Monday, February 07, 2011

Welcome To 2011, Year Of The Rabbit

This year our normal New Year message to clients and partners comes exactly one month late. Another way to look at it (with the Chinese New Year starting February 3rd) is that we are bang on time.

一个好年头 (Another Good Year)
2010 was another year of growth for 360is with more clients in new sectors and a formalised datacenter performance practice. We deepened our profile in Private Equity with more virtualization projects (VMware and XenServer), and in mainstream Investment Banking with more VDI (VMware View and XenDesktop) assignments. Our Security practice continued with steady growth, and included new business from UK-based online gaming and "dotcom" sectors. 360is now counts among its clients several of the UK's fastest growing and "best to work for" companies. While the UK economy may have disappointed in December (particularly retail), through 2010 we saw our Financial Services, Mining/Metals, and Hi-tech Manufacturing clients rebound.

年更强 (Stronger In 2011)
The outlook for Q1 2011 is better than many thought. For the services sector at least, it looks like the December 2010 disappointment really was snow related, or was everyone at home with flu? This year promises more investment activity, increasing demand for raw materials (China again), and growing orders for our UK Hi-tech manufacturers.

We expect the trends of 2009-2010 to continue for 360is:
  • Increasing average project size
  • Steady rate of new client acquisition
  • Increasing number of projects per client
  • Steady geographical focus on UK, South East
  • Increasing client diversity beyond historic finance/telecoms base
  • Steady ratio of bookings to billings to backlog, no credit risk
  • Conservative recruitment strategy focused on "talent" not "resource"

科技是一个礼物 (The Gift Of Technology)
What technological gifts did 2010 bring our clients, and how can we best use them to increase their prosperity in 2011?

Multi-Core Systems
Multi-core systems have been around since at least 2005. One fact of which you may not be aware is that x86-64 CPU manufacturers have long since given up on making CPU cores go faster. Faster cores require more exotic materials, more expensive cooling apparatus, more complex micro-architectures with only marginal performance gains, and present all sorts of problems with manufacturing yield. That last point frightens shareholders to death. Instead, today, Intel and AMD devote most of their efforts to making more cores per square millimeter of silicon. More cores means more processing capability. Problem solved, right? Not really.
While increasing the number of cores (made possible as transistors get smaller) does increase theoretical performance, in practice this must be balanced with the right amount of memory bandwidth and the right core-to-core interconnect design. Even then, our problems have only just begun. The fact is that most software does not take great advantage of multiple cores; more serious still, most programmers lack parallel programming skills. Finally, there are many classes of computational problem which are serial in nature and are never going to gain much from running on a multi-core CPU.
Won't Microsoft/Oracle/IBM/VMware sort all this out for me? Not really.
While technologies like virtualization (whole-system or zone-based) allow you to run many workloads on a single CPU (keeping many cores occupied at once), they do nothing to speed up the execution of any one task or thread of activity. In order to speed up your IT from the end-user's perspective you may have to resort to more carefully considered system performance tuning, and that may require a deeper understanding of systems hardware and application software than your staff possess. The really big gains in performance can't be had by simply adding a product here and a patch there.
360is consultants have extensive experience in squeezing the maximum performance out of an infrastructure. Using a toolkit of repeatable intellectual property we are often able to increase performance even for serial, single threaded processing through our formal methods approach. Find out more about our performance practice.

Non x86-64 Servers And Other Novel Hardware
If, like most of our clients, you are in the UK, then IBM Power CPUs calculate your insurance premiums, Oracle SPARC processors compute your taxes, and Intel Itanium keeps your commuter train running on time (mostly). If you are out of work, then it's an IBM z10 CPU that you have to thank for paying your benefits. While Intel or AMD x86-64 systems dominate in the front office, the back office is more mixed, and with good reason. No, these particular systems do not run Windows or Linux.
This year x86-64 front-office systems will be joined by new servers based upon ARM, Loongson, Atom, and SPARC-T3 CPUs. So the next time you visit your hosted/colocated systems in a shared datacenter, keep an eye out for them. If you want to know how these systems might provide a competitive advantage to your business, get in touch. 360is has a record of working with novel hardware platforms that increase the profitability of our clients.

The Inevitable Spread Of Productivity Services
Technology vendors continue to channel hundreds of millions of pounds a year from their marketing budgets into rebranding products and services "for the cloud". At 360is we call this "cloudwashing"; it's much like the "greenwashing" that the same vendors underwent a few years ago. However, through the fog of cloudwashing there is value and real adoption happening in the world of cloud services. At 360is we are users of cloud-based productivity tools like Evernote, Dropbox, ManyEyes, and Google Chrome (as a tool to access other Google services). These productivity services offer an inbuilt ability to work anywhere, on any device, over any network. Whether or not they conform to your security policy, your users will soon be using services like these. If they make life easier then they will spread in the same way that instant messaging spread a decade ago.
360is can help you select and standardise upon productivity tools and provide secure remote access to your confidential information.

VDI - Virtual Desktops - Desktop As A Service
Virtual Desktop deployments continue to grow in number as both large and small clients display increasing acceptance of this method of desktop delivery to end users. The primary drivers for VDI deployment remain:
- Avoidance of desktop hardware refresh
- Ease of migration to Windows 7 from XP
- Stronger Disaster Recovery/Business Continuity
- Ability to manage/maintain more desktops with fewer/static IT staff
360is have executed a number of virtual desktop projects using all the major vendor products for large and small organisations in the public and private sector, using a variety of endpoints including thin clients, tablets, and mobile devices. Find out how.

If you would like to discuss any of what you have read about with one of our consultants then we would be happy to meet with you at your offices or at our London or Wokingham sites. Simply get in touch.

All that remains is for us to say Happy New Year and finally "gung hay fat choy" (*)
(*) "may you become prosperous"

WikiLeak's Lessons For UK Information Security Professionals

“A government is the only known vessel that leaks from the top” - James Reston, Journalist

Rarely does a story with a strong Information Security thread garner quite so much attention in the mainstream press. However, when the leaking of secret state information is combined with pent-up public interest in subject matter like current and future adventures in the middle east, climate change, the banking crisis, and international relations, demand meets supply and column inches result.

The WikiLeaks publication of US State Department cables in November/December 2010 was featured in the recent Q4 2010 issue of Executive Intelligence, the 360is Quarterly for UK CSOs/CIOs and IT Security Directors:

"On November 28th, the whistle-blower web site WikiLeaks began disclosing the first 220 of 251,287 US State Department cables dating from 1966 to 2010. These cables ranged from SECRET//NOFORN to UNCLASSIFIED in their protective marking, and contained many unguarded, frank, and often critical comments from US diplomats on a range of subjects."
Putting to one side the virtues or vices of making this particular information public, what lessons can we learn from it as Information Security professionals? What actions should we propose to our directors while the subject of information security is fresh in the mind of the main board? What tactical, practical advice can we put into action in light of what this WikiLeaks episode has taught us?

Information Security problems of this type are a subject that many find difficult to discuss. For the most part we are talking about the actions of insiders: employees, contractors, or close members of your supply chain. Managers find the broad subject of insiders harder to broach than that of the threat from external attack. However, most of the practical advice we have for our clients is around process rather than people, and can be implemented without alienating staff or making them feel spied upon.

(1) Recognise Where You Are Vulnerable
As with external Information Security threats, the key to improving your internal Information Security posture is to first recognise where you are vulnerable. Understanding your current vulnerability to leaks should be a part of formal Information Risk Management. Make a start by writing down answers to the following questions:

  • Where is confidential information kept in your organisation?
  • In how many different places can it currently be found?
  • Are multiple copies routinely created of confidential information?
  • How many different access methods are there to this information?
  • What size community of users have access to it?
  • What controls are there over who can access what, where, and when?
Armed with answers to these questions and the rest of this article, you may begin a process of prioritisation, focusing on where your most leak-worthy data is kept. Target areas where the greatest quantity of the most confidential information is held, made available to the largest user community, with the minimum of controls.

The full details of how the US State Department leak came to pass have yet to be released and may never be fully disclosed. However, given the current speculation that a relatively low-level, young Private of a few years' service had access to all this material, and did not arouse suspicion when extracting it, the US State Department would score very low on any Information Security scorecard one can imagine.

(2) Know If You Are A Target
Some organisations attract leaks because they are repositories for particular confidential information, or because the information they hold is highly newsworthy; others find themselves subject to leaks because their employees sometimes struggle with difficult and conflicting concerns about the nature of their work. While your newsworthiness may fluctuate over time, certain sectors tend to experience a perennial popularity with leakers. If you are in the energy, pharmaceutical, government, or banking sectors, you should consider yourself a prime candidate for leakers at this time. Companies engaged in arms manufacture or doing any kind of business in troubled parts of the world are likewise a target. Are you an aggregation point for sensitive information from several of the sources above? If you operate a law or consultancy firm, or other business where you are entrusted with sensitive information from clients in these industries or geographies, then you will be a target for leaks.

As both a prominent government office and an aggregation point for all types of sensitive information from diplomats around the world, the US State Department is one of the more likely targets for leakers.

(3) Diligence And Statutory Obligations (Compliance)
As a minimum, you as the designated Information Security officer should ensure your organisation's awareness of, and adherence to, the minimum standards for compliance. As CSO (or equivalent; most UK firms do not have a CSO), failure to do so will eventually end up being a problem that lands at your office door. Confidentiality and privacy are key tenets of several pieces of compliance legislation designed to protect the information of individuals, particularly where you may be required to hold personally identifiable information. However, you may have obligations even if you do not handle this kind of information. Of particular relevance to UK companies are the Data Protection Act, the UK Corporate Governance Code, the Freedom Of Information Act, and for many, PCI. All of these have Information Security connotations, although some are more oblique than others.

Although the US State Department may not be subject to the same compliance legislation as your organisation, they failed to honour even basic obligations (be they explicit or assumed) in keeping sensitive information confidential.

(4) Segment Your Data
Do you currently segment your sensitive information, or do you maintain a single monolithic store for all confidential material? If a potential leaker were to gain access to that store, what is the scope of disclosure that you might suffer? By segmenting your sensitive data you have a better chance of limiting the scope of a leak.

  • Segment by status: active client versus inactive/former clients.
  • Segment by "security level" of the information: secret, confidential, unclassified.
  • Segment by time: don't keep files for completed projects with the currently open client files.
  • Segment by user/group: litigation versus patent, analysts versus sales, buy-side versus sell-side.
Segmenting your sensitive information sounds complicated but it can be as simple as not keeping project files older than 3 months in the same place as current files, along with a process for individuals to obtain access to the archive with the proper authorisation and oversight. Increasingly, Email is used as a long term information store. Ignoring the huge problems created by doing that, secure Email archiving and retrieval products can facilitate the same segmentation of Email that you would have with traditional file stores.

Enforcing the most basic file-folder security on drive shares (by user, by group), or more complex access control lists (if supported by your storage) can dramatically reduce your vulnerability to a State-Department-sized leak.

Finally, do you individually encrypt the most sensitive documents or indeed any documents in your organisation? Encryption of individual documents, or individual client folders is another way of limiting widespread uncontrolled disclosure of confidential information. It is not difficult to imagine a regime of individual passwords for individual projects, clients, or business units.
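The questions in (1) and the segmentation advice above can be turned into a small, repeatable triage. The following is an added illustration, not 360is tooling or anything from the original article. It scores a constructed inventory of stores by the article's rule (the most confidential material, in the greatest quantity, available to the largest community, with the fewest controls, comes first), flags shares whose ACL grants access to a catch-all group, and lists documents that have outlived the "older than 3 months" rule but still sit with current files. The scoring weights, the control and group names, and the sample shares, counts and dates are all assumptions chosen for the example.

```python
"""Leak-exposure triage over a constructed inventory of information stores."""
from dataclasses import dataclass
from datetime import date, timedelta

# Weights are an assumption for illustration: unclassified material is not a
# leak concern, so it scores zero and drops to the bottom of the priority list.
SENSITIVITY = {"secret": 3, "confidential": 2, "unclassified": 0}
# Principals treated as "everyone in the building"; names assumed, not from the article.
BROAD_GROUPS = {"everyone", "domain users", "authenticated users"}
# The article's rule: files older than three months do not belong with current files.
ARCHIVE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Store:
    name: str
    classification: str   # "secret", "confidential" or "unclassified"
    documents: int        # how much is held there
    users: int            # size of the community that can read it
    acl_groups: tuple     # principals granted access on the share
    controls: tuple       # controls in place, e.g. ("group_acl", "per_client_encryption")
    tier: str             # "current" or "archive" (segmentation by time)


@dataclass(frozen=True)
class Document:
    store: str
    path: str
    last_activity: date


def exposure_score(store: Store) -> float:
    """Volume x sensitivity x audience, discounted by the number of controls that apply."""
    return (SENSITIVITY[store.classification] * store.documents * store.users
            / (1 + len(store.controls)))


def prioritise(stores):
    """Order stores so the one most worth fixing first comes first."""
    return sorted(stores, key=exposure_score, reverse=True)


def broad_access_findings(stores):
    """Stores whose ACL grants a catch-all group access: no real segmentation by user/group."""
    return [s.name for s in stores
            if any(g.lower() in BROAD_GROUPS for g in s.acl_groups)]


def stale_in_current_tier(docs, stores, today):
    """Documents still in a 'current' store although their project went quiet over 90 days ago."""
    current = {s.name for s in stores if s.tier == "current"}
    return [d for d in docs
            if d.store in current and today - d.last_activity > ARCHIVE_AFTER]


# Constructed sample inventory (hypothetical shares, counts, groups and dates).
STORES = [
    Store("clients-current", "confidential", 4000, 250, ("Domain Users",), ("group_acl",), "current"),
    Store("clients-archive", "confidential", 20000, 12, ("Archive-Readers",), ("group_acl", "approval_workflow"), "archive"),
    Store("board-papers", "secret", 300, 9, ("Board",), ("group_acl", "per_document_encryption"), "current"),
    Store("marketing", "unclassified", 9000, 400, ("Everyone",), (), "current"),
]
DOCS = [
    Document("clients-current", "acme/contract.docx", date(2011, 1, 20)),
    Document("clients-current", "globex/closing-memo.docx", date(2010, 9, 30)),
    Document("clients-archive", "initech/2008-deal.docx", date(2008, 5, 1)),
    Document("board-papers", "2011-01-minutes.docx", date(2011, 1, 28)),
]
TODAY = date(2011, 2, 7)

if __name__ == "__main__":
    for s in prioritise(STORES):
        print(f"{s.name:18} score={exposure_score(s):>12,.0f}")
    print("broad access:", broad_access_findings(STORES))
    print("stale in current tier:", [d.path for d in stale_in_current_tier(DOCS, STORES, TODAY)])
```

On the sample data the current client share ranks first: it holds a large volume of confidential material, every domain user can read it, and a single group ACL is the only control. The small, encrypted board-papers share ranks well below the archive despite its higher marking, which is the point of the rule: audience and controls matter as much as classification. The same checks can be fed from a real share inventory and ACL export rather than the constructed lists here.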

It is unknown whether or not there was any real segmentation where the US State Department cables were stored. It does not seem likely. Either that or there was a requirement for segmentation and this requirement was routinely ignored. One can find no other reason why cables ranging over 30 years and 6 security levels from hundreds of sources were so readily available to 1 junior staff member.

(5) The Human Element, A Matter Of Staff Maturity And Common Sense

Don't give low-level or casual staff a high level of security clearance; this includes staff working in IT. Of course, in order for the phrase "low or high level" to have any meaning at all, you first need to have implemented something from (4).

Regardless of employee seniority or access, some staff may still feel compelled to leak. What then?

Consider establishing an internal ethics board where staff can take their concerns and have them heard. However, your best chance of preventing information leaks comes during the initial staff recruiting and vetting process. Do you vet staff who regularly handle highly sensitive or client confidential information?
Having worked for many city institutions, 360is consultants are able to recommend the services of a suitable staff vetting agency. Instruction is also available for your fellow directors and senior company officers on the correct way to invoke UK Legal Professional Privilege, and general handling practices for the most sensitive communications.
Some of our clients have a regular rotation of staff, preventing any one person getting too comfortable (and possibly carefree) with sensitive information. In some cases this is an option, but for most firms it does not fit their operational model.

If the current speculation is to be believed, a relatively low-level, young Private of only a few years' service had access to the leaked material. In addition to this, it is also speculated that over a million other individuals had access to some or all of the information. This would suggest either that the information should not have been marked secret/confidential at all, or that there has been a failure to consider the human element in its handling. Even the most optimistic Information Security professional will find it hard to believe that any "secret" shared with a million individuals will remain secret for very long.

(6) Handling A Leak

Sooner or later your confidential information will escape either accidentally or with help from an external hacker or an insider with access. Once this happens, it is the way in which your organisation handles the leak that partly determines total cost to your organisation in terms of reputation and revenue loss.

At what point do you inform your clients if there are potential implications for them? Who will handle enquiries from the press? What assurances will you offer partners, suppliers, and customers/clients that information concerning your business dealings will be better protected in future? How can you "get ahead of the story" and start taking control of the incident?

  • Put a plan in place now
  • Rehearse that plan periodically
  • Use external professional crisis management if you lack relevant experience in-house
  • Understand any legal obligations to clients, partners, and the regulator
  • Ensure the right personnel are press/media trained

360is consultants recommend bringing in a professional response team who have handled these types of situations before. Most managers are not trained in dealing with the media and can quickly find themselves in an awkward position without proper preparation. 360is are able to assist such a team in formulating technical answers to some of the questions that will need to be supplied both to post-incident internal investigators and journalists.

We will leave an assessment of the State Department's handling of this episode to the reader, but suggest you consider these questions:
Have they managed to "get ahead of the story" or are they still reacting to it?
Do their partners feel re-assured that this is any less likely to happen in future?
Have their actions, post-incident, served to increase, decrease, or had no effect on public perception of Information Security within their organisation?

More From 360is Executive Intelligence
This briefing on preventing leaks and the WikiLeaks episode of December 2010 is referenced in "Executive Intelligence" the quarterly security briefing provided by 360is to our current and former clients. Executive Intelligence is now available to all UK Information Security Professionals in our network. Find out how to subscribe to our UK quarterly security newsletter.

The full text of this article is available in PDF form via the Resources section of our web site here.