Archive for the ‘PCI DSS’ Category

PCI DSS Gathering Momentum….

Monday, July 13th, 2009

Some UK acquiring banks have a determined campaign in place right now to get all level 2, 3 and 4 merchants to PCI DSS compliance by October. Larger merchants should all now be compliant, which means that hackers and fraudsters will logically turn their attention to smaller companies that may still be vulnerable. So, while PCI compliance for smaller businesses will certainly create a resources challenge for them, it is one to which they are simply going to have to rise - or face fines and penalties from the payment brands.

In Nevada, PCI compliance for all merchants who accept a Nevadan citizen's payment card has now been made law with effect from 2010 - this is a major step forward in terms of bringing this compliance regime onto a statutory footing, and we should expect to see the process gather pace.

In the UK, it’s National Identity Fraud Prevention Week!

Tuesday, October 7th, 2008

Apparently, we're today kicking off the UK National Identity Fraud Prevention Week - and research for RSA reveals widespread disbelief (as in, 90% of Britons) that their personal data are safe with banks and retailers, and half the people think that not enough is done to protect these personal details.

That's better than I thought! Let me explain: in today's insecure world, everyone has to be concerned about his or her own personal data - this is a critical personal asset that needs safeguarding. And, for far too long, people have simply not been adequately concerned about this issue. Clearly, this is changing - let's hope that, as more people learn about the poor care exercised by data controllers in the UK, they get better at insisting that adequate steps are taken - and voting with their feet where they are dissatisfied with the standard of care.

From an organisational point of view, of course, it’s not hard to respond to the findings of this research - take adequate steps, today, to comply with the Data Protection Act in the UK, or whatever data protection legislation applies in your business jurisdiction. If you accept payment cards, PCI DSS compliance should be a given. And, for every organisation, ISO27001 is the best practice standard for securing information - and this week would be a good week to get started on an ISO27001 project!

New UK Computer Crime Unit

Friday, October 3rd, 2008

Well, that's a relief - the UK government has caught up with the fact that there are criminals on the Internet. The government has said that it will spend £7 million to establish the Police Central E-crime Unit (PCeU) in London, which will be run by London's Metropolitan Police and will be more than half-funded by the Met.

I'm not going to waste time talking about the fantastic stupidity of creating and then, after three years, disbanding the High-Tech Crime Unit (creating SOCA, the Serious and Organised Crime Agency, whose priorities were drugs, people smuggling and similar more 'traditional' crimes) just as serious criminals migrated to the Internet. I am, though, going to make the obvious point that, even if the PCeU does get going fairly early in 2009, it will still be something like two years before it starts being effective - it just takes a long time to get a new organisation (particularly a publicly-funded one) working, to get objectives and modi operandi and personnel and media and all those things properly sorted. And, in that time, cybercrime will become more sophisticated and the challenge of controlling it even more complex.

Let me put it another way: establishment of the PCeU will be no panacea, anytime soon, for cyberthreats. Sensible organisations are just going to have to keep on doing their own risk management around this issue.

How do customers know which suppliers are compliant with the PCI DSS? And shouldn’t they be told?

Thursday, August 7th, 2008

Lots of organisations think they don't need to worry about theft of credit card data. I don't know why. Payment card data theft is now big business - the level of professionalism available in this industry includes the development of bespoke software supported by an extremely efficient helpdesk, and you don't usually get this level of specialisation until an industry is starting to mature.

Apart from the interesting fact that darkside helpdesks appear to be more efficient than many over on this side, you have to wonder why every organisation that accepts payment card data isn’t already at least PCI DSS compliant? Why hasn’t the PCI Security Council already come up with some form of ‘PCI DSS Compliant’ badge and certification scheme so that paying customers can concentrate all their business on the websites and businesses of those organisations that have actually bothered to do what it takes to protect their card holder data?

The ICO needs to act

Tuesday, January 22nd, 2008

The private sector needs to take data privacy more seriously if it is to stop the Information Commissioner’s Office getting the power to audit their information security systems without warning. According to ComputerWeekly, this is the warning from James Alexander, technology security partner at management consulting firm Deloitte.

His comments followed Deloitte’s finding that only 54% of technology, media and telecommunications (TMT) firms will tell customers if their data privacy is breached.

Well, I take the contrary view here. What we NEED is for the ICO to take some action, because the voluntary approach doesn't work – just look at how organisations in both the private and public sectors are dragging their feet over PCI DSS compliance! The privacy of individual data requires more stick.

