Who teaches the teachers about cyber security?

May 17, 2012

This week I met with Tony Anscombe, senior security evangelist at AVG, to discuss the company's recent research into education and trends around the "Digital Coming of Age".

Published in April, the survey took in 4,400 parents of 14- to 17-year-olds in 11 countries. It found that around half of UK parents were friends with their children on Facebook, a fifth had seen explicit or abusive messages on social networks, and the same number suspected their children of accessing online pornography.

Only 30 per cent of UK parents were concerned about the effect that their children's social media use might have on their job prospects; 59 per cent believed that schools were effective in teaching their teens to responsibly navigate the internet.

Anscombe said education around online safety is a challenge for parents as there is some misunderstanding about whether they, or the school, should be responsible – cyber bullying, he said, was an example of something that happens both in and outside of school.

He said: “Sixty per cent of parents admitted to snooping on their [children's] web history, so are they in denial about what their children are doing? Also, how many parents do not get it? Do they understand that what goes online could affect [a child's] prospects? The private sector is now searching on people's names. People need to understand that what goes online stays online, and to educate parents is very important.”

Will Gardner, CEO of ChildNet International, said: “We know from our work in schools that children and young people are using a wide range of devices to surf the net and we also hear from many parents who are confused about how their children are getting online and what they are doing online.

“One of our key messages is to encourage parents to talk with their children and young people about what they're doing online, who they're talking to and to find out whether they have any safety concerns. It's great when families can connect online, but offline conversations are also a key part of staying safe online.”

While not strictly a business story, what interested me is that the education factor is becoming more and more prominent. Who is responsible: parents or the school? And are they even up to speed enough to teach these subjects?

These children, after all, are the next generation of executives.

 

VMware leak highlights holes in virtual environments

May 15, 2012

Virtualisation giant VMware recently scrambled to release security patches following the leak of ESX server hypervisor source code, which was published in April.

The patches repaired critical vulnerabilities that could have enabled an attacker to execute malicious code remotely on the host, leaving an end-user's virtualised environment open to compromise.

Among other things, the incident called into question the security of virtualised data and, for some, how the eventual migration to a virtualised network infrastructure would ultimately impact an organisation's security standing.

No doubt the transportable nature of a virtual environment adds another layer of complexity to the overall security of the network, one that can leave holes if organisations aren't aware of where their data is located or what it takes to secure it.

But whether virtual data is more or less secure largely depends on the calibre of an organisation's security posture, experts say, and opinions on how to secure a virtual environment are as numerous and diverse as the organisations that house them. There is no single answer: you need to assess what that environment is and what it is trying to do, then put the proper pieces in place.

The security of the virtual system will largely depend on the nature of the organisation as well as the type of virtual data and infrastructure needing to be secured. But regardless of how complex or unique the organisation's infrastructure needs are, there are some basic security requirements that apply to all virtual environments.

First, while organisations will progressively virtualise more and more of their infrastructure, they still need to run some kind of hybrid environment and strike a balance between physical and virtual security mechanisms. Ultimately, whether it is secured via a physical or a virtual system, data stored in the virtual environment needs to be protected.

Also, physical security is at the core of the network. You need to secure the perimeter of that virtual environment, whether private or public cloud, and you still need to protect those physical assets and links.

Your virtual environment is running on some type of hardware: there are physical servers, physical storage, the network and so on. Security devices are definitely necessary to protect the perimeter of these environments.

Also, in a multi-tenant or multi-client environment, providers need to configure segregated security zones just as they would in physical environments. To do so, they will need to invest in secure virtual appliances that isolate these zones from each other, so that traffic does not have to be routed out of the virtual environment through physical security appliances and back in again to enforce a proper security zone.

The beauty of these virtual machines is that they could be running anywhere in that cloud, but the cloud provider needs to segregate one tenant from another tenant to make sure there's no leak.

There are certain compliance regulations that need to be met, so that no potential security issues arise. You need to make sure you have a rock-solid security policy and apply that segregation in the virtual environment as well. You could have assets that shouldn't be talking to, or sitting next to, other data on the same physical servers, so you need to secure inter-VM traffic between different workloads on the same physical host. You don't generally have that issue in a physical environment.

In addition, it's essential to have a central management system that can monitor both physical and virtual security environments through a single pane of glass, in order to avoid the efficiency bottlenecks and productivity losses created by multiple, complicated management servers.

Finally, as with physical data, virtual data is often most vulnerable when it's lost or unaccounted for. However, unlike physical systems, the mobile nature of virtual systems enables workloads to be transported easily from one host or server to another. As such, organisations increasingly are required to have security policies that reflect that development.

It's not something you see in the physical world, where that server is never going to move. In a virtualised environment with full load-balancing set up, you could see that workload move, and you need to be able to secure it.

Jason Bandouveres is a senior product specialist at Fortinet

 

Twitter cosies up to the public sector

May 15, 2012

Twitter has said that it wants to work more closely with the UK public sector.

As the micro-blogging site confirmed it now had more than ten million users in the UK, it told BBC News that it wanted to "work closer with government and policy makers in the UK", saying it was a priority to "protect and defend" the voice of those users.

Twitter's UK general manager Tony Wang said it is hiring a public policy manager who would work with "government, various ministries, members of parliament as well as law enforcement".

He claimed that legal issues, such as the naming of people who have taken out super-injunctions and spreading information during last year's riots, were evidence that Twitter needed to work locally and "emphasised the importance of being a global company".

As well as becoming the voice du jour of the media and the place where news is broken first (sometimes whether people like it or not), Twitter has also become one of the key communication channels for personalities, businesses and the public sector.

Quite what Twitter wants to achieve is not clear; Wang said this appointment is to work with people in government and agencies, but could it be more of a PR role in ‘what not to tweet’? Or one that takes guidance on security of the site should it face any security issues (although its move to set all users to HTTPS by default may well be a tick in the security box)?

Wang would not comment to the BBC on the Government's surveillance plans outlined in the Queen's Speech last week, saying only that its views would be "conjecture".

Bear in mind what happened when BlackBerry said it would co-operate fully with the Home Office and police following the London riots…

 

Learning the business of security

May 14, 2012

We have recently looked at some of the accreditation programmes that are available for security professionals, as well as some of the education courses.

Back in January, I attended a presentation by Kevin Jones, the professor of dependability and security of socio-technical systems at City University London. In September, Jones's department will launch an MSc in information security and risk; I caught up with him to learn more about his plans and what the intention of the course is.

Jones told me that the course would create an educational programme that combines the technical capabilities of security and business issues; its location close to the City of London (the University is based in Islington) will draw people to the part-time course, he said.

He added: “With the Masters, we thought about the expertise and what skills people need that are not being satisfied. We will not teach technical things as we are not looking for a unique niche. We get asked a lot about security, but it is not good for the non-security types, so we teach critical business functions.

“A key part of security is to be business-aware, so this is a programme for people who want to be the CISO and talk to the board and be part of the security team. It is not about technologies like encryption or the firewall, it is about managing security and how to communicate issues at an executive level.”

He said professionals often lack the ability to communicate their achievements and projects to the right audience. “[The board] will ask how much money is spent, what is the potential exposure, and a good CISO can answer both,” he said.

“Security needs a full career path… we are putting this together on how to progress. This is not a post-graduate course, it is for those who want to get to the next level.”

This point was raised at the 2011 Gartner security conference by former SAB Miller CISO and 2011 SC Magazine "information security person of the year" Mark Brown, who said that if CISOs do not engage their board, they could lose "chief officer" from their job title within five years and that they needed to become business enablers.

Back in January, Jones spoke at the Infosecurity Europe press conference and said that better knowledge is needed at all levels, with a need to communicate and for people to be trained to present issues to a variety of levels.

He said: “The modern CISO has to be comfortable in the modern space, manage conflicting requirements but be aware of business risk and cost implications, and communicate that properly – too much risk and the company fails. The CISO needs to communicate all things to all levels, which is a difficult role as they have to speak geek and business fluently. We have a cultural gap that we need to fill.”

Jones said an undergraduate programme may be added in September 2013. The MSc launching this September is a two-year part-time course, with two modules per ten-week term and a project to be completed.

Jones said: “There will be no exams, it will be marked on professional reports. For the application process, each entrant will be degree-educated with four to five years' experience; it will be a small group so we can evaluate on a case-by-case basis.

“For the first year, we are expecting six to ten people and we will ramp that up as we polish the course; this is not off-the-shelf and it will be much more interactive. There will be two members of staff committed to this and we will get guest speakers in.”

What City is offering is certainly different from other courses in that it teaches business, rather than technical, skills, though a sprinkling of the latter is to be expected. As Jones said, this is the first year of a freshly created course, and put a group of techies together and they will likely talk shop. Getting them to do that with the board is what this course aims to achieve.

 

Almost 75 days until the Olympics - time to block everything?

May 11, 2012

Tomorrow will mark 75 days until the start of the London Olympic Games, and the debate on how to deal with the impact is likely either raging or yet to begin.

A few weeks ago we looked at the various business challenges that the Olympics and Paralympics will pose, and some possible solutions; 24 days on, I hope that it was of some use. Certainly the attitude was one of ‘allow staff to work remotely’: use VPN connections, have strong authentication methods and consider the strength and security of personal connections and devices.

Talking recently with F5, it had a different attitude – deny everything. Everything, I asked. Yes, everything, said Nathan Pearce, EMEA product manager at the vendor.

To rewind a little, he said that when it comes to remote working, the main challenge is dealing with untrusted things entering the data centre.

He said: “It is easy to manage and run an SSL outside a network, but with 50,000 employees you have to have a lot of trust. So you treat your building as leased office space, as an internet space and a hot-desk suite and think about the architecture you have inside and outside the office.”

So I asked Pearce whether what he meant was to ensure nothing from outside the perimeter enters the network and/or data centre. He said "definitely", as "that is where it becomes a problem".

“There are issues on security, of denial-of-service, so it is not about trusting the user, it is about the integrity of the data,” he said.

“This is the smart way of doing things. This will help people, and those going on about the death of the corporate LAN will know that consumer WiFi is not secure. People know not to connect to different WiFi networks; for those who go down that line, there is only one way.”

Agree or disagree? Some may say that this view is tantamount to locking a network down, and that denying all is playing the ‘Doctor No’ role of not allowing employee freedom. Or is that simply the best tactic?

 

The irony of protecting data while pushing for surveillance

May 09, 2012

The announcement on Wednesday of the Draft Communications Bill demonstrates the gulf between the pro-privacy camp in Europe (and their respect for Article 8 of the European Convention on Human Rights) and our increasingly 'Big Brother' government.

The bill allows government agencies to access internet service providers' (ISPs) logs to see who is contacting whom and who is looking at what online.

It is ironic that while Europe is currently discussing the expansion of individuals' rights to protect their data, the UK government seems set on removing protections for our private lives – we wonder how the European Commissioner will react to these new proposals.

The proposals make it easier for the Government to access ISP logs of websites and applications visited, and of when, where and for how long phone calls were made (including those made over the internet), without the need for cumbersome authorisation.

One can see that there might be an argument for removing the burden to obtain prior authorisation to look at this information, where the national security interest is genuine and timing does not permit the following of normal process. However, this should be the exception, not the rule, and certainly not a blithe sanction of a wholesale snoop on our private lives.

Whether or not the proposals will infringe upon our EU data protection laws depends on these restrictions, and the devil will be in the detail. In order not to infringe upon our EU laws, the snooping must be fair, justified and proportionate to the objective.

Ideally, privacy-impact assessments would be undertaken before such data-sharing takes place to ensure the snooping meets these criteria, and the Information Commissioner would have the right to audit this ‘right to snoop’. The Government has promised it will strengthen independent oversight and allow a complaints tribunal.

However, the burning question on everybody's lips is in what circumstances the right itself can be exercised, and that remains to be seen. This is also currently only at the bill stage, and with the popularity of the Government on the wane, it is likely to face fierce opposition during its discussions by Parliament.

Sarah Needham is a data protection specialist at law firm Taylor Wessing

 

The good, the bad and the ugly

May 08, 2012

When it comes to government and cyber security, there is a definite case of the good, the bad and the ugly.

The good has been in work such as the Cyber Security Strategy, launched last November to propose a single reporting hub for information exchange and a cyber crime unit within the National Crime Agency. While not all is great about that proposal, and ISPs and former Home Secretary John Reid were among those who were critical, it did show some initiative and forward thinking by government into this sector.

If there were a bad, well then there could be plenty of evidence. Take the government's continued use of Internet Explorer 6 (as reported in 2010) or the more recent proposals on voice, email and internet monitoring that came under huge criticism from the public and world wide web inventor Sir Tim Berners-Lee.

Finally, there has to be an ugly, and for me this came last week. I read about Francis Maude's comments in a typically short story in Metro and found the basis of it via the Press Association. I was hoping that the man who created a panic around petrol had been misquoted, but having read the story, it seems that the Metro writers picked the finest comments from Maude.

Maude, who is the Minister for the Cabinet Office and Paymaster General, said that as UK government computer networks are "regularly targeted" by foreign intelligence agencies and groups working on their behalf, the London Olympics "will not be immune to cyber attacks by those who would seek to disrupt the Games".

We know this could be the biggest challenge businesses face this decade, which is why preparation is key and why it is right for those in positions of responsibility not to cause unnecessary panic with statements that use scare tactics.

I have no doubt that with all eyes on London for more than a month as the Olympics and Paralympics dominate the summer sporting calendar, not to mention an overlap into the start of the English Premier League (best in the world, don't you know), cyber criminals will use this as a base for online phishing and malware attacks.

As for attacks on infrastructure and government networks, yes it could happen, but spreading FUD (fear, uncertainty and doubt) will achieve nothing, and I anticipate more will have read the reports, considered them and moved on to the next page. A threat and a possible solution, combined with a 'keep calm and carry on, we've got it covered' message, is a much more ethical way of speaking to the public on cyber security.

 

Beyond the SIEM

May 02, 2012

Among the new companies I met at last week's Infosecurity Europe show was one that described its offering as "security intelligence and analytics" – or "what the SIEM does not see or what the firewall doesn't have a signature for".

Although not a start-up – it was established five years ago – this was a first move into the UK for Solera Networks.

President and CEO Steve Shillingford and CTO Joe Levy told me that its technology was about offering the extended visibility that log management and security information and event management (SIEM) failed to achieve.

Levy said it is creating events as the impact is often not detailed, and what evades detection is what users are concerned about. He said: “This complements the SIEM and log management as there may be an instance where something has never been seen before in an attack or there is no idea what the file was.

“It is about masses of information, companies are handling terabytes of data and correlating it is hard. It is not there to block, it is just about working in real time.

“Customers want historical retrospection, when you have a security event you want to go back and see it, to go into the network and see what happened on the network. There is also better sense overall on how log data is used, and with deep packet inspection and software analytics, they are the core of our technology.”

Shillingford said it is about collecting information from layers two to seven and being able to protect that data – but said that has ended with data being held by third parties. In terms of the foundation of the company, he said that influence was drawn from what Novell had done in the early 90s; in this instance, though, it was about converting packet data into readable files to define policy.

A file is then reverse-engineered or sandboxed for deep packet inspection so that all files can be seen. “Look at the evolution of network security, the packet flows to the file level,” he said.

He added that it is a platform with a high-speed database and outer platform for analytics, and visualisation is done on the cloud and also on the box.

Last week the company launched a new version of its DeepSee platform, which it said provided the ability to "un-box" the power of security intelligence and big data analytics technology. Shillingford said this was about decoupling software from the appliance and to the virtual machine so that it can be installed onto any server.

He admitted that there had been some barriers to adoption, particularly as the pace of technology change can often mean that a product is out of date in two years, so the intention was to remove those barriers and make software-only installation possible.

“There is some standalone technology, so we say run our software without our box and refresh the cycle. We are delivering this in an easy-to-deploy, software-based solution, which means that any enterprise can have full visibility, situational awareness and intelligent incident response,” he said.

Joining the company in the past 12 months as vice-president of marketing was John Vecchi, whom I last met when he was in a similar position at Check Point. I asked him to summarise Solera's offering; he said other vendors are "all doing the same thing with preventative technology that is based on known signatures".

He said: “This company is doing something different, others won't say what to do when you are breached and still be secure. If you have not been breached then it will happen, so this is the next emerging market and we are now bringing technology to after the event to know what was taken from the network and if it was still there.

“It is very interesting, for me it is like the genesis of the intrusion prevention market, but now everything is next generation and this will be the next mainstream technology.”

 

Post-acquisition, AEP looks forward

April 30, 2012

Ahead of the Infosecurity Europe show last week, I caught up with AEP Networks, a developer of highest-grade security technologies that was acquired by a military contractor last September.

In the $75m (£48m) acquisition, the defence and aerospace company acquired AEP for its links to the UK government's national technical authority for secure electronic communications.

The company has rebranded as Ultra Electronics AEP Networks, and talking to SC Magazine last week, CTO Mark Darvill said that the offer from Ultra Electronics came when it wanted to complete its cyber security portfolio. AEP is a UK-based company with contracts with governments, and Darvill said that the acquisition has allowed it to become UK-centric, but it was far from Ultra's first move into cyber security.

He said: “They've got a number of other companies in the cyber security space. Probably the major one is 3TI in the US who do security cyber systems and also encrypted wireless LAN. There are about five or six in the UK and US that do everything from top-secret cryptos through to voice analysis and all sorts of things.

“This is additive to their current portfolio. I guess one of the big differences between a Lockheed Martin approach and Ultra Electronics is Ultra's view is that when they acquire companies of a certain size, they stay as standalone entities.

“So, from my point of view, post-acquisition, although we have a different reporting line now and things like that, the company is primarily running on the same business plan that it developed pre-acquisition.”

Last week the company announced two product launches. The first is an addition to its Keyper range, the Ultra Safe Keyper Plus, a FIPS 140-3 Level 4-ready hardware security module (HSM).

Darvill said that this is a new variant and the most secure HSM available, aimed at a new NSA standard: it includes FIPS 140-3 encryption and new elliptic-curve technologies for the physical encryption of the data and of the key material itself.

He said that the ‘elliptic curve’ has been demanded more and it is used in this product around the mathematics of the delivery and encryption of key material. He also said that this has advanced tamper-proofing, which means that if it is tampered with, the key material it holds is destroyed.

“It's the only device in the world that does that. The FIPS 140 level 4 standard is the one that defines this tampering and we're the only people that make this type of device in the world,” he said.

“If you can imagine the key material that some of our customers put into this; it could be a government root key, for instance, or a DNS root key – and if they lose that key or have it stolen then, effectively, either their network or their data or whatever it is they're trying to secure with that could be compromised.”

He also claimed that this is separate from a server: it sits on the network and responds to people who need something signed. Darvill said this is safer than putting it onto a server because, no matter how secure the server may be, the operating system is always open to vulnerabilities and to attack, and it is sometimes quite difficult to tell whether it has been attacked.

Also launched last week was Ultra Protect 7.4, a mobile application that enables secure access to work applications on the move and supports BYOD policies with virtual access to the office via mobile devices.

The company claimed that Ultra Protect 7.4 helps to safeguard data by not allowing information to be stored or saved on the device and providing full encryption between the device and server, so if a device is lost, stolen or transferred, corporate information is always protected.

Darvill said: “The Ultra Protect is basically a secure application access gateway to provide extremely secure access for users, irrespective of the endpoint device that's being used. Basically, the user authenticates via this device using two-factor authentication and then will gain access to WebTop, which is like a single webpage and is the only thing that they can see and has icons on that represent which applications they are allowed to gain access to.

“Based on the individual user or the group that the user is in, they will see a range of applications and potentially data as well. So, with 7.4, we've made the solution even more secure as it uses key material to encrypt the sessions between the end-user and the servers that they're trying to gain access to.

“From the user's point of view, the big thing that we've incorporated much more solidly into the product is the mobility access through the smartphone and tablet access, it is really centred on bring your own device. This solution now is very much focused to allow them to gain access to applications and data while ensuring the integrity and security of the data at the core.

“Effectively, we're now implementing three-factor authentication.”

I asked Darvill if this was BYOD but aimed at large enterprises, critical national infrastructure companies, governments and the defence community. “It is for where people want to give people access to information and to applications and data on the move but do want that stringent level of security that goes with it,” he said.

We finished by moving back to the acquisition; I asked Darvill if the added capabilities of Ultra Electronics had influenced these launches. He said they had been in development pre-acquisition and AEP's raison d'être and core values had not changed.

“What you will see coming out over the next couple of years is more innovation. So we're doing more around some very advanced areas and including, in a year or two, areas like quantum encryption. We've got to take a fairly long-term view on some of the really new stuff,” he said.

 

A change in time by Bit9

April 23, 2012

Last week I met with vendor Bit9, which, after starting out in the whitelisting sector, has repositioned itself as a protector against advanced persistent threats (APTs).

President and CEO Patrick Morley told me that the move from application whitelisting, where only approved applications and software are permitted to execute, came from the Aurora attack on Google in early 2010.

“Aurora changed our perspective and our view on the posture so now we offer application whitelisting as part of the solution but it is now about APT protection,” he said.

“We watch everything and IT make decisions on what to allow, they set up a policy and decide on whether things are allowed in or not. Our customers are very ‘IP heavy’ and the people who buy our technology are anyone who is targeted.

“People buy security information and event management (SIEM) and deep packet inspection technologies, and then us, so that they have protection on the network and on the host side, laptop and on the server in the data centre.”

He said that the combination of whitelisting and APT protection can help prevent emails with malicious attachments, such as the one that hit RSA last year, so that the attachment is not permitted to run and is not trusted.

He said: “You cannot try and figure out where the bad stuff is, so you allow what is trusted to run. In trusted computing, the only way to protect is to flip it and say if it is trusted or not.”

Morley said that the trusted model was the way forward as, while technology is needed, it is "hard to protect people from themselves". He compared the business to the filtering around the Apple App Store, as it vets files to give the IT team a test rating on what is running. “You add a policy to determine what comes in, rather than tell you what is running,” he said.

The company was formed eight years ago, with Morley, previously president and CEO of Imprivata, joining in 2008. Research by Bit9, released today, found that 54 per cent of UK businesses expect a cyber attack in the next six months, with it expected to be perpetrated by hacktivists (59 per cent) or disgruntled employees (31 per cent).

The survey of 1,020 IT managers found that corporate competitors were seen by 35 per cent as a greater threat than cyber criminals (23 per cent). Morley said: “It is quite different from in the US, where they see the nation state hacker first and in-house IT as last.

“We are seeing the biggest transfer of intellectual property that the world has ever seen. It's not just traditional cyber criminals who are looking to steal financial information, but there is a steady rise in the number of organised groups such as hacktivists and nation states who are intent on breaching company security to gain access to customer information or intellectual property.”

On what was seen as being at risk, 60 per cent said personal customer information, 50 per cent customer financial information, while only 29 per cent said intellectual property.

With every threat or trend, a vendor finds a niche that customers are looking for. The concept of trust in security is critical – whether it is to do with access, whitelisting or computing, if you can put a seal of approval on what is entering your enterprise, you are adding security. What Bit9 offers makes sense as it can add this seal, and at a time when you want to prevent more than malicious payloads, it could appeal to many users.

Don't be 'shush' over SSH key management

April 19, 2012

SSL technology has become pretty ubiquitous in recent years following its roll-out by major websites and the need to protect data flow.

One area I was not so familiar with was Secure Shell (SSH), effectively secure communication between machines rather than between machine and man. I recently spoke with Matthew McKenna, head of sales and marketing at inventor SSH Communications Security, who told me that it is one of the three most widely used security protocols (along with SSL and IPsec).

He said: “It is about secure file transfer and the possibility of secure remote access to tunnel into remote servers for Unix administrators. This is used for servers with financial data, for example in financial services and retail.”

According to McKenna, one of the main issues around this technology is key management: over the years, millions of SSH key ‘pairs’ have been created, but many remain undeleted or unaccounted for.

He said that the pairing of a private and public key approves access to the server but the challenge is knowing who has access to which key and, therefore, which server.

“You can create a new key, but a user may take it and share it and there is no way of seeing it, so it is a huge risk as you are still accessing critical data,” he said.

“Also, when people leave an organisation, do human resources tell IT? No, the keys stay with them and organisations are not focused on key removal and reclassification. You have to remove and rotate the keys and replace them, so that when people leave the organisation you have to resolve it.

“A customer is supposed to rotate keys every two years, but that is not possible so, as no one is investing in this area, you approve access through Active Directory.”

Launched at this year's RSA Conference in San Francisco is the User Key Management Tool from SSH, which it claims will address these headaches by automating the process of identifying, organising and managing the abundance of private and public SSH keys in circulation within an organisation.

It said that this is an extension of its SSH Information Integrity Platform, and will serve to provide enterprises with the ability to identify, organise and maintain trust relationships of applications, user and service accounts to their respective target SSH servers through the management of public and private keys.

Tatu Ylönen, CEO of SSH Communications Security and inventor of SSH-1, said: “Enterprises' most critical data and applications are often transported and housed on SSH and OpenSSH servers.

“Those enterprises using public key authentication to manage access to those servers are faced with a significant challenge today in terms of knowing who and what may access those servers. This is not only a major security and compliance risk, it is also a cost issue, but many organisations manage this function manually with little or no oversight.”

McKenna said this is a logical extension of where the company has come from, and user feedback has been positive on both the problem and the resolution. “We talk to everybody and we know that everyone is having this problem,” he said.

“We offer three options for the key management tool: via a software deployment; a virtual appliance; or a hardware appliance. We have a central database with a file repository, we do not touch the private keys and the front end can manage the automation process.”
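As an added illustration of the inventory problem McKenna describes (example code, not from the original post and not SSH Communications Security's product), the script below parses authorized_keys contents, fingerprints each key the way OpenSSH does, and flags keys with no registered owner, keys whose owner has left, and malformed entries. The hosts, keys, key register and staff roster are all constructed; on a real estate the inputs would be the authorized_keys files collected from each server.

```python
"""Inventory the SSH public keys in authorized_keys files and flag orphaned ones.
Added example, not from the original post or SSH Communications Security; the
hosts, keys, key register and staff roster below are constructed."""
import base64
import binascii
import hashlib
import re
import struct
from dataclasses import dataclass

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ssh-dss")
# optional options first, then "<type> <base64 blob> [comment]"
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES))
                     + r")\s+(\S+)(?:\s+(.*))?$")


@dataclass
class KeyEntry:
    host: str
    account: str
    key_type: str
    fingerprint: str   # OpenSSH-style "SHA256:..." or "" if the blob is unusable
    options: str       # e.g. from="...",command="..."; empty when unrestricted
    comment: str
    problem: str       # "" or a parse-level problem such as a type mismatch


def fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64 of sha256(raw blob), '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_type(raw: bytes) -> str:
    """The first wire-format field of a public key blob is its length-prefixed type."""
    n = struct.unpack(">I", raw[:4])[0] if len(raw) >= 4 else 0
    return raw[4:4 + n].decode("ascii", "replace")


def parse_authorized_keys(host: str, account: str, text: str) -> list:
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            entries.append(KeyEntry(host, account, "?", "", "", line, "unparseable line"))
            continue
        key_type, blob_b64, comment = m.group(1), m.group(2), m.group(3) or ""
        fp, problem = "", ""
        try:
            raw = base64.b64decode(blob_b64, validate=True)
            fp = fingerprint(blob_b64)
            if blob_type(raw) != key_type:
                problem = f"declared {key_type} but blob is {blob_type(raw) or '?'}"
        except (binascii.Error, ValueError):
            problem = "undecodable key blob"
        entries.append(KeyEntry(host, account, key_type, fp,
                                line[:m.start()].strip(), comment, problem))
    return entries


def audit(hosts: dict, register: dict, active: set) -> list:
    """Classify each key as 'ok', 'orphaned' (registered owner has left),
    'unregistered' (nobody on record holds the private key) or 'malformed'."""
    report = []
    for (host, account), text in hosts.items():
        for e in parse_authorized_keys(host, account, text):
            owner = register.get(e.fingerprint)
            status = ("malformed" if e.problem else "unregistered" if owner is None
                      else "orphaned" if owner not in active else "ok")
            report.append((e, status))
    return report


def make_blob(key_type: str, *fields: bytes) -> str:
    """Base64 blob from length-prefixed fields, used only to build the constructed
    sample keys below (their key material is filler, not real public keys)."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(), *fields))
    return base64.b64encode(raw).decode()


ALICE = make_blob("ssh-ed25519", b"\x01" * 32)
BOB = make_blob("ssh-ed25519", b"\x02" * 32)
BUILD = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x03" * 256)
STRAY = make_blob("ssh-ed25519", b"\x04" * 32)

SAMPLE_HOSTS = {  # constructed authorized_keys contents, keyed by (host, account)
    ("db01", "root"): ("# constructed sample\n"
                       f"ssh-ed25519 {ALICE} alice@laptop\n"
                       f"ssh-ed25519 {BOB} bob@laptop\n"
                       f"ssh-rsa {ALICE} mislabelled\n"),
    ("db01", "deploy"): (f'from="10.0.0.5",command="/opt/deploy.sh" ssh-rsa {BUILD} build-server\n'
                         f"ssh-ed25519 {STRAY}\n"),
}
KEY_REGISTER = {fingerprint(ALICE): "alice", fingerprint(BOB): "bob",
                fingerprint(BUILD): "svc-build"}   # fingerprint -> registered owner
ACTIVE = {"alice", "svc-build"}                     # bob has left the organisation
```

Running `audit(SAMPLE_HOSTS, KEY_REGISTER, ACTIVE)` reports bob's key as orphaned, the unknown key on the deploy account as unregistered, and the mislabelled line as malformed, which is the list a leaver process would act on.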

The conversation on SSH reminded me a lot of the conversations on encryption and key management, and the need to be sure of who has what and where it is. This harks back to the basics of data security, and could be a solution to the greatest challenge.

Hackers, crackers and script kiddies: protecting your business data

April 16, 2012

No matter how immune you think your systems and security processes are, these days data breaches are unavoidable.

Historically, a data breach was impossible as systems and networks were standalone and inaccessible. Nowadays, everything is in the cloud or on the internet. Not only that, but the overall increase in processing power means that the ability to operate sophisticated attacks has also increased, and all we can do is accept it.

Yes, you will incur data breaches. Yes, your data can be accessed, and yes, despite that, you can protect it. 

The amount of data that organisations are creating today continues to grow (borne out by the amount of storage required). The Symantec 2011 Annual Study: The UK Cost of Data found that the cost per capita has risen to £79 from £71 in the previous study.

It is this increase in per capita exposure that suggests that attacks are homing in on information that is desirable, rather than large amounts of information that may bear something useful.

Most businesses are likely to come across one of three types of attackers. The traditional hackers will try to find vulnerabilities in your software and systems and provide feedback on where the faults are.

Crackers are a different breed: they try to find holes that they can exploit; they'll take your data, use it and sell it.

The script kiddies are the chancers of the bunch and the most dangerous. They hit Google, find a script and chance an attack. This can be anything from an ex-girlfriend's Facebook account to your customer's bank details. They are the most dangerous because they have no concept of what it is they are trying to do.

Today, it is generally held that no organisation is breach-proof, rather that breaches are going to occur. It is perhaps this laissez-faire attitude to information security that is accounting for an apparent reduction in the breadth of security breaches. 

For information security managers, the goal now is to make sure that the information that is accessed during a breach is utterly worthless to the attacker. A good example of this is where obfuscation is used, for instance only displaying the last four digits of credit card numbers unless the user has the correct privilege to unlock the rest of the details, or encrypting information that is safe in the hands of the owner.

This means that a company can accept that data may be accessed during a breach, but that it is utterly worthless to the attacker and it doesn't matter whether you use cloud computing or locally host your data.

A useful benefit of using keys to secure data is that in order to securely ‘delete’ the data, all that actually needs to be destroyed is the key. Once the key is destroyed, so is the data.
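The two techniques just described, masking for unprivileged viewers and crypto-shredding, as an added example that is not part of the original post or Proact's code. It assumes a per-record data key held apart from the records, uses a stdlib HMAC-SHA256 counter-mode construction in place of the AES-GCM a production system would use, and the card number is a constructed test value.

```python
"""Keep card data worthless to whoever copies the datastore: each number is
encrypted under its own data key, unprivileged callers see only the last four
digits, and 'deleting' a record means destroying its key (crypto-shredding).
Added example, not from the original post or Proact.  Stdlib only, so the cipher
is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a PRF-based stand-in
for the AES-GCM a production system would use; keys and numbers are constructed."""
import hashlib
import hmac
import os
import secrets


def _subkeys(key: bytes) -> tuple:
    """Separate keys for the keystream and the tag, derived from one data key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: concatenated HMAC-SHA256(enc_key, nonce || counter) blocks."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce(16) || ciphertext || tag(32); a fresh random nonce per call."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; raises on tampering or wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CardVault:
    """Two stores: records (what a breach copies) and keys (held apart, e.g. in an
    HSM or KMS).  Only the key store has to stay secret for the records to be noise."""

    def __init__(self) -> None:
        self.records = {}   # record_id -> {"pan_ct": bytes, "last4": str}
        self.keys = {}      # record_id -> 32-byte data key

    def store(self, record_id: str, pan: str) -> None:
        key = secrets.token_bytes(32)
        self.keys[record_id] = key
        self.records[record_id] = {"pan_ct": encrypt(key, pan.encode()), "last4": pan[-4:]}

    def display(self, record_id: str, can_unmask: bool = False) -> str:
        """Masked view by default; the full number only for holders of the privilege."""
        rec = self.records[record_id]
        if not can_unmask:
            return "**** **** **** " + rec["last4"]
        key = self.keys.get(record_id)
        if key is None:
            raise LookupError(f"{record_id}: data key destroyed, number unrecoverable")
        return decrypt(key, rec["pan_ct"]).decode()

    def shred(self, record_id: str) -> None:
        """Crypto-shredding: drop the key.  Copies of the ciphertext in backups or a
        breached dump become unrecoverable without any bulk purge; the masked
        last-four view kept in the record is all that survives."""
        del self.keys[record_id]
```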

Si Kellow is a security consultant and chief security officer at Proact

Compliance complacency

April 16, 2012

We all know that there is a minefield of governance, risk and compliance (GRC) regulations that companies must adhere to.

From the payment card industry data security standard (PCI-DSS), ISO 27000 series and COBIT, to the Financial Services Authority (FSA) and European Union data protection laws – the list goes on. All these rules are there to keep a check on situations such as data breaches, mergers and acquisitions and insider trading and so forth.

These regulations have brought high-level attention over recent years, and while they have led to new challenges for adequately securing an organisation, they have also been a driver for the advancement of business information security.

There are numerous contributory factors that can derail a company's efforts to stay compliant and lead it to become compliance-complacent. The most common factors boil down to a lack of understanding of: how to rationalise the different regulation requirements; the true cost of compliance (that is, as opposed to non-compliance); and the benefits of compliance beyond just avoiding fines and penalties.

On the subject of cost of compliance vs. non-compliance, either way it can quickly become expensive. The Ponemon Institute released the results of an interesting survey on ‘The True Cost of Compliance’ where they interviewed more than 160 leaders in major corporations to understand the exact costs of their compliance efforts, or the costs they faced for non-compliance.

The research captured information about direct and indirect costs associated with compliance activities during a 12-month period. The results were compelling: the average cost of compliance was £2.2m, the average cost per employee was £140 and the areas of greatest compliance cost were data protection and enforcement.

Further results from the study show that when you consider that the average company must comply with 45 different regulations, and heavy fines can be imposed depending on the severity of the misconduct, the average cost for non-compliance was £6m, or £520 per employee. It said the cost for non-compliance was 2.65 times the cost of compliance for these organisations.

If we just take a look at one of the main regulations, Sarbanes-Oxley: approximately half of mid-sized companies spend from £63,000 to £315,000 per year on this, with 70 per cent spending up to £630,000. It is perhaps not surprising that there is a tendency to be reticent about compliance.

However, it is not simply a case of calculating that paying a fine is cheaper than the process of compliance. Organisations need to think of compliance as an insurance policy – one that eliminates unforeseen costs while protecting business value.

Stock-market value reduction, the detriment to a company's brand reputation and potential loss of customers and intellectual property are all costly factors that can be eliminated if complacency is avoided.

So what does complacency mean from a security perspective? Globally, many companies have experienced a data breach of some kind and, of those breached, a high percentage lost revenues and customers as a result. Security is essential to the protection of a business's critical systems and information from unauthorised access and use as well as data leakage. It is an organisation's fundamental responsibility to take a more strategic approach to compliance.

The most effective way of reducing the compliance burden is to introduce risk assessment (that is, give higher priority to the compliance requirements that will mitigate the highest risk in your business) and rationalisation of controls for multiple regulations (rather than treating each regulation in isolation).

To enforce and automate these controls, turnkey solutions are available that will help an organisation to protect and monitor their critical digital assets and to understand who is using them and how.

This could range from understanding an employee's role in your organisation, what information he or she is entitled to access and how they are able to use it, through to analysing the behaviour of your users, evaluating the risk of their actions, and reporting on potential compliance risks and breaches. Can you really afford to be complacent?

Top ten tips on compliance:

1 - Assign who will lead your compliance efforts. Either use resources from inside your business or, if you don't have in-house expertise, then bring in a consultancy to help.

2 - Identify the various regulations that your business is governed by and understand the essential compliance requirements that make up these regulations. For organisations with international presence, you need to consider that each country might have its own local requirements. Concurrently, you need to work with the risk management team to find out your business risks and their priorities.

3 - Rationalise the compliance requirements of all your regulations as well as your internal policies and boil them down to a single set. Also identify any risks that are not sufficiently addressed and define the necessary compliance requirements to tackle the gaps; and highlight which compliance requirements will mitigate the highest risks in your business, and give special attention to addressing them.

4 - Figure out the policies and controls that need to be enforced to meet your compliance requirements; you'll find that it's an iterative process. Give special attention to the requirements linked to your highest risks.

5 - Understand the deadlines/timelines to compliance issues. Ensure that you plan and scope for phased projects that deliver, from a risk perspective, quick and measurable results in each phase.

6 - Invest in policy-based technologies that help you with automating your compliance controls and processes and monitoring their effectiveness – particularly the audit process, as it provides quick and high return on investment.

7 - Ensure information security awareness through educating and training your employees. You need to remember that hackers today use social engineering to compromise defences.

8 - Some compliance requirements are behavioural, not technological. Data-loss prevention technologies are ideal for educating users and driving their behaviour on how to best protect data while using it.

9 - Budget accordingly to ensure you achieve your objectives and do not run out of funding before demonstrating value. Also ensure board-level buy-in and maintain their attention by demonstrating ongoing value.

10 - Remember that compliance is an ongoing process, not a one-off effort.

Shirief Nossier is EMEA product marketing director for security management solutions at CA Technologies

Does the Information Commissioner have anything against local councils?

April 12, 2012

Last month I published an article regarding the Information Commissioner's spate of fines against local councils and government.

Titled ‘So what has the Information Commissioner got against local councils?’, it asked technology vendors and an IT manager at a local council why they felt that the epidemic of data loss had entered local government.

This week I spoke with information commissioner Christopher Graham about why he felt there had been such a rise in the number of incidents. He said that one reason is that staff are dealing with personal information, and often that is sensitive; he said these staff have to be made aware that they are dealing with people and not just numbers.

“Along with the managers of the NHS and Sir Bob Kerslake [permanent secretary at the Department for Communities and Local Government], I talk to the managers and make them aware that security is very real and this is an issue that they need to wake up to, and need to be aware that the ICO has got the power to fine them up to £500,000,” he said.

“The real impact is in reputation though; if they get branded as incompetently managed, their customers will not want to deal with them. The NHS is big and its technologies are less likely to go wrong, in local government there is a way to go.”

Two years ago, it was NHS trusts that had a major problem with data loss, leading to the Information Commissioner's Office (ICO) saying it was "highly concerned" about the amount of losses and "there are far too many within the NHS".

He advised that local government needs to focus on security and realise that it is dealing with vulnerable people; in the case of the Cheshire East Council data loss, where data was forwarded to 100 people after an employee used their personal webmail rather than the council's secure system, Graham said three simple solutions would be: training; understanding of what staff are dealing with; and awareness of the sensitivity of it.

Finally I asked Graham about the process of calculating fines which, since their introduction two years ago, have now seen more than £1m collected by the ICO from 14 enforcement actions.

He said: “When assessing a breach we have to take into consideration how serious it is or whether this was a result of negligence, and we take into account mitigation factors; if we are dealing with an organisation with no policy in place, then they are in a worse state if a mistake has been made, so it is not so black and white.”   

It may be hard to realise this from the headlines you read and I write, but the ICO is about more than data loss enforcement; its supervision of the Data Protection Act has now led to this being taken very seriously by business and is why fines for breaches make headlines.

The fact that ‘sectors’ are affected at the same time is more unfortunate coincidence than there being some kind of vendetta, but, as Graham said, with some simple steps any business can resolve challenging issues.

Twitter and Pastebin take action against spammers and rogue posters

April 10, 2012

In the last week there have been two instances of websites taking miscreants to court for apparent abuse of their services.

The most recent was Twitter's announcement that it has "filed a suit in a federal court in San Francisco against five of the most aggressive tool providers and spammers". The micro-blogging site has had a huge problem with spam – it said its engineers "continue to combat spammers' efforts to circumvent our safeguards" – and its latest weapon is the law.

A blog posted last week said: “One challenge in battling spam is bad actors who build tools designed to distribute spam on Twitter (and the web) by making it easier for other spammers to engage in this annoying and potentially malicious activity.

“With this suit, we're going straight to the source. By shutting down tool providers, we will prevent other spammers from having these services at their disposal. Further, we hope the suit acts as a deterrent to other spammers, demonstrating the strength of our commitment to keep them off Twitter.”

Calling the move "an important step forward", it said its engineering team is continuing to implement robust technical solutions that will help it proactively reduce spam, following on from scans within its link shortener as well as relying on users to report spammers.

The civil action is against defendants who are accused of distributing software tools "designed to facilitate abuse of the Twitter platform, [are] marketed to dupe consumers into violating Twitter's user agreements, or operate large numbers of automated Twitter accounts through which they attempt to trick Twitter users into clicking on links to illegitimate websites".

According to Paul Ducklin, Sophos's head of technology for Asia Pacific, one of the most prevalent tools is TweetAttacks, which was described by MoneyMakerGroup as "the ultimate Twitter auto follower, auto unfollower, tweet scraper, reply generator, auto retweeter, tweet spinner and tweet scheduler". Other sites explicitly mentioned in the lawsuit are TweetAdder and TweetBuddy.

Also last week, Pastebin announced plans to hire more staff to better police what was being posted to the site. With the website used by hacktivists for mission statements and data dumps, Pastebin currently relies on an abuse report system to alert it to material that might need to be removed, and asks its members not to post password lists, source code or personal information.

Talking to BBC News, Pastebin owner Jeroen Vader said he received an average of 1,200 abuse reports a day, and while it did not allow people to post email lists and other personal information that does not belong to them, trying to automatically filter out such pastes would be near impossible.

The announcement was not met with approval from Anonymous, who said "all aboard the censor ship" as a response.

Fortinet's Stefanie Hoffman said: “Pastebin may be cracking the whip on hackers who use the site for public data dumps. Over the years, Pastebin has become the publication tool of choice for global hacker collectives looking to publicly expose classified or otherwise sensitive information they acquire from various targeted organisations.

“Subsequently, the site has served as the dumping ground for illicitly swiped information from the FBI, the CIA, NATO, Sony, police agencies and various state and national governments, among other high-profile organisations.

“Currently, the site relies on an abuse report system that flags classified or illegal material that violates the site's terms and conditions, requiring that users refrain from posting passwords, stolen source code or other personal information. Pastebin states that anyone who fails to comply could have their IP address banned from the website and their information turned over to authorities.”

These moves are a huge step forward for the two sites. For Twitter, spam is a major problem which, it appears, is hard to iron out. Research by Barracuda Networks revealed how divulged the social network is, while any mention of popular keywords such as ‘Apple’ and ‘iPad’ will draw in automated spammers, often with a picture of a scantily clad woman claiming to be the person behind the account.

As for Pastebin, resources are always a challenge for any business; it has become the resource du jour for hacktivists to dump their treasure and spread their message, and its owners do not want to be associated with this. Ask any popular message-board monitor about the challenge of keeping up to date with posts, and then consider what Vader is up against.

The hiring of more people to deal with the issue is probably the best course for now, but surely automated monitoring and detection software could deal with the problem? Twitter's actions are also excellent, but I get the feeling that if "five of the most aggressive tool providers and spammers" go away, others will replace them.

Can a mastery certification in IT security lead to a career?

April 04, 2012

I recently spoke with a US-based not-for-profit trade association, to which I had been introduced previously, as it rolled out a new certification in IT security.

As with technology, other certifications are available, but the security arena seems to be a new one for CompTIA. R&D and sales director Rick Bauer said it offered training in IT across many skills, but its move into security was a first with "a new level of complexity".

He said it was gratifying to get security practitioners to collaborate and create an industry-wide credential.

“This is a wonderful opportunity to improve those skills; we are working with the storage industry to create ‘Storage +’ as people want to learn how to get from being a server admin to a storage admin. We talk to people and are trying to create certificates,” he said.

“You cannot simply go back to university, a professional cannot do that to make the next move to a larger environment and a better job opportunity.”

As well as the mastery certificate, Bauer also said that a programme called ‘Security +’ is offered, while more modules, including one for mobile app development, are being developed.

Speaking specifically on the mastery level in security, Bauer told me that CompTIA has had 450 professionals apply for it so far. He said: “There is a gap in the middle with guys who have ten years' experience in delivering cyber security with their eyes set on a CISO career, but who are missing the key skills.

“The US government approached us to do something for security at the network and do enterprise-level research and development across borders. There is a skills gap, most people do not realise that 85 per cent of federal government networks are managed by contractors.

“We are now all digital so can be managed more effectively, but now, in some cases, it is about exposure to the global internet, and this is increasingly a worry for the Department of Homeland Security – how do you get people at school level to think about cyber security?”

Bauer said the key area of the mastery certificate is that it is specifically for individuals with five to seven years' experience in security, and it can be completed offline or in a week intensively.

The exam covers security skills and techniques in enterprise security; risk management; research and analysis; and integration of computing, communications and business disciplines.

When we spoke, the second winner of the Cyber Security Challenge UK had just been announced as 19-year-old Cambridge University computer science student Jonathan Millican. I asked Bauer what he felt about this system, with its more social view of entry and keen interest in participation from the entrants.

He said: “I think it is wonderful, the US Cyber Challenge is sponsored by universities and corporates and we sponsor the Cyber Olympics. We realise people have gaming ability, so we say why not take it into security.

“We will see a sea change in IT skills, the new way is to make decisions based on how to do it and why. One of the more innovative points of the exam is we have simulators and the student has to go in and operate the simulator, so we have to try and figure out how to score their performance.”

Bauer said CompTIA plans to look more at security in the future, and its Open University-style approach to learning is likely to win fans on both sides of the Atlantic.

A minimum two years in jail for hacking, or five for using a tool?

April 02, 2012

Last week there came new announcements from the European Commission (EC) on dealing with cyber attacks.

Proposed law from the EC would make possessing or distributing hacking software and tools an offence, while cyber attacks on IT systems would become a criminal offence, punishable by at least two years in prison.

Once announced, it was approved by 50 votes in favour, one against and three abstentions; illegal access, interference or interception of data would be treated as a criminal offence.

In terms of punishment, the maximum penalty to be imposed by a member state for such offences would be at least two years' imprisonment, and at least five years where there are aggravating circumstances such as the use of a tool specifically designed for large-scale (such as botnet) attacks, or for attacks that cause considerable damage (by disrupting system service), financial costs or loss of financial data.

Also, using another person's electronic identity, for example by spoofing their IP address to commit an attack and cause prejudice to the rightful identity owner, would be an aggravating circumstance. MEPs say that member states must set a maximum penalty for this of at least three years in jail.

A company that sponsors a hacker for offences committed for their benefit, whether deliberately or through a lack of supervision, would also face penalties such as exclusion from entitlement to public benefits or a judicial winding-up order.

Finally, the proposal also targets tools used to commit offences: the production or sale of devices such as computer programs designed for cyber attacks, or which find a computer password by which an information system can be accessed, would constitute a criminal offence.

Rik Ferguson, director of security research and communication at Trend Micro, said: “In typical EU style, the document is convoluted; 33 proposals, 13 of them new and the rest amendments, but all in all it is a rational, well-thought-out document.

“It calls for harmonisation of penalties for cyber crime throughout the union and for the harmonisation of the definition of what exactly constitutes a crime. It introduces Europol as a central intelligence hub for national law enforcement agencies and promotes the sharing of best practices.

“It also recognises the importance of critical national infrastructure and places legal obligations on nations of ‘adequate standards’ of protection of information systems. It also states that the more risk inherent in the compromise of a system, the higher should be the budget spent on protecting it. The document also introduces the very democratic concept that if access to a system is illegally withheld, then entering that system without authorisation will not constitute a crime.”

In regard to custodial sentences, Ferguson said that a jail term should not be directly proportionate to the ‘means’ of committing a crime, but rather the outcome of the criminal actions, and these proposals fall somewhere in between.

“As for the proposals related to hacking tools, the legislation actually does a very good job of amending and clarifying the terms of the earlier document in this regard. This new proposal enshrines the concept of ‘intent’ at the heart of any clauses relating to hacking tools and recognises very clearly the dual-purpose nature of many of these tools,” he said.

“For example, the simple ‘possession’ of these tools is no longer in the scope of the document (amendment 22) despite what the press release from the European Parliament says; and the terms ‘purpose’ and ‘intent’ have been amended to read ‘clear purpose’ and ‘clear intent’. It is certainly possible to legislate for the misuse of any tool with criminal intent, and whether that tool is physical or digital shouldn't make any difference. The key to legislation which will not impact the lawful work of security researchers and organisations though is that question of intent, which I feel is adequately covered in this draft.”

Andrew Miller, chief operating officer at Corero Network Security, said the proposed legislation was a positive step in the international effort to rein in cyber criminals.

He agreed that standardising what constitutes a data breach or hack and harmonising the penalties will put cyber attackers on notice. “Hackers no longer will be able to count on poor international co-operation to escape accountability,” he said.

“However, a point of concern is the provision against the creation and distribution of hacking tools. In an effort to combat cyber attacks, security researchers and ethical hackers are continuously seeking these tools to demonstrate weaknesses within an organisation's network and as a way to reverse-engineer solutions to combat hacks. The spotlight should be on the crimes committed with the hacking tools rather than the tools themselves.”

In a similar announcement, the EC proposed simpler and more effective rules to close the loopholes that criminals exploit. It claimed that by strengthening existing laws on seizing assets gained from serious or organised crime, this will be an effective way of fighting crime and acting as a deterrent.

The seal of security

March 23, 2012

This week I met a vendor offering a technology that I dare say is rather unique.

Parveen Jain, president and CEO of Redseal Networks (and previously chief marketing officer at McAfee after his company, IntruVert Networks, was acquired in 2003), said he came out of retirement to lead Redseal, which he called "a CT or MRI scan for networks".

He said: “It will tell you what needs to be done. A lot of people put in place technologies that tell you what is happening on the network, but what we offer can help measure defences as it is built into the intrusion detection and prevention and data-loss prevention, so you can be assured of the level of security in the network.

“This is not a stress test, we are not penetration testers. This will look at your network and provide proactive security intelligence. It will look at your network infrastructure and within that there will be functional zones, so you will isolate them and provide security for them. You will assume that there is a firewall for that and it may have layer three or a thousand firewalls, but if they are mis-configured you are in trouble.

“The software will look at the code and say which device is mis-configured and tell you what could happen as a result. This will identify which line is mis-coded and isolate it. Once you have this information, that will help prioritise what to fix.”
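As an added illustration of the rule-by-line analysis Jain describes (this is not Redseal's code; the rule syntax, zones, policy and probe flows are all constructed for the example), the following checks a small first-match rule set and reports the line that lets a forbidden zone pair through:

```python
"""Find which firewall rule line lets traffic cross a zone boundary that policy forbids.

Added illustration of the kind of configuration analysis described above; this is
not Redseal's code. It assumes a simplified, constructed first-match rule syntax:
    <line> permit|deny <tcp|udp|ip> <src-cidr> <dst-cidr> [dst-port]
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    line: int
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]              # None matches any destination port


# Constructed functional zones for the example, keyed by name.
ZONES = {
    "public": ipaddress.ip_network("203.0.113.0/24"),
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "cardholder": ipaddress.ip_network("10.20.0.0/24"),
}

# Assumed zone policy: which (source zone, destination zone) pairs may ever talk.
ALLOWED_PAIRS = {("public", "dmz"), ("dmz", "cardholder")}

# Constructed rule set. Line 20 was meant to let only the DMZ reach the
# cardholder database, but its source is "any", so the public zone gets
# through before the deny on line 30 is ever consulted.
RULESET = """
10 permit tcp 203.0.113.0/24 10.10.0.0/24 443
20 permit tcp 0.0.0.0/0 10.20.0.0/24 1433
30 deny ip 203.0.113.0/24 10.20.0.0/24
40 deny ip 0.0.0.0/0 0.0.0.0/0
"""

# Representative flows to probe, one per boundary of interest: (proto, src, dst, port).
PROBES = [
    ("tcp", "203.0.113.7", "10.10.0.9", 443),    # public -> dmz web, allowed by policy
    ("tcp", "203.0.113.7", "10.20.0.5", 1433),   # public -> cardholder DB, must be blocked
    ("tcp", "203.0.113.7", "10.20.0.5", 22),     # public -> cardholder ssh, must be blocked
    ("tcp", "10.10.0.9", "10.20.0.5", 1433),     # dmz -> cardholder DB, allowed by policy
]


def parse_rules(text: str) -> list:
    """Parse the constructed rule syntax into Rule objects, keeping file order."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        line, action, proto, src, dst = parts[:5]
        port = int(parts[5]) if len(parts) > 5 else None
        rules.append(Rule(int(line), action, proto,
                          ipaddress.ip_network(src), ipaddress.ip_network(dst), port))
    return rules


def first_match(rules, proto, src_ip, dst_ip, port) -> Optional[Rule]:
    """First-match evaluation: the first rule whose fields cover the flow decides it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r
    return None   # nothing matched; a real device would apply its implicit default


def zone_of(ip, zones) -> Optional[str]:
    """Name of the zone containing ip, or None if it is outside every modelled zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in zones.items() if addr in net), None)


def find_violations(rules, zones, allowed_pairs, probes) -> list:
    """Return (rule line, src zone, dst zone, proto, port) for each probe that a
    permit rule lets across a zone pair the policy does not allow."""
    violations = []
    for proto, src, dst, port in probes:
        pair = (zone_of(src, zones), zone_of(dst, zones))
        if pair in allowed_pairs or pair[0] == pair[1]:
            continue
        hit = first_match(rules, proto, src, dst, port)
        if hit is not None and hit.action == "permit":
            violations.append((hit.line, pair[0], pair[1], proto, port))
    return violations


if __name__ == "__main__":
    found = find_violations(parse_rules(RULESET), ZONES, ALLOWED_PAIRS, PROBES)
    for line, sz, dz, proto, port in found:
        print(f"line {line}: permits {sz} -> {dz} {proto}/{port}, which zone policy forbids")
```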

Established in the US, the company is now targeting Europe with a healthy presence in retail, financial services and government agencies, and partnerships formed with Cisco, McAfee and ArcSight. The partnerships with these and the likes of Rapid7, Tenable and Qualys allow the software to correlate both sets of data.

The company calls its technology "proactive security intelligence" and says it is similar to security information and event management (SIEM) solutions, but different in that it is continuously monitoring and always on-premise.

Rob Pollard, general manager EMEA at Redseal, said the challenge for businesses is to find time to deal with change.

“The problem is the CISO meets the CEO and is asked how secure the network is, so how do they measure it? You cannot manage what you cannot measure, and if you cannot measure, you cannot change it,” he said.

“What is needed is a metric for security, to tell you how secure you are and the level of exposure. We offer a continuous dashboard for the measurement of security, what has expired and what is the compliance position.”

As well as the continuous monitoring, Jain also said that it allows for software testing to be done before installation. “Security guys are not lazy, they are high-quality professionals, but networks are convoluted and they are too busy to check the rules, and if they want to test software, do they check it or run it anyway?” he said.

Pollard added: “Also, every time a change is made, it will check that nothing has happened to impact the security or situation.”

Redseal offers one product which Jain told me has been enhanced over time, with capability added for legacy systems: "You cannot ignore them as they may be the culprit and you have to be prepared for those types of things."

I was asked what I thought of the product based on this discussion, and what struck me was that this seemed rather unique. There are the likes of Splunk, BDNA and Red Lambda that offer network mapping, while security vulnerabilities are discovered by the aforementioned Qualys, Rapid7, and Secunia. As for continuous monitoring, well, there is no end of vendors offering that capability.

I am sure that there will be many who will tell me that they are/have been doing something similar to Redseal for years and have more users/customers/partners, but this seems a particularly useful piece of technology that could benefit many. Yes, with each piece of software comes more vulnerabilities, but better to begin to eliminate those that are already there, right?

 

Data security and the public sector: it never rains but it pours

March 20, 2012

On the face of it, you might be tempted to say that the public sector gets more than its fair share of data breaches, and following the spate of fines from the Information Commissioner's Office (ICO) this month, there is clearly an issue here.

Public sector organisations frequently employ large numbers of people carrying out a large number of diverse roles. Naturally, the more people that an organisation has, the trickier it becomes to manage the IT systems for all employees.

It quickly becomes a complex web of files, applications, access rights and communications tools; the juggling act that IT departments and CIOs in the public sector face is no doubt huge.

However, the news from Cheshire East in particular highlights the risk that human intervention can bring to data security and the need for organisations to ensure that employees have the right tools for the job.

To recap: rather than sending a sensitive email through the council's secure system, an employee sent it using her own webmail account. The email contained information on an individual the police had concerns about. Because it was sent over an unsecured system, the email was seen by a further 100 recipients, where the secure system would otherwise have blocked it.

Tellingly, the employee claims that the reason she sent it in this way was because the intended legitimate recipient did not have an appropriate email account to receive the information, and that using the council's secure email system would have prevented the information from being sent as intended.

Being able to transfer data from one place to another is essential to the running of any modern organisation; and with many organisations spread over large areas and increasingly taking up remote working, it would be unfeasible to work without quick and efficient data transfer.

However, there is no reason for it to be insecure. Cheshire East clearly had an email system that was secure, but the problem was that it was obstructive to the performance of day-to-day tasks.

It is absolutely vital that employees are empowered and able to follow data-protection policies. It is utterly self-defeating to have an excellent data-security policy if it is combined with technology and software that interfere with following it.

For example, an organisation's requirement for all files to go through its encrypted email servers becomes completely redundant when the files being transferred are too large to be transmitted or can't be received by the recipient.

This kind of technical deficiency is exactly what frustrates employees and leads them to use insecure channels to carry out their jobs, as was the case in Cheshire East. An email security system that interfaces into the organisation's default email client (for example, Outlook) with a comprehensive policy enforcement engine would enable large files to be transmitted securely, while security policies and procedures are automatically adhered to.

Protecting valuable data is paramount to any organisation and the real challenge is being able to manage this data effectively. In order for an organisation to gain real value from its data, secure systems need to be implemented to not only manage but provide a holistic view of the data so that it can be used for competitive advantage.

A sad fact of life for network and security managers is that despite their efforts to create systems that are perfectly designed and executed, people are still capable of making mistakes. Almost inevitably, data loss is most likely to be caused by human error – whether through ignorance or negligence.

This means it is especially important that employees working with sensitive and valuable data are not only properly educated about their role and responsibility with regard to the Data Protection Act, but are suitably equipped with the technology and tools that can help to prevent human error from leading to serious data breaches.

Denis Sennechael is vice-president of EMEA sales and operations at Axway

 

Fortinet highlights the need for speed

March 20, 2012

Last week I met with Fortinet, which announced that its intrusion prevention system (IPS) had been certified as the fastest in the industry and as having the leading catch rate.

FortiGate-3950B was tested using BreakingPoint security-testing products and NSS Labs test-criteria methodology.

It said that two layer-four and layer-seven tests were conducted, one with IPS optimisation enabled and the other without. The traffic setup was unidirectional and a large number of IP addresses were used on both the client and server sides to provide the most realistic network conditions.

FortiGate-3950B provided a throughput of 16.9Gbps, which Fortinet said is "necessary to deliver the advanced IPS services required to detect and block incoming threats without affecting network performance".

I spoke with Fortinet's Mark Hyland about this and the UTM market, which had been boosted by Dell's acquisition of SonicWALL earlier in the week.

He said: “Our partners look at the SME as a window of opportunity. The FortiGate is for mid-market and offers functionality such as a WiFi controller, a VPN and two-factor authentication, but some users don't know about this.

“All of our technology is built in-house. As for the next-generation firewall, we were doing that years ago with our first unified threat management (UTM) system. We have got the fastest firewall in the world and we believe that if you can do fast, you can do more. It comes down to architecture and technology.”

Hyland said its next step is to enhance the capabilities of its firewall for classification of packet data; after all, if it can do things quickly, then it will want to be able to do so capably.

I asked Hyland if he felt that faster meant less secure. He said that with one of the biggest service providers in the world as a customer, he was confident, but the priority was security.

“It is intelligence built into a network, you have got to embed it not just at the core but push it out to the network edge for mobile devices and laptops,” he said.

Many vendors will tell me (and probably you too) that their solution is the fastest, most capable and most secure with the most functions.

Whether you believe them is up to you, but what Fortinet said does make sense. If the throughput is faster, you can analyse more in the same space of time. But the challenge comes if you decide that a 'proper' job takes longer.

 

The bottom line: are adult sites the most secure, or the most targeted?

March 15, 2012

Recent hits on adult websites such as YouPorn and Digital Playground have shown that hacking of personal details has no chance of stopping and more sensitive sites are just as fallible.

The YouPorn breach saw the credentials of more than a million registered users openly accessible on the chat page, while Digital Playground was hacked with 40,000 plain-text credit-card numbers, names, CCV numbers and expiration dates stolen, along with the personal information of 72,000 users.

Despite these occurrences, it has long been assumed that adult sites are among the most suspect, along with online gambling and social networking, due to the likelihood of malicious content. Well, the truth is that the genuine sites are likely to be as secure as the rest and best of the internet; I did try to talk to some leading adult websites but sadly got no response.

The problem is ‘sex’ and ‘pornography’ are among the most searched-for terms, and cyber criminals are quick to pounce on that, creating websites that promise to host all sorts of sought-out activities. Catch the ‘distracted’ surfer and you can install malware, grab their personal details or even their credit-card details, depending on how keen they are to view the content.

Research by BitDefender found that 63 per cent of users attempting to find adult content on their computers compromised their security on multiple occasions. Of 2,017 surveyed (of which 78 per cent were men), more than 72 per cent admitted to having searched for and accessed adult content sites; of content downloaded, 91 per cent was videos that can be downloaded from different sources including torrents, websites and hubs.

Cyber criminals have also buried their way into legitimate websites and added indecent images to them, such as with the instance where the Sesame Street YouTube channel was intercepted.

Research by G Data from 2011 found that pornography sites are fooling UK web users; a survey of almost 16,000 web users in 11 countries found that 37 per cent assumed that porn sites were more likely than hobby/leisure websites to contain malware.

It said that in reality these recreational websites are, in many cases, easier to attack than professionally run pornography sites.  

Eddy Willems, security evangelist at G Data, said: “There is a natural assumption among internet users that pornography sites are more dangerous than other leisure sites. This is a myth. Amateur hobby/leisure sites are often not professionally run like many pornography sites, making them much easier prey for hackers.

“In the past, malware was written by developers who wanted to show off their technical skills, meaning it was visible to infected users. Now cyber criminals design, sell and make use of malware that enables them to take control of PCs' computing powers in such a way that users do not notice the infection. Internet users must correct their misconceptions in order to stay safe online.”

I spoke with writer Patchen Barss, author of The Erotic Engine, a book about the adult industry and technology. I asked him if he believed that adult websites were leading the way in security technology as they are invariably behind a paywall and it could be deemed that they have more to lose.

Barss said: “It makes sense that adult companies lead the way with technological security solutions – they were pioneers in selling content online, which meant they were the first to learn how to protect their product. There are many examples: Playboy was a pioneer in the simple but effective ‘digital watermark system’, which allows online content providers to prove copyright infringement in a court of law.

“A company called Takedown Piracy claims to have removed more than three million copyright infringements on behalf of the adult industry. The bottom line is that adult companies continue to be some of the only ones making money selling content online, which means that, by necessity, they must also be leaders in technological solutions to protect their content.”

Talking to him about the G Data research, I asked Barss if he felt people were compromised because the ‘bad guys’ knew where they were going, rather than this being an overall problem.

He said: “People can, of course, be hacked anywhere, but there's no doubt that the adult industry is marginalised from the mainstream, and that it naturally attracts more than its share of dirty dealers.

“It makes intuitive sense that, if you are going to try to attack someone's computer – whether it's for identity theft, sheer maliciousness or some other motivation – you would hit people when they are seeking or consuming adult content, if for no other reason than victims would be less likely to seek redress for fear of having to reveal publicly what they were doing on their computer when they were compromised.”

I don't doubt that the leading adult websites are as secure as the major shopping sites, or any other sites that require subscriptions, but as incidents have illustrated, nothing is safe.

As research has shown, the number of web application vulnerabilities is rising, and with adult websites relying on video content, it may not be that complicated to install an exploit.

 

Riding the WiFi train, securely

March 13, 2012

Most Londoners will have seen by now that the Tube is due for an upgrade prior to the Olympic Games this summer.

This upgrade will also add a WiFi network for passengers waiting at platforms to enable them to surf the web, access emails and do their shopping online. WiFi will be accessible to staff and passengers and, consequently, may also carry communications between employees on the platform and those in the control room.

In the aftermath of the 7/7 bombings, the need for a more advanced communications system was identified and, as a result, Transport for London (TfL) put in place the £2bn Connect digital radio system. The WiFi upgrade will add another layer of sophistication on top of this, providing another advanced communications channel to staff.

With most underground platforms in the region of 140 metres long, range is no problem for a couple of WiFi access points on each platform: the effective range of WiFi is usually between 30m and 95m, depending on the power, number of antennae and the wireless standard used.

Although the eastbound platform at Hornchurch (at 231 metres) may cause a few headaches, there should be few issues providing an effective connection. Indeed, most consumers using smartphones and tablets on the move will be used to 3G speeds (on average, around 2.7Mbps in London), meaning that internet access underground may actually be quicker than that experienced above ground.

Furthermore, because the service is restricted to platforms, maintenance will be much easier than if access points were located in the tunnels and WiFi were granted to passengers on trains. However, with staff and the general public sharing WiFi access, there are a few obvious security and technical concerns.

The two main implications for staff and consumers sharing WiFi are security and availability. It is absolutely imperative that staff can continue to communicate and access both internal and external resources (such as intranet or website content) however crowded the station platform and however many consumers are using the WiFi.

While many of the conversations and data exchanges between staff will be reasonably mundane, a number will also be confidential, so these WiFi streams must not only be available, but also separate and secure.

There are a number of ways to accomplish this, but the simplest is to take a two-tier approach. TfL could segment the available bandwidth from the routers between staff and the general public, using a policy to define these amounts, based on availability.

There should also be the provision for overriding these limits in the event of an emergency and platform staff needing high bandwidth for high-resolution repair manuals or engineering diagrams.

On security, while the public should enjoy reasonably open WiFi access, staff should connect via SSL VPNs, whereby all traffic is encrypted and each user has their own secure tunnel.

Mobile users will be used to roaming between masts, but this is not typically common with VPNs over WiFi. Many do feature automatic reconnection so that data and downloads are not lost, but with staff connecting on platforms and WiFi range generally extending for most of this distance, this should not cause problems and roaming/automatic reconnection may not even be necessary.

SSL VPNs that use encryption and tunneling protocols to keep data secure should safeguard private information, and even in an extreme case should not be intercepted by vandals or other parties. The security standards will still need to be revisited periodically, but this should not be a challenging issue.

The WiFi system will need a degree of application awareness: emergency phone calls made by staff should be given absolute priority, whereas web browsing is much less important (in most cases); but these policies will need to be set by TfL, or by individual stations according to their needs.

There are a small number of other security concerns that TfL should bear in mind, one of which is that of rogue access points. Although it is unlikely, it is possible that someone could set up a WiFi hotspot concealed in a station, connect it to an authentic access point and configure it to look identical and intercept all of the network traffic and private data.

This is reasonably simple to avoid by configuring an extra access point at each station to monitor for any changes to WiFi configuration and alert the relevant staff. Moreover, given the physical geography of the average underground station, this would be quite difficult to do undetected.
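An added example of the monitoring approach just described (not TfL's or F5's code; the station's authorised-AP inventory, the SSID names and the scan records are constructed, and the "ssid,bssid,security,channel" scan format is assumed): it compares what a monitoring radio hears against the authorised access points and raises an alert on impersonation of a managed SSID, on an authorised radio drifting from its recorded configuration, and on an authorised radio going quiet.

```python
"""Alert on rogue or altered access points from a monitoring radio's scan results.

Added example of the monitoring described above; it is not TfL's or F5's code.
The authorised-AP inventory, SSID names and scan records are constructed, and
the scan format ("ssid,bssid,security,channel") is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str        # radio MAC, the stable identity of a physical access point
    security: str     # "open" or "wpa2" in this constructed example
    channel: int


# Assumed inventory for one station: what each authorised AP must advertise.
AUTHORISED = {
    "aa:bb:cc:00:01:01": Beacon("TfL-Public", "aa:bb:cc:00:01:01", "open", 1),
    "aa:bb:cc:00:01:02": Beacon("TfL-Staff", "aa:bb:cc:00:01:02", "wpa2", 6),
}

# Constructed scan from the monitoring AP. Record 2: the staff network is
# suddenly open. Record 3: a radio nobody owns is beaconing the staff SSID.
# Record 4: a passenger's hotspot, not our concern. Record 5: a lookalike name.
SAMPLE_SCAN = """
TfL-Public,aa:bb:cc:00:01:01,open,1
TfL-Staff,aa:bb:cc:00:01:02,open,6
TfL-Staff,de:ad:be:ef:00:01,wpa2,6
Bobs iPhone,12:34:56:78:9a:bc,wpa2,11
TFL Public,de:ad:be:ef:00:02,open,1
"""


def _norm(ssid: str) -> str:
    """Normalise an SSID so case, spacing and hyphen tricks still match our names."""
    return "".join(ch for ch in ssid.casefold() if ch.isalnum())


def parse_scan(text: str) -> list:
    """Parse the assumed comma-separated scan records into Beacon objects."""
    beacons = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ssid, bssid, sec, ch = [p.strip() for p in raw.split(",")]
        beacons.append(Beacon(ssid, bssid.lower(), sec.lower(), int(ch)))
    return beacons


def find_anomalies(beacons, inventory) -> list:
    """Return (kind, beacon) alerts. Kinds: rogue-ssid (one of our names from an
    unknown radio), ssid-changed / security-changed / channel-changed (an
    authorised radio no longer matches inventory), missing (an authorised radio
    is no longer heard)."""
    our_names = {_norm(ap.ssid) for ap in inventory.values()}
    alerts = []
    for b in beacons:
        expected = inventory.get(b.bssid)
        if expected is None:
            if _norm(b.ssid) in our_names:
                alerts.append(("rogue-ssid", b))
            continue          # unrelated networks are not alerted on
        if b.ssid != expected.ssid:
            alerts.append(("ssid-changed", b))
        if b.security != expected.security:
            alerts.append(("security-changed", b))
        if b.channel != expected.channel:
            alerts.append(("channel-changed", b))
    heard = {b.bssid for b in beacons}
    for bssid, ap in inventory.items():
        if bssid not in heard:
            alerts.append(("missing", ap))
    return alerts


if __name__ == "__main__":
    for kind, b in find_anomalies(parse_scan(SAMPLE_SCAN), AUTHORISED):
        print(f"{kind:17} ssid={b.ssid!r} bssid={b.bssid} {b.security} ch{b.channel}")
```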

There is little doubt in most people's minds that WiFi on the London Underground will be a huge asset to the city before, during and after the Olympics. While there are a number of concerns, TfL will undoubtedly have done its due diligence and both secured and separated WiFi data streams for passengers and staff. As long as a few straightforward steps are followed, it should enhance the lives of both commuters and tourists significantly.

Nathan Pearce is EMEA product manager at F5 Networks

 

Imprivata CEO looks at IAM in the past and healthcare in the future

March 08, 2012

This week I met with Imprivata CEO Omar Hussain, head of a company that has nailed its colours well and truly to the mast of healthcare security.

Hussain said the company is focused on healthcare and rather than doing standard "fortress protection" technology such as intrusion prevention and anti-virus, it prioritised security around accessing information to offer a standardised solution to accelerate and enable productivity.

He said: “Prior to three years ago, we made a conscious decision to move away from password management and identity and access management (IAM) to focus on healthcare. We make technology that makes it easier to access information that makes it easy for everyone to use to save time and money and enabling healthcare security.

“We are now playing a big role in healthcare and patient privacy as everybody is afraid that they don't want medical details to become public knowledge as it cannot be taken back once it is out.”

Hussain said existing solutions have made it harder for clinical staff, as they have not been specifically designed for healthcare environments, while it has decided to deliver "a better product that makes access easier".

“If it can save five clicks it can add up to a ton of money and time saved,” he said. “The customer tells me that after the electronic medical record (EMR), this is the most critical solution.”

Last year the company announced a deployment of its single sign-on technology across 97 hospitals and 1,300 GP practices by NHS Scotland. This week it announced that 91 English trusts and three in Northern Ireland are using its OneSign product.

Hussain said: “NHS organisations face two inherently conflicting goals: improve efficiency and tighten security practices around patient health information. Imprivata has worked closely with care providers to ensure that data security is unobtrusively into day-to-day tasks, promoting efficiency rather than hindering it.”

Among the new products and features introduced is CorText, a secure texting service for clinicians, which enables them to instantly and securely collaborate with each other by sending images of clinical exam findings, EKGs and radiological studies.

Hussain said: “Texting is not used in healthcare as information is exposed and there is no backup or archive. We have added location services, status updates and notifications – so if you send data you know that the recipient has got it and looked at it.”

The company also announced a developer programme that will enable third-party vendors to embed its No Click Access capabilities, single sign-on and authentication management technology into their software and hardware devices.

I asked Hussain if he was responding to customer requests with the launches, or going by trends. He said: “I don't think that customers know what they need, but they know what their problems are. We get a board of customers together twice a year and talk about what they are dealing with.

“The CEO will say to me we don't have a texting problem as the nurses are not carrying phones, but the CIO will say that their number-one problem is that they cannot control devices. Look at trends, people want mobility and want to use technology as the IT side is boring but productivity is improved for machinery.

“Look at the evolution of healthcare, it is an industry that embraces technology, but one of the biggest hindrances is security restrictions on patient privacy.”

He said that rather than embracing consumerisation of IT, healthcare was fighting it as there was too much risk with sensitive medical information being stored on a personal device.

He said: “People ask if security and patient privacy are a big concern. I say if you are taking medicine for something sensitive like a sexually transmitted disease or alcohol abuse, then if the answer is no, it is not a big problem. If the answer is yes, then it is a huge issue.

“This is why it will become more and more important as patient privacy will become a critical component. Even if it is in a file in a clerk's office, once it is available anyone can get it.”

Looking at the IAM sector, I asked Hussain how he saw it now that it was well into the healthcare-specific area. He said IAM is a "huge gamut" of technologies and vendors who do different things, or "stack vendors", and the challenge for end-users was to decide whether to buy the stack or best of breed.

“This is not a business we are in, with pure single sign-on we will win a deal and that is why we got out of IAM,” he said.

Hussain concluded by saying that Imprivata do not attend the Infosecurity Europe show any more. Is this because the company is now so focused on healthcare that information security is not a concern? Of course not, its decision to allow other vendors to use its technology proves that it still has one foot in security.

However, the company's decision to focus on healthcare will likely lead it to develop solutions for customer needs on strict data protection: something that becomes ever more challenging as regulation changes.

 

Security - it's all about four things

March 07, 2012

It has been suggested that you could define modern security with four words beginning with C: cloud, consumerisation, collaboration and cyber crime.

After all, they do summarise the main talking points for most people I encounter, though thankfully only one at a time. But could you pick a different letter? A recent report from Thales, which aimed to be a practical guide for companies to assess their cyber-security strategy, suggested that it could be the letter S – and no, we are not talking about sun, sea, sand and surfing.

OK, I am cheating to create a trend because Thales's S denotes ‘secure’ – its guide suggested that to help audit their cyber-security risk, businesses should secure: information; people; communications; and infrastructure.

Thales said that these four are the main areas of cyber security addressed by best-practice organisations. It advised organisations, which wish to mitigate the risk posed by increasingly large-scale, sophisticated cyber attacks, to ensure that they are allocating their investment in cyber security appropriately and not over-protecting non-sensitive data or under-protecting business-critical data.

On securing information, it recommended conducting an information audit to categorise information by value, reviewing the governance of information security and considering the impact of the organisation's culture on information security.

To secure people, it claimed that organisations often focus on providing staff with procedures and guidelines on their responsibilities to keep the organisation secure. It encouraged businesses to ensure that they are well-versed on the relevant legislative conditions that they should operate within, roll out identity-based access to information to ensure that people only access data they are authorised to view, and audit how personal IT is regulated in the workplace; and, for home workers, to ensure that staff and the organisation are protected.

For communications, Thales recommended this be underpinned by policy and procedures, by communicating the cyber-security strategy and information audit in a secure manner and investing in enterprise encryption to mitigate the risk of IP theft and data loss.

Finally, for a secure infrastructure, it recommended conducting an audit of service providers and measuring their security, reviewing service-level agreements, monitoring critical networks and reviewing information storage security.

Ross Parsell, director of cyber strategy at Thales UK, said: “Our report identifies what CIOs and security professionals should be thinking about when assessing the sophistication and effectiveness of their organisation's cyber-security strategy.

“We have developed this guide in response to the very sizeable and tangible cyber-crime threat facing businesses in 2012. We hope those with the heavy burden of developing and executing cyber-security strategies will be able to use this framework to stress-test cyber security measures which may already be in place across the business.”

If only life were as easily pigeonholed into four areas. Well, it isn't, but sometimes it takes a breakdown such as this to realise that the challenges are more contained than they seem.

 

Big Data - marketing speak or a realistic challenge?

March 05, 2012

One of the key themes of our look forward to 2012 also became a key talking point of last week's RSA Conference.

A recent survey by LogLogic found knowledge of Big Data – what it actually is – to be restricted, and going by some of the comments made last week, it is hard to determine whether there is a genuine understanding of the challenge, let alone its resolutions.

Security commentator Bruce Schneier said "the rise of Big Data is a threat we need to take seriously" in his presentation, while RSA executive president Art Coviello said in his keynote that Big Data refers to the gathering of security-relevant data sets in unprecedented scale and in numerous formats, which must be gathered from every part of an infrastructure and beyond, and correlated using high-speed analytics to produce actionable information.

Coviello said: “The age of Big Data has arrived in security management, enabled by advances in data storage systems, computing power and analytical tools that, when combined, eliminate the old trade-off between the cost to collect and store data on the one hand and the cost and time required to analyse the data on the other.

“With this Big Data capability, security teams can stop wasting money on obsolete controls and time-tracking those meaningless individual events. They'll have what they really need to be most effective in their jobs, ready answers to the most difficult questions about advanced threats, compliance, fraud and other risks.

“Security teams will have the power to recognise the enemy within quickly, isolate compromised elements of infrastructure, protect information assets and render attacks harmless. In essence, Big Data gives you the power to shrink your window of vulnerability.”

So is this an extension of how security information and event management (SIEM) technology should be used? Richard Bejtlich, chief security officer at Mandiant, said on Twitter that his take on Big Data was that it is "detection = collection + analysis and response = escalation + resolution", and that "too many declare victory after collection".

I recently spoke with Chris Boorman, chief marketing officer at Informatica, about the sensation of Big Data and whether he felt it was just a marketing term to facilitate the sale of data-crunching technology.

He said: “This is something that is happening now, and vendors are jumping on the Big Data bandwagon. I have never seen this happen before, where a company has no idea where data is, and I have never seen such a change. Every organisation is now looking at their environment.

“It is about how you evolve the cloud and use applications and data. If it is now beyond the firewall, it is now hitting the enterprise. Everyone is now reeling under the impact and this is an opportunity of all sorts for new types of data, to understand what it means and how to use it.”

In a recent Forrester blog, James Kobielus asked if Big Data was "marketecture", or referred to "a set of approaches that are converging toward a common architecture that might evolve into a well-defined data analytics market segment".

He said: “When, if ever, will data scientists and others be able to lay their hands on truly integrated tools that speed development of the full range of Big Data applications on the full range of Big Data platforms?

“Perhaps that question is also a bit overbroad. Here's even greater specificity: when will one-stop-shop data analytic tool vendors emerge to field integrated development environments (IDEs) for all or most of the following advanced analytics capabilities at the heart of Big Data?”

He said he doubted that a technology – which would need to include data architecture, data integration, data governance, master data management, metadata management, business rules management, business process management, online analytical processing, dashboarding, advanced visualisation and other key infrastructure components – would emerge any time soon.

“The only vendors whose current product portfolios span most of this functional range are SAS Institute, IBM and Oracle. I haven't seen any push by any of them to coalesce what they each have into unified Big Data tools,” he said.

Another analyst report by Matthew Aslett from the 451 Group said "the biggest problem with Big Data… is that the term has not been – and arguably cannot be – defined in any measurable way" – because the size of the Big Data market cannot be determined. “You may as well ask ‘how long is a piece of string?’,” he added.

I put these thoughts to Boorman. He said that the challenge of Big Data has come about because of the transition from the desktop to the mobile device, with this enabling different ways of processing data and new technologies.

He said: “Big Data is a confluence of traditional data and Big Data processing, and organisations will want to know how to do this. More data needs to be integrated and turned into value.

“In terms of it being a marketing term that is in vogue, Big Data is about data being broken down and put into compartments so it can be used better. It is not just about moving and copying data, new data is being created: from GPS off a phone; via social networking sites; it is genomic data from pharmaceutical devices; or smart metering data – all types are affecting enterprises.”

You could call Big Data a marketing term, but in the same vein you could call governance, risk and compliance (GRC), or ‘infosec’, terms that have been created by marketing and thought leaders.

Regardless of the label, Big Data has now become such a key factor of IT and information security that it has gained its own name, and while managing large amounts of data has to be taken seriously, managing Big Data has never been so important, complicated, and vital to business security.


Porno breach keeps us all abreast of password frailty

February 27, 2012

Last week brought more password-related news, as it was announced that the usernames, email addresses and passwords of members of a leading porn site were publicly available.

Anders Nilsson, CTO and security specialist at Eurosecure, said the credentials of more than a million registered users were openly accessible on the chat page of YouPorn, until the server was taken down. Apart from the embarrassment for those whose details were exposed and those amused that 'they'll go blind for looking at it', this led to more analysis of passwords.

Analysis of the YouPorn passwords by passwordproject.com found that two per cent of members (124,095) used the password ‘123456’, while 26 per cent (1.2 million) used a password that was six characters long. More than a thousand had a password that was 32 characters long.

According to cloud identity security solutions provider Ping Identity, a survey of 2,000 UK consumers found that 60 per cent of them need to remember more than three different passwords daily, while 21.6 per cent need to remember more than eight passwords. Not surprisingly, 61 per cent admit writing down their passwords.

John Fontana, identity evangelist at Ping Identity, said: “The more passwords we're forced to remember, the more we're likely to forget or write down in an effort to ensure we always have access to the accounts that matter. Not only does this leave individuals open to fraudulent activity and exposes the businesses they work for, but it also highlights the value we place on different passwords.”

As we analysed at the start of January, with the data from the Stratfor attack and breach – where passwords such as 123456, 11111111 and 123123 were common among customers – it is less a story about the randomness of the password and more about where and how frequently it is used.

After all, you could have a 32-character password, but if you use it for multiple logins, the security you have created is undone. We will probably see this story emerge again and again until a credible solution is presented to prevent password re-use, sharing and writing down.
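The two password findings above, the frequency and length breakdown of a leaked dump and the damage done by re-using one password across logins, are the two checks a defender actually runs after a third-party breach. The following is an added example, not code from the original post or from passwordproject.com: it summarises a constructed leak sample the way the YouPorn analysis was summarised, and then verifies each leaked plaintext against an assumed internal user store of salted PBKDF2 hashes to find the accounts that re-used the same password and need a forced reset. The usernames, passwords and hash parameters are all constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample of a leaked (username, plaintext) dump; not real data.
LEAKED_DUMP = [
    ("alice", "123456"), ("bob", "qwerty"), ("carol", "123456"),
    ("dave", "password"), ("erin", "Tr0ub4dor&3"), ("frank", "123456"),
    ("grace", "letmein1"), ("heidi", "correct horse battery staple"),
]

PBKDF2_ROUNDS = 100_000  # assumed parameter of our own (hypothetical) service


def password_stats(dump, top_n=3):
    """Summarise a dump: most common passwords with their share of all
    accounts, plus a histogram of password lengths."""
    total = len(dump)
    counts = Counter(pw for _, pw in dump)
    top = [(pw, n, round(100.0 * n / total, 1)) for pw, n in counts.most_common(top_n)]
    lengths = Counter(len(pw) for _, pw in dump)
    return {"total": total, "top": top, "lengths": dict(sorted(lengths.items()))}


def make_record(password, salt=None):
    """Store a password the way our hypothetical service does: random salt + PBKDF2."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed internal user store for the same usernames.
OUR_USERS = {
    "alice": make_record("123456"),         # re-used her leaked password here
    "bob": make_record("a-different-one"),  # did not re-use
    "frank": make_record("123456"),         # re-used
}


def reused_accounts(dump, users):
    """Return the usernames whose leaked plaintext verifies against our stored
    hash, i.e. who re-used the same password on our service. Only these accounts
    need a forced reset; the plaintexts are never stored."""
    hits = []
    for user, leaked_pw in dump:
        rec = users.get(user)
        if rec is None:
            continue  # not one of our users
        candidate = hashlib.pbkdf2_hmac("sha256", leaked_pw.encode(),
                                        rec["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, rec["hash"]):
            hits.append(user)
    return hits


if __name__ == "__main__":
    print(password_stats(LEAKED_DUMP))
    print("force reset for:", reused_accounts(LEAKED_DUMP, OUR_USERS))
```

Matching on username is a simplification; in practice the join key is the e-mail address, and the same verification loop runs against the hashing scheme the real service uses. Note that the check is only possible because the leak contained plaintexts; a leak of hashes from another site cannot be verified against your own salted hashes, which is the point of salting.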

It is not like this is a new phenomenon though – just look at this clip from the 1987 film Spaceballs: http://www.youtube.com/watch?v=_JNGI1dI-e8&list=WLF656F8DB37DB6686&index=2&feature=plpp_video


Data security dwindles in times of austerity

February 24, 2012

Late last year, Information Commissioner Christopher Graham commented on his blog that data protection is under threat from the continuing recession.

He suggested that businesses under pressure may be tempted to cut corners and push boundaries when it comes to protecting corporate information. He highlighted a common problem that a lot of UK organisations are increasingly facing as the downturn continues to linger.

As budgets continue to be cut, security and data protection are among the first things to be neglected, particularly as such functions have traditionally been perceived as costly. In reality, that cost comes from inefficiency: manual tasks and over-centralisation.

In these times of austerity, security can be achieved without large capital investment; IT departments just need to take a number of sensible precautions to ensure security of information and access governance. Organisations certainly can't afford to be lax when it comes to security.

Very recently, the European Commission proposed new rules stating that serious data breaches will need to be reported to the national supervisory authority and affected citizens within 24 hours. Whilst this is undoubtedly going to be a struggle for many organisations, the aggressive proposal is unquestionably a result of the sharp increase in public data breaches over the past year.

In my view, this will force many businesses to shake up the way information is stored and shared, inside and outside of the organisation. Yet for many organisations, managing efficient identity and access management systems, and ensuring that activity is fully tracked, audited and compliant, are also a big struggle.

Our own research has shown that over 51 per cent of IT professionals are concerned about insider threats to network security in their company's current infrastructure, and 90 per cent agree that companies need to do more to manage and protect users' electronic identities.

In addition to such threats, we are seeing professionals regularly compromise business or personal information by using insecure and risky shortcuts, not out of malice, but to make their lives easier in the workplace.

For instance, with many professionals tasked to remember more than five work-related passwords, 42 per cent of employees prefer to keep password details written down and within easy grasp to prevent halting workflow, which can leave them open to potential theft.

A more effective way of cutting costs is to look carefully at the processes that can be automated, such as identity and access management (IAM), which can increase efficiency and reduce costs whilst maintaining the integrity of your data. With over a quarter of employee queries made to IT helpdesks being access related, IAM can also remove some of the burden placed on the helpdesk, making their lives much easier.

Implementing a single, integrated system that provides end-to-end management of employee identities and retires orphaned or unneeded identities at the appropriate time is the key to simplifying the management of IAM systems.

The recent warnings from the ICO and the European Commission's recent proposals are timely reminders of the type of risks that businesses can impose on themselves and their customers if the right precautions to protect information are not followed, and the mess companies can get into if measures to detect such breaches are lax.

Similar to a game of football, a ‘red card’ violation such as a data breach can be extremely damaging to the reputation of any organisation, and with the European Commission proposing fines of up to two per cent of annual global turnover, such data breaches can be controversial and even crippling.

Without the right security systems in place, organisations risk compromising sensitive information, revenue and their reputation.

Phil Allen is director of identity and access management (EMEA) at Quest Software


Apple iPads for MPs: more secure than you think, but secure enough?

February 23, 2012

The latest example of the consumerisation of IT is iPads for MPs, and it has been widely reported in many of the national newspapers.

While the angle has been along the lines of an expensive toy for MPs at taxpayers' expense, many commentators are in favour of MPs adopting more technology. The scheme to issue every MP with an iPad should save money, as information can be shared electronically rather than using paper. Moving into the digital age, improving productivity and saving money have to be applauded.

However, in an age where cyber security is at the top of every government agenda, it must surely be considered whether the iPad is really the best choice. There is no doubt that it is a highly desirable consumer device that is great to use, but is it the best business tool for the job?

If all MPs wish to do is access (non-classified) emails, surf the web, share data and give presentations, then the iPad is probably as good as any Windows or Android tablet, albeit more expensive. However, as anyone who has used a tablet will know, the more you use these devices, the more you want to use them, and therein lies part of the problem.

The iPad doesn't support many of the applications that are needed in everyday business life, so its use is limited. Nor does it have the level of security required for MPs to access and store sensitive or classified data. This means that there will be certain emails that they can't access on their iPads, and a lot of sensitive data (either citizen data or data that could affect national security were it to fall into the wrong hands) that they can't access either.

At some point, they will have to stop using the iPad in favour of a device that meets government security standards. This is where the 'best value' argument comes in.

Windows and Android tablets do provide business applications and, being more open platforms, can be encrypted and protected to meet stringent government requirements, meaning that they could empower MPs to do away with at least one of their standard-issue laptops.

If they are lost on a train or left in the back of a taxi, as we read about all too often, government-grade security and encryption means that the data held can't be accessed even using specialist tools.

National security and citizen data are protected, and MPs really can move into the digital age with a device that supports true business requirements, all at a lower cost. What's not to like? If the recommendation to use iPads rather than other, more suitable tablet devices is ratified later this month, it could be a huge missed opportunity to exploit this new device form factor to its full potential.

Keith Ricketts is vice-president of marketing at Becrypt


The simple solution to SIEM

February 20, 2012

Last week I met with a company that introduced itself as a vendor in the 'change management' space.

As change management was a new term to me, I spoke with the UK and Ireland country manager of NetWrix, Aidan Simister, who said that despite only being at the company for five months, he was "passionate about the technology".

Explaining that change management was a stripped-down version of security information and event management (SIEM), Simister said there was a need for IT managers to understand what was going on inside the organisation.

“What we offer is not an SIEM package, it is software, so not a box which tells you what has been changed and to what technology in the IT infrastructure. If it looks like Active Directory then that is all the information you need; you print a report for the auditors, but it will not do intrusion detection or automated actions,” he said.

“What people want to know is what was changed, where and how. There are no boxes, so you can put this where you like; we want to keep this simple and give them what they want to know.”

The SIEM space has moved on in huge leaps over recent years, with NitroSecurity now part of McAfee (and therefore Intel), Q1 acquired by IBM and, perhaps most notably, ArcSight acquired by HP. Add in the introduction of business products from open-source favourite AlienVault, and you could argue that there is little middle ground in the space.

Simister told me that change management and auditing is "about doing it right" and there had been "a lot of hype over the last 18 months". He said: “SIEM is to prove that you know what is going on, and organisations are trying to bill themselves as doing that, but you can do it with a simple solution.”

He said that due to pricing, it had proved popular with the public sector, and he was personally keen on the channel. Currently NetWrix employs 70 people globally and has been established since 2006; and with this being the first move into the UK market, it comes with a strong message that should appeal to many.

After all, if major acquisitions and complex technology have frozen buyers out, then a back-to-basics solution may be what the sector needs.


The smart grid revolution: a security challenge?

February 20, 2012

Smart grids are the most significant change in the electrical grid in 100 years.

These digitally enabled networks show how much electricity a household or business has used at any given time using a smart meter, and can help prompt energy saving among users while improving operational efficiencies for utilities.

Yet they also present one of the biggest new challenges facing the UK's critical infrastructure, as with every smart meter connected to the internet, a potential new point of compromise is created. In the next five to ten years, 100 billion devices and sensors will be added globally, so serious planning now is vital to avoid future issues.

Given the sheer scale of these grids and because they are IP-enabled, there are a number of issues that need to be addressed. Firstly, it is vital to have layers of security built in from the outset. With the threat landscape having evolved to include exploits such as Stuxnet and Duqu worms, vulnerabilities can be exploited to send malicious code into smart grids without the proper defences.

These defences need to be capable of protecting against highly sophisticated, targeted and well-planned attacks born of political pressures or industrial espionage. If not, elements of a country's critical infrastructure could end up in the control of a third party.

In terms of the smart meter itself, it is vital that utilities can ensure only authenticated meters are on their system. This will protect against data or device compromise. Measures need to be taken to remove unauthenticated or tampered meters from the grid while being able to take steps to get meters back up and running quickly.
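The requirement above, that only authenticated meters are accepted and that tampered ones can be removed from the grid, is easiest to see as a concrete exchange. The following is an added example and not Symantec's or any utility's design: it assumes a per-meter secret key provisioned at enrolment, a head-end that keeps the key registry and a revocation list, and readings authenticated with an HMAC over the meter identity, reading, timestamp and a fresh nonce. Meter identifiers, keys and the clock-skew window are all constructed for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed head-end registry: one secret key per enrolled meter (assumed scheme).
METER_KEYS = {
    "MTR-0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "MTR-0002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}
REVOKED = {"MTR-0002"}      # meter found tampered; removed from the grid
MAX_CLOCK_SKEW = 300        # seconds a reading's timestamp may differ from head-end time
seen_nonces = set()         # nonces already accepted; used to reject replays


def meter_sign(meter_id, key, reading_wh, timestamp, nonce):
    """Meter side: produce an HMAC-SHA256 tag binding identity, reading,
    time and nonce so none of them can be altered or replayed in transit."""
    msg = meter_id.encode() + struct.pack(">QQ", reading_wh, timestamp) + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def head_end_verify(meter_id, reading_wh, timestamp, nonce, tag, now=None):
    """Utility side: accept a reading only from an enrolled, non-revoked meter
    whose tag verifies and whose timestamp/nonce have not been seen before.
    Returns a short verdict string; anything but 'accepted' is logged and dropped."""
    now = time.time() if now is None else now
    if meter_id in REVOKED:
        return "rejected: revoked"
    key = METER_KEYS.get(meter_id)
    if key is None:
        return "rejected: unknown meter"
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return "rejected: stale timestamp"
    if nonce in seen_nonces:
        return "rejected: replay"
    expected = meter_sign(meter_id, key, reading_wh, timestamp, nonce)
    # Constant-time comparison so tag checking does not leak via timing.
    if not hmac.compare_digest(expected, tag):
        return "rejected: bad tag"
    seen_nonces.add(nonce)
    return "accepted"


def revoke(meter_id):
    """Operational step from the text: drop a tampered meter; re-enrolling it
    later means issuing a fresh key and removing it from REVOKED."""
    REVOKED.add(meter_id)


if __name__ == "__main__":
    now = int(time.time())
    nonce = b"\x01" * 16
    tag = meter_sign("MTR-0001", METER_KEYS["MTR-0001"], 1234, now, nonce)
    print(head_end_verify("MTR-0001", 1234, now, nonce, tag))   # accepted
    print(head_end_verify("MTR-0001", 1234, now, nonce, tag))   # rejected: replay
```

The order of the checks matters: revocation and enrolment are tested before any cryptography so that traffic from removed devices costs the head-end nothing, and the nonce is only recorded after the tag verifies, so an attacker cannot poison the replay set with junk. A real deployment would keep the nonce set per meter with a bounded window rather than one global set.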

From a privacy point of view, IP-enabled smart meters generate vast amounts of personal data for utilities to manage. They may send everything from electricity use to billing information and other personal data over the internet, and this personal data needs to be effectively protected by the utility to ensure no vulnerabilities exist which could be compromised for financial or malicious purposes.

Back-end system design to limit when personal data is transmitted is also key. The loss of trust resulting from such a privacy breach could potentially terminate a smart grid project and, more importantly, damage the brand integrity of a utility or its service providers.

In addition to ensuring security, authentication and privacy, the data created by the meters must be efficiently managed. A typical smart grid comprises ten million smart meter endpoints for a single utility, handling in the region of 28 petabytes. All this has to be backed up while ensuring that auditing and compliance demands are met.

This is further complicated by the fact that many utilities work on a multi-national basis. Each government will have different laws and compliance regulations, meaning each grid needs to meet the demands of several sets of legislation at once.

It's clear that the challenges facing utility companies are considerable, but they are not insurmountable. The key is that any utility embarking on a smart grid project needs to develop a security strategy from the outset to minimise risk. This means that every part of the chain has security built in.

Content such as billing information needs to be encrypted; infrastructure such as servers and gateways needs to be secured; the network should have security built in; and embedded devices such as communications hubs and the meters themselves need to be protected.

But in building a secure system, it is also vital that it remains open and scalable. With utility companies merging or changing ownership, it is important that grids can operate on common standards and best practices to allow easy integration.

The best advice to utilities is to look to others for advice and support. See what non-competitive businesses are doing worldwide and how they are building their smart grids, encourage information sharing to understand best practices and work out the best way to build a system that complies with the best international standards.

Only by taking these steps will utilities be capable of reaping the benefits of smart grids without jeopardising the integrity of their critical infrastructure, their customer relationships, their brand reputation or their revenue.

Michelle Lewis is a smart grid specialist at Symantec


The fear of being without a phone is real

February 17, 2012

It was former Spice Girl Melanie C who offered us the wise words: “I couldn't live without my phone, but you don't even have a home.”

Now if Sporty Spice couldn't live without the smartphone, how would the rest of us? Some research I came across this week suggested that this could potentially be a 'life or death' situation for some people. According to research from McAfee and the Ponemon Institute among 439 organisations, 142,708 smartphones were reported missing in one year.

The research found that approximately 62 per cent of these were company-owned devices assigned to employees for business use, while 38 per cent were personally owned and used for business. Of the phones reported missing, only seven per cent were recovered.

The survey found that 13 per cent of the missing smartphones were lost in the workplace, 29 per cent while traveling and 47 per cent while employees were working away from the office. Employees were unsure where the remaining 11 per cent were lost.

Another survey of 1,000 people by SecurEnvoy found that 77 per cent of 18- to 24-year-olds were 'nomophobic' – the fear of being without one's phone. It found that 68 per cent of the 25-34 age group felt this way, while the third most nomophobic were those aged 55 and over.

Andy Kemshall, CTO and co-founder of SecurEnvoy, said: “The first study into nomophobia, conducted four years ago, revealed that 53 per cent of people suffered from the condition, and our study reveals this has now risen to 66 per cent in the UK.”

The research also found that nearly half of those surveyed do not use any protection on their phone; 41 per cent use a four-digit PIN, and ten per cent encrypt their device. A security-conscious three per cent use two-factor authentication.

“With 58 per cent of the respondents using at least one device for business use, this lack of security is a worrying trend that needs addressing,” Kemshall said.

The McAfee research also found that 60 per cent of the missing smartphones contained sensitive and confidential information, yet 57 per cent were not protected with available security features.

So what do you want, do you really really want? Firstly your phone, secondly to secure the information on it and, thirdly, well, best to get some authentication on it.


If Anonymous took down the internet on a Saturday, who would notice?

February 16, 2012

A statement appeared this week from the Anonymous group claiming that it had plans to take the internet completely offline for a day at the end of March.

According to a statement that appeared on Pastebin, "on March 31st, Anonymous will shut the internet down" in protest at the US's Stop Online Piracy Act (SOPA). It said: “In order to shut the internet down, one thing is to be done. Down the 13 root DNS servers of the internet. By cutting these off the internet, nobody will be able to perform a domain name lookup, thus disabling the HTTP internet, which is after all, the most widely used function of the web.

“Remember, this is a protest, we are not trying to 'kill' the internet, we are only temporarily shutting it down where it hurts the most.”

It further detailed how it would carry out the attack, and concluded that it will use static IP addresses and not rely on name server resolution, thus enabling Anonymous to maintain the attack while the internet is down.

“The very fact that nobody will be able to make new requests to use the internet will slow down those who will try to stop the attack. It may only last one hour, maybe more, maybe even a few days. No matter what, it will be global. It will be known,” it said.

This led me to think: could you go a day without the internet? Is it considered a basic human right now? In the cases of the arrests of Jake Davis and Ryan Cleary, they were denied internet access and some would suggest that was taking away a human right.

Data from the Office for National Statistics released this week revealed that almost 42 million adults in the UK had used the internet, while 8.2 million had never used it: the latter represents 16 per cent of the adult population.

So for those eight million, would no internet really affect them? Did the recent website blackout, so publicly supported by the likes of Wikipedia, impact those who were not online daily?

For the rest of the population who are online, best keep that Saturday free for the gardening, as no one will be surfing if the hacktivists get their way.


Data losses on USB sticks - it's raining again

February 15, 2012

The problem of lost USB sticks has been back in the news recently with data losses moving from laptops to the storage devices.

In January, the Information Commissioner's Office (ICO) and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man jointly criticised Praxis Care after an unencrypted memory stick was lost last year. It contained personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland.

Last week, the details of more than 1,000 school pupils were lost when a USB stick was misplaced by a member of East Lothian Council.

It was at the end of 2009 that I looked back at ‘a tricky 12 months for the USB stick’ when it was blamed for data loss and Conficker. While the problem has not been eradicated completely, it does seem to be slipping back somewhat.

I recently spoke with a new company offering what it calls the ‘Fort Knox’ of USB memory sticks. I know what you are thinking: heard it all before. What caught my attention was that this is less a memory stick and more a tracking device, with GPS and GSM modules to track where it is and deliver that information securely to a management console hosted on Fujitsu's Global Cloud Platform.

It also features remote wipe capabilities of any data on the device, whether it's plugged in to a USB socket or not.

Named Security Guardian, creator ExactTrak said that its inbuilt software is linked to an online monitoring platform that protects against the biggest problem with mobile data security: human error.

Managing director Norman Shaw told SC Magazine that Security Guardian is being adopted by users because it is encryption technology-agnostic and available with either 16 or 32GB of storage.

He said: “We applied intelligent elements to communicate with the device and we can turn the device on or off and delete the memory. We can know where it is geographically.

“We met with the ICO and they said that it is all very well having encryption but 50 per cent of people share passwords. One of the technologies on this is that if you share a password, you can remotely remove or turn data off. A problem is that data losses are often not reported for months; we say this can overcome the stigma of losing data by saying ‘we lost the device but we deleted the contents of it’.”

Shaw said that this is sold not as a product but as a service, and a recent partnership with Fujitsu saw its Global Cloud Platform selected to host the back-end infrastructure.

The heart of the Security Guardian solution is the management console which provides remote access to the devices and maintains a verifiable audit trail detailing when and where data was accessed. ExactTrak said it needed a partner that could host the management console while providing the utmost levels of security, scalability and availability, and it selected Fujitsu's Global Cloud Platform as a secure portal and because it could offer "global scalability almost instantly".

Shaw said: “Once data is on the device it is encrypted. We have Trusted Client technology from Becrypt and the cloud capability from Fujitsu and it is all dynamic data on the device, so what is on there is secure.”

In my recent conversation with Thales, it was suggested that technology should make encryption transparent, and "if you know you are using it then it has gone wrong". I asked Shaw if he felt there was a problem with encrypted data and that people were not using it.

He said: “Some people realise the problem of encryption, so how do you prove that it was turned on? You say that a laptop was encrypted, but then it appears on eBay and it turns out that it wasn't encrypted at all.

“With our solution you can say that the data was turned on or off on the management console with a verifiable audit trail and the ICO can say the matter is closed.”

There are solutions out there to prevent data loss and most of them offer different levels of security and capability, and what ExactTrak offers is certainly different – the capability to react after the incident.

As to whether this will prevent further data loss, I doubt it, as the ICO is now fining organisations for human error in the case of lost details.


Payment fraud is organised, so what do you do?

February 15, 2012

Merchants have enough difficulty manoeuvring through today's ‘topsy-turvy’ economic times.

When your merchant processor calls to inform you that the card associations have flagged your company as falling within their criteria for a fraudulent operation, the threat of having to close your doors for the very last time can take on awesome proportions. Is this scenario a real possibility, and what can you do to prevent it from ever happening to you?

Seasoned risk management professionals will tell you that payment fraud today is very sophisticated and well organised. Where there is money involved, the criminal element of our society has focused their efforts on various schemes that will conveniently and easily transfer its value to their coffers.

Their primary objective, as if directed from some planning division, is to create a steady flow of income beneath the radar screen of detectability. For this reason, one can never eliminate fraud completely, but you must manage it down to an acceptable and predictable ‘cost-of-doing-business’ level.

This frightful call situation happens more frequently than we would like, even under today's highly electronic and terminal-driven payment environment. Card payment fraud can come from many sources, but one prevalent method is to force a number of fraudulent transactions through a single merchant portal, fence the goods and then disappear.

It may take days for consumers to object, but investigators quickly assemble data and look for a common point of purchase (CPP), in card payment parlance. A call follows to notify you that your merchant system has been breached.

How can you prevent this call from ever taking place in your situation? Unfortunately, systems today are extremely complex. Even highly sophisticated and large merchants with ample resources devoted to fraud prevention have suffered from breaches in their networks.

In response, the card associations came together as one to fight crime by developing the Payment Card Industry Data Security Standard (PCI DSS), which has been an ongoing effort for the past five years.

The world of merchant account payment options can be very daunting, especially for smaller merchants, but processors have typically developed a cadre of experts to assist merchants in their respective compliance activities.

Navigating through these turbulent waters requires experience on a daily level with the variety of attacks that can transpire between the point of sale and the eventual posting of a transaction to a consumer account. If your processor does not provide support of this nature, then it may be a good time to switch your allegiances.

After a breach has occurred, the first step is to secure the assistance of your processor, who should provide a capable PCI forensic investigator. This individual will determine where and how your system was breached and recommend changes to prevent any further data compromises from happening down the road.

The changes may be as simple as upgrading your operating software to the next release, or may require a major overhaul of your entire method of doing business. Either way, it is a costly procedure.

To avoid larger costs in the future, the prudent way to go is to review your merchant account payment options and determine where the weaknesses in your present system of controls exist. PCI standards are very specific, especially in their encryption requirements of personal consumer and card data during every step in your internal processing regimen.

Due to its inherent complexity, your processor may require an outside auditor to confirm your PCI compliance before accepting larger volumes of transactions from your merchant network. Compliance levels do vary according to size so you need to be aware of when critical levels are on the horizon.

The card associations continually update merchant processors on their level of PCI compliance and issue fines when the facts warrant. If the processor can justify his position and find fault with your PCI status, he will most likely deduct the fines from your daily deposit stream. The time to act is before the breach, not after.

Shannon Martin is editor of merchantseek.com


PCI moves into 2012, but are businesses left behind?

February 13, 2012

Last week the PCI council announced its new chairperson among plans for a new certification.

Alongside these announcements, the PCI Security Standards Council (PCI SSC) confirmed its key aims for 2012 as:

  • Engaging the PCI community with new opportunities for participation and a dedicated period for collecting and sharing feedback
  • Delivering guidance on ecommerce security, cloud computing and risk assessment through PCI SSC Special Interest Groups (SIGs)
  • A continued focus on technologies that offer PCI-DSS scope reduction for merchants, including point-to-point encryption and tokenisation
  • Expanding the current PCI SSC training programme to continue to increase payment card security expertise globally.

Perhaps a priority for the council should be to promote version two of its requirements. Initially announced in August 2010, the requirements came into force in January 2012, and as research proved, some respondents were completely unaware of the changes even then.

I spoke with Anthony Hall, IT manager of Move With Us, who was talking to SC Magazine along with security vendor Quarri Technologies, a provider of secure session software that prevents data being copied or printed from a browser and clears the cache at the end of a session.

In this instance, Hall said that credit card payments are taken and entered on the screen, so the solution secures the data and stops the employee printing the screen. “We opened our eyes to the risk of loss and while using Quarri, you can open another tab, so we have rolled it out to 45 of our 350 staff,” he said.

“From a personal point of view, compliance is something that we have got to be better at and, with regard to Quarri, we can say using it ticks boxes, but we do not replace anything with manual checks. By deploying Quarri, we have made a massive step towards achieving it.”

Laurie Coffin, vice-president of marketing at Quarri Technologies, described Quarri as security software that enforces a secure session in the browser; with customers mainly in financial services, it prevents employees from replicating data, as they cannot capture any details.

She said: “On some applications an employee can print a replication of the data but this is a secure browser layer that deletes the cache at the end of the session. The data is entered into the browser and you can see the data, by using us it will empty the cache at the end of the session. I think that it is difficult to achieve compliance as the guidelines are not specific, they are designed to figure out what to do and can be used to be compliant.”

I asked Hall if he felt that it was possible to be compliant, and he said that without paying for it, it is very much about protecting data. He said: “Often compliance guidelines are not put across, you get something to tick a box but there is an impression of guidance on how to secure, there is a real feeling that the responsibility is placed upon the end-user.”

Compliance is never going to be easy, but guidelines are there to be followed and interpreted by businesses, and they are difficult precisely because compliance is meant to be a challenge to achieve. Perhaps more communication from those who set the guidelines will clear the blurry lines a little.

 

Even phishers watch daytime TV

February 07, 2012

Thankfully I am rarely ill and, because of that, don't often get the chance to 'enjoy' daytime TV.

In previous lives, I have had a chance to enjoy the likes of Countdown and Deal or No Deal, but these have been undone by the low-standard programming pumped out by terrestrial channels and adverts for no-win, no-fee legal services.

Among these productions is Heir Hunters, not a Discovery channel special on Nazi hunters, but a BBC programme "following the work of probate detectives looking for distant relatives of people who have died without making a will".

Now proof has emerged that the elderly, unemployed and undergraduates are not the only ones watching such shows, as phishing emails claiming to be messages from the producers have been detected.

The scammer says they came across the recipient "while searching through [a] genealogy database" and asks them to respond with their contact details to ensure that it corresponds with the information "we have [in] our database in order to enable us to carry out necessary verification processes and to get your claim across to you without any delay".

According to Sophos, the emails even include a link to an online episode of the TV show via the BBC's iPlayer in an attempt to make the message seem more legitimate. This has led to the BBC putting a message on its website which says "beware of emails claiming to be from Heir Hunters".

It warns: “We have been informed that someone has been sending out emails purporting to come from the Heir Hunters programme and referring to this website. Please be aware that these emails have no connection with the BBC or Flame Television, the makers of Heir Hunters, and you should ignore them.

“You should not reply to them and if you believe that persons are attempting to deceive you with a view to monetary gain, then you should contact the police.”

Sophos's senior technology consultant, Graham Cluley, says the BBC's advice is sensible. “If you believe you could be the beneficiary of the assets of a deceased person who didn't make a will, or died with no known heirs, then you could do a lot worse than visit the Government's Bona Vacantia website,” he advises.

If you think about this, it is a mean but clever tactic. The spammer is hitting potentially vulnerable targets who are likely to respond to the opportunity, as they are familiar with the brand and unlikely to question a tactic as niche as this.

That said, checking for spelling mistakes and the validity of the sender is no bad thing, not least because the BBC prides itself on not making spelling or grammatical mistakes. Now, where did I put my Homes Under The Hammer box set?

 

What is the future of encryption?

January 31, 2012

One of the first meetings I did in this job was with nCipher, where the concept of encryption was explained to me.

Now you could argue that I should have just sat down and read the Whitfield/Diffie paper or talked to the founders of RSA, but a lot has changed in the three years since then. Not just to me either; nCipher was subsequently acquired by global defence company Thales and, following other acquisitions, Thales is now one of the primary encryption firms.

nCipher's main business was SSL technology, databases with built-in encryption, and cryptographic support. Sitting with Thales's director of product management Mark Knight and strategy manager Steve Brunswick, both from the Information Technology Security division, I asked them if encryption had changed since 1976.

Knight said that one of the challenges for businesses is how to retro-fit end-to-end encryption and how to improve security without affecting the user so it is as transparent as possible.

“Technology is making encryption transparent. If you know you are using it then it has gone wrong,” said Knight.

One area where encryption has evolved is with mobile payments. Brunswick explained that a credit card chip has moved into the phone SIM card. “In the past, a factory would create a card with data from a tape from the provider, but with cryptographic details added to the account it is then added to the card. With the Global Standards platform, the cryptographic element is not in factory but over the air,” he said.

“With our hardware security module (HSM), within the SIM there is security but the domain is owned by the mobile network operator so you can use traditional push commands to set up a secure channel, and send a message that the application can run on the 'card'. The bank has the server and an HSM attached, so the contact comes from the HSM and secures the message so the bank doesn't need to know anything about how the message gets to the phone.”

Knight commented that with end-to-end encryption, the bank has the data, but everyone should be hiding opaque information – although fitting this sort of technology is proving to be difficult.

Brunswick said: “Protecting a password with encryption is done everywhere. PCI-DSS says you need to protect data but does not say how to.”

A key area for chip-based security is in the US; Knight said this is a major case for retro-fitting, with a move to issuing and accepting chip cards getting closer.

Knight said: “A step to mobile payments is not about making payment cards more secure, contactless mobile card payments use the same standards. In the phone, the SIM connects to the near-field communication (NFC) chip via a single wire protocol to make the SIM look like a contactless card, so you can make a payment.

“We have got to see a communal relationship between the bank and retailers as the technology is ahead of the market.”
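To make the relationship Brunswick and Knight describe concrete, here is an added example; it is not code from Thales, nCipher or any bank or operator. It models the bank-side key store (standing in for the HSM) and the SIM as two ends that share a key, with the mobile network operator as a relay that forwards bytes but holds no key, so it can neither read the command nor alter it undetected. Real deployments use AES inside the HSM and the SIM's secure element; because this illustration uses only Python's standard library, confidentiality comes from an HMAC-SHA256 keystream in counter mode and integrity from a separate HMAC, applied encrypt-then-MAC. The command text and the key-provisioning step are assumptions.

```python
"""Added example: end-to-end protection of a bank-to-SIM command carried by an
untrusted mobile network operator. Stdlib only; the HMAC counter-mode keystream
stands in for the AES that an HSM and secure element would use."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32    # HMAC-SHA256 output length
NONCE_LEN = 8   # 64-bit message counter, sent in the clear


def derive_keys(master_key: bytes):
    """Split one shared secret into independent encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode; stands in for AES-CTR in this stdlib-only example."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def protect(master_key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Bank side: encrypt, then MAC over nonce || ciphertext. Counter must never repeat."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = struct.pack(">Q", counter)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(master_key: bytes, envelope: bytes, last_counter: int):
    """SIM side: verify the tag before touching the ciphertext, then reject replays."""
    enc_key, mac_key = derive_keys(master_key)
    if len(envelope) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated envelope")
    nonce = envelope[:NONCE_LEN]
    ciphertext = envelope[NONCE_LEN:-TAG_LEN]
    tag = envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: altered in transit or not from the bank")
    counter = struct.unpack(">Q", nonce)[0]
    if counter <= last_counter:
        raise ValueError("replayed or out-of-order message")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return counter, plaintext


def operator_relay(envelope: bytes, tamper: bool = False) -> bytes:
    """The MNO forwards bytes it cannot read; tamper=True flips one ciphertext bit."""
    if not tamper:
        return envelope
    altered = bytearray(envelope)
    altered[NONCE_LEN] ^= 0x01
    return bytes(altered)


def run_exchange(tamper: bool = False):
    """One bank -> operator -> SIM delivery; returns what the SIM decided."""
    shared_key = os.urandom(32)   # assumed: provisioned to SIM and HSM out of band
    command = b"INSTALL applet=payment limit=GBP30"   # constructed sample command
    envelope = protect(shared_key, 1, command)
    delivered = operator_relay(envelope, tamper)
    try:
        _, plaintext = unprotect(shared_key, delivered, last_counter=0)
        return "accepted", plaintext
    except ValueError as err:
        return "rejected", str(err)


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(tamper=True))
```

The point of the exchange is the one Brunswick makes: the operator's channel can be anything, because the only parties holding the key are the two ends, and a message altered on the path is rejected before its contents are ever acted on. The counter check also stops the operator, or anyone else on the path, from re-delivering an old command.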

A Forrester report commissioned by PayPal last year said that by 2016, UK mobile retail sales will reach £2.5bn, and consumers will be able to leave their cash at home and use their mobile "as the 21st century digital wallet".

Brunswick said the barrier is not one of technology, as the capability is already there: 2011 saw industry groups created and the first real mobile payment applications. Now people are investing more in security for the big push towards this reality.

“With mobile payments, the operator doesn't want a cut of the transaction, they want the data of users' shopping habits so they can give them offers. This is all aligned in a single application,” he said.

 

Anonymous hits out at martial arts group after 'cowards' taunt

January 31, 2012

The president of martial arts body the Ultimate Fighting Championship (UFC) almost 'did an HB Gary' last week when he called Anonymous "cowards".

Initially, president Dana White wrote a tweet to the Anonymous news feed 'YourAnonNews' that accused the group of hiding "behind a screen name".

The hacktivists responded by breaching the UFC's official website and defacing it; White responded in turn by telling reporters at USA Today that the group should "keep hacking our site" and encouraged them to "do it again. Do it tonight".

He said: “You know what's happening? These guys look like terrorists now, and a bill that was about to die is about to come back. I'm not afraid of the internet. I love the Internet. It's fun to get on there and cruise around and stuff. I'm not afraid of you. You want to keep hacking our site, go for it. Watch what happens. You're hurting yourself.”

UFC parent Zuffa is a supporter of the US's proposed Stop Online Piracy Act (SOPA) and the Protect Intellectual Property Act (PIPA).

According to USA Today, the attack redirected the UFC.com domain to other sites multiple times, although servers that hold the company's data were not penetrated.

In a statement, the UFC said: “The UFC.com website was redirected by a criminal hacker to another website. The UFC website was quickly restored to the control of the UFC and there is no evidence suggesting that any confidential information belonging to the company or its customers was compromised.

“UFC representatives are continuing to investigate the matter and are working with law enforcement agents to prosecute those involved.”

Anonymous has also released personal information on White, including his social security number. Softpedia reported that S3rver.exe, who breached Sony Pictures, was one of those responsible for the defacement of UFC.com and UFC.tv.

The hacktivists told Softpedia that one of the two sites had at least 60 vulnerabilities, and that UFC.tv had XSS, blind SQL injection and other vulnerabilities. When asked about the reasons for hacking UFC, S3rver.exe cited Zuffa's president calling them terrorists. He said: "Standing up to those you deem to be weak may be at UFC's heart, and I am sure that there is little that scares their fighting machines. However in a cyber war, it is the keyboard, rather than the fist, that strikes the hardest blow and UFC can count themselves lucky for the moment, that no worse has been done."

 

Is the hybrid cloud a hybrid threat?

January 30, 2012

Radical changes in the way business stores its data are looming, with massive implications for data security.

New Forrester research shows that 66 per cent of businesses are moving their desktops, servers and data into the relatively uncharted territory of the hybrid cloud. Recent events have made it clear that moving sensitive data into the cloud is not a silver bullet and will require a new awareness of the threats that need to be addressed before implementing a cloud storage strategy.

When a disgruntled employee recently succeeded in wiping out an entire season of a major US TV show, we saw how outsourcing sensitive data can render a business vulnerable to the security models of the service provider, while Amazon's notorious data-loss incident illustrated the inherent risks associated with keeping masses of vital information in a single repository.

With Microsoft's recent warning to the EU that the Patriot Act now renders its citizens' personal data vulnerable to seizure, we saw the potentially troubling implications of moving data outside national jurisdictions.

At its best, the public cloud is the epicentre of personal empowerment and the globalised information age; a vast, instantly accessible, global pay-as-you-go pool of corporate consciousness, which can be shrunk or expanded, accessed or updated on demand from any location.

With information set to become 'the oil of the 21st century' and mobile multi-national workforces spreading endpoints far and wide, it is clear that there can be no return to the days of fixed-endpoint data repositories.

Businesses now want to adopt a 'pick and mix' approach, utilising the complementary benefits of different cloud models. The cost-saving benefits of the shared cloud space, in terms of cheaper apps and limitless scalable storage space, can be combined with the legal benefits of local clouds and the security benefits of private clouds, enveloping sensitive data in an on-site cocoon.

The hybrid model enables cloud models to be moulded to the needs of differing industries and businesses: from companies trading information that require instant data recovery to ensure business continuity in the event of a disaster, to regulated industries that require some information to be stored within their own premises, and businesses requiring data space that can be rapidly scaled up or down in sync with fluctuating demand.

With private clouds increasingly being adopted in tandem with public-cloud models, virtual-machine sales were already outstripping sales of physical servers by 2009. A Microtrend 2011 survey found many businesses were using all three cloud models almost equally.

The next generation of hybrid clouds and the rapidly multiplying array of user endpoints are spawning a deadly new generation of security threats. The expanding cluster of mobile devices and cloud models is leading to an increasing fragmentation of corporate data across multiple clouds and devices with different types of data protection, placing corporate data at the mercy of vastly different security models.

A third (33 per cent) of businesses already support mobile operating systems, and many businesses already make corporate information available through tablets, yet 66 per cent of businesses polled by the Ponemon Institute had recorded mobile device losses in the past year alone.

The modern ecosystem of mobile devices interconnected with multiple cloud models creates an interdependency between cloud providers, businesses and end-users with alarming implications. Imagine a scenario where an employee using mobile device support could have both the corporate data and personal data stored on their phone accessed by anyone who hacked into the cloud provider.

Conversely, if the employee later misplaced their tablet, it could provide root-level access to sensitive business data stored in private or public clouds and available through easy-to-use apps. Also, employers are at risk of prosecution if they wipe personal data stored on employees' tablets when attempting to remove corporate data.

With 40 per cent of businesses planning to manage hybrid clouds through in-house teams, the implementation of data-security policies across different cloud models, devices and tiers of data could become an admin nightmare for corporate IT staff.

Businesses need solutions which can safeguard fragmented corporate data across multiple devices and clouds in line with corporate policy. Yet companies are currently adopting only patchwork solutions, which fail to take into account the abundant array of security threats.

Datacastle's RED software automates the process of integrating all business data-security policies through a central policy framework, by combining remote deletion, remote port-locking, automatic encryption, device trace, automatic backup and data restore through a single agent, tailored to the policy needs of the organisation and designed for a hybrid-cloud model.

A unified cloud-computing infrastructure will only help business get the best out of cloud technology if it can be protected under the umbrella of a unified security framework.

Gary Sumner is CTO and founder of Datacastle

 

APT: more than a buzz-phrase?

January 23, 2012

In a presentation last week, Barclaycard head of payment security Neira Jones said "every time someone says APT, an angel dies in heaven".

Aside from the unseasonal Clarence-isms, is it the case that people are tired of hearing buzzwords, abbreviations and acronyms without any real clear explanation as to what they actually mean?

When I talked to Graham Nash from Fortinet last week, he used the more politically correct term 'targeted attacks', but said that people often have their own definition of what an APT actually is. He claimed that what was seen in 2011 was not a revolution, apart from the new term and concepts; rather, it is the availability of such attacks that has changed in the past 12 months.

He said: “Look at the key components and challenges; there is the attacking engine and crimeware-as-a-service that enables more and more people to be able to do this. In 2012 I see mobile becoming a factor too.”

Nash said the APT was often carried out following a "long gestation period" and attackers will "always find a victim", with phishing or spam messages often just precursors that deliver some malware or get an endpoint to be part of a botnet, in order to figure out a weak link in the chain.

I asked Nash if he felt then that the APT, or targeted attack, was a tool in cyber warfare. He said: “Look at the key components and motives on cyber attacks: money; geo-politics; companies; and hacktivism.

“Attacks can be high-risk and low-cost with denial-of-service or ransomware, so from an eco-politics point of view, a website can be taken down and, at worst, that is a branding problem. However, using ransomware is a risky way of doing things from the attacker's perspective, as there is no easy way to extract money and the attacker needs a method of protection for them and their assets as they do need to cover their tracks, identity and location.”

Looking forward to the rest of 2012, I asked Nash if he felt that there would be any changes from a hacker's point of view. He believed that there would be attacks on new versions of Flash or Windows and new vulnerabilities, as well as more activity as part of the evolution of threat versus mitigation.

“Also, 2011 showed that no one knew what an APT was and did not understand it. 2012 will be when companies do something about it,” he said.

“Cyber crime is costing the UK economy £27bn a year, and the key thing is at enterprise level, about what companies are doing and how they are incorporating the threat and cyber crime into their overall risk management and security controls. That will have a major impact on how much APT is taken seriously.”

So it does still remain a buzz-phrase, but APT (or targeted attack) is something to consider when assessing your risk profile, as Nash said. Yet it has the abbreviation status that can put some people off, and it may be time for researchers and writers to be a bit more serious on this subject.

 

2012: Crumbling trust in tech?

January 23, 2012

Through 2011, trust in a number of technological protocols, devices and companies came under attack.

We saw hacking collectives shout about their exploits on Twitter, high-profile companies suffer severe data thefts and entire governments come under attack from hackers. Clearly none of these security threats were new in themselves, but public awareness of them reached an all-time high, and the trust and confidence of users became increasingly fragile commodities.

2012 looks set to continue to test trust – and companies are going to have to work very hard to rebuild and retain the user confidence that is crucial for them to function.

For both individuals trusting the sites they visit to be genuine and organisations trusting the reliability of their certificate issuers, trust in the security and authenticity of the internet is paramount.

This trust came under particular attack in 2011, with the secure sockets layer (SSL) protocol demonstrated as badly implemented, and the website certification industry hit repeatedly.

Both DigiNotar and Comodo were hit by malicious hackers, KPN Corporate Market discovered a security breach that may go back four years, and Microsoft revoked trust in DigiCert Sdn. Bhd on the basis of poor security practices. This shows that the system is already untenable.

Quite rightly, authorities are already looking for stricter governance of this system, with the CA/Browser Forum approving baseline requirements for SSL/TLS certificates. Subjects including verification of identity, certificate content and profiles, certificate authority (CA) security, liability, privacy and confidentiality will be subject to best practice baselines, with a July deadline for implementation.

But the intractable issue is that there is no organisation sitting above the reams of CAs that are, ultimately, dealing in trust and confidence. There are more than 1,500 of them, it's complicated and convoluted and there's no overriding standard of security or quality.

Ultimately, it's far too easy for an organisation to become a CA. So what value is being placed on trust? Far greater transparency and clarity is required, with the security standards that CAs attain made public. If providers want to be trusted they not only need to unite, agreeing standards of security and scrutiny, but also undertake rigorous external audits and publicise the results.

Greater clarity also needs to be provided for the end-users who run the risk of their data being silently decrypted via earlier versions of TLS, or accidentally using websites that have been issued with false certificates. If diversity online is to be maintained, the confidence of those end-users is crucial.

What certificate authorities, websites and mobile device manufacturers have in common is that for most businesses they are third-party suppliers: companies whose goods or services have a direct bearing on other organisations, but whose security procedures are out of reach.

It is not sufficient for organisations to strengthen their own security procedures and policies. If they do not also validate the security of those suppliers that may provide easy access to contact details or sensitive data, then a back door is being left open.

It is the fragility of third-party security that, ultimately, means that generating and sustaining trust is going to be vital in 2012. Whether manufacturers or service providers, businesses or governments, all organisations must not merely be secure, but be seen to be secure.

Rob Cotton is CEO of NCC Group

 

There's space in SIEM for a new Alien

January 19, 2012

Think all security information and event management (SIEM) vendors are owned by big businesses?

This week I met with a new vendor in the SIEM space that has undergone a major expansion with the recruitment of some seasoned security professionals. Founded in Spain in 2002 and now based in California, AlienVault began with an open-source technology, with a commercial version following a few years later.

Executive vice-president James Yares said this commercial version was created to handle capacity and volume. “The value of the company is to be democratic and make it available to everyone, its roots are in open-source SIEM and to support and enhance that, and we continue to work with the open-source SIEM,” he said.

Rather than speaking as a long-established corporate head, Yares was in his fourth week at the company, while senior vice-president of international sales Richard Kirk was in his third week. Both men were previously at Fortify and moved on following its acquisition in 2010.

Also joining them are former Fortify chief products officer Barmak Meftah as president and chief executive officer and Fortify founder Roger Thornton, who assumes the same position as chief technology officer.

John Richardson, formerly vice-president of finance at HP Fortify, will serve as vice-president of finance and administration. Jack Marshall, formerly vice-president of customer success at HP Fortify, will become vice-president of customer success, while Gail Boddy, former vice-president of human resources at HP ArcSight, will have the same role at AlienVault.

AlienVault will continue to be led by co-founders Julio Casal and Dominique Karg, who will be general manager of the new MSSP business unit and lead of the open-source SIEM community as chief hacking officer respectively.

Yares told me that AlienVault enables users to deploy and operate cost-effective unified security management solutions for better threat management and easier PCI/SOX compliance, while its solutions come integrated with sophisticated open-source security tools such as Snort, OSSEC, OpenVAS, ntop, Nagios and NetFlow.

The past 18 months saw most SIEM vendors swallowed by IT powerhouses, with NitroSecurity now part of McAfee (therefore Intel), Q1 acquired by IBM and, perhaps most notably, ArcSight acquired by HP.

Yares said the SIEM market is "well-established and growing quickly", and while other vendors have been bought up and it was a "ton of fun" to be acquired, it was now their job to grow a new company and make it valuable.

He said: “What we always hear from CISOs is that there is value in SIEM systems and they have stuck with the AlienVault design and what comes with it. They like how it is engineered and how its sensors make use of the open-source computing and the fast time to deployment.

“It is deep technology that others do not do and an example is its reporting capabilities. Some users have said that they put it in to see what is in the network. With this there is an opportunity to grow rapidly.

“We have had 160,000 downloads of the OSSIEM; we find that people download enough to get going and enable security teams to learn about SIEM to use it.”

Kirk said: “This was built for open source so we have had to make it so it works from the ground running, but we will continue to take advantage of our open-source roots.”

AlienVault later confirmed financing of £5 million from Trident Capital with participation from existing investors Adara Venture Partners and Neotec. Trident Capital has a track record of building successful cyber security companies including: AirTight Networks, BlueCat Networks, HyTrust, Qualys, Solera Networks, Voltage Security and Sygate.

Trident managing director J. Alberto Yepez is appointed as chairman of the AlienVault board, while Trident principal Michael Biggee also joins the AlienVault board of directors.

AlienVault said that the funding will be used to accelerate research and development and aggressively expand sales and marketing to meet increasing demand for unified security management from around the world.

The company has already staked its case in 2012 with research on attacks, and if you can overlook the brands that are now part of a portfolio, there is a space ready for AlienVault.

 

It started with a memo

January 16, 2012

Yesterday marked ten years to the day since Microsoft founder Bill Gates sent an internal memo that led to the foundation of its Trustworthy Computing division.

The original memo is available here, but to summarise, Gates called Trustworthy Computing "the highest priority for all the work we are doing" and said "we must lead the industry to a whole new level of Trustworthiness in computing".

The concept was about more than trust and simple security; it was about capability. As Gates said, the 9/11 attacks and disruptive malware "reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure".

With foresight of which HG Wells would have been proud, Gates said: “Computing is already an important part of many people's lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.”

He also said that "eventually our software should be so fundamentally secure that customers never even worry about it". Well, we would like to think that it is, but has that actually been achieved? Of the key aims of the Trustworthy Computing project, Gates said it should include: availability; privacy; and security.

With regard to the latter, he said: “The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.”

He also claimed that "our products should emphasise security right out of the box and we must constantly refine and improve that security as threats evolve"; he referenced changes in Outlook to avoid email-borne viruses, with any possible privacy compromise issues resolved first, as well as intention to better protect important data and minimise downtime.

“These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global web services,” said Gates in 2002.

According to Threatpost, Microsoft held a small conference in Redmond on what it then called "trusted computing" ahead of the memo being sent, where software security experts discussed the principles and concepts that were the foundation of building more secure software. In the months following the memo, Microsoft began internal changes designed to refocus its developers on the idea of building secure software.

Yes, this led to some products being slower to market, but Microsoft saw the importance of building secure products – look at the long wait for Windows 8. Trustworthy Computing now focuses primarily on its monthly bulletins released on Patch Tuesday, identity and access management and the development of IT concepts, to name just a few.

My last direct dealing with Microsoft Trustworthy Computing was when I met with its general manager of communications, Adrienne Hall, at RSA Conference Europe, where she was evangelising on the future of the cloud.

It was not a great call to arms or a directive for all of Microsoft's staff to down tools and be more secure, but more about Gates's vision on the future of secure software and how his brand had to be a leader.

Threatpost suggested that the memo created widespread acceptance that software security needed to be a top priority, and I would suggest it did more: it began a revolution that affected businesses around the world and the man on the street. It led to the industry as we know it today and Microsoft remaining as one of the most important cogs in IT and security.
 

Are QR codes the next spam frontier?

January 10, 2012

Warnings have been issued about Quick Response (QR) codes as cyber criminals begin to abuse them.

A QR code is a two-dimensional matrix barcode and, when scanned by a camera phone, will link the user directly to the mobile web, usually a social media site, online video or promotional page.

Websense said its ThreatSeeker Network has begun to spot spam emails leading to URLs that use embedded QR codes. In the cases spotted, a spam email arrives with a URL; if clicked on, a QR code appears and, if a user scans it, it leads them to pharmaceutical spam.

Elad Sharf, security researcher at Websense Security Labs, said: “We've been looking at QR codes as a potential malware/spam route for a while now. Inherent in the design is a level of trust and novelty that can be abused.

“In many ways it was just a matter of time before we saw spam messages point to URLs that use embedded QR codes. This is a clear movement and evolution of traditional spammers towards targeting mobile technology.”

Paul Vlissidis, technical director at NGS Secure, an NCC Group company, said the concern with QR codes is that control is taken out of users' hands and there is no indication on the code of the URL you are being transferred to, so there is no way of checking in advance whether it is genuine.

“Even more worrying, while a computer will warn you if you have clicked on a link to an unverified site, a smartphone will take you there directly. QR codes on billboards are surprisingly easy to manipulate, all it takes is for a fraudster to place a sticker over the existing code, and unsuspecting users can be directed anywhere. Malicious sites can start downloading malware to a device without buttons being pressed or files opened,” he said.

One notable attack via QR code took place in Russia in 2011, where a Trojan disguised as a mobile app called ‘Jimm’ was installed and started to send a series of expensive text messages that cost users £4 each. Paul Henry, security and forensic analyst at Lumension, said QR codes take URL obfuscation to the next level, particularly at a difficult time when malicious URLs continue to be a problem.

The problems with shortened URLs have been well documented, but could this be a new tactic on which the industry is falling behind? James Lyne, director of technology strategy at Sophos, said "convenience consumer technologies" are opening up new vectors of fraud: a QR code manipulated simply by placing a sticker over a corner of a legitimate code will direct the user to a spam site or worse.

A study by Chadwick Martin Bailey and iModerate Research Technologies found that around half of 1,200 consumers interacted with a QR code when they saw one, with 21 per cent then going on to share personal information. Curiosity and information-gathering were the primary reasons for wanting to scan a code, and the promise of discounts and special offers seemed to be the most effective way to generate interest.

Claus Villumsen, CTO at BullGuard, said: “While these are primarily used as a marketing tool for advertisers so customers can get more information on products or services, cyber criminals know that services that pique interest or offer ‘special deals’ are often prime targets for spreading malware, stealing identities and phishing for personal information.

“In other words, QR codes make things run faster and easier, but they can also pose a threat to your mobile security.”

BullGuard recommended using a mobile QR code-scanning app that previews URLs and to avoid scanning suspicious codes and links that do not match the adverts they are incorporated into.
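One way to implement the URL preview that BullGuard recommends, as an added example that is not the article's or any vendor's code: a function that takes the text decoded from a QR code and reports where it would send the phone before anything is opened. The decoded payloads and the shortener list below are constructed for the example; a real scanner app would supply the decoded string from the camera.

```python
"""Preview the content of a scanned QR code before acting on it.

Added example (not from the article or any vendor mentioned in it). A QR
scanner library would hand us the decoded string; here the decoded strings
are constructed inline so the check runs offline.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: a short illustrative list of public URL shorteners. A real
# scanner app would keep a maintained list.
KNOWN_SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "is.gd"}

# URI schemes that trigger an action on the phone rather than open a page.
# A premium-rate SMS payload looks like "SMSTO:<number>:<text>".
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "market"}


def preview_qr_payload(payload: str) -> dict:
    """Return a summary of what a decoded QR payload would do if followed.

    The result gives the payload kind ("url", "action" or "text"), the
    target host for URLs, and a list of reasons the user should be cautious.
    """
    payload = payload.strip()
    # Split the scheme by hand so that bare "tel:" numbers are handled the
    # same way on every Python version.
    scheme, sep, rest = payload.partition(":")
    scheme = scheme.lower() if sep else ""

    if scheme in ACTION_SCHEMES:
        # tel:/sms: payloads can dial or message premium-rate numbers.
        return {"kind": "action", "scheme": scheme, "target": rest,
                "warnings": ["payload triggers a phone action (%s:), not a web page" % scheme]}

    if scheme not in ("http", "https"):
        return {"kind": "text", "warnings": ["not a web link; treat as plain text"]}

    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.username is not None:
        # "https://bank.example@203.0.113.5/" really goes to 203.0.113.5.
        warnings.append("URL contains credentials before '@'; the real host is %s" % host)
    if scheme == "http":
        warnings.append("plain HTTP: page can be altered in transit")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("internationalised (punycode) host name may mimic a familiar brand")
    if host in KNOWN_SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    if len(host.split(".")) > 4:
        warnings.append("unusually deep subdomain chain")
    return {"kind": "url", "scheme": scheme, "host": host, "warnings": warnings}


# Constructed sample payloads, standing in for text decoded from QR images.
SAMPLE_PAYLOADS = [
    "https://www.example.com/promo",
    "http://bit.ly/abc",
    "https://www.example.com@203.0.113.5/login",
    "SMSTO:+447000000000:subscribe",
    "Just some text",
]

if __name__ == "__main__":
    for sample in SAMPLE_PAYLOADS:
        print(sample, "->", preview_qr_payload(sample))
```

The function never fetches anything: it only tells the user what the scan would do, which is the point of a preview. A scanner app would show the host and the warnings and require a tap before opening the link.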

This is going to be a tricky one for security vendors to mitigate – it is being driven by marketing departments keen to embrace a clever new technology, and public adoption is hard to control. Perhaps this just needs better application development, as BullGuard suggests, before it gets out of hand.


Three steps to ensuring BYOD doesn't lead to BYOT (bring your own threat)

January 09, 2012

As many organisations rush to adopt technologies that enable their workforce to be more mobile and satiate user demand that IT support mobile devices, security often becomes an afterthought.

In this bring your own device (BYOD) environment, enterprises are struggling to lock down an ever-growing number of endpoints. So how can you give users the flexibility they want while maintaining the utmost security? These are the three basic steps that you need to take into account:

Adopt mobile management solutions that provide tiered functionality

Provide yourself with the capability to quickly lock down any and all devices that are assigned to a user. The first level of capability should be immediate blocking of specific devices from corporate data, if they pose a threat.

Additionally, remote wiping capabilities should be a level-one capability for devices that are out-of-policy, non-compliant, include active threats or are lost or stolen.

Emphasise broad platform support and policy configuration

Rather than viewing support at a device level (there is no way you can support every gadget out there), focus on supporting far-reaching platforms (e.g. Android encompasses a number of phones and tablets; iOS includes iPod Touch, iPad and iPhone). Also, leverage policy-based functions that allow you to define which devices and operating systems are allowed on the network and what they are able to access.

In many instances, these policies can be implemented via technologies you already have in place to manage PCs. This way you don't have to invest in separate consoles, infrastructures and, in some cases, teams.

Adopt mobile management solutions that don't require active alerts by the user community

Accept the fact that some users will inappropriately bring new devices into your corporate environment, as well as expose current devices to unsecured networks.

In this case, you will need solutions that employ agentless discovery capabilities. This will enable you to proactively intercept all devices and take defined actions concerning access and control between those devices and the rest of your infrastructure.
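The three steps above can be expressed as a small policy engine. The following is an added example, not LANDesk code or any product's API: it models tiered actions (block or wipe), platform-level rather than per-gadget policy, and devices that turn up through agentless discovery without the user telling IT. The fleet inventory and the policy table are constructed for the example.

```python
"""Tiered device policy for a BYOD fleet.

Added example; not LANDesk code or any product's API. Device records and the
platform policy table are constructed for illustration.
"""
from dataclasses import dataclass

# Assumption: policy is set per platform family, not per gadget model.
# Versions are tuples so they compare numerically ((4, 0) > (2, 3)).
PLATFORM_POLICY = {
    "ios":     {"min_version": (5, 0), "resources": {"email", "calendar", "intranet"}},
    "android": {"min_version": (2, 3), "resources": {"email", "calendar"}},
}


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str        # OS family, e.g. "ios" or "android"
    os_version: tuple
    enrolled: bool       # False for devices seen only by agentless discovery
    compliant: bool      # passcode set, not rooted or jailbroken, etc.
    active_threat: bool = False
    lost_or_stolen: bool = False


def evaluate(device: Device) -> dict:
    """Return the tier-one action for a device and the resources it may reach.

    "wipe" removes corporate data (possible only on enrolled devices),
    "block" denies all corporate access, "allow" grants the platform's
    resource set.
    """
    if not device.enrolled:
        # Discovered but unmanaged: there is no agent to wipe, so block.
        return {"action": "block", "resources": set(), "reason": "device not enrolled"}
    if device.lost_or_stolen or device.active_threat:
        return {"action": "wipe", "resources": set(), "reason": "lost, stolen or infected"}
    policy = PLATFORM_POLICY.get(device.platform)
    if policy is None:
        return {"action": "block", "resources": set(), "reason": "platform not supported"}
    if device.os_version < policy["min_version"] or not device.compliant:
        # Out-of-policy or non-compliant devices sit in the wipe tier above.
        return {"action": "wipe", "resources": set(), "reason": "out of policy"}
    return {"action": "allow", "resources": set(policy["resources"]), "reason": "compliant"}


def lock_down_user(devices, owner: str) -> dict:
    """Block every device assigned to one user at once (e.g. on departure)."""
    return {d.device_id: "block" for d in devices if d.owner == owner}


# Constructed fleet inventory for the example.
FLEET = [
    Device("d1", "alice", "ios", (5, 1), enrolled=True, compliant=True),
    Device("d2", "alice", "android", (2, 2), enrolled=True, compliant=True),
    Device("d3", "bob", "android", (4, 0), enrolled=False, compliant=True),
    Device("d4", "bob", "ios", (5, 0), enrolled=True, compliant=True, lost_or_stolen=True),
    Device("d5", "carol", "symbian", (9, 4), enrolled=True, compliant=True),
]


def fleet_report(devices=FLEET) -> dict:
    """Map each device id to its tier-one action."""
    return {d.device_id: evaluate(d)["action"] for d in devices}


if __name__ == "__main__":
    for dev in FLEET:
        print(dev.device_id, evaluate(dev))
    print(lock_down_user(FLEET, "alice"))
```

The ordering of the checks matters: an unenrolled device is blocked before anything else because no wipe is possible without an agent, and the platform table is consulted only for enrolled devices that are not already in the wipe tier.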

Devin Anderson is product line manager for LANDesk security suite


Cyber security reaches NATO's attention

January 05, 2012

I recently came across a report by Signal Magazine on the Armed Forces Communications and Electronics Association (AFCEA) TechNet International 2011 conference that gave further attention to the reality of cyber space and crime.

As we saw with the National Security Strategy from 2010 and the recent government Cyber Security Strategy, cyber crime is now being taken seriously at that level. This article claimed that the advantages offered by cyber warfare (low cost, widespread applicability and ease of operation) mean "it is likely to be the weapon of choice for future aggressors menacing NATO and its allies".

The theme of the AFCEA conference was ‘Supporting NATO in the Next Decade’ and it was held in the German town of Heidelberg last October. Present were members of NATO, due to it being held in conjunction with the NATO Consultation, Command and Control Agency (NC3A) annual industry conference.

Major general Jaap Willemse, assistant chief of staff of Command, Control, Communications, Computers and Intelligence (ACOS C4I), claimed that "the ways of classical warfare cannot be applied to cyber war", yet most military and political leaders are still dealing with information technology as if it were just another minor technology that could be added easily to existing systems.

He said: “The first priority is an international definition of the term cyber war and what successful cyber defence - or even an adequate reply to a cyber attack - could look like.

“In classical engagements there has always been some code of conduct, but not in cyberspace. As military, we need to define what our role in cyber space is in order to take the right actions when NATO allies or our own countries are attacked.”

Also speaking was Lt. general Walter E. Gaskin, deputy chairman of the NATO Military Committee, who agreed that information superiority, and therefore information technology, will play a main part in future conflicts. “Cyber attacks are and will be a serious problem,” he said.

“The main problem with cyber attacks is that they are not costly to undertake. The hardware is inexpensive and can be purchased easily, although software needs some intelligent, skilled people. A cyber attack therefore is much less expensive than the classic types of warfare that consume a lot of money, starting with fuel for combat aircraft and ending with missiles used during attacks.

“NATO nations and organisations already are frequently facing attacks. We need to develop further capabilities on cyber defence and we need to enhance the cooperation between the NATO nations in the field of cyber security.”

The US government has made significant strides with its annual cyber awareness month, and the UK government's move was mostly welcomed too. However, with an international collective such as NATO, there is the real consideration of cyber warfare and defence against it.

As Willemse said, "the ways of classical warfare cannot be applied to cyber war", and governments, infrastructure and industry are all too aware of the extent to which the enemy is unknown and cannot be underestimated.

So will this NATO-led approval for cyber security make any impact? Since this is three months old now and only just came to my attention this week, it is sad to say that it probably will not. However, if 2011 was the year when high-level attacks became mainstream, perhaps 2012 will be the year when attention reaches the highest global awareness and defence is applied.

On a slightly lighter note, also discussed was the challenge of cloud computing. NC3A general manager Georges D'hollander compared the concept of moving data to the cloud to valet parking, as "it only works if you trust that the person can (a) drive and (b) won't steal your car". I have a feeling that we will see that analogy used again.


Internet Explorer 6 use continues to decline

January 05, 2012

Usage of Internet Explorer 6 (IE6) has dropped below one per cent in the US.

Microsoft announced the milestone this week, baking a cake to mark the decline of the outdated browser. Roger Capriotti, director of Internet Explorer marketing, said: “As we kick off 2012, we call on the rest of the world: make it your New Year's resolution to end IE6 and move to a modern browser like IE8 or IE9.”

Microsoft launched the IE6 countdown website in March to encourage users to drop the browser, which was released in August 2001, by detailing how much the browser was used around the world. It is still prominent in China, which takes a 25 per cent share of global usage, while the UK accounts for 1.4 per cent.

Capriotti said he was thrilled that usage in the US had joined Austria, Poland, Sweden, Denmark, Finland, Norway, the Czech Republic, Mexico, Ukraine, Portugal and the Philippines in falling below one per cent, calling these countries "the Champions' Circle".

“We hope this means more developers and IT pros can consider IE 6 a low priority at this point and stop spending their time having to support such an outdated browser," he said.

A vulnerability in IE6 was pinpointed as the reason for the Aurora attacks two years ago; Microsoft said at the time that the vulnerability was an invalid pointer reference within IE and, under certain conditions, it was possible for the invalid pointer to be accessed after an object was deleted.

Since then Microsoft has tried to educate internet users on IE6's effective obsolescence by likening using it to drinking out-of-date milk and promoting the countdown website.

However, in August 2010, it was revealed that the UK government was persisting with IE6 - it said there was "no evidence that upgrading web browsers will make users more secure". However, two weeks later the Department of Communities and Local Government said it was looking into upgrading to the latest version of IE.

Microsoft has pledged to officially scrap support for IE6 in April 2014, when it will also end support for Windows XP. A number of sites, including YouTube, are no longer compatible with the IE6 browser.


How Anonymous stepped up its activity over Christmas

January 03, 2012

Over the past few years that I have been working on SC Magazine, the Christmas and New Year holiday period has been traditionally quiet.

However, 2011 proved to be the exception. After an incredibly busy year in information security news, the holiday period saw some major technology stories break. In terms of impact, the most significant was the Anonymous group posting 200GB of information on the customers of US security think tank Stratfor. The data was harvested in a hack of the company's website earlier that week.

In a statement posted on Pastebin, the group posted the 75,000 names, addresses and passwords of every customer that has ever paid Stratfor for services, as well as the personal information of 860,000 people who registered with the company that specialises in "strategic intelligence on global business, economic, security and geopolitical affairs".

According to the statement, the goal was to pilfer funds from individuals' accounts to give away as Christmas donations, an operation that had been hinted at in a previous statement. It also claimed that 50,000 of these email addresses were .mil and .gov.

Anonymous said: “We call upon all allied battleships, all armies from darkness, to use and abuse these password lists and credit card information to wreak unholy havoc upon the systems and personal email accounts of these rich and powerful oppressors. Kill, kitties, kill and burn them down... peacefully.”

It also claimed that there would be "noise demonstrations" on New Year's Eve in front of jails and prisons all over the world to show solidarity with those incarcerated. “On this date, we will be launching our contributions to project mayhem by attacking multiple law enforcement targets from coast to coast,” it said.

However, a day later, on 25 December, another statement appeared on Pastebin denying any Anonymous involvement with the Stratfor attack. This said: “Stratfor has been purposefully misrepresented by these so-called Anons and portrayed in false light as a company which engages in activity similar to HBGary.

“Sabu and his crew are nothing more than opportunistic attention whores who are possibly agent provocateurs. As a media source, Stratfor's work is protected by the freedom of press, a principle which Anonymous values greatly. This hack is most definitely not the work of Anonymous.”

Yet just to aid confusion, a statement released on 26 December addressed the ‘denial’ message, calling it "ridiculous" and saying that it "undermined our work while also making baseless accusations that we frequently see perpetrated by agent provocateurs".

It said: “Whether this is the work of malicious counter-intelligence, some butthurt pacifists or Stratfor employees themselves is unknown. Unfortunately, some main stream news agencies have picked up on this statement, looking for any reason to highlight and exploit any potential ‘inner divisions’ within Anonymous.

“However, there has been no such squabble or infighting regarding the Stratfor target, or any other LulzXmas target for that matter. Anyone can claim to be Anonymous, but because of the inherent decentralised nature of Anonymous, without central top-down leadership, no individual is in a place to speak to the legitimacy of another individual or group's operation.

“Furthermore, our history of owning high profile targets as Anonymous has been well documented at the antisec embassy and is well known and respected within all Anon communities. Case closed.”

Fred Burton, Stratfor's vice-president of intelligence, said the company had reported the intrusion to law enforcement and was working with them on the investigation. He also said Stratfor has protections in place to prevent such attacks.

On the Stratfor Facebook page, the company said: “An unauthorised party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.

“We have also retained the services of a leading identity theft protection and monitoring service on behalf of the Stratfor members that have been impacted by these events.”

Anonymous poked fun at Stratfor hiring two outside consultants to resolve the situation. “Top identity theft protection? Professional security consultant? We'll see how that works out for you, if you ever dare to put your servers back online again. Until then, we'll be watching and waiting. And laughing, of course,” it said.

Another statement claimed that the next target would be SpecialForces.com, whose customer base is comprised primarily of military- and law-enforcement-affiliated individuals. The statement said the customers "have for too long enjoyed purchasing tactical combat equipment from their slick and professional looking website".

It said: “To be fair, at least SpecialForces.com did store their customers' credit card information using blowfish encryption (unlike the global intelligence and security industry ‘professionals’ at Stratfor, who apparently remain confused as to whether their customers' information was even encrypted or not).

“Nevertheless, our voodoo prevailed and we were quickly able to break back into the military supplier's server and steal their encryption keys. We then wrote a few simple functions to recover the cleartext passwords, credit card numbers and expiration dates to all their customers' cards. That's how we roll.

“In reality, for the past few months, we have been in possession of approximately 14,000 passwords and 8000 credit cards from SpecialForces.com. Unfortunately a former comrade leaked the password list early, and the full story on this owning will be told in our upcoming zine. Until then, feast upon one hell of a juicy text file.”

It concluded this statement with a demand that US soldier Bradley Manning be released immediately. He was also referenced in other statements over the holiday period.

While nobody expected Anonymous, or any other hacktivist group for that matter, to be quiet over the Christmas period, the size of this data dump achieved many headlines for the operation.

The comments relating the actions to Bradley Manning, whose trial was also a major news story in the days leading up to Christmas, also demonstrated how seriously this should be taken, but whether the unlikely release of the soldier would have prevented the actions is anyone's guess.

Either way, Anonymous has proved that its actions are not ending any time soon, and I suspect they will continue into and throughout 2012.


Some good advice if you want to bring your own device to work

December 20, 2011

The holiday season is here again and many people will be giving and receiving new technologies this year, including mobile phones, laptops and tablets.

While this is good news for the consumer, come January all these new toys will present a headache to IT managers everywhere who will want to make sure they can keep company data secure.

Increasing numbers of workers today are bringing their personal devices to the company IT department to enable access to email and other productivity apps on devices such as iPads, iPhones and Androids. According to a recent Forrester report, three-quarters of US information workers pick the smartphone they want rather than accept IT's choice, and more than half of them pay for their smartphone and monthly plans.

According to our recent survey, increasing numbers of companies across all industries are supporting a bring-your-own-device (BYOD) model, and in more than half of those instances, employees shoulder the cost of their device and service plan.

So now employees can use their favourite devices for work, but what does it mean for the company? It means that companies must now support more platforms and deliver business apps such as email, chat and portals on iPads, iPhones, and Android and Windows phones.

That means data and apps will be used from any location over any network and can endanger sensitive company information, potentially getting workers or their employers into trouble.

To keep confidential data stored on personal mobile devices and stop it from falling into the wrong hands, many IT departments turn to third-party solutions to better secure, monitor, manage and support the variety of mobile devices used by employees. Using one of these solutions, IT organisations can implement security controls such as passwords and remote wipe and lock, which allows IT to erase corporate data from a mobile device if it is lost or stolen.

The challenge is that most employees don't want to enter a complex password every time they need to make a phone call, send a text message or update their Facebook status. Plus, when employees use their personal phones for work, a remote wipe could erase personal apps and data in addition to corporate data and applications.

Fortunately, companies such as Good Technology take a different approach to these BYOD security challenges and keep the best interest of both employees and employer in mind.

To keep your information secure this holiday season, Good Technology is offering some tips on what employees can do to help protect both personal and company information:

  • Don't use cloud programs on your mobile device to share corporate files and data.
  • Beware of email fraud. Don't send email to anyone you don't already know, or respond to emails that appear to be from known sources without first verifying that they are legitimate.
  • Secure your device settings and have it automatically lock after five minutes.
  • Don't forward emails from your corporate address to private email accounts, especially emails with attachments.
  • Don't use check-in apps everywhere.
  • Turn location settings off when not using apps that require it.
  • Be careful of Beta programs/apps: they can be dangerous, as in many cases the developers haven't sorted out security yet.

Andy Jacques is EMEA vice-president and general manager at Good Technology


2011: a year in headlines from SC Magazine, September to December

December 19, 2011

Most of September's news was dominated by the hacking and issuing of rogue certificates from DigiNotar.

After it admitted to an initial compromise, it was given a vote of no confidence by Google, Microsoft and Mozilla, and later Apple.

The hacker said he had access to four other certificate authorities (CA), putting fellow CA GlobalSign on alert, although it later said nothing had been compromised. In an email to SC Magazine, the hacker said his intention was to embarrass DigiNotar.

DigiNotar was later declared bankrupt and this proved to be one of the main cases of a cyber attack leading to the closure of a business.

Elsewhere a CD was lost by a primary care trust that contained the personal details of 1.6 million individuals, the University Hospital of South Manchester NHS Foundation Trust lost the personal information of 87 patients following the loss of an unencrypted memory stick, while the Scottish Children's Reporter Administration breached the Data Protection Act twice.

The Information Commissioner Christopher Graham called for custodial sentences after former Barclays cashier Sarah Langridge pleaded guilty to illegally accessing the account details of a customer, against whom her husband had been jailed for a sex attack.

A major DNS hack led to the websites of Vodafone, Betfair, Acer, National Geographic, the Daily Telegraph and the Register being replaced with an image and a message that read: “h4ck1n9 is not a cr1m3. 4 Sept. We TurkGuvenligi declare this day as World Hackers Day - Have fun ;) h4ck y0u.” Also, further arrests were made in connection to the LulzSec attacks, with two people arrested in the UK and Ireland and another in Arizona.

Research by Trend Micro uncovered a series of targeted attacks that compromised 1,465 computers in more than 60 countries, while the most notable acquisition of 2010, the purchase of McAfee by Intel, saw the DeepSafe technology launched.

In September I attended the Gartner security conference in London, and among the highlights were meeting the director of consumerisation from Trend Micro, proving how far the trend has come, and SABMiller CISO Mark Brown saying that CISOs "have to become business enablers and talk at board level if they want to retain their status".

At the end of September, SC Magazine exclusively revealed that businesses would face a 'mandatory data breach disclosure' law as part of the new Data Protection Directive, the legislation on which the Data Protection Act is based.

While the law will go through a process of consultation over the next 12 months, it is expected to become law in the UK by early 2013. Just how ready will businesses be? Probably about as prepared as they are for the cookies law; still, there is no fighting the regulator.

In another botnet takedown, Microsoft confirmed the end of the Kelihos botnet, which primarily sent out the MacDefender virus, while it faced a false positive nightmare as it flagged an update for Google Chrome as the Zeus Trojan.

In acquisition news, it was all about security incident and event management (SIEM) as McAfee grabbed NitroSecurity and IBM snapped up Q1 Labs. The news on 6 October was dominated by the passing of Apple founder Steve Jobs, with tributes paid from around the world by people involved in technology and government.

Also in early October, I attended the Symantec Vision conference in Barcelona. New announcements were led by its launch of a data loss prevention (DLP) solution for the Apple iPad and its declaration that "reputation-based protection is the future of anti-virus". I was also given my first demonstration at this show of the capability to Trojanise mobile applications, a trend that may grow in dark popularity.

The following week was dominated by the RSA Conference Europe, which opened with an apology and executive chairman Art Coviello quoting Nietzsche's epigram, "what does not kill you makes you stronger".

Coviello also said the attack on his organisation was done by two groups, with one definitely from a nation state, and he later said that security technology should be advanced so that it is risk-based, agile and has a contextual capability; he added: "While we may try, we will never keep up with individual attacks, but we can create a system to withstand certain attacks."

At the show I met with HB Gary CEO and co-founder Greg Hoglund, who detailed how the company was stronger following its attack, while Sony confirmed that it detected attempts on the Sony Entertainment Network (SEN), PlayStation Network (PSN) and Sony Online Entertainment (SOE) services to test a massive set of identities and passwords against its network database, possibly impacting 93,000 accounts.

The RSA Conference Europe was closed by internet godfather Tim Berners-Lee, who expressed his dismay at a lack of user control over data, calling it "dysfunctional". Also in October, the research paper ‘BEAST’, which detailed a method of defeating SSL, was praised for being "technically clever but over-sold" by SSL inventor Taher Elgamal.

Into November and the US stuck its neck out and dared to name China and Russia as key cyber threats in a report, while sportswear giant Adidas was forced to take down its websites after suffering a "sophisticated, criminal cyber attack".

Another incident at a certificate authority (CA) caused KPN Corporate Market to stop issuing SSL certificates after it discovered a security breach that allowed hackers to store tools for denial-of-service attacks on its servers. Microsoft also said it would revoke trust in Malaysian intermediate CA 'DigiCert Sdn. Bhd' after the CA had issued 22 certificates with weak 512-bit keys, and issued certificates without the appropriate usage extensions or revocation information.

In less of an acquisition, more of a save, Cryptocard acquired GrIDsure after the latter went into liquidation, while Southwark Council was told off by the ICO after it left a computer and papers containing the personal information of 7,200 people in a skip.

Also in this period, Prolexic reported the largest packet-per-second distributed denial-of-service (DDoS) attack of the year, while seven people were charged with using malware to manipulate online advertising and infect more than four million computers in more than 100 countries in ‘Operation Ghost Click’.

It had been more than a year since the Stuxnet worm impacted SCADA systems, but attacks on water systems in Illinois and Texas hinted at fresh attacks. Sourcefire EMEA technical director Dominic Storey said these "would be just the beginning", while the attacker of the Texan system told SC Magazine that the SCADA-based system was controlled by a three-character password.

While North Somerset Council and Worcestershire County Council received ICO fines for "serious email errors", the Government announced its Cyber Security Strategy that will open a new national cyber security ‘hub’, a cyber crime unit within the National Crime Agency and a single reporting system to report financially motivated cyber crime.

Generally the strategy was welcomed by the security industry, but some called it too political or reliant on unlikely collaboration. Among those proposing changes was former Home Secretary John Reid, who said a lack of investment in innovation would harm industry.

There will be an impact on ISPs, as the strategy said government will work with them to create a voluntary code of conduct to help people identify if their computers have been compromised and advise them on what action to take.

Also in regulatory news, it was announced that new data protection laws will compel European businesses to appoint a data privacy officer, something that could have saved Powys County Council from the largest ICO fine to date, £130,000, after child protection case details were sent out incorrectly in two instances.

At the half-way point of the year's grace on 'cookie compliance', the ICO announced there had been little progress on the issue and encouraged collaboration to understand the road to regulation.

In the world of the CA, another was reportedly hacked, although this did not appear to have affected certificate issuance from Gemnet. At the same time, CA GlobalSign said it had found no evidence of any rogue certificates being issued or any compromise of its CA infrastructure, following rumours in September to the contrary.

Wrapping up the final headlines for December, rumours abounded that a European processor had been breached, but at the time of writing there was no further confirmation.

Microsoft confirmed it will offer ‘silent' updates of Internet Explorer for those who want it, while Google pulled 14,000 malicious applications from its Android market.

What I hope these three 'year in review' articles have proved is what a busy 12 months it has been for all of us in security. Security hit the headlines of the national press around the world many times, with stories and angles that I could never have predicted. So here's to 2012, when I hope there will be some more good news!


2011: a year in headlines from SC Magazine, May to August

December 16, 2011

I was on holiday when the first announcement was made about the Sony attack. My first reaction was that it would not be as big a deal as the RSA attack, but in fact this would be the more ‘persistent’, on the grounds that it went on and on.

Sony promised to improve its security by appointing a CISO after the initial hack, as board members publicly apologised for the incident. Sony went on to blame Anonymous for the hack after discovering a file on a server that was named ‘Anonymous’ with the words "we are Legion". Also suffering from a loss of data was the US version of the X Factor, with popstar hopefuls impacted.

The killing of Osama Bin Laden caused warnings on scams, while Baroness Pauline Neville-Jones stepped down as security minister to be appointed as a special representative to business on cyber security, later playing an important part in the government's cyber security strategy.

Acquisitions continued with Tripwire acquired by investment firm Thoma Bravo, Astaro by Sophos and Shavlik by VMware.

Just when you thought data-loss stories couldn't get more ridiculous, former data controller of ACS:Law Andrew Crossley was fined just £1,000 for failing to keep sensitive personal information relating to around 6,000 people secure. The Information Commissioner's Office (ICO) said the fine could have been £200,000 if the firm was still trading, but the unencrypted document which listed the personal details of more than 5,300 BSkyB Broadband subscribers belonged to a company that had closed down.

The ICO also announced that the details of 82,000 people were accidentally published online when a data file, which had been repaired by Co-operative Life Planning's software support contractor, was hacked.

Yet the ICO's big announcement of this period was in regard to cookies, when it gave companies a year to get consent from visitors to their websites in order to store cookies on their computers. The Chancellor announced at this time that the Treasury faces one email attack every day; just the one, Mr Osborne?

More realistic was the announcement that the Ministry of Defence faced more than 1,000 cyber attacks in 2010.

The rise of advanced malware for mobile and Apple products has been predicted for some time, and in 2011 we had some of the first real examples. Android phones were said to be vulnerable to a third-party snooping flaw, Apple users were warned about using an outdated, vulnerable version of Opera, and the detection of a rogue anti-virus product named 'MACDefender' made malware for Apple all the more real.

The RSA incident came back to life when US defence contractor Lockheed Martin announced that its network had come under a "significant and tenacious" attack and, according to reports, RSA's SecurID tokens were linked to the access. Later it was suggested that at least one prime defence contractor (not Lockheed Martin) made the decision to stop using RSA SecurIDs for its senior staff and found a completely different vendor to supply its security tokens following the incident.

RSA executive chairman Art Coviello later admitted that SecurID data was compromised during the attack, and that it had been "used as an element of an attempted broader attack on Lockheed Martin". Lockheed Martin said the attack was thwarted and no sensitive information was intercepted. Is this the last we have heard of this incident, I wonder?

Attacks against Sony continued; an attack on the Sony Pictures website revealed one million passwords stored unencrypted in plain text, as a hacking group named LulzSec (internet slang for laughing at security) emerged as the responsible party. The same group attacked the Sony BMG website and the Sony Computer Entertainment developer network.

LulzSec later intercepted a Nintendo configuration for one of its US servers, but said its focus was on Sony and it was not planning to do anything with the file. Games developer Codemasters was also attacked, but no claim was made by LulzSec; likewise Sega's pass portal was hacked with around 1.3 million user details compromised, but cardholder data was unaffected.

Proving that its attention was not wholly focused on gaming, LulzSec hit the US Senate and the website of the CIA, while long-term Anonymous target PayPal denied that login information had been accessed after LulzSec claimed to have released login information for Facebook, PayPal, dating sites, Xbox Live and Twitter accounts. LulzSec also denied responsibility for hacking UK census data, and the Office for National Statistics later said that no data had been compromised.

At the peak of its infamy, on 25 June LulzSec announced it was ending its campaign, with its final act being to dump more than half a million user credentials. The end of its operations brought many comments on what it had achieved, and it has mostly stayed true to its retirement, although its members later merged with Anonymous to continue the latter's operations.

In more positive news, IPv6 Day demonstrated the capabilities of the modern protocol, and Google launched a new social networking site named 'Google+', although its first flaw was found a few days later.

The ICO said the NHS needed to do more to protect user details following a spate of data breaches, yet the private sector was named as being responsible for a third of data breaches. In this period the ICO handed another fine to Surrey County Council.

In malware, the most complex botnet of all time was discovered and named the TDL-4, while LulzSec made a brief return to redirect visitors to the Sun newspaper site, which claimed Rupert Murdoch had committed suicide. The Sun also admitted to a potential data loss because of the attack.

In fact, the shadow of LulzSec remained during July, as arrests were made and LulzSec responded by saying: “Arresting people won't stop us, FBI. We will only cease fire when you all wear shoes on your heads. That's the only way this is ending.”

However, one of the arrests was of an 18-year-old from the Shetland Islands named Jake Davis, who was suspected of being the LulzSec member Topiary. He was later charged with computer offences by the Metropolitan Police.

The police also warned off wannabe hackers, but not before 'TeaMp0isoN' emerged, defacing the BlackBerry blog in response to RIM's announcement that it would co-operate with police following the London riots.

Facebook announced a bug bounty programme, but said flaws in third-party apps would not be rewarded. Microsoft offered $200,000 for the inventor of the 'next great security technology', although this offer was criticised by research and development firm Subreption, which said "entrants should not sell themselves so cheap".

Anonymous returned to the news once again in August with announced plans to 'kill Facebook' on 5 November, while it hit the San Francisco Bay Area Rapid Transit (BART) system following the latter's decision to shut down mobile phone services.

In a good bit of vendor tussling, McAfee launched its 'Shady RAT' report detailing multiple and lengthy intrusions; Eugene Kaspersky dismissed it, calling it "shoddy rat". McAfee responded to Eugene's claims, saying he had "missed the point".

In other news, Google passed an ICO audit following its Street View cars collecting data from unsecured WiFi transmissions; LinkedIn was forced to change a proposed policy on using members' photos in its 'social ads' following a user backlash; and, to bring things full circle, the email that brought down RSA was identified by F-Secure.

The month ended with members of Anonymous leaving the movement and criticising its direction, while Dutch certificate authority DigiNotar admitted to being hacked, with rogue certificates issued, which became the next major trend of 2011.


2011: a year in headlines from SC Magazine, January to April

December 13, 2011

With 2011 proving to be the year that information security hit the national headlines over and over again with some of the biggest stories in years, rather than looking back in one article, I have decided to take an extended view of the past 12 months.

The year began without a major flurry and, following 2010's Aurora attacks, information security news had a lot to live up to a year on. Following a flurry of acquisitions in 2010, this continued at the start of 2011 with Dell's acquisition of SecureWorks and Sourcefire's acquisition of Immunet.

The first of many data losses in 2011 that were reported to the Information Commissioner's Office (ICO) concerned the Scottish Court Service disposing of documents at a local recycling bank. Another major 2010 story, WikiLeaks, was addressed with US government agencies encouraged to create 'insider threat' programmes to find disgruntled workers who could leak state secrets.

One of the major and consistent themes of 2011 was consumerisation, and my first blog of the year focused on this theme and asked if the smartphone was to blame. If your concern was the security of open source software, then Trend Micro chairman Steve Chang agreed with you.

On a wet Friday afternoon in January I was one of a select bunch of journalists invited to meet finalists from the Cyber Security Challenge; it later confirmed the winners, and this experience gave me an insight into what was going on with the next generation of security folk.

Those who thought they were untouchable were arrested on a charge of stealing iPad user data from AT&T's servers; meanwhile, up to ten million smartphone users may have been affected after a breach of Trapster's username and password database was revealed.

The end of January also brought an end to Lush's website, after it revealed a four-month-long compromise that caused it to jokingly offer a job to the hacker. Less amusing was the revelation by Imperva that major European and US government websites had been hacked, with access to the sites put on public sale.

As January came to an end, the Arab Spring began with Egyptian ISPs ordered to cut connectivity, and Anonymous sent a warning to the UK government after the arrest of five men.

Into February, and the ICO issued its third and fourth fines, to Ealing and Hounslow Councils, over the loss of unencrypted laptops; Google announced new CEO Larry Page; and Qualys called for the open source development of a web application firewall. The status of this project is now unknown.

McAfee launched the 'Night Dragon' report that talked of targeted attacks on oil and gas field bids and operations, although comments from Sophos later suggested this did not have enough depth for it to be taken seriously.

Over at the RSA conference in San Francisco, Art Coviello talked about trust in the cloud, demos were given on drive-by downloads and mobile malware, but the organiser's biggest news was to follow later.

Robust attacks hit the headlines again, with the website of the controversial Westboro Baptist Church taken down; initially it was suspected to be the work of Anonymous, but responsibility was later claimed by pro-US hacktivist 'the Jester'.

If malware is your bag, we saw OddJob in February, Google pulled 21 suspicious apps from the Android marketplace, and my first encounter with Zeus came courtesy of IronKey at its lab in California.

March saw the release of the iPad 2 from Apple, and blog platform WordPress was hit by a huge distributed denial-of-service attack that was 'multiple Gigabits per second and tens of millions of packets per second'.

In fact, March saw a number of attacks, with the French budget minister, 29 government and other agency websites in South Korea and Broadcast Music (courtesy of Anonymous) all taken down.

On the same day as Wolverhampton City Council was reported to have dumped "confidential personal information in a skip", Twitter introduced a full HTTPS session as an option; it later made this mandatory for all users.

Now you could remember 18 March as the day Microsoft announced the takedown of the Rustock botnet, which otherwise would have been a major headline-grabber, but that news was superseded by RSA's announcement that it was hit by an advanced persistent threat (APT).

Looking back at that story, there is nothing much in it that gives any clue to the impact of the incident, but at the time it was earth-shattering: executive chairman Art Coviello said that "an extremely sophisticated cyber attack" was detected while in progress, and its investigation revealed that the attack resulted in certain information, specifically related to RSA's SecurID two-factor authentication products, being extracted.

The story would run for days, weeks and months, and remains one of the most referenced of the year. In the following days, Play.com revealed that it had breached data laws, while Trip Advisor also admitted to a breach of user data rules.

The European Commission announced that it was hit by an APT, while a BP employee lost a laptop containing the personal details of 13,000 Louisiana residents who had filed compensation claims after the Gulf of Mexico oil spill. Another bad day for the oil giant.

In possibly one of the most distressing stories of the year, a data leak at an HIV clinic revealed test results for adult actors, while marketing company Epsilon suffered a breach that forced it to inform its customers of the potential exposure; in other words, a nightmare for everyone involved. However, it did lead to Twitter users 'counting' how many notifications they had received: just the one for me.

Further light was shone on the RSA 'incident' as it was found to have started with a spear phishing message that exploited a vulnerability in Adobe Flash to gain access. RSA also acquired the company whose technology helped it detect the attack, NetWitness.

In slightly more positive news, the Jericho Forum introduced one of the first thought leadership pieces of the year, with its guidance on identity management launched in London. We also saw another botnet, Coreflood, taken down as the FTP server turned 40.

April ended with the InfoSecurity Europe show, where a demonstration of how easy it is to run a rogue WiFi point snared 300 visitors, the Information Commissioner denied, and got rather confused about, some Freedom of Information Act findings, and, most importantly, the SC Magazine Europe Award winners were announced.

A very busy four months then, and as the world enjoyed the Easter and Passover holidays and waited for the wedding of Prince William and Kate Middleton, the headlines were not about to relent.


"Can you put that phone down dear, the Queen is on in a minute!"

December 08, 2011

With just over two weeks to go until Christmas, it may be a case of winding down for some while others will fail to see the holidays as a time to take a break.

According to research from SecurEnvoy, 46 per cent of adults so fear losing their job that they will sneak a peek at their emails on 25 December. Only 34 per cent said they will not look at any work emails during the festivities.

The survey of 1,000 people found that while 21 per cent of people say that it isn't necessary or expected of them to be in touch with their company over Christmas, one in five people felt competitively disadvantaged if they didn't keep on top of their emails this Christmas.

The survey also found that security is far from the first thing on respondents' minds, as 46 per cent also confessed to not using any sort of security on their phones, not even a PIN, even though almost half will be looking at their business emails, which could include sensitive information and unencrypted documents.

Another survey, of 3,000 adults in the UK by online backup vendor Mozy, found that Brits are becoming increasingly connected to their work as a result of technology, with the average person working an extra three hours a week and 22 per cent never straying more than ten feet from an internet-enabled device. However, only 32 per cent save data to their corporate networks when working remotely.

Claire Galbois-Alcaix, senior manager of marketing at Mozy, said: “The results of the survey show the lines between work and personal lives increasingly blurring as more and more of us work in our personal time and space as well as carrying out personal tasks in work time and locations.

“Both employers and workers appear to benefit but, if workers are only saving data to their laptops, tablets or smartphones, this leaves businesses at significant risk should they be lost, stolen or broken. In most cases, the consumerisation of IT and workplace flexibility leads to a more 'switched on' and connected workforce, but UK businesses need to ensure they are able to properly back up data when employees are working outside of the office to protect important information from loss.”

However, the research found that 70 per cent of respondents are more productive when given the flexibility of remote working, while three quarters stated they enjoy working at home more than being in the office.

Eoin Blacklock, managing director of online backup company KeepItSafe, said: “Businesses need to wise up to protecting their mission-critical data over the Christmas period and ensure they are not relying on outdated or insecure technologies and manual processes. It is a period when offices close for long periods of time, employees are in and out at irregular intervals and the weather can also play havoc. This often leads to data backups falling by the wayside, unforeseen downtime and the potential for data loss when a restore fails.”

So whether your unexpected issue over Christmas is one of remote workers accessing email, a data loss by well-meaning employees or simply an act of God, there is no time like the present to make sure preparations are made. Until then, pass the cranberry, not the BlackBerry.


It's not just a Secret Santa being opened at the workplace this month

December 05, 2011

As we enter December, the human factor in information security becomes a continued issue, but with an air of alcohol about it as the office Christmas party season swings into life.

So it is now time to think about strong password deployment, patching of systems, securing external devices and more as usual, while staff shop online, possibly take their foot off the pedal and get stuck into the Cadbury's Celebrations.

It is not only office staff who cause an issue at this time of year though, as according to research by Lieberman Software, 26 per cent of IT security staff will use their privileged login rights to look at confidential information.

Its survey of more than 300 IT professionals, exclusively seen by SC Magazine, also found that 42 per cent of respondents said that their IT staff are sharing passwords or access to systems or applications, while 48 per cent of respondents work at companies that are still not changing their privileged passwords within 90 days.

Philip Lieberman, president and chief executive officer of Lieberman Software, said: “Our survey shows that senior management at some of the largest organisations are still not taking the management of privileged access to their most sensitive information seriously.

“When someone can admit that they have unsupervised, unaudited and unauthorised access to all their colleagues' and superiors' bonus details then the IT security of that organisation is seriously flawed.

“These fundamentally careless practices and procedures revealed by the IT departments of the organisations we surveyed could cost them dearly in 2012. In many ways they should be breathing a sigh of relief that they have not been breached yet, but it's just a matter of time.”

So better ensure that staff lay off the eggnog and make sure that they don't attempt to change their grades, view the MD's salary or intercept emails, as it could be a new year full of repentance.


Security compliance and the cloud will help foster business innovation and borderless working in 2012

December 02, 2011

More than ever before, 2012 will see global connections between people, machines and their environments shape the global business landscape and drive the future of work. The future has never looked brighter for business and governments to employ technology to generate growth, solve industry challenges and enrich lives and our global society. Of course, with new technologies and new working models come new challenges, and security is a core part of this. Traditional security methods were built on the notion that the IT department was in full control of every application or device coming into the business. With cloud and the consumerisation of IT, this has changed and the security practices in place need to be adapted to suit the modern IT environment. Some key technology trends that we predict will impact businesses and their workers in 2012 include:

1 - Compliance gets increasingly commercial - With increasing evidence that companies are less likely to be data breach victims if they comply with security standards, such as those promoted by the Payment Card Industry (PCI) council, compliance will become a prerequisite for good business practice in 2012.

In a difficult economic environment and with increasingly more stringent government regulations, the need for taking full advantage of business opportunities will increase interest in prudent, holistic security approaches.

Companies and governments will change how they interact with their extended network of partners, increasingly choosing to do business with those that can demonstrate a comprehensive multiyear and standards-based approach to security.

2 - The high-IQ network effect - With each new smart device or software application added to a network, all endpoints and devices will become inherently smarter, each benefiting exponentially from additional connections. Whether the connections are people-to-people, machine-to-people or machine-to-machine, new opportunities will be created to solve societal challenges such as employing IT to address the rising cost of health care or deliver smart energy solutions.

However, because of the network's importance, any security threat or interruption of service will have a profound impact. As a result, there will be an even greater demand for carefully designed and well-managed services at the core of the global IP backbone and high-speed wireless networks.

3 - To the enterprise cloud and back - As we begin to move away from the 'is cloud secure' scare-mongering, the enterprise cloud will finally come of age and deliver substantial benefits, dramatically reducing capital expenditures and creating business efficiencies and better economics.

Cloud services will give companies powerful new options to move workloads easily between the corporate data center and the cloud of a company's choice. Whether a public, private or hybrid cloud model, the enterprise cloud will play an essential role in mobilising enterprise apps that enable both workforce mobility and new business paradigms.

4 - The social enterprise - The already web-centric enterprise will become even more social and the ability to tap intelligence at all levels of the organisation will become the new norm. Of course, alongside this, organisations will need to adapt their security procedures to fit this new model but the potential benefits are clear.

With the right tools, such as high-definition video for richer collaboration and intelligent 'crowdsourcing', enterprises can produce, find and convey information with much less effort and greater velocity and efficacy than ever before. This will foster innovation and enhance productivity with exponential benefits.

5 - The consumerisation of IT - Just as personalisation is driving a new approach to customer service, IT departments are increasingly being influenced by their users. Many companies are now trying to improve the user experience and enhance productivity by tailoring their enterprise IT policies to support employees who bring their own devices - such as smartphones and tablets - to the workplace.

Companies are now looking to experts to help equip today's mobile worker with cloud-based applications that work just as securely and reliably on portable devices and are integrated with traditional desktop applications.

Gavan Egan is director of security services at Verizon EMEA


All hail Estonia?

December 02, 2011

This week at the Cyber Security Summit in London, a statement was made by one of the key speakers that caught the attention of delegates, press and other speakers alike.

Major General Jonathan Shaw, head of the defence cyber operations group at the MoD, singled out a Baltic state as a leading light when it comes to cyber readiness and being prepared for "a one-nation response".

His focus was Estonia, a country of just under one and a half million people, which marked 20 years of restored independence in 2011. Its cyber history is well known: in 2007 a series of distributed denial-of-service (DDoS) attacks was made against it over a period of time, and government, financial and political party websites were taken down.

The blame was placed on Russia, and a Russian youth group claimed responsibility two years later. However, a year after the attacks, seven NATO countries agreed to fund a centre of excellence in Estonia. It was built that year and is one of 15 accredited Centres of Excellence (COEs) for training on technically sophisticated aspects of NATO operations. It conducts research and training on cyber security.

Shaw said: “Estonia represents a country that is in a post-attack mode, not like the UK, which is in a pre-attack mode. We need a national response with GCHQ as the pillar.”

This led me to think that, with so many looking to the MoD or the US Department of Homeland Security, you would assume one of those would be the pillar of global cyber defence for others to follow. After all, despite its 20 years of independence, there may be some who would view Estonia with some suspicion because of its Soviet heritage, or even because of the arrest and charging of Estonian nationals in cyber-crime-related activities.

I turned to some Estonian government agencies to see what they felt about such high praise. The MoD in Estonia told SC Magazine that its 'cyber leader' role stems from its highly developed information society, where the Estonian public and private sectors have a long tradition of providing online services, which include e-voting, e-prescriptions, e-schooling and some of the highest adoption rates for online banking and payments in the world.

A statement said: “It naturally follows that we put effort into ensuring the safety and security of our information society. This was already the case prior to cyber attacks against Estonia in 2007. Cyber defence is not merely a military affair, but requires the participation of all sectors of government and society.”

It also claimed that Estonia's approach emphasises that every owner and user of a network is responsible for its security, including critical service providers, particularly in the private sector, but also individual users.

“Citizens should be knowledgeable about cyber security issues from their first contact with networked devices. We currently include basic cyber security training in our elementary school curriculum, though our National Cyber Security Strategy also foresees expanding this to preschool,” it said.

“All IT-related university curricula include a module on cyber security. Two of Estonia's leading universities also jointly offer one of the world's first masters-level programmes in cyber security.”

So cyber security is taught in schools in Estonia and rules on responsibility are well detailed; some in the UK would argue that such an established method is something of a pipe dream here.

I also spoke to the Estonian Information Systems Authority, which helps state, private and public sector organisations maintain the security of their information systems.

A spokesperson said: “Being seen as a leader (by any country) has a double effect: first, if attack vectors are being tested, it is reasonable to test them with the strongest opponent you can find. So, the reputation of the leader results in a heavier workload for our cyber security specialists.

“On the other hand, being the 'Test Site Estonia' brings the newest trends in the cyber security field right to us - our experts see the latest.”

It called Shaw's compliments "exceptional", but said that the reason it takes so much interest in cyber security lies within the structure of Estonian society. “As we have 1.4 million inhabitants, the only way to stay effective is to make our society digital. In November 2011, 99.6 per cent of all bank transactions were performed electronically. This spring, 94 per cent of tax declarations were filed electronically; it takes only 15 minutes to establish a company electronically, etc. For Estonia, cyber security is unavoidable to keep our vital services running and maintain our way of life,” it said.

So if Estonia is the key leader in cyber security as a nation state, what advice would it pass on to public and private sector companies when it comes to protecting against an attack?

In short, it said "co-operation and awareness raising". The spokesperson added: “One of the Estonian risk managers once said 'only the strong ones can afford to talk about their weaknesses'. There have been large (politically motivated) cyber attacks before 2007 and after, but one reason many know about Estonia is the amount of information.

“We talked about everything we knew: about the assumed motivation, the methods used, the timelines and mitigation. We shared graphs and gave data to be analysed by specialists in other countries. After 2007, people in Estonia were really interested in cyber security, and we responded with awareness raising campaigns and activities.

“As the 'weakest link' of cyber security is often seen as being between the chair and the monitor, the attitude and behaviour of computer users is a very important aspect for us.”

The reason Estonia is perceived as a cyber leader by Shaw is that it experienced an attack, dealt with it, learned from it and moved on with this knowledge and education. I am not suggesting that the best way to become stronger is to be a victim of an attack, but Sony, RSA and others will stand stronger in the future due to their experiences in 2011.

Estonia also faces different challenges to the UK and US due to its population size and 'age' as a nation, but to see how to survive and be praised by the MoD, the future may be to go east.


Never mind the malware - here's Google Android

December 01, 2011

If you believe its critics, Android is about the worst thing to hit the mobile space since the emergence of the smartphone.

It has been criticised for the ease with which its applications can be Trojanised; its apps are apparently not filtered as stringently as Apple's, and it is open source and so, the critics say, inherently unsafe. However, be prepared, as this could mark 2012's mobile wave.

Stephen Midgley, vice-president of global marketing at Absolute Software, says Android and the forthcoming Windows Phone will be taken up by users who have held off on buying Apple devices.

“Many developers are concerned about the open nature of Android, but the reality is that people develop in-house apps,” he says.

So if the development and filtering process of Android apps is a much easier process, could it become easier to build in-house apps for Android, therefore making Android the smartphone device of choice for next year?

This week saw new mobile management software launched by two security vendors.

MobileIron launched version 4.5 of its device management software to offer security on a wide set of Android devices.

With support now added for Android 4.0 (Ice Cream Sandwich) and technology partnerships with Android leaders Samsung and Cisco, MobileIron says it gives enterprise IT departments the most complete Android security platform.

Features of MobileIron 4.5 include encryption enforcement for data at rest on Samsung GALAXY devices, as well as those devices running Android 3.0 and above, secure SSL VPN connectivity for data in motion via an integration with Cisco AnyConnect, and the ability to disable camera, WiFi and Bluetooth functions in high-security environments.

Ojas Rege, VP of products at MobileIron, agrees that 2012 will see a massive influx of Android devices into the enterprise, and that companies want to know they can count on enterprise-grade security across those devices.

Talking to SC Magazine, Rege said: “In 2012 there will be a main trend that will rapidly increase the take-up of Android: bring your own device (BYOD) policies. Companies are talking about it and users have Android devices so the mix at work looks like the mix at home. Users do not want to learn about the different 'flavours' of Android, they want to get mobile device management and figure out what it is capable of.”

Also released this week was a mobile security product from Bitdefender, its first security product for the Android market.

According to the company, Bitdefender Mobile Security combines in-the-cloud technology with the company's threat database, with the result including features such as an Application Audit that keeps an eye on the permissions of installed applications, Anti-Theft, which allows users to track down a lost or stolen device, and Web Security, which alerts Android users to lurking threats such as phishing or malware on web pages.

Alexandru Balan, senior product manager at Bitdefender, said that following beta testing by 120,000 users, it is a product that lightens the load on both the device's battery and operating system.

“Security can be iron-clad and feather-light at the same time – Bitdefender Mobile Security proves it,” he said.

“The security is guaranteed by Bitdefender's years of experience on the front lines of the war against e-threats. At the same time, our in-the-cloud technology prevents battery strain, updates continuously and takes it easy on the operating system. Mobile security is, finally, truly mobile. Android device users can now be secure without having to constantly carry around their phone chargers.”

In a few weeks we will take a closer look at what the security industry predicts to be the major trends for 2012, and I expect Android to be one of the key pillars of the year. You can't say you weren't warned.

 

The effect of the Cyber Security Strategy on the ISP, and ultimately the end-user

November 30, 2011

Of all of the proposals in last week's Cyber Security Strategy, most seemed to be government or public sector led, with little direct immediate impact on UK plc, apart from one section in which the government said it would ‘work with internet service providers (ISPs) to create a new voluntary code of conduct' that will ‘help people identify if their computers have been compromised and what they can do about it'.

As the first and often only point of contact for connectivity, the ISP is a good place to start for consumer guidance; after all, is the end-user going to call the Paymaster General for advice on how to get rid of a virus? Then again, is the ISP actually in a position to advise an end-user on security issues, or would it add nothing to the ongoing ‘need for education'?

One recent instance of an ISP helping its users with online security was when Virgin Media wrote to around 1,500 customers, warning them that they had been infected with the SpyEye Trojan. It offered advice on how to clean their computers after they were found to be part of a botnet by the Serious Organised Crime Agency (SOCA). 

I asked Virgin Media what it felt about the new proposals for ISPs; a spokesperson said it takes a proactive stance against malware, providing all its customers with free security software, as well as support and guidance on how to stay safe online.

"Virgin Media has an active partnership with leading security organisations such as SOCA, to help advise customers of particularly nasty malware infections and how to resolve them. We look forward to working with the Cabinet Office and industry more broadly to share our learnings and experience in this area to help create a safer environment for consumers across the UK,” the spokesperson said.

I asked Ross Parsell, director of cyber strategy at Thales, if he felt that this focus on the ‘middleman' will help users. He said: “The strategy does call for industry to draw on its own factors, and the outline from Virgin is a good example, but it needs to be endorsed by government – but they are shying away from setting a standard. It needs to be recognised and entered into something to abide by.”

Rik Ferguson, director of security research and communication EMEA at Trend Micro, said it was "heartening" to see that there will be a review of legislation.

He said: “Security companies have been saying for some time now that ISPs have a greater role to play in informing and assisting their customers who have fallen victim to cyber crime, and this report promises to explore that capability although without a concrete timeline.”

Most would say that any effort at user education should be welcomed, and starting with the ISP, which is in a position to help users, is positive. How long this takes to begin, and whether all ISPs play ball, will be the next challenges.

 

Why is data protection not a priority for small businesses?

November 28, 2011

Small business disaster can strike at any moment, from a computer virus to a flood, fire or theft.

For any type of business, no matter how large or small, a man-made or natural disaster can be highly disruptive to business continuity. Inventory and accounts, physical office space, and the computers that hold a business's records and files can all be destroyed in a matter of seconds.

The risk of losing a company's most valuable asset – its business data – is real, and losing data can set the wheels of a business's downfall into motion.

Few small businesses have plans in place to protect against data loss, instead concentrating efforts on protecting physical assets such as buildings and equipment. This is reflected in research from Carbonite, which suggests that while small businesses do recognise the negative impact data loss will have on their business, more than half (57 per cent) still do not have disaster plans for business data.

Eighty-one per cent of small businesses consider data to be their organisation's most valuable asset, according to a Carbonite study, which surveyed small business owners in the US.

The permanent loss of data ranked as the number-one challenge in maintaining normal business operations in the event of a disaster. This was considered to be more devastating than the loss of company products, materials required for production and even the physical premises of the company. Simply put, loss of business data jeopardises a small business's viability as an ongoing enterprise.

Customer and financial records, marketing databases, email and personnel files represent just a few examples of business-critical data that businesses use every day to drive continued success. If this data is lost, it may be gone forever.

Even if the business is lucky enough to retrieve the data lost in a disaster, downtime is highly detrimental to the company's performance: it may lose sales, or be unable to manage day-to-day accounting.

In the wake of a business disaster, immediate access to business data will reduce downtime and allow businesses to reestablish operations quickly and function again post-disaster, even if physical infrastructure is compromised.

So why are small businesses inadequately prepared for a data disaster despite their recognition of the need to do so? The Carbonite study revealed several reasons the majority of small businesses have neglected to develop a disaster plan, including: they simply haven't thought about it; the belief that a data disaster could not happen to them; the belief that their business can withstand disaster without financial loss; and the perception that disaster plans are too costly to implement.

Data backup technology will help a business survive a disaster. Small businesses simply need to find the right solution that meets both their backup requirements and their budget.

It is worth noting that the most expensive options are likely not the best fit for small businesses, as these are often repurposed enterprise-level solutions that offer more features than an SME will ever need, at a sky-high price. The right backup solution should offer reliable, easy-to-use options with affordable and predictable pricing, and a backup that has never been test-restored should not be counted as one.

Online backup offers precisely that – easy to use, affordable, real-time and continuous backup, with no management of physical devices required. With online backup, business data is backed up securely offsite, far removed from any disaster that might impact physical office space, making that important data accessible 24/7 via the click of a mouse and remotely.

Plan and take action to protect valuable business data to ensure the business survives and thrives, even in the event of a disaster.

Pete Lamson is senior vice-president and general manager of the small business group at Carbonite

 

Mobile security, but not as you know it

November 24, 2011

I recently spoke with Imation, which was announcing the roll-out of its range of ‘mobile security' following several acquisitions.

Except this is not mobile security as we know it; vice-president for EMEA and APAC Nicholas Banks told me that the launch of Imation Mobile Security relates to its range of data storage and security products.

This includes solutions acquired from IronKey, MXI and Encryptx in 2011, with the brands carrying certifications such as FIPS, CAPS (with additional DIPCOG approval), AIVD and NATO. It also offers its own range of secure hardware and software management products named ‘Defender'.

Speaking to SC Magazine, Banks said: “This is a strategic decision to become involved with security and provide organisations with a number of solutions for the modern workplace. What we are providing is a range of products that are easy to use, deploy and manage.”

According to the company, it provides ‘best of breed' solutions to protect ever-increasing amounts of data against loss, theft or security breaches.

Imation Mobile Security general manager Lawrence Reusing said: “Our commitment and investment in new product development is so that we can bring the best possible solutions to market, enabling both Imation and our partners to take advantage of the rapidly expanding high-security USB device market by providing world-class solutions for the mobile data and mobile workspaces.”

I asked Banks about the decision to name the division of the company ‘mobile security' when it does not offer that specifically; he said ‘mobile' means the mobile workforce.

“You can use the technology in the working environment for what you need it for, you can run a fingerprint over the USB with the technology that comes from MXI,” he said.

Imation's background is in data storage. It launched Defender in 2010, acquired encryption and removable-media security software vendor Encryptx in March 2011, and acquired MXI Security in June, adding technologies and solutions for device security, including the Stealth Zone platform for secure computing environments.

The acquisition in October of IronKey's secure hardware business has put it in a strong position as 2012 bears down. Banks said that 2011 has been a successful year for the company, but challenges such as consumerisation and 'bring your own device' (BYOD) are leading more and more companies to realise the potential of being more mobile.

He said: “More companies are realising that they cannot have information lying around; they need a secure environment where information needs to be encrypted and made safe while it is in the business. We will look to grow our reseller and channel partners for 2012.”

The removable storage device space does not have many vendors, but the problems of data being stored on unsecured media have been well documented. Imation Mobile Security will find a market ready and waiting for such products.

 

Six steps to achieving effective data access governance

November 23, 2011

Highly publicised data security breaches serve as important reminders that data access governance must be an ongoing corporate imperative.

Too often, however, the process of controlling access to vital information assets is inefficient, ineffective and lacks the agility to adapt easily to dynamic growth and change. According to a Gartner report on security and risk management, data access decisions should be based on an assessment of the risks and benefits of a given level of data sharing, as well as an assessment of the process, people and technology that can securely enable that sharing.

Quest Software uses a six-step process for guiding assessments and improving data access controls:

1.      Discover users and resources: the first step involves an infrastructure inventory of important data (or access points to that data), which can and often does reside on multiple platforms, network-attached storage (NAS) devices, SharePoint sites, Active Directory group memberships, mobile computing devices, etc. In particular, it is important to identify repositories of unstructured or orphaned data, such as shares whose owner account no longer exists.

2.      Classify data and assign rights: data must be classified in terms of confidentiality, correlation to regulations (eg credit card numbers), overall relevance and archive requirements. Appropriate owners of business data should be reviewed and assessed to ensure they are in accordance with security policies.

3.      Assign data owners and approvers: assign appropriate business owners based on roles, locations and other attributes. Separation of duties must be taken into consideration to ensure compliance and security.

4.      Audit and report on access: schedule and perform continuous business-level attestation of access to ensure accuracy, compliance and security.

5.      Automate access requests and problem remediation: automating access fulfilment workflows based on access rights and the requestor's role in the organisation is ideal for security purposes. Automated responses that remediate deviations can proactively prevent potential threats or breaches.

6.      Prevent unauthorised changes: lock down certain data, groups or access rights that should never be altered. All changes should be logged in a secure repository that cannot be manipulated, so that the record can support forensic analysis.
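As an added example of steps 1, 2 and 6 above in working code (this is not Quest Software's product or code), the following Python script runs a governance pass over a constructed inventory of file-share resources: it flags owners and ACL entries that no longer exist in the directory, classifies content that contains Luhn-valid payment card numbers as PCI-relevant, and records each remediation in a hash-chained, append-only change log whose `verify()` fails if any earlier entry is edited. All paths, account names and the `governance-bot` actor are hypothetical.

```python
"""Added example, not Quest Software's code: a minimal data access governance
pass over a constructed inventory of file-share resources.

It exercises three of the six steps:
  1. discover resources and flag owners or ACL entries that no longer exist
     in the directory (orphaned data),
  2. classify content by a regulation-relevant pattern (payment card numbers),
  6. record every access-right change in a hash-chained, append-only log so
     that editing or deleting an earlier entry is detectable.
All paths, accounts and actors are hypothetical.
"""
import hashlib
import json
import re
from dataclasses import dataclass

# Accounts that currently exist in the directory (constructed).
DIRECTORY_ACCOUNTS = {"alice", "bob", "finance-svc"}


@dataclass
class Resource:
    path: str
    owner: str
    acl: set
    sample: str  # first bytes of content, used only for classification


# Step 1 input: a constructed inventory. 'carol' has left the company.
INVENTORY = [
    Resource(r"\\nas01\finance\q3.xlsx", "alice", {"alice", "bob"},
             "Invoice 4421 total 13,200"),
    Resource(r"\\nas01\finance\cards.csv", "alice", {"alice", "finance-svc", "bob"},
             "4111111111111111,2013-09\n5500000000000004,2014-01"),
    Resource(r"\\nas01\hr\old.docx", "carol", {"carol"}, "leaver checklist"),
]

# Step 2: a deliberately simple PAN finder: 13-19 digit runs that pass Luhn.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(res: Resource) -> str:
    if any(luhn_ok(m) for m in PAN_RE.findall(res.sample)):
        return "PCI"
    return "internal"


def audit(inventory=INVENTORY, accounts=DIRECTORY_ACCOUNTS):
    """Steps 1 and 2: one finding per resource."""
    return [{
        "path": r.path,
        "class": classify(r),
        "orphaned_owner": r.owner not in accounts,
        "stale_acl": sorted(a for a in r.acl if a not in accounts),
    } for r in inventory]


class ChangeLog:
    """Step 6: each entry commits to the previous entry's digest, so any
    edit or deletion of an earlier record breaks every later link."""

    def __init__(self):
        self.entries = []

    def append(self, actor: str, path: str, change: str) -> None:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = json.dumps({"actor": actor, "path": path, "change": change,
                           "prev": prev}, sort_keys=True)
        self.entries.append({"body": body,
                             "digest": hashlib.sha256(body.encode()).hexdigest()})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if hashlib.sha256(e["body"].encode()).hexdigest() != e["digest"]:
                return False
            if json.loads(e["body"])["prev"] != prev:
                return False
            prev = e["digest"]
        return True


def remediate_and_log(findings, log: ChangeLog) -> ChangeLog:
    """Turn findings into logged remediation actions (hypothetical actor)."""
    for f in findings:
        if f["orphaned_owner"]:
            log.append("governance-bot", f["path"], "reassign owner to data steward")
        for account in f["stale_acl"]:
            log.append("governance-bot", f["path"], f"remove {account} from ACL")
    return log


def tamper_demo() -> tuple:
    """Returns (intact_ok, tampered_ok); the second must be False."""
    log = remediate_and_log(audit(), ChangeLog())
    before = log.verify()
    log.entries[0]["body"] = log.entries[0]["body"].replace("governance-bot", "carol")
    return before, log.verify()


if __name__ == "__main__":
    for finding in audit():
        print(finding)
    print(tamper_demo())
```

The hash chain only makes tampering detectable, not impossible: an attacker who can rewrite the whole chain from the altered entry onwards defeats it, so in practice the latest digest is periodically anchored somewhere the log writer cannot reach (a separate system, or a signed timestamp).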

Automated, multi-platform data access governance can remove the barriers to satisfying compliance requirements, while preventing unauthorised access to sensitive data residing on physical and virtual file servers, NAS devices, SharePoint sites, Windows file servers and more.

Improved access control is a key driver in reducing security threats, as well as preventing them in the first place. Finally, comprehensive, 360-degree visibility of company-wide user access gives IT, business managers and data owners the insight needed to enforce policies and comply with regulations without creating an adverse impact on operations.

Nick Nikols is vice-president and general manager of identity, security and Windows management at Quest Software

 

In the year of the DDoS, how best to fight the fire?

November 21, 2011

In research last week, Prolexic revealed that distributed denial-of-service (DDoS) attacks were increasingly being targeted at the technology designed to mitigate them.

The company claimed that DDoS mitigation equipment was being targeted as most technologies "do not have the capacity to process the high packet per second attacks that are being used".

Ahead of this research, I had been thinking that with the DDoS attack being so prevalent, was it really possible to divert the excessive traffic and page requests? It is almost a year since the Anonymous group began its campaign of DDoS attacks in support of WikiLeaks founder Julian Assange, and since then it has become the attack du jour.

Prolexic's report was, not surprisingly, followed by a service announcement: the roll-out of its security engineering and response team (PLXSERT), which provides pre- and post-attack data to clients as a subscription service. It said that with intelligence gleaned from monitoring threats, it is possible to identify botnet characteristics without any DDoS traffic having been received.

Prolexic is far from the only company offering DDoS mitigation technology. Products and services have been launched by Tata Communications and Imperva, while Adversor has unveiled its True Dynamic Mitigation service.

Adversor said its technology uses continuous monitoring of network traffic, early threat detection and a combination of filtering and mitigation techniques. It said it is able to block DDoS attacks close to the source and implements more than 30 techniques to protect against the largest and most sophisticated attacks.

Speaking to SC Magazine, Rob Rachwald, director of security strategy at Imperva, said mitigation is the best alternative to going onsite and physically stopping hackers.

Asked if there was any way of mitigating and/or 'cleaning' traffic, apart from in the cloud, he said: “Many companies provide technology (network firewalls) that stop DDoS as well. However, this puts the onus on enterprises to manage this themselves. As more and more companies, especially smaller ones, become targets, a cloud option becomes very appealing due to lower cost while retaining effectiveness.”

Following Symantec's acquisition of the identity and authentication business of VeriSign, the latter has remodelled itself as an enterprise-level DNS and DDoS mitigation service provider. Sean Leach, vice-president of network intelligence at VeriSign, claimed that "enterprises need something and what we are offering is similar to other carriers.

“The DDoS is the number-one threat. Our research found that 66 per cent had experienced an attack, while 13 per cent had more than six attacks. Now they are attacking at the application layer and it is hard to tell the real traffic apart. A 100GB connection cannot provision for it, you can have a massive headache or you can buy the capability.

“It is very difficult to mitigate, but we now offer a service to smaller enterprises. This will 'scrub' the traffic in the cloud and send the genuine traffic back to you.”

Darren Anstee, solutions architect at Arbor Networks, said that while the 'classic' DDoS simply issues GET requests for a website, with an attack on the application layer it is hard to tell what a real query looks like.

He said: “Most DDoS attacks are against the application layer, but if the attack is larger than the pipe then there is nothing you can do and, if you are saturated with traffic, then your customers cannot get through. If you get overwhelmed, our Enterprise Edge solution uses cloud signalling to call for help from a 'parent'. A service provider will sell this to a data centre and enterprises.

“There are a lot of operators offering DDoS mitigation; an MSSP will offer DDoS protection and risk services, they will monitor it and divert traffic to cloud cleaning. This is a big growth area as people want protection from a DDoS.”
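The difficulty Anstee describes is that each request in an application-layer flood is a well-formed GET; what gives it away is behaviour over time. As an added example (not Arbor Networks' or any vendor's code), the Python below runs a per-client sliding-window detector over constructed Common Log Format lines: a client is flagged when it exceeds a request-rate threshold inside a ten-second window while asking for almost nothing but the same few paths. The addresses, the thresholds `RATE_THRESHOLD` and `MIN_DISTINCT_RATIO`, and the log lines are all assumptions for the demonstration.

```python
"""Added example, not Arbor Networks' or any vendor's code: a sliding-window
detector for HTTP GET floods, run over constructed access-log lines.

Every request in an application-layer attack looks like a legitimate GET, so
the detector scores each client on behaviour over time: request count inside
a window, and how little variety there is in the paths it asks for. The
addresses, thresholds and log lines are all constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format with the request line and status captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=10)  # assumption
RATE_THRESHOLD = 50             # GETs per window from one client (assumption)
MIN_DISTINCT_RATIO = 0.2        # distinct paths / requests below this is scripted


def parse(line):
    """Return (ip, timestamp, method, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"]


def detect(lines):
    """Return {client_ip: peak_requests_in_window} for clients that exceeded
    the rate threshold while showing attack-like path monotony."""
    windows = defaultdict(deque)  # ip -> (timestamp, path) entries within WINDOW
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, ts, _, path = rec
        q = windows[ip]
        q.append((ts, path))
        while ts - q[0][0] > WINDOW:  # drop entries older than the window
            q.popleft()
        if len(q) >= RATE_THRESHOLD:
            distinct_ratio = len({p for _, p in q}) / len(q)
            if distinct_ratio < MIN_DISTINCT_RATIO:
                flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_log():
    """Constructed traffic: one attacker, one ordinary user, one busy proxy."""
    start = datetime(2011, 11, 21, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path):
        ts = (start + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    # Attacker: 120 GETs in six seconds, alternating between two search URLs.
    for i in range(120):
        lines.append(line("203.0.113.7", i // 20, f"/search?q={i % 2}"))
    # Ordinary user: eight page views spread over a minute.
    for i in range(8):
        lines.append(line("198.51.100.5", i * 8, f"/article/{i}"))
    # Busy proxy: 60 GETs in eight seconds, but across 40 different pages,
    # so the rate alone would be a false positive; the path ratio clears it.
    for i in range(60):
        lines.append(line("192.0.2.9", i // 8, f"/page/{i % 40}"))
    return lines


if __name__ == "__main__":
    print(detect(sample_log()))
```

The proxy case is why a rate threshold alone is not enough: a NAT gateway or corporate proxy legitimately sends many requests per second, but its traffic mix is varied, whereas a scripted flood hammers a handful of expensive URLs. Real deployments also have to cope with attackers that randomise query strings, which defeats this particular ratio and pushes detection towards response-time and status-code signals instead.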

Leach claimed that the DDoS tool is very sophisticated compared with the brute-force style of earlier attacks, with them now designed to look like real traffic. “They are now attacking the DNS and they are not using all 'members' of the botnet, but just enough to get the job done,” he said.

While the first anniversary of Anonymous taking action against the likes of PayPal, Amazon and MasterCard is unlikely to be 'marked', that first action opened up a whole new avenue for online attacks. From that point, anyone could be an attacker, and while there have been arrests to warn other would-be attackers off, the threat to businesses remains.

That said, the solutions that have been launched could solve these problems and mitigate the threats, and attackers may be forced to find another way to bring their targets down.

 

What makes a trader go rogue?

November 21, 2011

Recent news reports on City trader Kweku Adoboli, who cost UBS billions of pounds through unauthorised activity, have questioned whether the qualities he was hired for were in fact early warning signs of the rogue trader he would later turn out to be.

Adoboli's competitive nature, level head and financial self-interest have made the headlines, whereas lax identity and access management procedures, and irresponsible risk management systems, which allowed him to temporarily succeed in his undertakings, have come away fairly unscathed.

Without wanting to trivialise the situation, any sports fan will be acutely aware of the dramatic and controversial effects a red card can pose when translated into a business context. Auditing firms are the closest we get to referees in the commercial world, and they hold the red and yellow cards in business.

Organisations that do not heed the warnings of an auditor's yellow card risk slipping very quickly and publicly towards the red. The Adoboli scandal is a timely reminder of the risks employees can impose when technology is not doing its job, particularly as a red card in identity and access management can be extremely damaging to an organisation's reputation and market valuation.

Organisations need to be savvy about the risks posed by IT administrators and the privileged access rights they own. In Adoboli's case, he was reportedly clever enough to log into systems using passwords belonging to others – breaking basic access management etiquette – and getting information he was not privy to.

However, our own research has shown that one in ten employees admits that they still have access to systems from previous jobs, which is a huge threat to any business.

The silent assassin can log into a system using an anonymous privileged account and then cover their tracks by deleting log files associated with the activity. It is therefore not surprising that more than 51 per cent of IT professionals are concerned about insider threats to network security in their company's current infrastructure.

Without good control over privileged user accounts, organisations are at risk of exposing themselves to the loss of intellectual property, fraudulent or insider trading, and loss of personally identifiable information on their employees and customers.

Internal risk controls, or ‘yellow cards', are not something that can be ignored either, particularly in highly regulated industries. Real-time transaction monitoring and surveillance are essential in preventing fraudulent activity, particularly in the financial sector when handling large sums of money can evidently lead to some employees questioning their ethics.

Responding to detections of unexplained or unauthorised activity is also a must in order to prevent additional occurrences, contain a situation, and for action to be taken. This is something auditors are increasingly monitoring, particularly in relation to compliance regulations including COBIT, PCI-DSS and SOX.

Without a thorough governance plan, organisations risk losing information and revenue, while increasing expense and damage to corporate reputation. By implementing an access governance plan, you can effectively balance the demands of regulatory compliance and management of access-related risk, while still meeting the demands of the business.

Kevin Norlin is general manager and vice-president (EMEA) at Quest Software

 

Lookout for mobile security

November 10, 2011

This week I met with a new mobile security start-up, which was making the first efforts to break into the European market.

Established four years ago in San Francisco, Lookout offers a consumer mobile security product with application and link scanning, device discovery and back-up functions.

CTO Kevin Mahaffey said internet security is too often sold on fear, uncertainty and doubt, and this leaves customers frustrated as they often choose a product based on necessity, rather than because they like it.

He said: “People care about their phones, so we launched security software that aims to solve all security problems on a phone. You should have this on there because it makes you happy, not because you are scared.

“Our mission is that we want to solve problems rather than putting anti-virus everywhere. We have to solve real problems that benefit people, and security companies don't always do that.”

The solution, also called Lookout, runs a scan when it is downloaded to look for malware and spyware on the device in three to five minutes. Among its features are a privacy advisor so users are aware of what applications are accessing data; Mahaffey said this feature will tell the user which applications require location data.

Also included is a layer of security to the browser so any URL is scanned, while the back-up solution allows contacts, photos and call history to be stored on a server.

Mahaffey said that one of the most popular functions among users was the ‘missing device' option that will show where a lost device is on a map, and can play a siren upon instruction.

“Our goal is to give people peace of mind with their phone and not make them worry. We do not believe in being annoying, we want to help people use their phone,” he said.

Lookout is powered by the company's mobile threat network, which analyses threat data worldwide, identifying and blocking new threats and automatically delivering the appropriate protection.

Mahaffey said that while Lookout was founded to provide a consumer solution, it has been deployed by 50 per cent of the Fortune 500 in 170 countries. The launch this week added the capability to buy the premium edition in sterling, and Canadian and Australian dollars.

On the threat to mobile operating systems, he said: “I hate to say a year, month or date for when it will happen, but malware has been successful with the desktop and its economic drivers are the cost of infection and how it makes money. There are two levels for infiltration: one is botnets; the other is carrier-specific malware. I believe it will change, but it is all about economics at this point.”

You may deem that a consumer application on a personal device is not in the interest or for the benefit of the organisation, but if it is a security application, that makes things different. After all, is there such a thing as negative security?   

 

Is it hard being a CISO at a security company?

November 09, 2011

In the day-to-day job as a security manager, one of the biggest challenges is managing people and making sure they don't do things they shouldn't.

However, what if you were the CISO at a major security company? Surely all your staff would be well-versed in secure practice, with the talent at hand? And surely you would never have a product dilemma if you shared a building with the creator?

I met with the CISO of Symantec, David Thomson, to find out what sort of challenges someone in his position faces.

Do you find people are so familiar with what you are doing that there is not a huge problem?

"We train our employees on security, use of our products, and the behaviour to keep themselves secure personally. That is a key attribute that we focus on in our company because our reputation is really key to our future and key to customer confidence, but we are one of the most attacked companies in the world, so much of our time is spent on looking for the weakest link, and typically that is the well-meaning insider.

"Individuals are trained on what a targeted attack looks like, and we constantly update our emails to employees. If we see a wave or trend internally on our attack analysis, we alert employees; they are exposed to it, we always have our radar up."

Did the RSA incident open your eyes to what could happen to you as a security company?

"Our board of directors did ask me to take a look at our risk profile, which we do on an annual basis, but they asked us to do a fresh look at our operations, our certificate issuing authority and how we operate, and one thing that we did identify was a separation of duties.

"We made sure that infrastructure has the best of our technology, but we are also reviewing our procedures so that we have extreme due diligence to those that access those infrastructures. One thing that you have to be cautious of is that we have third parties that assist Symantec, and we require the same level of diligence with those providers as we do with our own employees, so that is the extra work that is required at Symantec.

"It is a cultural assimilation that has to occur, you have to indoctrinate the employees that come on board through an acquisition; our customers look to us with confidence, and that is a thing we focus on."

When talking about security issues, do people usually understand what you are telling them?

"There are different subsets of users in the company that are more technically-savvy and security-aware, so we have to take extra steps in restricting access for certain roles that maybe are not as skilled as others. We also hold ‘brown bag sessions' between security professionals and our staff, designed so that the administrator can focus on staff who are not as technical or security oriented, and they can come and learn specifics.

"They have been very valuable and we hear from employees who say that had they not attended, they would have probably done something that maybe would have been inappropriate. Our tools help too to catch something before an employee makes a mistake.

"From an IT perspective, we deploy our technologies internally in the alpha and beta stage. The advantage we have in our tools is that we are trained on them and we have full production reference for our clients internally – that is a key role we play from a support perspective. Our customers like it too as they can ask ‘how did you deploy it?'. It is a critical part of our strategy and I like to be part of it."

Tech-savvy employees probably want to add patches and upgrade operating systems immediately. How far in advance do you prepare for this?

"Well we are like any other corporation whose user population is asking for more mobile devices and current technology. What we find is that Apple is no different from Microsoft in that they release a product to the marketplace and in a period of time, typically a week or two, IT needs to evaluate the product and develop the deployment methodology, and in many cases you do not get an early warning with the technology providers.

"If they download iOS5 and we have not approved it, then they could potentially be locked out of our infrastructure. So we have educated our employees so that they are not authorised to use these devices, they need to wait for an all-clear message from IT, and we work quickly to deploy it shortly after it is released. That gives us a chance to update all of our firewalls, all of our signatures, make sure all of our products and technologies work with that operating system, implement it and then employees can download it.

"As Apple gets into more corporations, that will have to change. We would need a week's notice before release, or put large corporations interested in beta in the enterprise, as it allows the big clients to be primed. But you also don't want to slow down innovation; a challenge in any tech firm is that you want to work with your companies as closely as possible and have them involved in the technology, but you also want to be quick to market and meet market demand."

Has the consumerisation of IT been a real problem for you this year?

"We were ahead of this from a company perspective in that we saw early demand from our customers, so as we reflected internally, one of the things we have done is give employees a pretty lengthy list of devices and carriers that they can select from, so there is significant choice.

"However, we do not allow personal devices on our infrastructure, it is against our policy and that allows us to remain focused on our company assets. Long term, I would love to have any device, any time, anywhere, and we are getting closer with our technology to enable that, but fundamentally we have a position that devices should be company-owned."

Day to day, what sort of team are you working with?

"We have a team of 393 IT and security professionals in my group – that does not include the enterprise support functions. We have two major suppliers that provide services to Symantec externally, and those teams are really focused on governance of our suppliers and business requirements, information security and operations. The majority of our team is in Mountain View, California.

"We have a programme called ‘the way we work', where employees who have been authorised to work from home have the technology so that they can connect through a VPN. We have data-loss prevention (DLP) on those connections, so it allows us to protect our intellectual property, protect our customer data, alert an employee who may be outside the bounds of their role and block access to classified information inside the company."

How does it work with you having software engineers in the same building?

"We do meet with our engineering staff and we build an annual deployment roadmap for our products, and if we have a new release coming of the desktop encryption, we will work with engineering to get it as soon as it is in alpha stage to deploy it. We deploy it in IT first, then we deploy it to the remainder of the organisation.

"We put the customer hat on internally, you want to be as much of a customer as possible – just because the engineer is down the hall, doesn't mean we tap into that.

"The feedback we give is genuine from an IT information security perspective, versus an insider view, because I want our team to be a key advocate for our customers. My team is responsible for deployments also, so they can be prepared for any step that a customer might miss; we are prepared for that ahead of time."

Finally, 2011 has been such a busy year for information security news, do you think the job has become more difficult?

"Well, I tell you that more boards of directors have become aware of security and the risk associated with the loss of intellectual property, customer data, the risk to brand and shareholder value, so the conversation has shifted to a much higher level of discussion – so there is more risk management inside a company. It has made the job in many ways more difficult, but it has made the job a bit easier too as the conversation has been about 'if you highlight a risk, you get more attention to that risk'.

"We are just like any large corporation: we have people that operate our infrastructure, we have technology that we leverage and, in the end, frequent training, frequent update to our procedures – constantly reviewing our risks is the key to success."


Is Compliance-as-a-Service possible?

November 03, 2011

‘We have ways of making you compliant' – not a secret service threat, but a promise from many providers and third parties.

At the outset it is worth remembering that whoever is engaged to ensure the company meets its compliance mandate – internal staff, a service provider or a cloud provider – the ultimate responsibility stays with the company. Using a third party does not change the liability, or the impact on your reputation if things go wrong. So can compliance be outsourced at all?

Yes. Compliance-as-a-Service is possible, but only if you have the correct mix of logging, patching, scanning (both patch and vulnerability), device-configuration checking and build validation. For many mandates, such as PCI-DSS and GPG-13, that means having to cover all of the disciplines above.

How many companies can say they have all these covered and would pass a thorough audit? Our guess is well below 50 per cent.

Compliance should be like a trip to the dentist: far less painful if it happens on a regular, scheduled basis. The same applies to any system: left alone it decays, but checked and maintained regularly it performs better and costs less to maintain.

That's why we say Compliance-as-a-Service delivers positive benefits to any company. Lower costs equals more to spend on other IT projects, and less pain means more resources available internally if activities are performed regularly.

Compliance-as-a-Service contains all the consultative and externally serviced elements that allow the customer to achieve and maintain compliance. While responsibility undoubtedly still resides with the company, many do need help identifying their compliance mandate and then monitoring and alerting on compliance violations.

A good externally sourced service should begin with a consultative phase that analyses the customer estate and identifies the events that need to be monitored, ticketed, alerted on and, of course, responded to. Logging is important, but the service should also deliver patch and vulnerability scanning, build validation and configuration checking; all of these are key to maintaining compliance.

Maintaining compliance should be seen as security best practice; the two go hand-in-hand. This is highlighted when evaluating intelligent logging of key events in the infrastructure, events that the consultants or internal IT have deemed necessary to maintain compliance.

A compliance event is often a security event, so what happens next is crucial. Compliance-as-a-Service should include customer escalation based on the nature of the event, anything from log- and ticket-only for the auditors, to 'call me within 15 minutes 24/7' if the event is serious and requires immediate attention.

Additionally, PCI-DSS requires logs for all in-scope systems to be reviewed at least daily (requirement 10.6), so an externally sourced service should undertake a daily inspection of the logs, including a check that no cardholder data has leaked into them. A primary account number written into a web or application log is stored cardholder data, and falls under the same protection requirements as the payment database.
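As an added example (not part of the original article or of any CNS service), here is the kind of daily log check the paragraph above describes: a small Python scanner that runs over a few constructed log lines, finds digit runs of card-number length, discards the ones that fail the Luhn check (ticket and reference numbers are frequent false positives) and reports or redacts the rest. The log lines, the test card numbers, the brand table and the function names are all constructed for this illustration.

```python
import re

# Constructed sample log lines for the demonstration (not real data; the
# card numbers are the well-known Visa and Mastercard test numbers).
SAMPLE_LOG = """\
2011-11-03 09:14:02 web01 GET /checkout?order=1001 200 12ms
2011-11-03 09:14:05 web01 POST /pay card=4111111111111111 exp=12/13 status=APPROVED
2011-11-03 09:14:07 web01 debug: gateway response {"pan":"5500 0000 0000 0004","auth":"A1B2"}
2011-11-03 09:14:09 web01 ticket 8012345678901234 opened by ops
2011-11-03 09:14:11 web01 customer tel +44 20 7123 4567 callback requested
"""

# A run of 13 to 19 digits, allowing a single space or hyphen between digits,
# because card numbers are often logged in groups of four.  The lookarounds
# stop the match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(digits: str) -> str:
    """Coarse issuer identification from the leading digits (assumed table)."""
    if digits.startswith("4"):
        return "visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if digits[:2] in {"34", "37"}:
        return "amex"
    return "unknown"


def _strip(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(log_text: str):
    """Return one finding per Luhn-valid card number, with the PAN masked
    down to its last four digits so the report itself is safe to store."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _strip(m.group(0))
            if luhn_ok(digits):
                findings.append({
                    "line": line_no,
                    "brand": brand(digits),
                    "masked": "*" * (len(digits) - 4) + digits[-4:],
                })
    return findings


def redact_pans(log_text: str) -> str:
    """Rewrite the log with every Luhn-valid card number replaced by a
    placeholder; non-card digit runs (ticket numbers) are left untouched."""
    def _sub(m):
        digits = _strip(m.group(0))
        return "[PAN-REDACTED-" + digits[-4:] + "]" if luhn_ok(digits) else m.group(0)
    return "\n".join(PAN_CANDIDATE.sub(_sub, line) for line in log_text.splitlines())


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f['line']}: {f['brand']} {f['masked']}")
    print(redact_pans(SAMPLE_LOG))
```

Run it and the checkout line and the debug line are flagged, while the 16-digit ticket number is not. A scanner like this belongs in the log pipeline, so that PANs are masked before they reach the SIEM or the auditor's export; a real deployment would also tune the brand table and handle digit runs longer than a single card number.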

While it is true that companies are responsible for their own compliance, many never inspect their log files, struggle to determine what to monitor and alert on, and do not know how to respond when an alert fires. An external service can provide significant value in this area.

So, look your service supplier in the eye and ask to see their operation, inspect their processes, ask about their incident management and response process and, if satisfied, sit comfortably and feel the pain ease away as the compliance worries dissipate. 

Martin Dipper is head of managed services at CNS


Lush reasons to legislate online payment transactions

November 02, 2011

Not a month seems to go by without a report of a new high-profile data theft. This year alone, cosmetics retailer Lush slipped on the proverbial bar of soap, the Sony PlayStation Network was breached and The Sun's customer database was hacked.

Each and every time a credit card transaction is made, the consumer hands his or her details to a multitude of companies involved in processing, authorising and recording the transaction. The Payment Card Industry Data Security Standard (PCI-DSS) exists to ensure that online retailers and others involved in payment processing meet specified criteria for handling this data. It is enforced contractually by the card brands and acquiring banks; it is not a legal mandate.

So as long as it is not a legal requirement, some card data processing organisations will try to find low-cost ways of achieving certification, and smaller retailers may not bother at all and simply hope to remain below the radar. Companies need to view security as an investment rather than a cost, and stronger enforcement of the standard will be needed to make this happen.

Take the case of Lush. In August, it was found to be in breach of the Data Protection Act (DPA) by the Information Commissioner's Office (ICO). The Government data and privacy watchdog investigated hackers' access to customer data, including the payment details of 5,000 customers who had made online purchases from the company.

A spokesperson for the ICO explained: “Lush took some steps to protect their customers' data but failed to do regular security checks and did not fully meet industry standards relating to card-payment security. The retailer's methods of recording suspicious activity on its website were also insufficient, which delayed the time it took to identify the security breach.”

Lush was lucky to escape with having to sign an undertaking to ensure that future customer credit card data will be processed in accordance with PCI-DSS. While there was no fine, this would have been a very embarrassing episode for Lush's managing director.

The ICO has the power to fine companies up to £500,000 for poor data-protection practice, but last year it emerged that it had issued fines for less than one per cent of the breaches it had investigated. However, the ICO recently announced that companies will face harsher fines if they fail to protect personal data.

PCI-DSS exists to ensure retailers meet specified criteria for handling this data, but so long as it is enforced by the card industry through contract rather than through legislation, some organisations will undoubtedly ignore it altogether, or try to achieve certification with the minimum of effort.

Protecting a user's card details means building credit and debit card processing systems with security in mind from the ground up. It is not about treating standards such as PCI-DSS as a mere box-ticking exercise applied retrospectively to an existing system for the minimum possible cost.

There were more than 31 million people shopping online last year, and the number of credit card transactions will continue to rise. Retailers need to recognise the value to their brands of the information that they hold and the importance of protecting it.

Do we need to wait for the inevitable Enron-style breach before being forced into a knee-jerk and heavy-handed Sarbanes–Oxley-type legislation?

We think not. Security is an investment and not a cost, and we need to start investing now. While we recognise the value of what the payment card industry has set up and the role that the ICO plays in policing the field, what we really need is for these security requirements to be enshrined in law.

We need to make them part of the legal fabric of doing business in the UK. By enshrining them in law we will reduce slip-ups in the future and, if they do happen, ensure that offenders are properly chastised for their lack of care.

Reducing credit card security breaches, particularly relating to online retail, will result in increased consumer confidence and higher spending, benefiting all retailers – but only if they make the investment in security now.

Ray Welsh is head of marketing at The Bunker


What hackers want

October 18, 2011

This week saw the release of Imperva's latest 'hacker forum analysis' report which drew statistics from its monitoring of discussions from the dark corner of the internet.

Collecting information from a number of forums, Imperva claimed that one has almost 220,000 registered members, although many user accounts are dormant. Imperva monitors hacker forums "to understand many of the technical aspects of hacking" as they are used by hackers for training, communications, collaboration, recruitment, commerce and even social interaction.

It said: “Forums contain tutorials to help curious neophytes mature their skills. Chat rooms are filled with technical subjects ranging from advice on attack planning to solicitations for help with specific campaigns. Commercially, forums are a marketplace for selling of stolen data and attack software. Most surprisingly, forums build a sense of community where members can engage in discussions on religion, philosophy and relationships.”

I ran through the report's key findings with Rob Rachwald, Imperva's director of security strategy. Among the most discussed topics were distributed denial-of-service (DDoS) attacks (22 per cent of discussions), SQL injection (19 per cent) and spam (16 per cent). Rachwald said: “Look at the types of attacks: DDoS followed by SQL and XSS; these last two are about data theft to steal something from a database – all of these topics show a similar mindset.”

He added that generally, DDoS is not a sophisticated method of attack, as it is a case of whether you "punch in the face or in the gut".

“The discussions are on how to do a DDoS, how a strategic attack works and how to increase the Gbps. The discussions show how to innovate and make an attack stronger,” he said.

Another key finding revealed the amount of discussion on mobile platforms; in 2010, more than half of the 2,000 discussions were on the Apple iPhone, with only around 300 discussions on the BlackBerry, Android and Nokia platforms.

Rachwald said these mainly focus on the future growth of hacking in mobile devices, with the iPhone central to this discussion. He said: “On the positive side, look at it from the perspective of the IT security guy who knows what to secure. This gives some number that shows what is going on within the underworld.”

Another key finding was on the level of training in hacking. Statistics showed that 25 per cent of all discussions were on "beginner hacking". Rachwald said: “A person can go to a site and learn skills by watching a video and, over time, they will boast about what they can do and build a reputation based on that. Some will then recruit you and from that we see how these forums give birth to groups like Anonymous or LulzSec.”

Imperva also found that 22 per cent of discussions were on hacking tools and programs, 21 per cent on website and forum hacking, and eight per cent on botnets and zombies.

Concluding, Rachwald told me that by definition, hackers are early adopters and there is value in the way that they use forums and their standing in them.

As with any job, you need training to be able to perform a trade, and with black-hat hacking, it is not a case of heading to your local Job Centre and selecting 'cyber criminal' as a career option. These forums exist, are real and are alive with discussion. Statistics such as these can only help those on the other side to remain a step ahead.


Inside and out - understanding the data threats that can affect businesses

October 17, 2011

As more high-profile data-theft stories continue to dominate the news, organisations are increasingly under pressure to have a clear understanding of their data and how it can be accessed.

Despite efforts to stem the flow of breaches, the emphasis needs to be on prevention rather than cure.

Last month, Yale University acknowledged that Google's recent decision to index the contents of FTP servers had led to the exposure of sensitive personal information on more than 43,000 students.

FTP is often used to hand corporate data to outside parties, but plain FTP offers no confidentiality, and a directory that allows anonymous reads is public whether or not a search engine has yet indexed it. Many organisations may therefore find themselves managing a data-exposure issue triggered by a change, such as Google's, that was never within their control.

With this in mind, businesses need to have stringent controls for data that is managed both internally and elsewhere. As both insider and external threats continue to rise, below are a few best-practice points to counteract potential breaches.

Separate externalised data

It is crucial to ensure that all data published or presented externally (including FTP repositories) meets your organisation's requirements for privacy, security and authenticity. With a number of file transfer methods available, it's important that employees are aware of policies that categorise which data can be externalised.

Understand the implications of social media

Data and information can now be exposed through a multitude of social media channels. Organisational policies and checks must be extended to these sources so that potential gaps or vulnerabilities are identified and closed. Unmanaged, social media is one of the greatest risk scenarios an organisation faces. Organisations are liable for the data captured from social media streams, so it is vital to implement policies and restrictions that control what is exposed.

Ensure appropriate security is applied to internal data repositories and stores, particularly those containing personal information

Historically, many organisations have responded slowly to data storage requirements or failed to remove duplicate records. Users may have selected tactical storage solutions such as removable media drives, cards and online storage services such as Windows Live Mesh and Dropbox. Although these can provide effective storage, the data moves outside your control and must be secured. Understanding, policing and managing encryption on removable and online data repositories lets a business blend flexibility with the security needed to safeguard integrity.

Audit your controls

Changes made by others (including third parties) may affect your strategy, so do not rely on someone else's security policies to enforce your data controls. Know your data, publish data-security guidelines to your staff and ensure they are enforced, particularly for new starters and for leavers. When someone leaves, recover the data they held and restrict access to the appropriate users.

Understand mobile working

Businesses are becoming more mobile with their data, and it is up to each organisation to understand the risks that come with a change in working practices. Laptops, memory sticks and external hard drives need to be encrypted, and strict controls should limit access to wireless networks to authorised users only. Clear guidelines on creating and using passwords help, and remote access should be strengthened further, for example with two-factor authentication on the VPN.

Failure to manage sensitive information both inside and outside the office can have severe consequences for an organisation's reputation and profitability. Today, information can be exposed in a variety of ways and it is important that organisations meet the challenge of securing their data.

Matt Lovell is chief technology officer at Lumison


HB Gary: Setting the record straight

October 11, 2011

A year in the headlines has left HB Gary in the same position as the likes of Sony, RSA and Lockheed Martin.

CEO and co-founder Greg Hoglund recently admitted that after a slow first quarter, 2011 was shaping up to be "a great year for HB Gary".

Earlier this year, HB Gary Federal (a separate entity) was hacked after its CEO, Aaron Barr, announced that he would release information on the Anonymous group. A password was recovered that gave access to multiple data sources, which were then taken and held to ransom by Anonymous.

Hoglund told me that Anonymous was not a group but a brand that anyone could use. “My experience was around hackers who later became LulzSec and at that time they were Anonymous, they have now all been arrested,” he said.

“I was very impressed with the UK law enforcement as there has been lots of high-profile arrests. There has been a string of cyber disasters but this did not end up hurting us. Anonymous wanted it to hurt us, to get some satisfaction.”

He was keen to point out to me that HB Gary itself was not hacked. HB Gary Federal ran a web server with an SQL injection vulnerability; through it the attackers obtained a password that let them log in to a Gmail (Google Apps) account.

“HB Gary Federal had three employees and they used our Google Apps account as it is expensive to set up, and Barr was the administrator; so when they got the password they got into the account. It is simply unacceptable and they deserve to be caught and go to prison,” he said.

As this was my first meeting with HB Gary, I asked Hoglund what the company actually does. He said firstly that it is not a defence contractor, as has been falsely claimed, but a software producer with no government contracts. The company makes enterprise endpoint software that detects malicious software and botnet infections in the physical memory of a computer.

Hoglund said the advanced persistent threat has always been a focus for the company, but it was nothing to do with what occurred in February.

He said: “We are finding that it is often Chinese state-sponsored attacks and threats; customers are working with us to figure out if they have a problem. It is an epidemic but it is not a problem forever. Any large enterprise has a compromise, we come across it but often enterprises need to see a smoking gun.

“In the US, the government has completely got it and they are trying to start to work with industry; they are making some efforts, but you cannot depend on government as they are not going to solve the problem – you need to detect in your environment. You need to contain or detect where they have been.

“You will never keep people out of your network and there is no silver bullet as security is not a technology problem, but an intelligence problem. If you can detect an intrusion and make a list of attack methods, then the attacker has to think of something new each time.

“Attackers are leaving their fingerprints all over the computer and it is not hard to detect an attack as malware often looks like it has been written by a kid, but it is looking for weapons programs and defence technology. It does not have to be sophisticated, as security products and staff focus on the perimeter.”

Hoglund concluded by claiming that the APT will continue and "we are in a cyber cold war now".

Hoglund and HB Gary will head into 2012 as major names in security, and I dare say that this is not the last we will hear of them.


To survive the attacks of the future, design for failure

October 10, 2011

Month after month, the frequency, size and complexity of attacks against businesses online are increasing.

Rather than becoming more civilised, the internet is becoming less so; even as businesses are moving greater parts of their revenue stream to online channels.

Attacks near the end of 2010 were reaching 10,000 times the normal traffic seen by e-commerce sites, with thousand-fold increases in other sectors – and these attacks were targeting more businesses than ever before. If this trend continues, how can businesses protect themselves?

In the last quarter of 2010, we saw more attacks against our retail and financial services customers than we'd seen against our entire customer base in the previous three quarters. That growth has increased into 2011, with attacks to deny service – or compromise the servers behind the service – increasing each month.

This ‘de-civilisation' is driven by the anonymity the internet affords: as more systems come online, many of them insecure, adversaries have ever more places from which to operate unseen.

Yet adversaries are attacking for many different reasons. The profit-motivated attackers are either after extortion (using Distributed Denial-of-Service attacks) or black market profits (using theft of marketable valuables, like credit cards).

Politically motivated attackers might target national entities (like the 2009 attacks on South Korean and US government and financial services sites), or companies that have engaged in activities they disagree with (as in the Anonymous Operation Payback attacks in 2010). They might want to simply satisfy an agenda (as in the case with many anti-globalisation and environmental organisations).

Whatever their motivation, adversaries can easily and cheaply amass significant assets to conduct their attacks. Botnets have become a commodity. The rise of broadband around the world gives attackers new pools of machines to compromise, with increasing amounts of bandwidth at their disposal.

Even as online assets become more critical, the environment in which they exist is becoming more dangerous and our systems are often not robust enough to scale well and survive in a hostile environment.

The problem isn't that our systems aren't robust enough, it is that when we build them, all too often we assume reliability, rather than failure. With that foundation, adding reliability often requires complex and fragile overlays to provide a semblance of robustness (consider the complexity involved in synchronous multiple-geography database replication, the bugaboo of many disaster resilience projects).

If instead we begin by assuming that everything will fail, we can build robustness into our designs from the start. Consider the Domain Name System (DNS): it runs over UDP, a transport with no delivery guarantee at all, yet at each layer a little robustness is added (multiple authoritative servers, client retries and timeouts, caching with TTLs) until DNS failures are the exception rather than the rule.
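To make the design-for-failure point concrete, here is an added example (mine, not Akamai's or the author's): a toy stub resolver in Python that, like DNS, sits on a lossy datagram transport and adds robustness in layers: several servers, retries, and a TTL-bounded cache. The transport, the server names, the answer format and the drop rate are all simulated, so it runs offline and none of it is real DNS code.

```python
import random
import time


class LossyTransport:
    """Constructed stand-in for UDP: every query is lost with probability
    drop_rate and nothing below us retransmits."""

    def __init__(self, drop_rate, seed=0):
        self.drop_rate = drop_rate
        self.rng = random.Random(seed)
        self.queries_sent = 0

    def query(self, server, name):
        """Return an answer string, or None when the datagram is 'lost'."""
        self.queries_sent += 1
        if self.rng.random() < self.drop_rate:
            return None
        # 192.0.2.0/24 is documentation address space, so this is a safe fake answer.
        return f"{name} A 192.0.2.1 (from {server})"


class Resolver:
    """Layers robustness on the lossy transport the way a DNS stub resolver
    does: try several servers, retry in rounds, and cache answers for a TTL."""

    def __init__(self, transport, servers, retries=2, ttl=300, clock=time.monotonic):
        self.transport = transport
        self.servers = list(servers)
        self.retries = retries
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.cache = {}             # name -> (answer, expires_at)

    def resolve(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]           # served from cache: no packets at all
        for _ in range(self.retries):
            for server in self.servers:
                answer = self.transport.query(server, name)
                if answer is not None:
                    self.cache[name] = (answer, now + self.ttl)
                    return answer
        raise LookupError(f"no answer for {name}")


def success_rate(drop_rate, servers, retries, trials=2000, seed=1):
    """Fraction of lookups that succeed.  Each trial gets a fresh resolver
    (and so an empty cache) so the cache cannot mask transport failures."""
    transport = LossyTransport(drop_rate, seed)
    ok = 0
    for i in range(trials):
        resolver = Resolver(transport, servers, retries=retries)
        try:
            resolver.resolve(f"host{i}.example")
            ok += 1
        except LookupError:
            pass
    return ok / trials


if __name__ == "__main__":
    print("one server, one attempt:   ", success_rate(0.3, ["ns1"], 1))
    print("three servers, two rounds: ", success_rate(0.3, ["ns1", "ns2", "ns3"], 2))
```

With 30 per cent packet loss, a single query to a single server succeeds about 70 per cent of the time; three servers tried over two rounds fail only when all six attempts are lost (0.3 to the power six, under one in a thousand), and a cache hit needs no packets at all. Each layer is simple on its own; the robustness comes from stacking them.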

Perhaps we can learn from systems like DNS that, in designing for failure and success, will prove to be robust into the future.

Andy Ellis is chief security officer at Akamai


Red Lambda announces European launch

September 29, 2011

The software company Red Lambda announced its entry into the European market this week with the launch of MetaGrid.

Intended to offer a form of crowd-sourcing to increase the scale, speed and efficacy of security and operational intelligence for companies with big data IT challenges, the company describes the technology as "next-generation security and operational intelligence software".

Talking to SC Magazine this week, COO Todd Krautkremer said the company was formed in Orlando after founder and CTO Rob Bird established it at the University of Florida, and now has bases in Minnesota and Southern California, with its UK office in London.

Krautkremer said the concept of the company was to "apply virtual super-computing technology to security". With a full public launch just over a year ago, a team was hired to take on the security market, and the first result was MetaGrid.

Krautkremer said: “This is a software application that sits on our platform ‘AppIron', which is essentially a super-computer with MetaGrid sitting as a layer on top to do unusual anomaly detection and situational awareness.

“This brings computers together to pass out tasks to create a response. Our grid is a combination of distributed computers, P2P networks and surface technology. These are brought together to create a super-computer, and the knowledge can be applied to security.” 

It said it is the first company to combine big data technologies to create an ultra-scalable, purpose-built software platform designed to keep pace with the increasing volume, variety and velocity of IT operational data and find the threats and opportunities buried within it.

Krautkremer said the idea of a crowd-sourced grid network of intelligence allows threats to be seen outside of the perimeter, while current tool-sets focus on known threats.

“Attacks have changed and the network has changed, so securing big data is a problem, and in trying to solve the new security problem we analyse new information at every moment to determine an investigation,” he said.

“We believe that bringing all of the big data together and analysing it, we can determine if it is a threat or not. We are capturing data and developing for ‘unknown unknowns'. This is a whole new era of security that we are focused on.

“If you can consolidate and work in the way that your adversaries are, you can crunch petabytes of information to provide an advantage.”

Once data is captured and analysed to find anomalies, it is shared across the grid and compared with other knowledge. Krautkremer said this is similar to how hedge-fund technologies index and parse data, and by the time it gets to a user it has been analysed with intelligence in the memory.

Bird said: “Security, as with most aspects of IT operations, has been a big data problem for years. AppIron and MetaGrid fuse massively scalable grid computing, relational stream processing and breakthrough artificial intelligence into a single, cohesive solution that transcends the capabilities of conventional approaches and delivers true situational awareness.”


Talking with the first senior director of consumerisation

September 27, 2011

It is almost a year since I was told that 2011 would be the year of consumerisation, and I recently met one executive who has been gifted with managing the challenge.

Ever since I was introduced to the concept of the ‘consumerisation of IT' (to give it its full title), I have been given opinion, perspective, research and solutions to address and mitigate the problem.

Last week at the Gartner security conference in London, I met Cesare Garlati, senior director of consumerisation at Trend Micro, who said businesses' staff were forcing IT decisions.

In a recent Trend Micro survey of 600 decision-makers at medium- and large-sized businesses, 56 per cent said they allow personal devices to be used at work. Garlati said this means companies can decrease their investment in devices.

In terms of productivity, Garlati said this was a "no brainer" as employees will often work beyond standard office hours when they have access to mobile devices.

So what is the way forward according to a senior director of consumerisation? He said: “Embrace is the optimal approach. Create a plan that spans the whole organisation; say yes for some but not for everyone by determining a group of users and figure out what technology is allowed; and figure out what tools are needed and put the right infrastructure in place.”

The survey found that security (64 per cent) was the main concern in allowing personal devices to be used in the workplace, followed by data loss (59 per cent) and compliance (43 per cent).

Talking to SC Magazine, Garlati said: “Mobile is part of consumerisation but people do not understand it. People like it and use it. IT wants you to use it, but do not want to be held liable. This is a civil war.”

Garlati added that often, IT is not the driving force of technology, but the end-user adopting what they feel comfortable with.

I concluded by asking Garlati what his role as senior director of consumerisation actually involved; he said he is mainly looking at solutions and driving these to customers. With no real solution in sight, perhaps theory is the way forward.


The consulting cat

September 20, 2011

I recently met with a consultancy based in Cheltenham that, like many others in its sector, describes itself as "a bit different".

Started by three people in a living room, Electric Cat is now a CESG CHECK-approved company with around 15 full-time staff, including nine consultants.

James Wootton, managing director of Electric Cat, said its customers are primarily in the government sector "who came to us, so we tried to form a company that had some integrity to it". The company achieved its CESG-CHECK mark in order to work with government departments.

Wootton said: “A lot of the approval is in live tests, as exams do not make you a penetration tester. Almost all penetration testers were born with the skills – they want to see how a toy works, rather than just play with it.”

Acknowledging the work of the Cyber Security Challenge, Wootton said this type of practical assessment was the way forward for the industry. “Just because it looks great on a piece of paper, it does not mean you are going to be able to do it,” he said.

Robert Vaughan, CLAS consultant at Electric Cat, said there is a gap in the market for penetration testing. “You can talk to people about information security and see them understand it and figure out how it applies to you, but some have no concept of applicability to themselves,” he said.

“You need to talk to people at the simplest level, as nobody is prepared to understand what they do not already understand. They do not understand what it means to reveal too much information; there is a massive need for it.”

Electric Cat has worked on cyber education projects with schools and universities, and Vaughan said there is often a lack of understanding about correct procedures. He added that businesses often lack an understanding of what to do with a vulnerability once it has been identified, because they do not know when it is applicable to them.

So is there a lack of general interactivity with technology on a user basis, or is there a lack of people who are generally interested? Perhaps with its interaction at several levels, Electric Cat is aiming to create the next cream of the crop.

 

Isn't IPS all about catching malware?

September 16, 2011

With so much furore over data-loss prevention, it is rare that we look at the capturing technology, in particular intrusion prevention systems (IPS).

I recently spoke with Matt Jonkman, CTO of Emerging Threats Pro, who described its efforts in IPS as a "ten-year-old open source technology", but "the only open source that exists as anyone can do what they want with it".

I asked Jonkman the most basic question about IPS: should it stop malware coming in? He said: “We have one major target: an IPS that is good at catching malware. Companies have moved away from that as they are not getting hardware based on how comprehensive the ruleset is.

“Our focus is always on malware; IPS is better with an anti-virus client, but Suricata uses the session's command and control centre. With the major ruleset in the first version of Suricata, people took to it and decided to put in new features – from this we created a ruleset and this is where we came to be where we are. Our real focus is on malware and we publish a new ruleset every day.”

I asked him if a new daily ruleset was standard. He said most providers will issue a new ruleset once a week or once a month, but as Emerging Threats Pro takes in more than 50,000 malware samples a day and delivers 20-40 new signatures every day, it feels the need to issue a ruleset daily.

“A ruleset is around 1MB and the rule manager will see what it did not have and push it to the sensors,” said Jonkman.
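The delta push Jonkman describes, a rule manager working out which signatures a sensor lacks, turns on the sid and rev options every Snort/Suricata rule carries. The following is an added example, not Emerging Threats' or Suricata's code; both rulesets are constructed samples, and the "unbumped" check for silently edited rules is an addition here, not a feature of any real rule manager.

```python
"""Compute what a daily ruleset release adds or revises, keyed on sid and rev.

Added example, not Emerging Threats' or Suricata's own code. The two rulesets
below are constructed samples in Snort/Suricata rule syntax; 'unbumped' is a
check added here, not a feature of any real rule manager.
"""
import re

# sid/rev live in the option block, e.g. "(msg:...; sid:9000001; rev:2;)".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_ruleset(text):
    """Return {sid: (rev, rule_line)} for every active rule in a rules file.

    Lines beginning with '#' are comments or disabled rules and are skipped.
    A rule with no rev option counts as rev 1, matching the engines' default.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if sid_m is None:
            raise ValueError("rule without a sid: %r" % line)
        sid = int(sid_m.group(1))
        if sid in rules:
            raise ValueError("duplicate sid %d" % sid)
        rev_m = REV_RE.search(line)
        rules[sid] = (int(rev_m.group(1)) if rev_m else 1, line)
    return rules


def ruleset_delta(installed, fresh):
    """Classify the fresh release against what a sensor already has.

    new      - sids the sensor does not have at all
    revised  - sids it has, where the release carries a higher rev
    unbumped - same sid and rev but different rule text (a silent edit that a
               rev-based update would miss; surface it to an operator)
    removed  - sids present on the sensor but dropped from the release
    """
    delta = {"new": [], "revised": [], "unbumped": [], "removed": []}
    for sid, (rev, line) in fresh.items():
        if sid not in installed:
            delta["new"].append(sid)
            continue
        old_rev, old_line = installed[sid]
        if rev > old_rev:
            delta["revised"].append(sid)
        elif rev == old_rev and line != old_line:
            delta["unbumped"].append(sid)
    delta["removed"] = [sid for sid in installed if sid not in fresh]
    return {k: sorted(v) for k, v in delta.items()}


def rules_to_push(installed, fresh):
    """The rule lines a sensor is missing: only the new and revised ones."""
    delta = ruleset_delta(installed, fresh)
    wanted = delta["new"] + delta["revised"]
    return [fresh[sid][1] for sid in sorted(wanted)]


# Constructed sample rulesets (not real Emerging Threats signatures).
INSTALLED = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Trojan check-in"; flow:established,to_server; content:"/gate.php"; http_uri; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"EXAMPLE Downloader beacon"; flow:established,to_server; content:"|00 01 02 03|"; sid:9000002; rev:2;)
alert dns $HOME_NET any -> any 53 (msg:"EXAMPLE query for sinkholed domain"; dns_query; content:"bad.example"; nocase; sid:9000003; rev:1;)
"""

# Next day's release: a silent edit to 9000001, a rev bump for 9000002,
# 9000003 dropped, 9000004 added, 9000005 shipped disabled.
FRESH = """\
# EXAMPLE daily release
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Trojan check-in"; flow:established,to_server; content:"/gate2.php"; http_uri; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"EXAMPLE Downloader beacon"; flow:established,to_server; content:"|00 01 02 03 04|"; sid:9000002; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE FakeAV landing page"; flow:established,to_server; content:"/scan.php"; http_uri; sid:9000004; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE disabled rule"; sid:9000005; rev:1;)
"""

if __name__ == "__main__":
    old, new = parse_ruleset(INSTALLED), parse_ruleset(FRESH)
    print(ruleset_delta(old, new))
    for line in rules_to_push(old, new):
        print("push:", line[:60], "...")
```

Only the two rules in the push list need to travel to the sensor; the silently edited rule is flagged rather than pushed, because its unchanged rev gives the update mechanism nothing to key on.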

“We are very much vendor agnostic and work with partnerships; we do not compete and hardware companies see us as a partner and an OEM.”

Emerging Threats Pro claims to be the only IPS company serious about identifying and analysing malware before it becomes effective. It also called the reliance on desktop-based anti-virus "a very short-sighted decision".

I asked Jonkman how it deals with zero-day threats; he said these were not the biggest threat as the company will get an initial sight of the command and control centre.

Emerging Threats Pro produces the ruleset for Snort and its own Suricata IDS that is based on, and supports, the Emerging Threats open source project. Jonkman explained that it was initially funded by the US Department of Homeland Security to build an open infrastructure; eventually the Open Software Foundation (OSF) built a next-generation engine, which it acquired and called Suricata.

Suricata remains an open source development owned by the OSF. It was recently boosted by Kaspersky Lab after the anti-virus vendor, which uses this ruleset for its in-lab research, began a co-operation, with malware samples exchanged and further work made on extending Emerging Threats Pro ruleset coverage.

Kaspersky Lab said its specialists had begun feeding data into Emerging Threats Pro to improve the ruleset for all its users.

Nikita Shvetsov, director of anti-malware research at Kaspersky Lab, said: “We are happy to be collaborating with the Emerging Threats Pro Team, the open source team to go to for the best IDS/IPS ruleset. Our combined efforts will [allow] both organisations to optimise their signatures, which will then trickle down to better internet security for all.”

Jonkman said Suricata is being used extensively and it continues to support the open version, which has been downloaded 170,000 times. He added: “We want people to realise that IDS is the best protection against malware and would like to say to administrators, ‘why do you not just focus on catching malware?’”

 

Would you change your behaviour if you knew you were targeted?

September 13, 2011

Media headlines and warnings from security experts and government agencies pale in comparison to the sure knowledge that you have been targeted.

Would you change your attitude if you knew someone, or some organisation, was after your data? In 15 years of talking to people about improving their security, I repeatedly hear the response: "But we are just a [insert benign industry here]… who would want our data?"

Industry by industry, organisations have learned the hard way that their data is valuable to someone. Banks, stock traders, software vendors, payment processors, retailers, hospitals, NGOs, militaries and governments have discovered through very public breaches that their data is indeed wanted by some bad actors, be they hacktivists, cyber criminals, competitors, insiders or foreign agencies.

So imagine for a minute that you get clear intelligence that you or your organisation has been targeted. It could be as blatant as Anonymous threatening you for some perceived slight. You may see your organisation's name appear in the press, or you may get an alert of a spear phishing attack against an executive.

Once you realise you are the target of an adversary, your approach to security transforms. You circle the wagons; you check your access logs; you take the results of your vulnerability scans seriously. You consider updating and patching your operating systems and revisiting your firewall policies.

However, this does not go far enough. It may protect you from attacks aimed at a broad swath of targets, but if the adversary is determined, they will bypass even systems that are patched and running the latest anti-virus signatures.

They will use zero-day vulnerabilities, target your more-vulnerable partners or find systems that do not even run anti-virus software. To protect your endpoints from this level of targeting, you need to lock them down so no unauthorised code can run. This is what whitelisting does. The droppers, remote access and Trojan applications used in targeted attacks will not run.

Is that all you have to do? Of course not. Targeting involves a lot more than computers and networks. A determined adversary will go to great lengths to get what they are after. Bribery, blackmail, breaking and entering, and infiltration take data protection into the human and physical realms. Why make it easy for your attacker? Preventing relatively simple attacks on desktops and mobile platforms is the first step. Beefing up your background checks and internal monitoring is next.

Richard Stiennon is founder and chief research analyst at IT-Harvest

 

How does a company use device detection software?

September 09, 2011

The laptop detection technology from Absolute Software has always interested me from a consumer perspective, but what benefits does it actually offer to businesses? After all, how many laptops are stolen on a regular basis and need to be recovered?

I talked to Lorrayne Smith, distributed systems team leader at communications firm KCOM Group, who helps to oversee IT hardware assets including 1,100 laptops and 900 desktops. Add to the equation the company's 2,000 employees across nine locations, and the fact that many of them work on customer sites, and the challenge becomes a big one.

Ahead of the deployment of Absolute Software's Computrace three years ago, KCOM Group chose to lease its hardware, rather than buy it outright, meaning it needed to take extra care in tracking the whereabouts of its IT assets.

Talking to SC magazine, Smith said: “The main reason we used Absolute Software was because we had PCs and desktops and needed to get hardware back. Once it was implemented we used Computrace to do a data wipe so, if a laptop is stolen, we have not lost data.

“It has solved an issue in tracking PCs, as often they are used for working from home by engineers. We send out replacements too, and sometimes it is a challenge to get the laptop back, which is why we use Absolute Software to track PCs if they have not ‘called home’ in 30 days.

“We use it as a capability, but it is all about keeping a close eye on the assets, as we are low on number of stock and it is important to get them back. We find that if someone has [a laptop] and is leaving, they tend to keep it back for the next starter.”

Computrace is able to pinpoint a laptop's location as soon as it connects to the Internet, so KCOM Group can identify a missing machine and know precisely where it can be retrieved from.

“Keeping track of employees' laptops can be a nightmare in terms of administration and organisation, and that's before you've made allowances for human error. No matter how hard you try, it is inevitable that laptops will occasionally be misplaced,” Smith said.

She added: “We had a laptop stolen and I got an email saying it had been recovered by the police. We left this in Absolute Software's hands and they tracked it – we did not have to do anything.”

The deployment has also reduced 'PC drift', as information obtained from the Absolute Customer Centre can determine when a computer has not been used for some time; the device is then located so it can be redistributed elsewhere.

“Without Computrace, we would not have known where a faulty laptop was and it would have sat in the drawer for months, when it could have been repaired and given to another employee to use. More importantly, a laptop left in an unlocked drawer presents a big security risk when the data is potentially confidential,” said Smith.

 

Was the latest NHS breach about more than data loss?

September 08, 2011

A recent report by The Information Commissioner's Office (ICO) on an NHS trust's loss of patient data highlights a new challenge for businesses generally.

In the incident at the University Hospital of South Manchester NHS Foundation Trust, a medical student lost the personal information of 87 patients after mislaying an unencrypted memory stick.

The student, who had been on a placement at the hospital's Burns and Plastics Department, copied the data onto the personal device for research purposes. According to Chris McIntosh, chief executive of ViaSatUK, the incident demonstrates the risk of a complacent approach to data protection, as well as the need for training to be carried out across all levels within an organisation.

He said: “There is little point in having a policy in place if it is not adhered to by everyone. Sensitive information on patients needs to be secured and, if it is stored on portable storage devices, these devices need to be encrypted.

“Data protection training needs to be instilled at an early stage for those working with sensitive data, in the same way that health and safety training is undertaken before staff begin work. It should also be transparent who has, and who has not, received this training so that presumptions are not made, rules are adhered to and the risk of further losses like these is prevented in future.”

Mark Fullbrook, director of UK and Ireland at Cyber-Ark, said the story was "hardly encouraging" as the NHS holds the most sensitive of our personal information and the public expect it to adequately protect this data.

He said it was particularly disappointing that the trust assumed the student had received data protection training. “Given the importance and sensitivity of the information in question, this should have been checked properly and addressed immediately,” he added. 

Christian Toon, head of information risk at Iron Mountain, said the case highlights the need for adequate information management training for staff at every level.

“The NHS needs to integrate corporate training and self-regulation into its organisation and build a genuine culture of 'doing the right thing', so that mishaps can be avoided. While no information management system is fool-proof, correct training and regimented checks as part of a cultural shift will ensure that the human factor is less of an influence and limit data-loss incidents,” he said.

Another worrying aspect of this incident is the negative implications of the ‘bring your own device’ (BYOD) concept. Stephen Midgley, vice president of global marketing at Absolute Software, said this case was a prime example of the challenge companies face in light of the BYOD trend. “They must take appropriate measures to enable central management of devices, as this is the only way they can ultimately ensure the protection and integrity of their data,” he said.

Marc Lee, EMEA sales director at Courion, said the case illustrates the need for organisations to better understand the assignment of appropriate risk levels and user access rights to everyone accessing the corporate network.

He said: “Enforcing strict access rights management will help organisations control not only who is accessing sensitive data, but also how this information is being used and who is entitled to copy confidential data on personal devices such as unencrypted USBs. This will inevitably minimise the risk of inappropriate data use and will help organisations ensure that only the right people have access to the right information and are using it in the right way.”

This incident, then, has implications that go beyond simple data loss prevention and robust policy management. It is a clear warning about the perils of giving temporary staff access to data, the use of unapproved personal devices and a lack of training.

 

Solving remote solutions in-house

September 01, 2011

As well as the various security tools that are available to IT teams, it is great to see the in-house development of solutions and even better when they choose to talk to the press about them.

I was recently contacted by a member of Stockport Council's ICT department who told me about a new in-house development to allow remote access to desktops. The council calls it the '.Roamkey': ‘a secured operating system stored on a bootable USB pen drive’ that allows a user to make use of an unmanaged computer to access ICT services in a secure manner.

I asked Mark Doyle from the ICT department what the circumstances were around the solution being developed. He said that it was developed in order to resolve a number of issues, namely that employees were previously using insecure or unmanaged equipment to access Stockport Council's ICT services; not only did this pose a risk to the security of the internal networks, it also presented a risk of data leakage.

He also said that users were experiencing difficulties configuring their personal computers to access Citrix, creating a support overhead on unsupported IT equipment, while providing extra IT equipment (laptops or thin clients) for casual home workers was proving to be ‘prohibitively expensive’.

Asked if he was inspired (either positively or negatively) by other available solutions when creating this, Doyle said: “We began developing the .RoamKey purely in response to needs identified via IT service management. We believed that we had the skills and knowledge already available within operational ICT to develop a solution.

“We had previously looked at using removable media to initiate client rebuilds. We were not aware of any similar products until after it was developed, although it became apparent at that time that a number of expensive but very similar alternatives were becoming available.

“We did review some of these but found that they offered nothing additional (for Stockport Council) to what our own .RoamKey could provide. The .RoamKey is CESG compliant (but not approved); as all our GCSX/GSI users are office based, we do not have a specific requirement to implement a CESG approved product.”

Asked how this is meeting the needs of the council, its IT team and employees, Doyle said that employees are now able to make use of their own ICT equipment to securely access council-provided ICT services, and there is no longer any need for users to configure their own equipment or to request support from ICT.

“There is a cost saving as dedicated ICT equipment no longer needs to be purchased for casual or ad-hoc home workers and ICT can now provide .Roamkeys to staff for remote working in compliance with the Code of Connection,” he said.

Doyle said he believed that Stockport Council's ICT department was the first in the public sector to do something like this, and it has plans to sell .Roamkey to other public sector bodies and private industry.

 

Addressing the modern day challenges of identity and access management

August 30, 2011

Earlier this year I talked with some leading identity and access management (IAM) solution providers after some notable movement in the sector.

I spoke with Scott Morrison, CTO and chief architect of Layer 7 Technologies, about some of these topics, specifically the Jericho Forum's suggestion earlier this year that people should control their own identity.

The guidelines also suggested that a person's own username and password should be accepted universally. I asked Morrison if this is workable or impractical, given that each site needs to know who is logging in with the credentials they provided.

He said: “This was the dream of OpenID, a credential that could be used across a range of websites. At first look it seems counter-intuitive as traditionally, owners of a service have always issued credentials to access a service.

“For example, to get your corporate email, you need to use corporate-issued IDs. But if you stop and consider the lack of ceremony and validation that most websites demand for creating an account and issuing an ID (usually little more than the hoop of getting past a CAPTCHA), it becomes logical to think that maybe we should just accept credentials that come from another identity service. In the end, these are as valid as credentials issued locally by the website and, from an architectural perspective, it has a nice elegance to it.

“Of course, identity provisioning remains an issue. If I show up as Scott Morrison with credentials issued somewhere else, most sites still need to create some record of me in a database to run effectively; it may just no longer need a local password and this is a pretty big step forward.

“So the idea is certainly practical and technically feasible; the real barriers to adoption are cultural. Web developers aren't accustomed to developing sites that use this idea. An awful lot of web development is template driven and if the template you are using already has a user signup section that includes local passwords, that's what is usually used.

“What is interesting is that six months ago I would have maintained that OpenID was dead, just another good idea that failed to take off. But interestingly enough Oauth seems to be giving it a new lease on life.”

It had been suggested to me in some meetings that ‘identity’ and ‘access management’ should be considered separately. I asked Morrison whether, if they are separate, they still need to co-exist, since you cannot have one without the other.

He agreed, saying that identity is about ‘the claims we use to prove we are who we say’, while access management uses identity by running authentication (validation of security tokens and thus establishment of claims) and authorisation (is an identity allowed access to a resource).

“They are linked, but it helps to consider them separately because they are each important concepts in their own right,” he said.
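Morrison's split can be shown in code: an identity provider asserts claims in a signed token, and the relying party first authenticates (validates the token, establishes the claims) and only then authorises (checks its own policy). The following is an added example, not Layer 7's code nor a real SAML or OpenID implementation; the HMAC token format, the key, the issuer URL and the policy table are all constructed for illustration.

```python
"""Identity (claims) versus access management (authentication, then authorisation).

Added example, not Layer 7's code and not a real SAML/OpenID library. A
hypothetical identity provider issues an HMAC-signed claims token; the relying
party validates it before consulting its own authorisation policy. The key,
issuer and claims are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Identity provider side: sign the claims so a relying party can trust them."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def authenticate(token: str, key: bytes, issuer: str, now=None) -> dict:
    """Access management, step 1: validate the token and establish the claims.

    Raises ValueError on any failure so that untrusted claims never leak out.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Constant-time comparison: a plain '==' would leak timing information.
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("no subject claim")
    return claims


# Relying-party policy: resource -> roles allowed. The site still keeps its own
# record of the user (provisioning) but needs no local password.
POLICY = {"/reports": {"analyst", "admin"}, "/admin": {"admin"}}


def authorise(claims: dict, resource: str) -> bool:
    """Access management, step 2: is this identity allowed to reach the resource?"""
    allowed = POLICY.get(resource, set())
    return bool(allowed & set(claims.get("roles", [])))


def access(token: str, resource: str, key: bytes, issuer: str, now=None):
    """Full check; returns (decision, reason). Authorisation never runs on
    claims that failed authentication."""
    try:
        claims = authenticate(token, key, issuer, now)
    except ValueError as err:
        return False, "authentication failed: " + str(err)
    if not authorise(claims, resource):
        return False, "forbidden for " + claims["sub"]
    return True, "ok " + claims["sub"]


IDP_KEY = b"constructed-sample-key"        # shared IdP/relying-party secret
ISSUER = "https://idp.example"              # hypothetical identity provider

if __name__ == "__main__":
    tok = issue_token({"iss": ISSUER, "sub": "scott", "roles": ["analyst"],
                       "exp": int(time.time()) + 300}, IDP_KEY)
    print(access(tok, "/reports", IDP_KEY, ISSUER))
    print(access(tok, "/admin", IDP_KEY, ISSUER))
```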

Talking with other providers this summer about hosted IAM solutions led me to wonder if this is something businesses should be demanding from their service providers.

He said: “Businesses should look for the cloud access management solution that meets their unique needs. A specific cloud provider may not offer the best of breed access management system. However, I do think it is reasonable to push cloud providers to accommodate existing standards such as security assertion mark-up language (SAML) and emerging standards like Oauth on their access control.

“For example, many SaaS providers, such as Salesforce.com or Google docs can use SAML to allow federated sign on with enterprise IAM equipment on premise, or with cloud-based solutions. In 2011 this should be a pretty basic requirement.”

Finally, in a conversation I had with Extreme Networks and Courion earlier this year, it was suggested that businesses should look at Active Directory settings and privileges as a simple method of ensuring that users have access to the right applications and services.

Morrison said that businesses with an existing investment in Microsoft technologies and Active Directory should look closely at what IAM capabilities this technology offers.

He said: “Certainly the latest versions of Active Directory Federation Services have offered a very rich and capable federation model that works well in Microsoft environments. However, there are certainly non-Microsoft equivalents that might be a better fit with a business's existing technology infrastructure.”

As people are forced to consider their online identities more and more, perhaps it is worth knowing that there are concepts and solutions ready to solve the dilemma.

 

Taking down Rustock

August 25, 2011

There have been some notable botnet takedowns in recent times, including BredoLab and Mariposa.

Most recently, the Rustock botnet was taken down by a group of companies led by Microsoft's digital crime unit. I spoke with Alex Lanstein, senior security engineer at FireEye, who was involved with the takedown. He explained that the project to bring Rustock down began 18 months ago ‘when there were initiatives to do something good on the internet’.

Lanstein said: “We went after a major threat and the decline in spam shows how good the takedown was. Microsoft was involved in this, but it needed industry collaboration to take down such a threat.”

I asked him about how this compared to the takedown of Mariposa a year ago. Lanstein said that the difference in the botnets was significant, as Mariposa was more kit-based and was sold to many users, while Rustock was developed and used by one party, so one person was responsible for its output and activity.

Lanstein said that in order to take down a botnet, you need to hit each command and control (C&C) server that is being used by every variant of the malware. “We spent over a year identifying each one so 100 per cent of the botnet was taken down,” he said.

“You have to watch every server and variant and know what the malware looks like. It can seem easy to look over the C&C, but if there is backup access, the botnet can be recovered. We had to hit six or seven data centres within minutes as otherwise, if they knew what we were doing, they may have been able to wipe files.”

Symantec.cloud confirmed to me that there had been no activity from Rustock since the takedown. To date there have been no arrests made in connection with Rustock; however, there has been some speculation on the identity of the person behind the botnet. Lanstein said that logs he had seen suggested the owner would keep a low profile should the botnet be taken down.

I asked Lanstein if he felt that copycat botnets would appear following the capability of one person setting up Rustock. He said: “I don't think so, as spam has been harder to get through due to anti-spam and spammers being reliant on rogue credit card processors, fake anti-viruses and pharmaceuticals. The whole spam model will not go away as there is money to be made from spam.

“You could say that the spam problem is over because the threat now is about specific attacks with customised malware. We are seeing increased attacks over the last six months, and state-sponsored attacks that have no economic impact at all.”

Botnet takedowns are a remarkable part of our business; they require collaboration between professionals and individuals, a lot of hard work and expert timing. With other botnets still live and likely to be constantly sending out spam, there's no time to sit back and admire the work.

 

With members leaving, is this the beginning of the end for Anonymous?

August 25, 2011

The Anonymous movement has come under fire from its own members this week, as at least four members have publicly criticised its recent actions.

At the start of this week, a former Anonymous member known as ‘SparkyBlaze’ publicly left the movement and criticised the recent actions, saying that when he started out he thought he was helping people, but over the past few months things inside Anonymous had changed.

This was followed by a Twitter tirade by another member who called himself JohnDoeJKM, who also spoke out against Anonymous actions against the public. He also criticised the merger with LulzSec for removing the option to collectively decide on targets and said that Anonymous ‘is fractured and wild with no focus or direction’.

A statement appeared from a member from Nigeria, who identified himself as ‘SanDel’ and admitted hacking into the Federal Airports Authority of Nigeria and launching a distributed denial-of-service (DDoS) attack against Aero Contractors, Air Nigeria and Arik.

However he said that when people got arrested, the Anonymous leadership did nothing. He said: “To other Anonymous members I recommended that you quit. You are not doing anything that can make a change. The best is to contact your politicians and make a change.”

In a letter to Anonymous from someone simply signing off as ‘anonymous’, it said that ‘lately something has been wrong’, in particular targeting members of the public.

It said: “Because of your recent acts you've gone from liberators to terrorist dictators. I'm posting this as a guest because I feel that by simply disagreeing with you, I run a risk of attack.

“You'll never gain popular support in the way that you're going, attacking corporations and releasing customer information makes them blame you, not the corporations. Whoever has told you that this was the logical approach has misled you.”

This member also criticised the ‘OpBART’ operations for hacking databases and releasing customer information.

“BART is public transportation for those without transportation, this is the last resort for most people. BART customers may not have a choice but to use BART, so you hurt them further by releasing their personal information like you're a bunch of lowlife scum. This is why you are thought of as cyber terrorists, this is why the people don't follow you,” it said.

Personally I doubt that the public resignation will make much of an impact upon Anonymous. It has continued to insist that it does not have leadership and operates as an umbrella term for global activists to work under.

I spoke with James Lyne, ethical hacker and senior technologist at Sophos, who said that you have to assume that the Anonymous membership ‘is pretty huge’. In terms of members leaving, he said that what may make a difference is that the comments from those leaving may ring true with other members.

He said: “What may create a response was what was in the open letter, that the actions of the group infringe on people's privacy that the group was meant to uphold. The actions are moving to human harm and while a massive DDoS against SOCA is not condoned or right, the difference between that and releasing information that harms people who have no idea of the concept of information security is huge.

“There does seem to be a change in the stakes with the actions of the group, but four people will not cause a change, but what will be interesting to see is if the comments have any impact on other members.”

While Anonymous has not officially responded, it did acknowledge that not all members would support the same cause.

There has been no comment via its AnonOps blog page, but in a tweet, it said: “Some Anons support ‘OpBART’, others don't. Some support ‘Antisec’, some don't. Some support both, or neither. All valid Anonymous stances.”

Rik Ferguson, certified ethical hacker and director of security and research at Trend Micro, said that Anonymous' PR originally gained public sympathy from the technologically engaged to encourage people to take part in DDoS attacks.

He said: “Although illegal, attacks against high-level targets are some form of legitimate protest in some eyes, but hacking and releasing the data of innocent users, impeding their privacy and putting their identity at risk, is a different ball game.

“I have not seen any movement from Anonymous but it is difficult to determine who Anonymous is. With operation Facebook, it was not sanctioned by Anonymous but was done by members, so it seems that there is no control.”

Looking to the future of the movement, Ferguson said that he believed that members may splinter off into different groups in different countries as they feel empowered under the antisec flag.

“It could mean that the current tactic could become the norm and we could see groups with the same common belief but not working under the umbrella of Anonymous,” he said.

 

Second #Anonymous member speaks out against group's recent actions

August 24, 2011

The Anonymous group is facing its second member revolt in a week after another 'anon' spoke out against its actions.

Naming himself simply ‘John Doe’ and tweeting as JohnDoeKM, he began by criticising the proposed ‘opFacebook’, which encouraged others to target the social networking site on 5th November, and went on to claim that the movement's aims had changed ‘since Lulzsec made random hacks "cool"’.

He said: “What happened to the old method of discussing new ops (operations) and voting on their worth before announcing them? It used to work. It also stopped numerous fail ops that lacked potential. Made Anonymous more effective and focused. Is needed desperately.”

Looking back at the efforts against PayPal and MasterCard last year, he said that this was ‘all great work done by focused anons’. “Now there are millions of stupid ops. We are divided and have lost direction. This makes us ineffective and weaker,” he said.

“For example, as much as I commend people looking after the homeless, we don't need an op for it. People should just be nice without ops. Anonymous used to do great, world changing work. That's how we got where we are. Let's not throw it all away with stupidity eh?”

He also claimed that the public opinion of Anonymous is at an all-time low because of ‘stupid lulz and retarded ops’, and that ‘the public loved us last year when we fought for good’.

“Now, no-one seems to know what they are fighting for, and the public tires of us. Media think we are failing. We need to unify and focus,” he said.

He also claimed that Anonymous members used to vote on operations and ‘stupid ops got ridiculed and declared unofficial’, but that this no longer happens.

Looking to the future, he said that Anonymous should reform, show that stupidity will not be tolerated and that good work will be done again, and that it should go back to the days before Lulzsec with ‘voting, focus, organisation’, when it would not stand for trolls and lame operations.

He said: “Good, solid work that not only helps on a global scale, but that the public can get behind. That makes us proud to be Anonymous.

“Right now brothers, I am not proud of Anonymous. It is fractured and wild with no focus or direction. Overrun by cancer. Change is needed.”

He also said that the old system of voting worked but the new system of ‘free for all’ does not, and a movement ‘back to IRC for voting is the only option’.

He also called the ‘Antisec’ operation a failure, as nothing of any real worth has been ‘leaked’ yet and ‘it simply makes us look bad’.

During the series of tweets, which had been going on for over four hours at the time of writing, he said that the more he talked about his thoughts, the more other Anonymous members were admitting that they felt the same.

Earlier this week a former Anonymous member, who was known as ‘SparkyBlaze’, publicly left the movement and criticised recent action in a statement. In it he said that when he started out he thought he was helping people, but over the past few months things inside Anonymous had changed.

 

How a national education network ran secure computers without anti-virus

August 23, 2011

The search for a secure computing solution for its tuition centres led Explore Learning to consider a sandbox solution with a difference.

A provider of private maths and English tuition services, Explore Learning is a national network of learning centres for children aged between five and 14 years. The scheme is designed to enhance knowledge, confidence and enjoyment of learning by using interactive computer-based tools that mirror the National Curriculum.

Speaking to SC Magazine, Stuart Morgan, IT director at Explore Learning, said that he had been looking for a solution that allowed users unrestricted access without compromising the network.

This led him to discover Faronics' layered security suite, Deep Freeze. Faronics says that it automatically restores workstation configurations with every reboot and prevents unwanted or unwelcome changes from sticking, ultimately reducing IT support and callout costs.

Morgan said: “We first looked at Deep Freeze in 2003/4 and have since rolled it out. This installs an agent on the desktop that is separate from the user and when a computer boots up, the whole session is in Deep Freeze. So rather than starting up in Windows, any activity gets stored in a temporary area and this is rebooted and in education this is fantastic.

“You can reboot the machine so if something detrimental has been done to the machine, you can wipe it. There is a constant battle with policies and needs of security and users, but with Deep Freeze you set up profiles and with the sandboxing option there is not this problem.

“We started with the standard version but moved to the enterprise edition so we can reboot the machine. Also, if we want to install software, we can do it in a ‘thawed' state so once it has been updated, we reboot and it re-freezes.”

Morgan explained that his three members of staff are responsible for 2,000 desktops in 48 centres across the UK that are used by 13,000 people. In the past, issues were resolved using re-imaging tools to restore PCs to their original state, which took 15-20 minutes; with Deep Freeze, recovery is a standard Windows start-up.

I asked him whether there was any problem with malware, or had been in the past. He said that there had not been a problem, as all activity was done in the Deep Freeze sandbox, so executables were not relevant either.

He also said that the capabilities of the secure session in Deep Freeze enabled him to remove anti-virus software from the desktops that are running the client, so if a computer gets a virus, it is rebooted.

“We did not remove the anti-virus straightaway, and I would be cautious to recommend doing that but in terms of cost, Deep Freeze is lower per user than anti-virus,” he said.

Kristina Bell, vice president, international at Faronics, said: “This is an excellent example of how our solution can afford peace of mind in a large-scale networked environment that relies on PC performance, security and self-management for business critical operations. With a track record of reducing IT support tickets by up to 63 per cent, Deep Freeze effectively removes helpdesk headaches and lowers the associated costs, as demonstrated by Explore Learning.”

Earlier this year, CNS looked at how a network could be run without a firewall, so could running a network without any anti-virus be the next frontier?

 

Has the advanced encryption standard been broken or weakened?

August 23, 2011

Research emerged last week that claimed that the Advanced Encryption Standard (AES) was ‘broken'.

The cryptanalysis project, carried out by Andrey Bogdanov (from the Katholieke Universiteit Leuven in Belgium, visiting Microsoft Research at the time of obtaining the results), Dmitry Khovratovich (Microsoft Research) and Christian Rechberger (ENS Paris, visiting Microsoft Research) found a ‘clever' new attack that can recover a secret key four times more easily than originally anticipated by experts.

According to the research, weaknesses had been identified in 2009 in the case where AES is used to encrypt data under four keys that are related in a way controlled by an attacker. While that related-key attack was mainly of mathematical interest, what made the new attack interesting was that it applies to all versions of AES even when used with a single key.

The research also claimed that finding an AES key is four times easier than previously believed, yet the effort to recover a key is still huge: the number of steps to find the key for AES-128 is an eight followed by 37 zeroes.

It said: “To put this into perspective: on a trillion machines that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key.”

Therefore, the research concluded that because of these huge complexities, ‘the attack has no practical implications on the security of user data'. However, the researchers felt that the flaw was significant enough to publicise, as it was the most critical found so far in the widely used AES algorithm, a view also confirmed by its designers.

The research created plenty of conversation online, as researcher Dan Kaminsky called it ‘excellent', but said that there is ‘a serious language gap between press and cryptographers that needs to be addressed'.

The story on this research by the IT news website The Register claimed that there was concern over the use of the word ‘broken', as in cryptography the term describes the result of any attack that is faster than brute force and here, ‘AES may not be completely broken, but it's broken nonetheless'.

The AES algorithm is used worldwide to protect internet banking sessions, wireless communications and data on hard disks. AES has been standardised by the National Institute of Standards and Technology (NIST), the ISO and IEEE and has been approved by the US National Security Agency (NSA) for protecting top-secret information.

The claims that AES is broken are rather extreme, but the research shows that there is a genuine weakness in AES, reached by way of a sophisticated attack, and this could be seized upon by attackers.

 

The Day after McAfee

August 22, 2011

A 13-year mainstay of McAfee, Greg Day was among the best-known spokespeople for the company but this summer he switched sides to Symantec. Dan Raywood spoke with him about the move and the future of information security.

Day started out with Dr Solomon's in 1991 and then stayed with the company after its acquisition by McAfee in 1998. At McAfee he rose to become the company's director of security strategy.

In his new role at Symantec, as EMEA security CTO and director of strategy, he explained that he will be leading a team of security strategists across EMEA, whose remit will be ‘security through leadership for Symantec'. Day said that the team will provide content for events and speak with customers, as well as focusing on trends and identifying where security is going.

“We want to talk to clients about what they should be doing and sharing industry practices. Not only with clients, but engaging with government and their activities,” he said.

“I will remain as vice chairman of the Intellect cyber security group and we will remain engaged with government on guidance to viewpoints on policy and direction. I work for a vendor but I look at it as other directors would.”

Last summer saw the acquisition of McAfee by Intel and recently, Dave DeWalt resigned as president of McAfee to be replaced by Michael DeCesare and Todd Gebhart. Day said that in his time at McAfee, he felt he had worked for ‘six or eight different companies' with his roles in the company's various divisions and under different CEOs, but he felt that it was now a completely different company.

He said: “I hope that they continue to do great things, but McAfee looks at security, while Symantec are making a transition into security and information and these have to go hand in hand and they are the only company bringing them together.”

Day said that another driving force for his decision to move from one security giant to another was Symantec's efforts with cloud technology via MessageLabs and its interest in mobile security.

He said: “More progressive companies have corporate app stores now and this is a big area for Symantec as there are two serious options now: either with more security on the devices; or with a built sandboxed model. Most companies will start with a sandbox and that is often a stopgap, as they need more native control and need to adopt an application quickly.

“People are looking and becoming more efficient and want things to work rather than figuring out whether it works or not.”

With vendors such as Good Technology, MobileIron and Zenprise now firmly setting their mobile management stalls out in the security space, I asked Day if this was a specific move forward for Symantec. He said that the company has had mobile solutions already but they had not ‘been shouted about'.

Looking forward into the future of information security, Day said that along with the advanced persistent threat, the real challenge is regarding information at the broader level and specifically at a business level.

He said: “Cyber crime against the public will continue but against businesses we do not know when it will stop. You start with social engineering that businesses have not woken up to and it is the age-old question of 'if the internet was started again, would we be in a better place?' I say it would be smaller but we would make other mistakes.”

“If someone wants to get in then they will, so you have to think about how long that will be sustained for and when they get in, what is going to stop stuff getting out. How do you defend against exfiltration?

“I am hearing ‘cyber defence' more and more and it is about whether you defend or prevent. You spend relevant to your risk, but you are never 100 per cent secure.”

 

Revenge attack on pharmaceutical network was done via McDonalds WiFi

August 17, 2011

A former IT administrator at a Japanese pharmaceutical company has pleaded guilty to hacking the company network and deleting 15 VMware hosts.

According to a report by nj.com, Jason Cornish said that he was avenging the dismissal of his friend who was a former IT supervisor when he used a public internet connection at a McDonald's to access the Shionogi network.

Court documents said that Cornish used a company user account to gain unauthorised access to a computer server and to take control of the vSphere software that he had secretly installed on the server weeks earlier from his home internet connection.

He then used this to delete the contents of each of the 15 virtual hosts on Shionogi's computer network, each of which contained the equivalent of 88 servers that represented most of Shionogi's US computer infrastructure to support email, Blackberrys, its order tracking system and its financial management software.

The attack left Shionogi without the ability to ship products or communicate via email for several days, and the company estimated that it cost almost £500,000 in losses.

Cornish pleaded guilty and is scheduled to be sentenced on 10th November. He faces a maximum penalty of ten years in prison and a fine of up to $250,000 (£150,000).

Mark Fullbrook, UK and Ireland director at Cyber-Ark, said that this was the latest case of an IT administrator gone bad and highlights the dangers that can ensue from unmanaged privileged access.

He said: “We've seen the San Francisco city network come crashing to a halt through Terry Childs and Sam Chihlung Yin threaten Gucci's global brand in similar incidents, all at a cost of hundreds of thousands of dollars. When will lessons be learnt?

“Whilst the punishment that Jason Cornish looks set to face sends a powerful message to the rest of the world on the repercussions of such actions, it's time that organisations start to take a proactive approach to security.

“Ultimately, organisations looking to avoid a similar fate need to ensure that networks are fully locked down and privileged access to systems is managed, controlled and recorded. This is the only way to prevent such incidents occurring in the future.”

Eric Chiu, founder and president of HyTrust, said: “The breach at Shionogi is a great example of how vulnerable virtualisation infrastructure and the cloud can be. Critical systems like email, order tracking, financial and other services were impacted, having been virtualised without the proper controls in place.

“The $800,000 in damages and multiple days of downtime at Shionogi could have been easily and very cost-effectively prevented with the right automated controls in place. Most significant is that a compromise at the virtualisation infrastructure layer is a potential compromise of everything else above it in the stack.”

 

The Anonymous #opFacebook was genuine, but was not created to encourage a 5th November attack

August 11, 2011

Yesterday the talk was around whether a new video from the Anonymous group, where it pledged to kill Facebook, was genuine or not.

According to a blog by Gawker, the threat was genuine but was effectively inactive. It pointed to an Anonymous statement by ‘Speakeasy' detailing the beginnings of ‘opFacebook', which ‘began several months ago and had between ten and 20 members'.

According to the statement, opFacebook initially had one goal ‘to bring attention to the fact that Facebook stored the data of user accounts' which morphed into a second goal ‘to develop an ethical, anonymous Facebook alternative'.

The statement said: “Development began on the site (albeit slowly) and all was well for a few days. Then came news of anonplus, an Anonymous social network, similar to the one that was being developed at opFacebook. The site in development by opFacebook was slowing to a halt and so I decided to offer the source to the team at anonplus. This came as a relief as I was growing tired of the project.

“I expected them to accept my offer of free source code and a mostly functioning site that would have reduced the embarrassment they subjected themselves to with the epic fail of announcing a site before they started coding. Unfortunately however, the ‘leader' (I lol'd) was a bit of a bitch and I was subjected to a number of attempted doxes and then kickbanned.”

Speakeasy continued by claiming that the opFacebook channel was never removed and it was decided by others that a mass deletion of Facebook accounts would occur on November the 5th, which spiralled into the rumours of an attack on Facebook.

The Gawker article claimed that the current panic ‘springs from some overeager hacktivists and media stumbling over the remnants of that abandoned operation and spinning it into a dastardly plot to destroy Facebook'.

Speakeasy said he did not know who created the opFacebook video and told Gawker he was surprised as to how the failed protest had spiralled out of control. “An attack on Facebook would be ridiculous. Even if it succeeded, Facebook has a lot of users and we want to help people, not hurt them,” he said.

As for the ‘official' line on support for opFacebook, the Anonops Twitter account said that opFacebook was ‘being organised by some Anons' but ‘this does not necessarily mean that all of Anonymous agrees with it'.

Another tweet from a different account at Anonyops said that ‘an Anonymous board meeting was held' and it had ‘decided to renounce opFacebook'.

So will there be any action on November 5th against Facebook as the video called for? It is possible that a small number will remain charged enough to create an attack against the social networking giant, but as Imperva CTO Amichai Shulman told SC Magazine yesterday, the video was likely a call to arms and without enough horsepower, any attack will likely fail.

 

Anonymous says it will "kill #Facebook" on 5th November

August 10, 2011

The Anonymous group appears to have made social networking giant Facebook its next target with a new video.

While it is unclear whether the video is a genuine call to arms against Facebook or simply a member with a vendetta, it claims that ‘Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world'.

The two minute video also said that ‘everything you do on Facebook stays on Facebook, regardless of your privacy settings' and that ‘deleting your account is impossible even if you delete your account, all your personal information stays on Facebook and can be recovered at any time'.

It ended with a message that said: “One day you will look back on this and realise what we have done here is right. Think for a moment and prepare for a day that will go down in history.”

It called on other activists and those keen to protect privacy to join the cause to bring Facebook down on November 5th this year ‘to kill Facebook for the sake of your own privacy'.

Despite media requests for clarity on whether the video is genuine or not, Anonymous had not responded at the time of writing on either its Twitter feed or via its Anonops blog page.

Speaking to SC Magazine about the threat, Imperva CTO Amichai Shulman said that these announcements are often a call to arms.

He said: “I don't have reason to believe that it is not true, maybe they are trying to build up momentum as they will need a lot of horsepower. They may be able to disrupt specific servers on a geographical basis but they may need more people to interrupt the service.

“It will be very hard to bring them down and most likely they will share toolkits, but my guess is that they are trying to create momentum to recruit. If they had people why would they wait until November 5th? My guess is that they will target specific geographical regions.”

Rik Ferguson, director of security and research at Trend Micro, agreed that the video should be treated with suspicion for now, as it was posted almost a month ago and had not been widely publicised on the usual Anonymous channels.

Looking at the group's points, he said that Facebook's own Privacy Policy states ‘when you delete an account, it is permanently deleted from Facebook' and that, while backup copies are kept for 90 days after removal and deletion, the group's point seems to be invalid.

He said: “The biggest and most important point though is this. Facebook is voluntary. You join Facebook because you want to. You provide information of your own volition and essentially at your own risk.

“If Facebook does know more about you than your own family, it is only because you told them. Conversely, while the social networking provider does provide relatively granular controls over how and who you share your data with, it is certainly my opinion that the default settings on an account are still too open and the mechanisms for controlling sharing are too complex.

“Posting information anywhere online is similar to pasting up a notice in a global meeting hall and should be treated in that way. Even if you restrict access to your information to only your friends, you cannot control how that information is further shared by people within your circle of trust.”

If the video does prove to be a fake, it would not be the first time that the hacktivist group's lines of communication had been faked. Back in February, a statement appeared threatening Westboro Baptist Church and instructing it to cease and desist its protest campaign in 2011, demanding that it 'return to your homes in Kansas and close your public websites'.

The statement was enough to warrant a response from the church and a few days later an Anonymous spokesperson denied that it was directly responsible, with pro-US hacker The Jester claiming responsibility and mounting a lengthy denial-of-service campaign.

 

IT services company recovers lost laptop after break-in

August 04, 2011

To prove that insurance is sometimes worth considering, I recently spoke with a computer services company that had deployed software which recently proved its worth.

Paul Tomlinson, managing director at Mirus IT Solutions, told me he had deployed software from IT automation company Kaseya four years ago, and that last week the company suffered a break-in which saw four customer laptops stolen.

Tomlinson said: “Our Kaseya setting takes a screen shot every five minutes and sends it back to us, so it is not too resource hungry. After the break-in at 4.149am, the computer was turned on at 4.30pm and we saw the user go to eBay, Facebook and use online banking, so we knew their name, phone number and address.

“We sent this to the police who arrested three people. So far we have recovered one laptop while police recovered a lot more too, so from the loss of four we recovered one, but if they turn on any of the laptops we have a chance of finding them.”

Tomlinson told me that the laptop ended up only two miles from the company's managed offices in Milton Keynes, but felt that without the Kaseya capabilities the laptops would have been lost.

“Kaseya sends an image which we use as a way to examine scripts, we have been using it for almost four years and we looked at the product for our managed service space. It has benefited us with the stolen laptops but it can be used for more in the future,” he said.

 

More 44Con training and 'capture the flag' contest announced, as BSides London talks online

July 28, 2011

A further three training courses have been added to the line-up for September's 44Con.

Raytheon are running a one-day ‘Executive Cyber Training Course' aimed at non-technical staff who need a thorough and pragmatic understanding of the risks of online threats and defences.

Judging by the detailed synopsis, this looks like an ideal course for management and will benefit both the attendees (by dispelling the common myths and misunderstandings surrounding ‘cyber' threats) and the staff who work for them. The coverage is extensive and the course could perhaps be subtitled 'How to know if your vendor or techies are trying to scare you!'

The ‘SensePost HBN Developer Edition' course is a hands-on introduction to identifying and removing vulnerabilities in web applications. Programming language neutral, the course is aimed at developers and is delivered by Ian de Villiers of SensePost and Daniel Cuthbert of the Open Web Application Security Project (OWASP).

If you want to avoid being the next announcement on the LulzSec Twitter feed, this course will certainly pay for itself in application security improvements in no time.

Finally, the TigerScheme QSTM examination from Encription gives you the ideal opportunity to get a well-established penetration testing qualification that is recognised by CESG for the CHECK scheme. Successful candidates will receive a University of Glamorgan certificate and three-year membership of the TigerScheme.

The 44Con training page has been amended to include details of the new courses and many of the other courses now have more detailed synopses, so it is well worth checking out.

All of the 44Con courses are competitively priced, include refreshments and come with free entry to the conference, which itself promises to be a great way to enhance and update your security knowledge.

Also recently announced is the 44Con ‘capture the flag' contest, where groups of attackers will compete to exploit and subsequently defend a diverse and novel collection of IT systems. Prizes will be offered for the overall winner and also the best attackers and defenders. See http://www.44con.com/ctf.html for details.

Finally, the videos of many of the excellent talks from the BSides London event are now available for free at http://blip.tv/bsideslondon. There's a diverse collection of topics and they are all well worth the time. If you check out Alec Muffett's great ‘Sex, lies and instant messenger' talk you can even hear me contributing in the Q&A (but thankfully not see me!).

 

The summer for remote connectivity begins now

July 27, 2011

As children break up from school for the summer holidays and trips away from home are planned, the subject of remote workers and the problems surrounding external access arises.

While the challenge of managing personal devices has been well documented, remote workers accessing the network externally presents its own challenges too. Do you provide a VPN for them to connect securely through and if so, how do you ensure that they will use that capability to connect into the network?

Also, if someone does use a corporate-owned or approved device, how can you be sure that security updates and patches are pushed out and applied if an employee is out of the perimeter for one or two weeks?

To get an idea of the scale of likely remote connections this summer, a recent survey of 1,000 city workers during July 2011 found that 73 per cent of workers will check their emails whilst on holiday, while 83 per cent of C-level staff will be in touch with their offices throughout their entire vacation.

According to the survey, of that 73 per cent, 54 per cent will check emails at least once a day, while 41 per cent will take a mobile device on holiday for work purposes.

Andy Cordial, managing director of Origin Storage, which conducted the survey, acknowledged that when corporate information is accessed from a mobile device, whether personal or company owned, and that device is misplaced, there are consequences.

“Who is to blame? Is it the employee who just can't let go or the employer for making them feel that they have to be accessible in the first place? Regardless of why it's happening, our advice to the corporate world is: if you expect to contact your staff while away then it is down to you to secure their devices,” he said.

However, remote working is something to be prepared for throughout the year, with union and transport strikes not uncommon. Another survey of 1,000 commuters by SecurEnvoy found that 55 per cent of respondents believe that the threat of future strikes would encourage their employers to introduce IT measures that would allow them the flexibility to work from home, should they be affected in the future.

The survey also discovered that the majority of people who are able to work from home do so securely. It found that 89 per cent use a secure connection when communicating with the office, while 44 per cent use a password and two-factor authentication technology.

Bernard Parsons, CEO of Becrypt, whose Trusted Client solution has won the SC Magazine best remote access award for the last three years, said that this is one of the demands that IT managers have to face with workers these days.

He said: “One of the main problems has been business continuity. How do you enable business continuity for workers and guarantee connection for mobile workers? With the US it has been teleworkers with federal departments obliged to provide devices for teleworkers and companies recognise this in terms of the quality of life.

“Honestly it is no longer good enough to be on a home-based machine and this has raised awareness of threats, as companies have allowed employees to enter via their own home machine, we are the only one on the market to offer a service to scale to demand.”

If you are not offering a secure connection, this is the season to be prepared, as the year of consumerisation meets a summer of connection.

 

Pwnie award shortlists announced

July 25, 2011

The shortlists have been announced for this year's Pwnie awards.

The awards are set to be presented at an event to coincide with this year's Black Hat USA conference in Las Vegas, Nevada next week. A total of nine awards will be presented, including best server-side bug, best client-side bug, best privilege escalation bug, most innovative research, most epic fail, epic 0wnage and ‘lamest vendor response'.

Sony has received five nominations for the Pwnie for ‘Most Epic Fail', including one nomination for releasing ‘a significant number of their network security team'.

In the nominations for the Pwnie for ‘Epic 0wnage', that ‘goes to the hackers responsible for delivering the most damaging, widely publicised or hilarious 0wnage', are Anonymous for hacking HBGary, LulzSec for hacking everyone, Stuxnet and Bradley Manning and WikiLeaks.

An award will also be given to ‘best song' and videos can be seen on the official website http://pwnies.com/nominations/.

At last year's awards, the award for best server-side bug went to Apache Struts2 framework remote code execution (CVE-2010-1870), while the best client-side bug went to Java trusted method chaining (CVE-2010-0840).

The award for best privilege escalation bug went to the Windows NT #GP trap handler (CVE-2010-0232), and for most innovative research to Dionysus Blazakis for Flash pointer inference and JIT spraying. The Pwnie for ‘most epic fail' went to the Microsoft Internet Explorer 8 XSS filter, which was released with built-in cross-site scripting filters that, for nearly a year after release, enabled cross-site scripting on otherwise secure sites.

 

Credit card trafficker and hacker sentenced to ten years in jail

July 25, 2011

A man has been sentenced to ten years in jail for stealing 675,000 credit card numbers that led to $36 million (£22 million) in losses.

According to the Washington Times, Rogelio Hackett Jr. was sentenced in a Virginia court to ten years in jail and ordered to pay a $100,000 (£61,000) fine on charges of trafficking credit cards and aggravated identity theft.

The weight of the sentence was described as a ‘strong deterrent to others who may be tempted to engage in identity theft' by US attorney Neil H. MacBride for the Eastern District of Virginia.

According to court documents, US Secret Service agents executed a search warrant in 2009 at Hackett's home and found more than 675,000 stolen credit card numbers and related information in his computers and email accounts.

Hackett admitted to trafficking credit card information, obtained either by hacking into business computer networks and downloading credit card databases or by purchasing the information from others using the internet through various carding forums since 2002.

Credit card companies have identified tens of thousands of fraudulent transactions using the card numbers found in Hackett's possession, totalling more than $36 million.

 

BlackBerry PlayBook gets the thumbs up from the US federal government

July 22, 2011

The BlackBerry PlayBook has been selected as the first tablet certified for deployment within US federal government agencies.

The PlayBook has Federal Information Processing Standard (FIPS) 140-2 certification received from the National Institute of Standards and Technology (NIST), which is required under the Federal Information Security Management Act of 2002 (FISMA).

Launched earlier this year, the PlayBook has been sold on the same security capabilities as the smartphone, while other devices have been snubbed for their locked or open source operating systems.

Does this mean that the PlayBook could become the primary choice for governments? The Apple iPad proved to be a capable option for the Norwegian Prime Minister Jens Stoltenberg when he found himself stranded in New York due to the Iceland ash cloud last year, but this was more of a case of necessity than choice.

It was recently suggested to me that security departments will look to the UK accreditation body CESG (the information assurance arm of GCHQ, the UK Government Communications Headquarters) for approved solutions. At present, CESG does not have any approved tablet devices but it has approved the BlackBerry Enterprise Server.

Described as a ‘multi-tasking powerhouse' in its adverts and as an ‘ultra-portable tablet that fits comfortably in one hand' in its marketing, according to Research in Motion, the PlayBook allows for secure pairing with BlackBerry smartphones via the BlackBerry Bridge application, which enables users to access their BlackBerry smartphone's email, calendar, address book, memo pad, task list, BlackBerry Messenger and browsing functionality using the larger display on the tablet.

The company was in no doubt as to the importance of US federal government approval to its security focus. Scott Totzke, senior vice president of BlackBerry security at Research in Motion, said: “This certification demonstrates our continued commitment to meeting the needs of security-conscious organisations and enables the US federal government to buy with confidence knowing that the PlayBook meets their computing policy requirements for protecting sensitive information.”

CESG were unable to tell me if there was any testing being done on other devices, but this could be a major stepping-stone for global acceptance of tablet and ‘consumer' devices in the workplace. After all, if it is good enough for the US government, then many others may follow.

 

44Con training schedule and first security professional track speaker announced

July 07, 2011

The upcoming 44Con security conference has announced its training line-up to run on the two days preceding the conference and the first speaker in the 'Infosec specialist' track.

Alex Lucas, currently a principal security development manager at Microsoft, will be speaking on the role of the security development lifecycle in improving the security of large projects, a topic of great interest to most commercial development organisations.

For the first time, the authors of the Web Application Hacker's Handbook are running a course on the content covered in its soon-to-be-released second edition. Widely recognised as one of the best technical resources on web security, and ranked number one in Amazon's web security section and number three in its network security section, the handbook is a detailed guide to the practical security issues surrounding web applications. Because the course is taught by the authors, it offers first-hand knowledge and insight into the latest web application security issues.

Traditional topics such as database and wireless security are also well covered. The wireless security training includes live ‘hands on’ work and is run by Vivek Ramachandran, founder of securitytube.net, who is well known for his work on wireless security attacks and defences, in particular the ‘Café Latte’ attack, which allowed WEP cracking for the first time without prior access to the wireless LAN itself.

The Oracle security course covers both attacks on Oracle and how they can be mitigated by secure development practices, so it will be of interest to database developers, penetration testers and technical security staff.

Social engineering is a mainstay for both penetration testers and criminals and is currently a hot topic in information security. In a course on social engineering tailored for the IT professional, Sharon Conheady and Martin Law will cover the theory and practice of integrating social engineering into security evaluations and penetration tests, with a particular focus on the tricky topic of keeping such tests ethical.

Social engineering is often an extremely cost effective attack and one that most technological barriers are powerless to prevent, so a thorough knowledge of it is valuable for any security professional.

With the increased deployment and associated security issues of mobile technologies, ensuring the security of applications that are deployed on them is an important issue and 44Con's Android security workshop will provide a detailed explanation of the security issues surrounding the Android platform from both a developer and a security auditor perspective.

Finally, Adam Laurie and Zac Franken are presenting a course on RFID technology security. Given the widespread deployment of RFID tokens in security access control systems, understanding its weaknesses and how they can be addressed is essential to ensure that such systems are deployed correctly and do not offer a false sense of security.

The 44Con training sessions are competitively priced and run on the 30th/31st August, immediately preceding the 44Con conference itself. Attendees get free admission to the full conference included in the training price. Full details and booking information are at http://www.44con.com/training/

 

Solving the problem of disappearing documents

July 05, 2011

Given the problems that missing documents cause and their relation to data breaches, I recently spoke to a company with a solution that aims to address them.

Formed in 2007, Israeli company Watchdox created a technology that fingerprints a document when it is sent and allows it to be tracked along its path to the recipient. According to Watchdox's VP of marketing and business development Adi Ruppin, this offers more than encryption or data loss prevention (DLP) because the protection is embedded in the document itself.

Ruppin said: “A digital rights management (DRM) solution is often so complicated that people do not know how to use it. Often people will work around it; what we have is more traditional and easy to use, and it can be provided as a Software-as-a-Service (SaaS) service.

“You can wipe out documents or revoke them so they cannot be accessed anymore. There is a plug-in for Outlook so every document has a policy and you can give different levels of permission: tracking only or enforcement, and if you have enforced everything, you can revoke if it is compromised.”

When I asked Ruppin where this sort of technology has been deployed, he said that one customer set is Hollywood studios protecting scripts, as well as more typical enterprises that need to protect sensitive documents.
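To make the two permission levels Ruppin describes concrete, here is an added example of a per-copy document registry. It is hypothetical code written for this article, not Watchdox's product: each sent copy is fingerprinted with a keyed hash, carries a policy of either ‘track’ or ‘enforce’, logs every access along its path, and can be revoked. The names (`DocumentRegistry`, `Policy`, `SERVER_KEY`) and the sample document are all constructed. The point it makes visible is the caveat behind “if you have enforced everything, you can revoke”: in track-only mode a revoked copy is still logged but still opens.

```python
"""Per-copy document policy registry: an added, hypothetical example (not
Watchdox code).  Each sent copy is fingerprinted, carries a 'track' or
'enforce' policy, logs every access, and can be revoked.  Revocation only
bites in 'enforce' mode; 'track' mode records the access but cannot stop it.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed server-side key; a real service would hold this in an HSM/KMS.
SERVER_KEY = b"example-only-registry-key"


@dataclass
class Policy:
    mode: str                          # "track" (log only) or "enforce" (log and control)
    allowed: frozenset = frozenset()   # recipients permitted to open (enforce mode)


@dataclass
class Copy:
    content_hash: str        # which document this copy is
    recipient: str           # who it was sent to
    policy: Policy
    revoked: bool = False
    access_log: list = field(default_factory=list)


class DocumentRegistry:
    def __init__(self):
        self._copies: dict[str, Copy] = {}

    def send(self, content: bytes, recipient: str, policy: Policy) -> str:
        """Fingerprint this copy at send time: a keyed hash over a fresh nonce,
        the content and the recipient, so two copies of the same document get
        distinct ids that a third party cannot forge."""
        nonce = os.urandom(16)
        fingerprint = hmac.new(SERVER_KEY, nonce + content + recipient.encode(),
                               hashlib.sha256).hexdigest()
        self._copies[fingerprint] = Copy(hashlib.sha256(content).hexdigest(),
                                         recipient, policy)
        return fingerprint

    def open(self, fingerprint: str, user: str) -> tuple[bool, str]:
        """Viewer callback: log the attempt, then apply the copy's policy."""
        copy = self._copies.get(fingerprint)
        if copy is None:
            return False, "unknown copy"
        copy.access_log.append(user)
        if copy.policy.mode == "track":
            return True, "tracked only"          # visibility, no control
        if copy.revoked:
            return False, "revoked"
        if user not in copy.policy.allowed:
            return False, "not permitted"
        return True, "permitted"

    def revoke(self, fingerprint: str) -> None:
        self._copies[fingerprint].revoked = True

    def trail(self, fingerprint: str) -> list[str]:
        return list(self._copies[fingerprint].access_log)

    def copies_of(self, content: bytes) -> list[str]:
        """Which recipients hold copies of this document (useful in breach triage)."""
        h = hashlib.sha256(content).hexdigest()
        return [c.recipient for c in self._copies.values() if c.content_hash == h]


def demo() -> dict:
    """Walk through enforce vs track mode with a constructed document."""
    reg = DocumentRegistry()
    script = b"SCENE 1 - constructed sample document"
    enforced = reg.send(script, "alice@studio.example",
                        Policy("enforce", frozenset({"alice@studio.example"})))
    tracked = reg.send(script, "bob@agency.example", Policy("track"))
    results = {
        "alice_opens": reg.open(enforced, "alice@studio.example"),
        "mallory_opens": reg.open(enforced, "mallory@leak.example"),
    }
    reg.revoke(enforced)
    reg.revoke(tracked)
    results["alice_after_revoke"] = reg.open(enforced, "alice@studio.example")
    results["bob_after_revoke"] = reg.open(tracked, "bob@agency.example")
    results["enforced_trail"] = reg.trail(enforced)
    results["holders"] = sorted(reg.copies_of(script))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The registry never stores the document, only its fingerprint and policy, so the viewer must call back before rendering; that call-back is what turns ‘tracking’ into an audit trail and ‘enforcement’ into a gate.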

Typically SaaS-based, the company recently launched a virtualised appliance version of the technology to enable an on-premise offering. According to the company, the virtual appliance addresses the needs of organisations that are required to meet specialised, strict security and privacy requirements.

Ruppin said that the channel has been waiting for a secure document exchange solution that can be deployed both as a cloud and as an on-premise solution and this allows companies to deploy advanced, scalable document security with no hardware or software installation.

A private cloud option offers dedicated cloud configurations for large customers as it gives organisations their own dedicated server infrastructures that are not shared with any other customer. The virtual appliance will be widely available in Q3 of 2011.

Ruppin told SC Magazine that the idea came from wanting to offer a range of options. “With SaaS it is easy and everyone has been using it, but also private cloud is being introduced and you can locate a specific data centre if you want to, so you know where the data is being hosted,” he said.

“For the virtual application, we repackaged the cloud offering into a form factor so it is the same offer to host internally. We see companies with the requirements to do this where a virtual application comes in and we see virtually any use for it.”

When I asked Ruppin about the future and the company's next steps, he said that he expects more movement in mobile devices, specifically tablets, as security is needed there in some form. He said: “You do get some security with a PC to encrypt it. There will be a few additional functions for the iPad in the next month. We focus on the last user, and make sure that it does not leak once it gets to its destination so it makes sense to use in conjunction with encryption.”

 

Canadian data breach causes Durham residents to 'not be another victim'

June 30, 2011

With every data breach there is a victim.

While it may often ‘just' be a username, password or email address that is leaked, someone is bound to be affected. The announcement of a potential compromise of data could scare some more than others.

That said, some people are blasé about data breaches, so probably don't really care. So, in an ‘anonymous henchman’ style, does anyone really care about the victim?

Well, maybe a recent class action suit could cause someone to take action. In a report I read recently, around 80,000 people are seeking $40 million in compensation for their data, which the Canadian Durham region lost on an unencrypted USB flash drive.

According to durhamregion.com, the data was personal information about people who had been vaccinated against the H1N1 flu virus. The class action suit was given the go-ahead by Justice Peter Lauwers of the Ontario Superior Court of Justice in late April, with Bowmanville resident John Sherlock Rowlands appointed as the 'representative' of the class.

It said that among the claims in the suit are that the region was negligent, there was a breach of a fiduciary duty, violation of privacy and breach of the Canadian Charter of Rights and Freedoms.

The USB key was lost in the parking lot of the regional headquarters by a public health nurse in December 2009. On the key was information on the 83,524 people who had been vaccinated between October 23rd and December 15th, 2009, at flu vaccination clinics provided by the regional health department.

The information included names, addresses, phone numbers, dates of birth, health card numbers, the name of a primary physician and personal health information provided when they got the vaccination.

Anders Kjellander, chief security officer at Blockmaster, said: “It is apparent that the loss of the data is catastrophic for everyone included; the person that lost the device, the organisation that has acted negligently and the people that had their information exposed, all are in a very painful situation.”

 

Email filtering for mobile phones from janusNET the latest solution for device management

June 26, 2011

At the recent SC Magazine conference on securing and managing mobile devices I met with a new vendor in the sector.

Based in Sydney, Australia, janusNET offers email filtering technology that needs no software on the mobile, so there is no dilemma for a business when the device is personally owned.

Managing director Greg Colla said that the janusNET technology separates the LAN from the mobile, connects to the Exchange server and allows for layered best-of-breed deployment to the server.

Colla said that often a problem with mobile security software is that it affects the performance of the device and annoys the user, so technology needs to be transparent to the user so that they have control.

“With email encryption you might forget to select it and if it is going outside your country it may go via somewhere where traffic may be monitored, so we brought in a policy to enable a civil servant to classify information,” he said.

“So when you send a message, you must be able to classify it and prior to policy, you use a secure network but the problem is a user does not know what a secure network is, so all backend rules should be automated.”

The janusGATE technology lets users connect to the Exchange server via ActiveSync. Before a message leaves the firewall and the organisation, it can be inspected for keywords and attachments; if an important document is about to be sent, an administrator can classify it as sensitive and deliver a notification to the recipient informing them that this is not permitted.
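The inspection step described above is, in effect, an outbound mail policy gateway. The following is an added, hypothetical example of that step written for this article; it is not janusNET's code and assumes its own constructed classification rules (`KEYWORD_RULES`, `SENSITIVE_ATTACHMENT`) and an internal domain of `example.com`. It parses a message as a gateway would, classifies it from subject, body and attachments, and returns one of three decisions: deliver, deliver-and-log (tracking) or block-and-notify (enforcement). The sample messages are constructed, not real traffic.

```python
"""Outbound e-mail policy gateway: an added, hypothetical example (not
janusNET code).  Before a message leaves the organisation, inspect subject,
body and attachments against a classification policy, then return a decision
the gateway can act on: deliver, deliver-and-log, or block-and-notify.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

LEVEL_ORDER = ["public", "official", "restricted"]   # lowest to highest

# Constructed classification rules; a real policy would come from the gateway's admin.
KEYWORD_RULES = {
    "official":   re.compile(r"\b(internal use only|draft policy)\b", re.I),
    "restricted": re.compile(r"\b(board pack|merger|payroll)\b", re.I),
}
SENSITIVE_ATTACHMENT = re.compile(r"(customer|salary|export).*\.(xlsx?|csv|db)$", re.I)


def _raise_level(current: str, new: str) -> str:
    return new if LEVEL_ORDER.index(new) > LEVEL_ORDER.index(current) else current


def classify(msg: EmailMessage) -> tuple[str, list[str]]:
    """Return (classification, reasons); the highest matching level wins."""
    level, reasons = "public", []
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + "\n" + (body_part.get_content() if body_part is not None else "")
    for name, rx in KEYWORD_RULES.items():
        if rx.search(text):
            reasons.append(f"keyword rule '{name}' matched")
            level = _raise_level(level, name)
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if SENSITIVE_ATTACHMENT.search(fname):
            reasons.append(f"sensitive attachment '{fname}'")
            level = _raise_level(level, "restricted")
    return level, reasons


def gateway_decision(raw: bytes, internal_domain: str) -> dict:
    """Parse the raw message as the gateway sees it and decide what to do."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    level, reasons = classify(msg)
    recipients = [a.addr_spec for a in msg["To"].addresses] if msg["To"] else []
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    if level == "restricted" and external:
        action = "block"              # enforcement: it does not leave
    elif level != "public":
        action = "deliver_and_log"    # tracking: allow, keep an audit record
    else:
        action = "deliver"
    notice = None
    if action == "block":
        notice = (f"Delivery to {', '.join(external)} blocked: message classified "
                  f"'{level}' ({'; '.join(reasons)})")
    return {"action": action, "level": level, "reasons": reasons,
            "external": external, "notice": notice}


def build_sample_message(to: str, subject: str, attach_csv: bool) -> bytes:
    """Constructed sample traffic for the example; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content("Figures attached, please keep internal.")
    if attach_csv:
        msg.add_attachment("name,salary\nalice,50000\n", subtype="csv",
                           filename="salary_export.csv")
    return msg.as_bytes()


if __name__ == "__main__":
    for to, subj, att in [("bob@partner.example", "Q3 payroll figures", True),
                          ("carol@example.com", "Q3 payroll figures", True),
                          ("bob@partner.example", "Lunch?", False)]:
        decision = gateway_decision(build_sample_message(to, subj, att), "example.com")
        print(to, "|", subj, "->", decision["action"], decision["notice"] or "")
```

Inspecting the message after it has been serialised, rather than trusting the client's own classification, is what lets the same rules apply to an unmanaged personal device: the phone needs no agent, because the decision is made at the gateway.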

Colla said: “At an organisation, an architect can use the best solution and allow a 'bring your own device' (BYOD) policy. They can use a complete Active Directory group to subscribe users to a policy on deployed devices so they are locked down and you can set policy to protect information to the phone. With the non-approved devices it is less so, as you cannot lock down the phone, but it will allow filtered information.”

He concluded by talking about the ability to decrypt an encrypted message on a phone, noting that decryption applications are available, but said what will be interesting is when the operating system can decrypt itself.

The debate on mobile device management will roll on and on, but so will the solutions.

 

Former employee hijacks CEO presentation with pornography

June 24, 2011

As LulzSec has proved with its recent antics, it sometimes takes an attack to demonstrate how secure your systems are.

Whether it is penetration testing or simple configuration, if someone informs you that there is a security issue that is related to your company then it is probably best not to ignore it. On the other hand, it can take a prank to prove a point. A couple of years ago a Macworld keynote was interrupted when Phil Schiller's presentation was hijacked, with messages posted that Steve Jobs had died.

A not too dissimilar report emerged this week stating that a former employee of Baltimore Substance Abuse Systems had hacked into the chief executive's presentation and replaced it with pornography. According to media reports, Walter Powell was fired from his job at the company in 2009 and began hacking into the computer network. The incident with the presentation to the board of directors landed him with a two-year suspended sentence, 100 hours of community service and three years of probation.

Graham Cluley, senior technology consultant at Sophos, said that this sort of case underlines the importance of having processes in place when staff leave, including changing passwords and removing access rights.

Marc Lee, sales director for EMEA at Courion, said: “While we all hope that our trusted employees don't do anything malicious and most of the times they don't, when they do it can be costly and devastating.

“It is important to make sure that those who have the ‘keys to the kingdom' are also overseen. Using access assurance solutions, including privileged account management that enables organisations to require administrators to ‘check out' privileged credentials, can better track which individuals are using and have access to these credentials.”

While Powell's actions may be harmful to the company, I am sure the CEO is glad that this was only a presentation to the board and not to shareholders or customers. Then the results could have been a lot more embarrassing.
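Cluley's leaver process and Lee's point about overseeing privileged credentials both come down to a periodic cross-check. The following is an added example written for this article, not code from Sophos, Courion or the company involved: it compares a constructed HR leavers list against a constructed directory export and a constructed privileged-credential check-out log, and emits one finding per gap with the remediation to apply. All names, groups and dates are made up for the example.

```python
"""Leaver access audit: an added, hypothetical example (not from Sophos or
Courion).  Cross-checks an HR leavers list against a directory export and a
privileged-credential check-out log, and lists the actions the text calls
for: disable the account, strip privileged groups, rotate shared credentials
the leaver checked out.  All data below is constructed.
"""
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "AV-Room-Admins", "Finance-DBA"}

# Constructed HR feed: who left and when.
LEAVERS = [{"user": "jdoe", "left": date(2011, 3, 31)}]

# Constructed directory export (what an AD user dump might look like).
DIRECTORY = [
    {"user": "jdoe",   "enabled": True, "groups": ["Domain Users", "AV-Room-Admins"],
     "last_logon": date(2011, 6, 20)},
    {"user": "asmith", "enabled": True, "groups": ["Domain Users"],
     "last_logon": date(2011, 6, 23)},
]

# Constructed privileged account management log: shared credentials checked
# out by name, and whether that credential was rotated afterwards.
CHECKOUTS = [
    {"user": "jdoe",   "credential": "boardroom-av\\admin", "checked_out": date(2011, 3, 15), "rotated_after": False},
    {"user": "jdoe",   "credential": "svc-backup",          "checked_out": date(2011, 2, 1),  "rotated_after": True},
    {"user": "asmith", "credential": "svc-backup",          "checked_out": date(2011, 5, 9),  "rotated_after": False},
]


def audit_leavers(leavers, directory, checkouts) -> list[dict]:
    """Return one finding per control gap, each with the remediation to apply."""
    by_user = {a["user"]: a for a in directory}
    findings = []
    for lv in leavers:
        user, left = lv["user"], lv["left"]
        acct = by_user.get(user)
        if acct is None:
            continue  # already removed from the directory: nothing to do
        if acct["enabled"]:
            findings.append({"user": user, "issue": "account still enabled",
                             "action": "disable account and reset password"})
        if acct["last_logon"] and acct["last_logon"] > left:
            findings.append({"user": user,
                             "issue": f"logon on {acct['last_logon']} after leaving date {left}",
                             "action": "investigate activity since leaving date"})
        for group in acct["groups"]:
            if group in PRIVILEGED_GROUPS:
                findings.append({"user": user,
                                 "issue": f"still member of privileged group {group}",
                                 "action": f"remove from {group}"})
        # A checked-out shared credential is known to the leaver until rotated,
        # whatever happens to their personal account.
        for co in checkouts:
            if co["user"] == user and not co["rotated_after"]:
                findings.append({"user": user,
                                 "issue": f"knows shared credential {co['credential']} "
                                          f"(checked out {co['checked_out']})",
                                 "action": f"rotate {co['credential']}"})
    return findings


if __name__ == "__main__":
    for f in audit_leavers(LEAVERS, DIRECTORY, CHECKOUTS):
        print(f"{f['user']}: {f['issue']} -> {f['action']}")
```

The check-out log is the part a plain account review misses: disabling the leaver's own account does nothing about a shared administrator password they were handed, which is why the passage pairs offboarding with privileged credential management.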

 