CISOs' newest fear? Criminals with a big data strategy

Reg roundtable disses pen testers and security theatre

Peer to Peer Security

Outside the world of critical national infrastructure, sharing of experiences and data is still too ad-hoc for many reasons, none of them good. The execs shared that their contracts of employment explicitly forbade them from sharing security or other important proprietary information.

Although financial regulators are nudging firms towards sharing, it is still unsatisfactory. As one exec put it, “retail is ruthless” - and it may not shock you to learn that several execs saw security as competitive advantage and if one of the other players in the market falls into a hole, this is a good thing.

This shows two things. Firstly, that you don’t get to the top rung without some steel in your spine and secondly, that outside of financial markets there is no fear of contagion. They work in a zero-sum game, and a breach that capsized Tesco would be a big win for Sainsburys and Morrisons, so why should they share the best information?

The dead hand of history

Like the three wretched prequels to Star Wars, ICL VME, Windows XP and Cobol will never go away. We can’t call in JJ Abrams, Bill Gates or Bjarne Stroustrup to reboot them into something that doesn’t suck out our will to live.

Our execs shared stories of millions squandered in failed attempts to remove systems that are now easily older than the people maintaining them. Many of them contain business logic that wasn’t documented properly: what documentation existed has been lost or survives "on some tape somewhere."

As the foundations of many firms and government departments, they are seen as a new attack surface. Up until recently there simply was no path from the outside world to them. Indeed, if presented with VME’s command line interface, you will assume that it’s actually a spoof and that no one would have done that on purpose, so there is a useful degree of security by obscurity.

As we upgrade the linkages, unsuspected paths are appearing. Some of these systems are so poorly understood, and so neglected by the bright young things in infosec consultancies, that they may be pwned without anyone noticing. Trustwave already regularly comes across systems that have been subverted for over six months - and that’s just the ones that get spotted.

But it’s not just systems whose names you don’t even remember. Windows XP is forgotten but not gone and the consensus of the execs is that any firm that says all its systems are patched up to date is either lying or deluding itself. Even the idea that any decent sized firm has a plausible list of all the systems they rely upon was met with a mixture of laughter and scorn.

Servers are routinely built to the prevailing corporate standard, then often forgotten. The consensus is that whatever their misgivings about cloud services, our execs saw them as at least being professional about patches and basic security. However, the way that cloud vendors disclaim any liability and routinely refuse to take part in security audits is a problem that may well be the source of the next round of security horror stories.

Amazon was cited as a good example of this, with highly respectable security but a complete lack of reassuring security blankets.

What did we learn?

A common theme in our Roundtables is that the old IT Director model is splitting up, often into a bringer of change and new revenues, and someone who keeps the lights on. Not being “business” often makes security a facilities management role where you get little kudos for reliability and safety, but get blamed both for the breaches and the business limiting measures you put in place to try and make systems secure.

This is more irritating where the pressure to increase exposure is coming from the “Change” CTO, so risk management is an increasingly important skill at the top level of IT. However several of them moaned that there isn’t a clear line of responsibility for security because it is such a poisoned chalice.

The bottom line is that e-crime is just like crime. It will never go away, and the most critical skill for an IT exec is to manage risk and be able to articulate the reasoning behind the risks you take. ®

Our roundtable programme only works if we get readers like you around the table. We'll be announcing our next tranche of roundtables soon. To ensure you're kept fully up to date, sign up for a Reg account here. Or if you've already got one, take the time to ensure we have an up-to-date email address for you. ®
