Network Security

Canada ups cyber security spending as China worry rises | Reuters


This article discusses increased cyber security spending plans by the Canadian Government.

No one would dispute that spending on cyber security makes sense – indeed a government would be grossly negligent in not securing its networks.

The problem I have is that I just don’t believe a top-down approach is enough to establish the necessary security.  It is not just because of the nature of networks, nor even because of the cultural issues that lie at the heart of good network security, nor again because of the dynamism required to keep a network secure.

In addition to all these reasons, I am just far too sceptical of government led initiatives and the box ticking mentality they can produce.

A bottom up process – created specifically to deliver benefits directly to participants beyond some kind of government accreditation – is essential.

See on uk.reuters.com

Data Threat Clearinghouse – old idea

After my post yesterday about the UK’s Cyber Security Strategy comes news today of possible US legislation to create a Data Threat Clearinghouse.  This is far from a new idea – even I have been advocating something like it for more than 10 years.  The surprising bit about this news is that the scope of the proposal seems so limited.  When cyber risk is so variable, complex and dynamic, do they really only want to deal with data threats?

Maybe I should read the proposed legislation…  I’ll come back on that.

But that aside, why leave whatever this entity is about to Government?  As I said here, you don’t leave Governments to share what they choose with you.  For all sorts of reasons and in almost any context, sharing works better when the master chooses what to share with the servant, not the other way round.

The private sector needs its own approach here.

Update:  I have now read the proposed US legislation and, though what is proposed is a great idea, I would change my summary above as follows:

The private sector really badly needs its own approach here.

Why?  If I have understood how proposed Bills are drafted, it comes in two parts.  The first calls for the establishment of a National Cybersecurity Authority and the second for a National Information Sharing Organization.

My first concern is that the scope of the proposal is too narrow.  The Bill is an amendment to the Homeland Security Act, so its admitted focus is on Federal systems and critical infrastructure and the threat posed to those by terrorism.  Clearly this is a valuable cause, as terrorism is a significant threat, but it is far from the only one; motivations are many and various.

My second concern is that ‘we will get what we are given’.  There is much talk of a willingness to share information – but that is always caveated by the discretion of the Secretary.  So the concerns I expressed above, about Governments only sharing what they choose to share, are confirmed as being baked into the proposal.

Third, Governments are not the most dynamic of entities.  The draft bill (just 37 pages for both proposals) discusses minutiae like compensation and retention bonuses for the staff of the new agency…  Really?

Unless the private sector is willing to rely on Government to give it too little, too late, it needs to come up with a better plan of its own.

A collaborative approach to cyber risk

I have now had a chance at a first read of the UK Government’s Cyber Security Strategy.

There is some solid stuff in here and I obviously can’t argue with the essentially collaborative approach it espouses – I have been going on about that for years.

I will be particularly interested in watching what happens – if anything – at the ‘strategic summit’ proposed with ‘professional business services, including insurers, auditors and lawyers to determine the role they might play in promoting the better management of cyber risks’.

On one hand, I fully expect it to be one of those meetings for which all Governments are famous – meetings meant to show something is being taken terribly seriously rather than to actually achieve anything.  And that would be fine because the tenor of the Executive Summary is that the Government is inviting the private sector to join their ‘vision’ – yes, they use the ‘vision’ word.

I don’t want to get all Libertarian on everyone but in the interests of all cyber security stakeholders, shouldn’t the private sector be leading the initiative on developing better cyber risk management?   And most of all, isn’t that because cyber risk management is essentially a practical concern?

About time

I can’t believe this (complete endpoint security) hasn’t been done before.  Update 6/12 – apparently it has, at least according to a friend at a large security company who said something rhyming with ‘ollocks’ when I mentioned this.  You know who you are…

I think it is fairly well known that as many as 90 percent of successful network attacks exploit vulnerabilities for which a patch already exists.  Despite this, many computers do not have the latest security patches installed, which unnecessarily exposes networks to a variety of malware threats.  Apparently, part of the problem is that patches are time-consuming to track and administer, and it is sometimes difficult to see which computers actually have critical patches installed and, even if they do, whether the patches are installed correctly.

The Wall Street Journal article (Sophos Brings Industry-First Complete Endpoint Protection) is based on an announcement from Sophos that its Patch Assessment brings new visibility to this problem by identifying, prioritising and scanning for critical threat-related security patches.  Apparently, the Sophos approach means organisations can now know which threats a patch prevents, can prioritise patches from the most critical to the least, and can do all this for patches from multiple vendors including Adobe, Apple, Citrix, Microsoft, Skype and others.

