu-like trojans either out there or on their way.
Duqu proves two assumptions:
- Industrial automation increasingly becomes a target of attackers – and Stuxnet was only the first of its type (which has been detected)
- Attacks are increasingly sophisticated – APTs aren’t a fairytale, they are real
The consequence is that not only the business IT environments need adequate protection but industrial environments as well – they might even need better protection. And if feasible, technical isolation of these networks is a pretty good idea. No net, no (online) attack. Besides this, there is no reason to assume that you are safe against attacks, whichever precautions you take. Thus it is about being proactive at any stage – preventing attacks, identifying attacks, dealing with attacks.
Some valuable information around that has been provided in a recent KuppingerCole webinar – have a look at the webcast.
09.10.2011 by Martin Kuppinger
Last week, IBM announced the acquisition of Q1 Labs. The same day, McAfee announced its plans to buy NitroSecurity. Not that long ago, HP bought ArcSight. Obviously, SIEM vendors are very attractive to the large players in IT. SIEM, the acronym for Security Information and Event Management, consists of two disciplines. One is about managing the security information from different sources, the other is about real-time analysis of that information to identify events.
Given the increasing security threats (no, these aren’t just challenges anymore), having approaches in place which help in identifying security issues in time is essential. Relevant data is found in a large number of sources. Collecting, aggregating, correlating, and analyzing that data is supported by SIEM tools. However, with incredible masses of data, two issues become evident:
- SIEM requires a strong knowledge about security to be able to understand security information from different systems and their relationship.
- The art of SIEM is to identify – at best – exactly the critical situations which need to be handled. Not more, not less.
Given that real IT security experts are a rare species (at least compared to the demand), it isn’t easy to address the first point. Working with MSSPs (Managed Security Service Providers) might be one option. However, IT security has to play a much more prominent role in education, even though that will close the gap between supply and demand only slowly, if at all.
The other point is that SIEM is not mainly about tools. SIEM tools are only as good as the way they are used. If you end up with too many events you have to analyze manually, you haven’t won anything. If you end up with a situation in which some critical events aren’t detected, you have lost. Configuring SIEM tools optimally is an endeavour which takes time and which requires a lot of up-front thinking. It is about identifying the controls you should have in place, it’s about understanding your security risks and the potential attacks, it is about understanding the relationship between the different steps of more elaborate attacks like APTs (Advanced Persistent Threats).
So, as popular as SIEM might be: SIEM tools are nothing but tools, until someone configures them right. So moving towards SIEM is not mainly about buying a tool, but about the controls, the configuration, the use of these tools. So don’t feel safe once you’ve bought a SIEM tool – feel a little safer once you’ve done your work around that tool. But never feel safe!
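The “not more, not less” point above, as an added example that is not from the original post or any SIEM product: a small correlation rule in Python, run over constructed log lines, that raises one alert only when the ordered steps of a multi-stage intrusion (repeated failed logins, a successful login, privilege escalation, a large outbound transfer) all occur within a time window for the same user and host. The event names, log format and sample lines are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system):
# timestamp, source, event, user, host
SAMPLE_LOGS = """\
2011-10-03T08:01:10 auth FAILED_LOGIN alice ws-17
2011-10-03T08:01:14 auth FAILED_LOGIN alice ws-17
2011-10-03T08:01:19 auth FAILED_LOGIN alice ws-17
2011-10-03T08:01:25 auth LOGIN_OK alice ws-17
2011-10-03T08:02:40 os PRIV_ESCALATION alice ws-17
2011-10-03T08:03:05 net OUTBOUND_LARGE_TRANSFER alice ws-17
2011-10-03T09:15:00 auth FAILED_LOGIN bob ws-22
2011-10-03T09:15:30 auth LOGIN_OK bob ws-22
2011-10-03T11:40:00 os PRIV_ESCALATION carol srv-01
"""

# Steps that must follow the failed logins, in this order (assumed event names).
LATER_STEPS = ["LOGIN_OK", "PRIV_ESCALATION", "OUTBOUND_LARGE_TRANSFER"]


def parse(line):
    ts, source, event, user, host = line.split()
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "event": event, "user": user, "host": host}


def raw_event_count(lines):
    """What an unconfigured tool hands to the analyst: every single event."""
    return len(lines.strip().splitlines())


def correlate(lines, window_seconds=600, min_failures=3):
    """Return one alert per (user, host) whose events contain, in order and
    within `window_seconds` of the first matched event, at least `min_failures`
    FAILED_LOGIN followed by every step in LATER_STEPS. Events that do not
    match the next expected step are ignored, so a couple of failed logins or a
    lone privilege escalation produce no alert on their own."""
    window = timedelta(seconds=window_seconds)
    required = ["FAILED_LOGIN"] * min_failures + LATER_STEPS
    by_actor = defaultdict(list)
    for line in lines.strip().splitlines():
        ev = parse(line)
        by_actor[(ev["user"], ev["host"])].append(ev)

    alerts = []
    for (user, host), events in by_actor.items():
        events.sort(key=lambda e: e["ts"])
        stage, start = 0, None
        for ev in events:
            if start is not None and ev["ts"] - start > window:
                stage, start = 0, None        # chain expired, start over
            if ev["event"] == required[stage]:
                start = start or ev["ts"]
                stage += 1
                if stage == len(required):
                    alerts.append({"user": user, "host": host,
                                   "start": start, "end": ev["ts"]})
                    stage, start = 0, None
    return alerts


if __name__ == "__main__":
    print("raw events:", raw_event_count(SAMPLE_LOGS))      # 9
    for alert in correlate(SAMPLE_LOGS):                    # exactly one
        print("ALERT", alert)
```

Nine raw events collapse into one alert for alice; bob’s two failed logins and carol’s isolated escalation stay below the threshold, which is the tuning work the post says the tool cannot do for you.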
09.10.2011 by Martin Kuppinger
This weekend, the German CCC (Chaos Computer Club), an institution which probably is best described as the “white hat” association in Germany and which has long been prominent for identifying security issues, informed the public about severe issues with the so-called “Bundestrojaner”, a trojan used by the German BKA (sort of the counterpart to the FBI) in some cases to hack computers of suspects and to collect internet telephony data.
There are two severe issues identified. The first one is that the trojan is able to do a lot of things which are simply illegal. The German Federal Constitutional Court has ruled on what the German state is allowed to do and what not. In fact, only tapping of voice communication is allowed, and even that only within tightly defined boundaries. However, the trojan can capture keyboard data, take over control of the webcam, and some other things. Interestingly, these things have been explicitly forbidden by the Court.
The other issue is simply that the Bundestrojaner is inherently insecure. It doesn’t authenticate communication and thus can be easily hijacked. So, a suspect could hijack the Bundestrojaner which has been placed on his system, for example. According to current news, some communication of the Bundestrojaner even uses servers based in the US.
I won’t judge the necessity of things like a Bundestrojaner, but I think the direction given by the German Federal Constitutional Court is reasonable. However, if Germany introduces such tools, they at least should do it right – with respect to the limits defined by the court and with respect to security.
By the way: This evening, the ministry of the interior (“Innenministerium”) denied the use of the trojan that had been analyzed and criticized by the CCC. Notably, they denied the use (not the existence). Let’s see what happens next. Overall, the concern I had from the very beginning regarding the “Bundestrojaner” has been fortified.
29.09.2011 by Martin Kuppinger
Trust is a fundamental concept of today’s IT. Security is based on trust.
We have (or better: had, after DigiNotar?) trust that a web server which has a valid SSL certificate is the server it claims to be.
We had trust that RSA SecurID tokens are secure (which they still are to some degree, but to a lower degree than before).
We have trust that our authentication in the Active Directory is done in a secure way.
We trust the identity provider when using identity federation.
However, especially the first two examples raise the question whether the concept of trust still is a foundation to build on. On the other hand: Are there any alternatives?
I think we will further need to build on trust as a concept. There is no real alternative. However, we need to be much more careful regarding this concept and add other approaches to it:
Mistrust means that we shouldn’t take things for granted. We might challenge “facts” – e.g. authentication decisions and so on. In fact, mistrust is not really new. We might check the URLs behind links which are suspicious – are they really pointing to eBay, PayPal or whomever they claim to do? We add additional tiers of authentication or stronger authentication mechanisms for sensitive interactions and transactions. But in the light of what happens these days, with more cyber-attacks and even the well-secured, experienced ones like RSA becoming victims of successful attacks, mistrust becomes more important.
That is related to the concept of risk. Risk relates to
- interactions and transactions performed and the information assets affected
- the level of mistrust and the “objective”, factual security risks
This relation is fundamental. We need to understand what could happen to our information assets (and the real assets behind them). And we need to understand how much mistrust we need. Based on that we can define what we need beyond the trust we might have today.
Technically, this leads to the need for flexibility and versatility. It’s not about a specific type of solution, it is about the ability to combine multiple technologies (for authentication, fraud detection, …) depending on the risks and the level of mistrust. The bad news however is: Mistrust will increase, trust will decrease, which will make it more complex to achieve an acceptable level of security for specific risks. And some of the concepts – like SSL – are obviously not sufficient by themselves to address today’s and future security challenges. However: SSL++, i.e. SSL plus other approaches, might suit our needs. And approaches like the one of convergence.io might help us as well in better rating the risks and applying the concept not only of trust but also of mistrust. And, despite the mistrust we might feel for rating agencies in the finance world, having rating agencies for organizations like CAs which we have to trust might be another approach.
20.09.2011 by Martin Kuppinger
I understand the reason behind it – but it is still contradictory. People expect IT vendors to quickly inform them about security issues. And people then blame them for the security issues. OK, if there are security issues which affect someone, he has some reason to blame the company responsible for these. Nevertheless, some more fairness would help in achieving even more openness. If you have to admit a security issue and you fix it, then this is obviously better than just trying to hide what has happened.
Let’s take some examples. Microsoft has been bashed for years for not doing enough to secure its products. They have built a sophisticated system for patching and informing the public. They are very open regarding security weaknesses. But they are still blamed for being insecure. Apple is much more reluctant in its openness regarding security issues. But they aren’t blamed as much as Microsoft. Fair or unfair? I personally prefer the Microsoft approach – Microsoft has been amongst the first to provide a patch for the DigiNotar case. It took Apple much longer.
The DigiNotar case is my second example. Today the news of its bankruptcy spread, after DigiNotar had to admit that its root CA (Certificate Authority) had been hacked. The bad thing is that it looks like DigiNotar knew about that way before. They didn’t inform the public. Good or bad? I opt for bad – they severely increased the security risks in the entire Internet.
RSA Security is another example. They informed the public about the hack of the RSA SecurID seeds. They informed their customers. And they got blamed. I believe that the RSA approach is far better than the DigiNotar approach. Customers were informed and thus able to react. RSA spent a lot of money helping customers to address their issues.
We can blame all, Microsoft, Apple, DigiNotar, RSA, and all the others not mentioned for security bugs. I remember a professor of informatics calculating back in the 1960s that starting with a defined (relatively low) number of lines of code there is no chance to avoid bugs. Thus, security bugs in code and security weaknesses in IT environments are somewhat “natural”. And, by the way, it’s always a question of how much you invest in attacks to succeed. There is no absolute security. RSA did a lot to secure the seeds, knowing that they are the biggest risk (and every RSA SecurID customer could and should have known of that “single point of failure”). DigiNotar, from what I’ve heard, didn’t do as much. Microsoft has invested massively in improving security, but is still on a long journey towards better code and so on.
At the least, it is a difficult balance. Openness can’t be an excuse for security issues. But openness is better than being vague about or hiding security issues. Openness allows the customers to evaluate their risks and to act. And risks are better than uncertainty, which is the result of not being open around security issues. You can avoid risks – but it’s hard to deal with uncertainty.
21.07.2011 by Martin Kuppinger
Data Sprawl appears to me to be one of the biggest challenges in information security. And, by the way, Data Sprawl is not an issue that is specific to Cloud Computing. It is a problem organizations are facing day by day.
What happens when data is extracted from a SAP system? One example: a CSV (flat) file is created with some data from the HR system. This file is delivered to another system, in the best case using some secure file transfer. But what happens then? That other system processes the file in some way or another. It might export some or all of the data, which then ends up in yet another system. And so on…
The point is: Once data leaves a system, data is out of control.
The problem is that this might happen not only with one CSV file but with hundreds of them. And dozens of systems exporting and importing that data. Governance is difficult to implement. You can define a process for allowing exports. You might even define rules for the use of exported data. You might review the exports regularly – are they still needed? However, reviewing what happens with the data at the target systems (are the rules enforced?) is pretty complex. And there is, up to now, no technical solution to solve that problem.
Things become even worse with Data Warehouse and Business Analytics. Data frequently ends up in large data stores and is analyzed. That means that data is combined, sometimes exported again, and so on. How do you keep control? Implementing Access and Data Governance for Business Analytics systems is a big challenge, and auditors frequently identify severe risks in that area – which is no surprise at all.
Another scenario is PII in the Internet. If we give some PII to some provider for some reason, how could we ensure that he doesn’t give that PII away? No way, I’d say. We might use special e-mail addresses or fake information to track back some abuse of PII, but that’s not really a solution.
So what to do? Short term, it is about implementing processes which at least try to minimize Data Sprawl and the associated risk, like mentioned above. These processes and policies are far from perfect. That helps internally, but not for PII.
We might use (very) long-term technical solutions like homomorphic encryption and other technologies which are developed around the “minimal disclosure” approaches to address some of the issues. We then might use an approach like Information Rights Management which works not on a document basis but on an attribute basis. But most of these things will help us sometime in the future, if ever.
But what about defining a policy standard which is sticky to the data? A standard which describes how data could be used? If systems support this standard, they could enforce it. That would be about having such a standard and allowing exports at least of sensitive data only to systems which support the standard and enforce the policies. If data is split up, the policy has to be sticky to all parts (as long as it applies to all parts). If data is combined, policies have to be combined – the intersection of the policies applies then.
Such an approach has limitations, because it will first of all need some people to define the standard. And, like with all standards, it is about the critical mass. On the other hand: Virtually every organization has the problem of Data Sprawl and lacks a valid answer to the questions which are asked in the context of Data and Access Governance. Thus, there is a real need for such a standard. From my perspective, the large vendors in the markets of Business Applications (e.g. ERP, CRM, and related systems), of Business Analytics, and of all the ETL and EAI applications are the ones who should work on such a standard, because they are the ones who have to support it in their systems. And they should start quickly, because their customers are increasingly under pressure from the auditors.
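The sticky-policy rules described above (a policy stays with every part when data is split, the intersection applies when data is combined, and exports go only to systems that enforce the standard), as an added illustration in Python that is not part of the original post and not an existing standard. The Policy fields, the record layout, the join semantics and the sample HR/CRM extracts are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Usage policy that travels with a data set. The field set is an
    assumption for this example, not an existing standard."""
    purposes: frozenset        # purposes the data may be used for
    max_retention_days: int    # how long a receiving system may keep it
    allow_export: bool         # may the receiver pass it on again?

    def combine(self, other):
        """Combining data sets: only what both policies allow survives
        (the intersection the post describes)."""
        return Policy(self.purposes & other.purposes,
                      min(self.max_retention_days, other.max_retention_days),
                      self.allow_export and other.allow_export)


@dataclass
class DataSet:
    name: str
    records: list
    policy: Policy

    def split(self, column_groups):
        """Splitting: every part inherits the full policy of the original."""
        return [DataSet(self.name + "/" + "+".join(cols),
                        [{c: r[c] for c in cols} for r in self.records],
                        self.policy)
                for cols in column_groups]

    def join(self, other, key):
        """Combining: records are joined on `key`, policies are intersected."""
        by_key = {r[key]: r for r in other.records}
        merged = [{**r, **by_key[r[key]]} for r in self.records if r[key] in by_key]
        return DataSet(self.name + "+" + other.name, merged,
                       self.policy.combine(other.policy))


class PolicyViolation(Exception):
    pass


def export_to(dataset, target_enforces_policy, purpose):
    """Check an exporting system runs before handing data on. It raises
    PolicyViolation instead of silently letting the data sprawl."""
    if not target_enforces_policy:
        raise PolicyViolation(f"{dataset.name}: target cannot enforce the sticky policy")
    if not dataset.policy.allow_export:
        raise PolicyViolation(f"{dataset.name}: policy forbids further export")
    if purpose not in dataset.policy.purposes:
        raise PolicyViolation(f"{dataset.name}: purpose '{purpose}' not permitted")
    return dataset


def build_sample():
    """Constructed HR and CRM extracts carrying different policies."""
    hr = DataSet("hr_export", [
        {"emp_id": 1, "name": "A. Example", "salary": 5000},
        {"emp_id": 2, "name": "B. Example", "salary": 6200},
    ], Policy(frozenset({"payroll", "headcount"}), 365, True))
    crm = DataSet("crm_export", [
        {"emp_id": 1, "region": "EMEA"},
        {"emp_id": 2, "region": "APAC"},
    ], Policy(frozenset({"headcount", "marketing"}), 90, True))
    return hr, crm


if __name__ == "__main__":
    hr, crm = build_sample()
    joined = hr.join(crm, "emp_id")
    print(joined.name, joined.policy)       # only "headcount", 90 days remain
    try:
        export_to(joined, True, "marketing")
    except PolicyViolation as err:
        print("blocked:", err)
```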
04.05.2011 by Martin Kuppinger
The data theft at Sony has been in the headlines for some days now. What puzzles me most is that – from what I’ve read and heard first – even the passwords were stored unencrypted. However, Sony claims to have used a hash to protect these passwords. It looks like Sony also has stored the credit card numbers plus the associated security codes (which are, by the way, one of the most ridiculous approaches to enhance security) together and, no surprise, unencrypted. But if Sony has used hash values: Why did everyone assume that these passwords become common knowledge (at least for the hackers and their “customers”)?
But let’s start with passwords: Even though it is still done frequently, it is anything but good practice to store passwords unencrypted. You don’t even need to store them encrypted. Just store a hash, apply the same mathematical algorithm to passwords entered and compare the hashes. Even though some of the algorithms in that area aren’t “bullet-proof”, that is far better than storing millions of passwords unencrypted. Storing passwords unencrypted is such a fundamental error that you can only call it grossly negligent. That is not a simple fault but ignorance of fundamental security requirements – even more so when that information is associated with credit card information and other types of highly sensitive data like bank accounts. If Sony has stored hash values, that would be good practice, depending a little on the algorithm used. That reduces the risk for the Sony customers even though there is still some risk in the hash values being stolen. Passwords might be derived from these, for example based on brute-force attacks.
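The hashing practice described above, as an added example that is not from the original post and not Sony’s code: the cleartext storage the post criticises next to salted, iterated hashing with a constant-time comparison. The record format is an assumption; PBKDF2-HMAC-SHA256 from Python’s standard library serves as the slow hash, and its iteration count is what makes the brute-force attack the post mentions expensive.

```python
import hashlib
import hmac
import secrets

# --- The negligent variant the post criticises: the password itself is stored.
def store_plaintext(password):
    return password


def verify_plaintext(stored, attempt):
    return stored == attempt


# --- Hash-based storage: random per-user salt plus a deliberately slow
# key derivation (PBKDF2-HMAC-SHA256 from the standard library).
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000   # raise over time; the value is kept in the record


def store_hashed(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest
    (assumed format). The random salt makes equal passwords produce different
    records, so a stolen table cannot be attacked with one precomputed lookup
    covering all users."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(stored, attempt):
    """Recompute the hash of the entered password with the stored parameters
    and compare in constant time (hmac.compare_digest), as the post describes.
    Malformed or foreign records simply fail verification."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = store_hashed("correct horse battery staple")
    print(record)
    print(verify_hashed(record, "correct horse battery staple"))   # True
    print(verify_hashed(record, "wrong"))                         # False
```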
Let’s look at the next point. Sony has become, from what we know, a victim of an external attack. Accessing large amounts of data most likely involves a SQL injection attack. Interestingly, the Sony Playstation website has been hit by such an attack before, some three years ago. Given that something happened before raises the question why Sony didn’t protect information better. Haven’t they heard about database security tools and especially database firewalls? That’s exactly the type of technology which helps you protect data like (if you have them) hashed or unprotected passwords or credit card data. We recently had several webinars on database security and database governance, the last one yesterday about database firewalls specifically. All the recordings are available.
Overall it looks like this hasn’t been the most sophisticated hack ever. It looks like no insiders were involved (which would lead to the topic of PxM, i.e. protection against privileged access/users). It looks like Sony has ignored not just best or good practices but, in many areas, even average practices in security.
The bad thing about this is that Sony isn’t alone out there when it comes to ignoring good/best practices in security. The most common reason is that they just don’t think about security – either because it is too complex or because of the price to pay for security. Hopefully, the Sony case alerts some of the others to review their security and to improve it. However, there is a saying in German that hope dies last. And I feel that this is more about hoping than about really expecting web sites to become more secure by design.
By the way: European Identity Conference, to be held next week in Munich, is about information security, IAM, GRC, and database security. A good place to learn more and to meet the analysts of KuppingerCole to discuss Information Security issues in person.
06.04.2011 by Martin Kuppinger
Today I stumbled upon an interesting survey. The core result: More than three-quarters of financial institutions learn of fraud incidents when notified by their own customers. The quote I like most is: “In other words, despite the availability today of world-class fraud detection technology, despite broad awareness of the current fraud threats and incidents – nothing spreads faster than word of a breach”. Fascinating, isn’t it!? However, it is really somewhat irritating.
There is some reason for financial institutions not to invest as much as they could and should in security. Security comes at a cost and financial institutions still balance these costs against the fraud-related losses. I doubt that this equation really works out as expected, but I’ve had this discussion more than once – frequently with CIOs and CISOs who don’t have the budgets they’d like to have around security.
However, taking some risk is a valid approach. Given that there never will be perfect security, 100% security, everyone has to balance the cost of security and the (potential) cost of incidents happening. That’s the same approach everyone uses in daily life when deciding about insurance. The fundamental problem in that area is that risks tend to be rated too low whilst costs are seen much more realistically. That’s especially true when it comes to severe issues which might affect the net cash inflow, because that heavily affects the business. However, such risks are frequently ignored or missed when looking at IT security in financial institutions, leading to an underestimated risk and thus a lack of willingness to invest in security.
Another problem is the frequent lack of a holistic security strategy. Attacks at the operating system layer are still possible even when security at the application layer is good – and so on… Investing in point solutions might give the feeling of security, but it seldom leads to real security.
However, all this doesn’t explain why financial institutions are not even aware of incidents in so many situations. Even when someone takes a risk, he should have controls in place which provide the fraud information. Not doing this is just unacceptable because it moves things from risk to uncertainty – and thus runs against the governance requirements the management has to fulfill. Not knowing about fraud is a clear indicator of insufficient risk management, because risks are simply ignored.
From my perspective, financial institutions have to act in that area by looking at all risks and by acting appropriately – by at least knowing, but better mitigating, these risks.
EIC 2011 will have several sessions around security for financial institutions and there will be a lot of experts from the finance industry attending – thus it’s a perfect place to meet with peers and to discuss.