As ample proof, one need only look to the latest cases of lost MoD laptops and Carphone Warehouse’s recent misdeeds.

I rest my case!

BS25999 and ISO27001

Tuesday, October 16th, 2007

Once upon a time, there was only BS7799 for information security - now there are three parts to it, two of which have become internationalised (ISO27001) and are part of a series which has something like 20 numbers reserved for future use - and we also have the PCI DSS to provide a more prescriptive approach to protecting commercially important card holder data. You would have thought that, with all these standards, business would have become more secure.

Perhaps - but, clearly, continuity needs have not been adequately recognised. The first part of BS25999 (already published) was just a code of practice - but the arrival of part 2, the management system specification, will make it possible for organisations to get a BS25999 certificate - to go alongside their ISO27001 and ISO20000 certificates, no doubt.

Or will the proliferation of certificates simply lead to confusion in the minds of stakeholders as well as managers and customers?

House of Lords E-Crime Report

Thursday, August 23rd, 2007

The recent report from the House of Lords Science and Technology select committee into 'Personal internet security' highlights the fact that businesses are not doing enough to protect their customers from the dangers of e-crime and online fraud. Clearly this is not exactly a ground-breaking conclusion; however, it is certainly an important one.

The report reinforces my long-held view that organisations need to take action to protect valuable data. ISO 27001, the information security standard, is the benchmark for first-rate information security, and certification is the best method of protection an organisation can have. Organisations should get certified to ISO 27001 as soon as possible in order to protect their customers as well as themselves.

Surely it is time that the National High Tech Crime Unit (NHTCU) was re-established in order to tackle e-crime effectively and hopefully deter those responsible. Since it was disbanded and absorbed into the new Serious Organised Crime Agency (SOCA) there has generally been nowhere that e-crime can be reported to, and local police forces are often ill-equipped to deal with e-crime, especially where the perpetrator is based in some other jurisdiction. For example: e-crime can be committed by people based in Russia, who have stolen the credit cards of people in the US and are now using them to purchase from a site owned by a UK company but hosted on a Canadian server. This simple example illustrates just how vitally important a co-ordinated national police approach is to dealing with e-crime. PCI DSS will not be enough, on its own. The complexities of e-crime need a dedicated unit, so bring back the NHTCU!

Meanwhile, whilst organisations are making the necessary changes to protect sensitive information, individuals should also take action to protect themselves, and the 'Internet Highway Code' is the benchmark here. It sets out ten straightforward, no-nonsense, plain-English rules for staying safe online and arms anyone using a computer with the knowledge of how to avoid all the problems that make the newspaper headlines.

Calling time on Firefox

Thursday, March 3rd, 2005

A sensible article on Firefox in an enterprise environment leads to the obvious conclusion that anyone who buys a product in its 0.x or 1.0x versions ought not to be employed (or not for very much longer, anyway) in any organisation that is even minimally risk aware.

And, frankly, you don’t have to be much of a contrarian to spot that Firefox isn’t much of a competitor for Internet Explorer. While the out-crowd hype has driven Firefox market share to 8.45% in a short space of time, IE still has 87.28% of the market. When Firefox started out, the IE share was about 96%. 1-0 for hype.

Now, ask yourself: if you were a criminal (hackers, crackers, and other malcontents included), and you wanted to attack websurfers, what would you target? The two or three browsers that, between them, have less than 5% of the market, or the single one that has about 96%? OK, so, given that both the professional and the amateur online criminal fraternities have been targeting IE for a few years, how many vulnerabilities do you think they may have found by now?

And, given our apparently insatiable mania for bigger, better, faster, cooler, NOW! - what’s the likelihood of new IE releases having new vulnerabilities?

In other words, browsers are always going to have holes, and the crooks are always going to focus on exploiting the holes. And they sure are - witness the flaw found last month in all browsers EXCEPT IE. Hmm.

So, on the one hand, we've got Microsoft - who've built a machine for cranking out updates and getting them to end users quickly and efficiently - and on the other, we've got Mozilla, who've got… how many people actually working on fixes?

Of their nightly builds, Mozilla say this: “You will find bugs, and lots of them. Mozilla might crash on startup. It might delete all your files and cause your computer to burst into flames.”

Thanks. That’s a helpful warning.

Even Mozilla recognise that the hype is running out of steam.