Now, anyone who has heard me blather on about the desperate need for a collaborative approach to managing ‘cyber’ risk will know that this is the kind of thing I can bore for England about.  Not being a network security expert, however, I assumed – before I read the article – that this particular process was already in place.

It is not that this isn’t good news – obviously it is – but it seems to me the security industry ought to be at least a little embarrassed that it hasn’t introduced such a capability before.  It just looks too obviously like a ‘good idea’.

I feel nearly the same way about this news as I do after reading this story about an eight-Ferrari pile-up.  Apparently excessive speed may have played a part.  Ya think?

HTTPS isn’t as safe as you might hope

Yesterday, I added an explanation of HTTPS to the Glossary, after I saw this article about how unsafe it can be – safer than HTTP though it is.  The report concluded:

As currently implemented, the Web’s security protocols may be good enough to protect against attackers with limited time and motivation, but they are inadequate for a world in which geopolitical and business contests are increasingly being played out through attacks against the security of computer systems.


This is why the ‘cyber’ insurance model doesn’t work

A few days ago, I said (here) that the ‘cyber’ insurance model doesn’t work.  This story, about the Illinois water plant hack, is a good example of what I was trying to say.

There are a number of different approaches to reporting this story, and each focuses on slightly different issues.  Some consider various technical failings, others suggest different motivations, and yet others inevitably discuss the potential systemic concerns.

This story amply makes the point of my earlier post: risk transfer needs to be integrated into models of ‘cyber’ risk that focus on managing the risk from the perspective of the risk itself, rather than on the risk insurers accept, which is how every other risk insurers accept is modelled today.  Insurers can’t hope to cope with ‘cyber’ risk unless ‘cyber’ models accommodate all of these issues, and others.

I am not saying that insurers either can or should accept all the risks that ‘cyber’ threats pose to critical infrastructures; the risk is simply too big for that – even if we don’t yet know what really happened in Illinois.  I am saying, however, that if insurance is to play a responsible and valuable role in supporting business against the biggest risk it faces in the next x years, it has to think about new approaches.

PS.  I keep putting ‘cyber’ in inverted commas because I wrote in a comment here (on LinkedIn) about people who blather on about ‘cyber’ being lazy about what they mean.  It is just too easy a shorthand, isn’t it; guilty…

Update:  This article, suggesting there is no evidence of a system hack, certainly muddies the waters…

US networks ‘as porous as a colander’

According to this Wired article, U.S. networks are “as porous as a colander”… and the Pentagon doesn’t know how to keep US military networks secure.

This was the message of a Darpa-convened “cyber colloquium” in Virginia yesterday.  As I read the article, there are two reasons Darpa gives for why networks can’t be secured.

According to Regina Dugan, Darpa’s director, the reason is complexity, or rather, over-complexity:

“We are losing ground because we are inherently divergent from the threat,” conceded Dugan… Current network security is a numbers game: According to Darpa research, securing sensitive information on the military’s networks requires, typically, programs running 10 million lines of code. On average, the malicious code, viruses, bots, worms and exploits that try to penetrate those defenses rely on 125 lines of code. Eventually, simple beats over-engineered.”

According to Gen. Keith Alexander, who leads U.S. Cyber Command, it is dynamism:

“We diagnose the malware, clean up the systems, get set up again and wait for the next exploitation. We have to change the way we think about defending our systems.”

Apparently, the usual ideas trotted out to rectify this problem (a second, more secure internet, safe from the wilder elements of the real Internet, or the same Internet but without its anonymity) have been discounted.  The purpose of the conference was to call for new ideas.

To generate those ideas, Darpa is looking to bring in hackers to help set policy, designing dynamism into the framework, “on timescales that correspond with the dynamic nature of advances in cyberspace.”

Bringing in hackers isn’t new; Darpa has been recruiting them for some time.  Designing dynamism into security infrastructure however; that would be novel.

What could the insurance industry learn from this…


How will cyber risk be modelled? Part 1

Insurers are struggling to model cyber risk.  In this first of two posts, I suggest that because of the dynamism and complexity of cyber risk, insurers should reconnect with the original purpose of models and then re-think their design.  The result could be cyber risk models primarily designed to understand cyber risk rather than the risk insurers accept, which is not the same thing at all.  The way cyber risk is understood also points to how it will then be managed.

In a second post, I will describe some of the elements I expect will form part of cyber risk models.

These ideas came out of reading a response, in a LinkedIn group (Privacy Risk Management, specifically), to this post.  The response was:

The challenge for an insurer to provide DDoS cover is to find a model with which to assess the exposure, and thus ascertain the cover and risk exposure. This requires an assessment model of sorts to score the potential client (and maybe a form of compliance statement to ensure a minimum standard of care before cover can be provided). Developing that model is not impossible, but it will take some time before that model can be tuned as there are no histories to work with.

