Friday, 9 May 2014

Security Think Tank: Secure and seamless collaboration key for business

Computer Weekly published my regular contribution on 8 May 2014. This time the subject is seamless collaboration with third parties and the ways in which security teams can help.

Sunday, 6 October 2013

Embrace consumer cloud storage at your peril

The Computer Weekly Security Think Tank published my blog post about security of personal Cloud storage used for business. Please read the original article at:

The full article:

Storing files in the cloud is so tempting. I myself use several consumer cloud storage platforms, such as Dropbox, Google Drive and SkyDrive. The convenience of these services means I can access my files anywhere and have them synchronised between all my computers automatically. Many companies, including big enterprises, are evaluating the use of these cheap and easy-to-use storage services. Many more companies are probably already using such services, at their peril.

Consumer storage services come with big concerns and should prompt some serious questions. The biggest security risk is that all files are stored in such a way that the cloud provider has full access to them. Do not believe your cloud provider when they say they will never look at the data. In the USA, National Security Letters (NSLs) prevent companies from even informing their customers about such cooperation. In the age of NSA surveillance this is perhaps something to be wary of. Also, there have been a number of high-profile incidents involving consumer cloud storage providers.

However, there is a way to overcome this risk: Pre-Internet Encryption (PIE), encrypting data BEFORE it reaches the cloud provider. Services such as BoxCryptor can work on top of cloud storage platforms and encrypt all data with customer-managed keys. This means that the cloud storage provider cannot technically get access to any of your data. Nevertheless, with any encryption comes the hassle of key management, which is considered the hardest discipline in IT security. Moreover, losing the encryption key means the data is lost forever.
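To make the PIE idea concrete, here is an added example (not BoxCryptor's code, nor anything from the original post) of what "encrypt before it reaches the provider" looks like in practice. It assumes a 256-bit key generated and held by the customer, AES-GCM as the cipher, and a constructed sample document; the `ProviderCanReadPlaintext` helper stands in for a provider scanning the bytes it stores. The last part of the example shows the key-management caveat from the text: a different (or lost) key yields an authentication error, not the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewCustomerKey generates a 256-bit key that stays with the customer.
// Assumption for this example: the customer keeps it in their own key
// store; it is never uploaded alongside the data.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBeforeUpload seals the plaintext with AES-256-GCM on the client.
// The returned blob (nonce || ciphertext || tag) is all the provider ever sees.
func EncryptBeforeUpload(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the blob is self-describing.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAfterDownload opens the blob with the customer key. A wrong or lost
// key fails GCM authentication and returns an error instead of plaintext.
func DecryptAfterDownload(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// ProviderCanReadPlaintext models the provider (or anyone it hands data to)
// scanning stored bytes for a known fragment of the document.
func ProviderCanReadPlaintext(stored, fragment []byte) bool {
	return bytes.Contains(stored, fragment)
}

func main() {
	// Constructed sample document; not a real file.
	doc := []byte("Board minutes (sample): acquisition target discussed")
	key, _ := NewCustomerKey()
	blob, _ := EncryptBeforeUpload(key, doc)
	fmt.Println("provider sees plaintext:", ProviderCanReadPlaintext(blob, []byte("acquisition")))
	pt, _ := DecryptAfterDownload(key, blob)
	fmt.Println("owner recovers:", string(pt) == string(doc))
	lostKey, _ := NewCustomerKey() // stands in for a lost or regenerated key
	_, err := DecryptAfterDownload(lostKey, blob)
	fmt.Println("recovery without the original key:", err)
}
```

The provider-side check is deliberately crude: the point is that the stored bytes carry no recoverable content without the key, which is exactly why the key store becomes the asset to protect and back up.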

The second biggest risk relates to integration with the company's Identity and Access Management (IAM) systems. As with all company applications, an account should be disabled when an employee or a contractor no longer works for the company. Consumer offerings do not support plugging in to corporate IAM systems; that is typically a premium feature of enterprise-ready cloud services.
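Without IAM integration, the leaver check has to be done by hand, which is where accounts get missed. The following added example (not from the original post, and not tied to any particular storage product) shows the reconciliation a security team would otherwise have to run manually: it compares a constructed HR export (email, active/left) with a constructed list of members of a shared cloud folder and reports leavers who still have access, plus accounts that have no HR record at all (for example a contractor's personal address). Formats of both inputs are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is one account that should be disabled, with the reason.
type Finding struct {
	Email  string
	Reason string
}

// ParseRoster reads a constructed HR export of the form "email,status"
// where status is "active" or "left". Returns email -> isActive.
func ParseRoster(export string) map[string]bool {
	roster := make(map[string]bool)
	for _, line := range strings.Split(strings.TrimSpace(export), "\n") {
		parts := strings.Split(strings.TrimSpace(line), ",")
		if len(parts) != 2 || strings.EqualFold(parts[0], "email") {
			continue // skip header and malformed rows
		}
		email := strings.ToLower(strings.TrimSpace(parts[0]))
		roster[email] = strings.EqualFold(strings.TrimSpace(parts[1]), "active")
	}
	return roster
}

// ParseCloudMembers reads a constructed one-email-per-line export of the
// people who currently have access to the shared folder.
func ParseCloudMembers(export string) []string {
	var members []string
	for _, line := range strings.Split(strings.TrimSpace(export), "\n") {
		if e := strings.ToLower(strings.TrimSpace(line)); e != "" {
			members = append(members, e)
		}
	}
	return members
}

// Reconcile returns every cloud member who is either a leaver according to
// HR or unknown to HR entirely, sorted by email for stable reporting.
func Reconcile(roster map[string]bool, members []string) []Finding {
	var findings []Finding
	for _, email := range members {
		active, known := roster[email]
		switch {
		case !known:
			findings = append(findings, Finding{email, "no HR record (unmanaged identity)"})
		case !active:
			findings = append(findings, Finding{email, "leaver still has access"})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Email < findings[j].Email })
	return findings
}

func main() {
	// Constructed sample data; no real people or organisations.
	hr := `email,status
alice@example.com,active
bob@example.com,left
carol@example.com,active`
	cloud := `alice@example.com
bob@example.com
carol@example.com
dave.contractor@gmail.com`
	for _, f := range Reconcile(ParseRoster(hr), ParseCloudMembers(cloud)) {
		fmt.Printf("disable %s: %s\n", f.Email, f.Reason)
	}
}
```

An enterprise service with IAM integration performs this comparison continuously and disables the account the moment HR marks the person as a leaver; the manual version above only catches the gap as often as someone remembers to run it.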

In summary, consumer cloud storage services are great if your files are not overly sensitive and the company is small enough that everyone knows everyone (the theory says this number is around 50). If your file classification and company size do not fit this profile, you are most likely better off looking at enterprise-class cloud storage offerings.

Wednesday, 28 August 2013

Security Think Tank: IP protection is as weak as the weakest link – fix the supply chain security

This post originally appeared in Computer Weekly Security ThinkTank series:

Broken chain
We all know this sometimes overused phrase, which, unsurprisingly, proves to be correct every time in the domain of information security.

When it comes to defending a company's intellectual property (IP), a risk assessment is in order. I know it sounds tedious and boring, but a well-executed risk assessment of the intellectual property assets will bring a wealth of information.

For example, during the information-gathering phase, a company would document where the IP is located and what processes touch and manipulate it. Still, the most important part of this phase is to document which third parties have access to the IP.

In this well-connected age, it is very rare that the IP is solely accessed by the employees of the company. On the contrary, the sensitive information is frequently shared with trusted partners (individuals or companies).

Consider these as links in your security chain.
Your company may have excellent security controls, both administrative and technical, to protect access to the IP from within your company.

However, as soon as the IP leaves your organisation, your controls no longer apply. For example, a technology company may use regional marketing agencies to prepare marketing materials in advance of public launch. These companies are typically small and may not have resources to invest into the same level of security controls.

If the risk assessment discovers that your partners increase the risk of IP leakage, then the risk treatment could mean either finding another partner or investing time and resources to improve the security controls across the entire process, including the partner's controls.

Talk to the companies in question, help them improve security policy and awareness, or even invest in the same security technologies that you are using.

You will find that a small investment in time and money goes a long way in protecting your valuable IP.

A closing point: use this exercise as a way to learn your business inside out. Working with managers who deal with external partners is an excellent way to show off your interpersonal skills and drive to make positive change, and to shrug off the negative perception some business managers have of security professionals.

Wednesday, 14 August 2013

Prism is dangerous for everyone


The revelation of the Prism programme run by the US National Security Agency (NSA), and shared with the world by fugitive Edward Snowden has been shocking, but somewhat expected.

My personal view is that any government, democratic or totalitarian, likes power, and information these days directly translates into power.

However, what has been even more shocking is the lax approach of US politicians, who have clearly lost their grip on the NSA and other three-letter agencies, all in the name of "national security".

The shockwaves will ripple across the Atlantic pond between the US and Europe for months to come, and some changes to the snooping programme might be expected.

However, the question that has not been answered is: does the Prism programme pose a danger to the US government?

I believe it does on several fronts:

  • First, the data that the government collects is a treasure trove that other countries or large organisations, including underground ones, would like to get their hands on. Can we believe that the NSA, FBI and CIA, with approximately 100,000 authorised users, can keep the data safe? Certainly, the leaks of government secrets so far show that such an objective is beyond reach and is most likely just wishful thinking.
  • Second, there is going to be retaliation against the US and other nations that are perceived to have breached the "moral" code of the internet. We have all seen what a determined group of highly skilled hackers/vigilantes can do. These attacks are most likely to embarrass the US government rather than cause real damage, though; unless the US national critical infrastructure is still connected to the internet. I bet this is the question that committees in Congress are asking. We can only speculate on the answers.
  • Finally, we all know that the world's governments and large enterprises spy on their enemies, competitors and allies. That has been happening for centuries, and the internet has simply made these activities much easier. However, snooping on everyone on this planet who is connected to the internet, on the presumption that "you have nothing to hide if you are innocent", calls for an urgent review of these practices.

History shows that information is power and that such power is easily abused. This comes from someone who grew up in the communist era and has heard "all these activities are legal" too many times.

This article originally appeared in Computer Weekly published at

Wednesday, 29 May 2013

Snooping law = criminals 1 : public 0

The unfortunate event in Woolwich last week has opened a debate about police powers to monitor citizens' communications.
It has been proposed that ISPs be obliged to record the "envelopes" of messages and the websites visited. This is not unusual given existing powers related to voice calls and text messages. However, the proposals seem to ignore how the Internet works, and the advances in open cryptography.

First, many people do not use their ISP's email service, and instead opt for third-party email services such as Gmail, Hotmail and Yahoo, to name a few. The common feature of these services is that access to email is performed over an encrypted channel. ISPs have no technical means, short of installing their own root certificate authorities on everyone's computers, to monitor these messages. In other words, the proposals would only allow monitoring of a small percentage of citizens, very likely law-abiding ones, who should NOT be the focus of a snooping law.

Second, any computer-skilled criminal will most likely use a bespoke email provider, or end-to-end encrypted IM messages. There are open protocols, such as OTR, that enable this capability for open-source IM services. There is no chance of snooping on these messages at the ISP level. The only viable place to see the messages is the endpoint computer where the IM message is sent or received.

Make no mistake: accepting the loss of our liberties of freedom and privacy of communication in the name of catching criminals will be used against us in non-criminal proceedings in the future. Let's make it clear that this is not acceptable and that the arguments for snooping are ill-conceived.

Wednesday, 15 May 2013

Security Think Tank: context-aware security is business-aware security

This article first appeared in Computer Weekly in March. The original link is here:

The days of static security policy decisions are over. Is your firewall still only a dumb IP-based firewall that allows or blocks access based on IP addresses? What about contextual information such as identity, location, the data transferred and the behaviour of the traffic?