It made me read the original post, which turned out to be one of those well-researched but slightly generic descriptions of cyber insurance written by a law firm advertising for coverage counsel work; i.e. interesting if deliberately not very specific.

Back to the response: it is a straightforward, high-level route map to underwriting cyber risk, and so it is difficult to argue with much of it.  Like most commentaries on cyber risk, however, it discusses cyber risk models without offering very much on how such models might actually be designed.  It also makes two common but, I believe, fundamental mistakes: it assumes that cyber risk models will be like traditional models, and that time alone will make cyber risk models effective.

On the contrary, I don’t believe cyber risk models will resemble anything traditional – i.e. loss based and tuned to emerging portfolio characteristics.  In fact, I think that if we pursue traditional modelling approaches, we will never effectively model cyber risk.

One reason traditional models can’t cope with cyber risk is, perhaps curiously, their reliance on portfolio theory.  Portfolio theory is the core underpinning of risk acceptance, allowing insurers to safely assume that not all risks are going to have losses every year, even if they don’t know how many will.  But when it comes to the amount and detail of risk information insurers capture, and the frequency with which that information is updated, portfolio theory also means insurers only capture enough information on each risk to verify that it falls broadly within the range of risks they want in a particular portfolio.  This is because, while the portfolio gradually changes all the time – for example as new risks enter and non-renewals leave it – the insurer operates under the reasonably safe assumption that neither individual risks nor other elements of the portfolio (the environment in which the risks exist, for example) will usually change so quickly that the insurer can’t react to them.

The problem is that cyber risk isn’t like that; it changes a lot and quickly.  There are risks that potentially affect far more people, like pandemic risk, and risks with far greater severity potential, like earthquake.  But there is no other risk that combines the number of potentially affected people and systems with so much severity potential, that is also in so constant a state of change, that is so complex and which, hardly surprisingly, crystallises into big losses so frequently.

Cyber risk is so different in fact that I don’t think cyber risk models will be designed to serve insurers in the way traditional models are.  Rather, I imagine cyber risk models will take a back to basics approach and be designed simply to understand cyber risk.  Risk management, with risk transfer as an integral part of the overall process, will flow from understanding the risk – at least as well as that is possible with a risk that changes so much and so quickly.  I believe in this idea of an independent model for two reasons.

First, because of cyber risk’s complexity, I doubt that any one entity (insurer or otherwise) will be able to build an effective model on its own.  A model that is effective at understanding cyber risk will therefore necessarily be a collaborative process: first to collect sufficient data and second so that appropriate expertise is available to understand the data collected.

Second (and reinforcing the idea that collaboration can be a valid profit-optimising strategy), in order to benefit from a collaborative modelling process, collaborators must have good reason to invest the time, money and effort needed to make an effective model.  I therefore expect that potential collaborators – system owners, insurers and the many experts needed to analyse cyber risk – will each want to be free (probably within a Creative Commons framework) to make decisions about how they choose to address cyber risk in their own interests.

A further purpose of the model will then be to allow for and accommodate those decisions within the model – up to a point, of course; ignoring cyber risk not being one of the options!  System owners will be able to decide how much to spend (on security, for example) and what to prioritise, based on model outputs about the latest threats or new legal concepts.  Insurers will be able to make similarly based decisions on the kind and amount of exposure they wish to accept.  Experts will be able to offer their services to system owners, insurers and others based on what they learn from the model, as long as the service is attributed to the model.

The sum of these issues suggests to me that it will make more sense for insurers and system owners to work together with relevant experts to design a model; an alternative would be to leave the design to an independent third party.  In either case, there are a few implications that flow from this suggestion…

One is that, by designing a full risk management model that fully integrates risk transfer, the model would put insurance (at least for cyber risk) back into its proper relationship with the rest of risk management, as opposed to the afterthought it often seems today.  Another is that the almost impossible problem of insurers and their customers maintaining ‘utmost good faith’ towards each other, in the face of a constantly changing risk, would be eliminated.  Yet another, however, is that the insurance value chain as we know it today would cease to exist.  But I’ll stick with the model discussion for now…

In this first post, I have indicated why I don’t think traditional modelling approaches will be effective for cyber risk, and why insurers aren’t going to have enough resource or expertise to build the new kinds of models needed on their own.  Equally, however, risk owners and experts aren’t going to invest time, money, data or expertise in a model that doesn’t directly help them address cyber risk in their own interests.

In part two, I will try to describe some of the main ingredients of such a cyber risk model.