Archive for the ‘PCI DSS’ Category

House of Lords E-Crime Report

Thursday, August 23rd, 2007

The recent report from the House of Lords Science and Technology select committee into ‘Personal internet security’ highlights the fact that businesses are not doing enough to protect their customers from the dangers of e-crime and on-line fraud. Clearly this is not exactly a ground-breaking conclusion; however, it is certainly an important one.

The report emphasises my long-held view that organisations need to take action to protect valuable data. ISO 27001, the information security standard, is the benchmark for first-rate information security, and certification is the best method of protection an organisation can have. Organisations should get certified to ISO 27001 as soon as possible in order to protect their customers as well as themselves.

Surely it is time that the National High Tech Crime Unit (NHTCU) was re-established in order to tackle e-crime effectively and, hopefully, deter those responsible. Since it was disbanded and absorbed into the new Serious Organised Crime Agency (SOCA) there has generally been nowhere that e-crime can be reported to, and local police forces are often ill-equipped to deal with e-crime, especially where the perpetrator is based in some other jurisdiction. For example: e-crime can be committed by people based in Russia, who have stolen the credit card details of people in the US and are now using them to purchase from a site owned by a UK company but hosted on a Canadian server. This simple example illustrates just how vitally important a co-ordinated national police approach is to dealing with e-crime. PCI DSS will not be enough on its own. The complexities of e-crime need a dedicated unit, so bring back the NHTCU!

Meanwhile, whilst organisations are making the necessary changes to protect sensitive information, individuals should also take action to protect themselves and the ‘Internet Highway Code’ is the benchmark here. It sets out ten straightforward, no-nonsense, plain English rules for staying safe online and arms anyone using a computer with the knowledge of how to avoid all the problems that make the newspaper headlines.

Calling time on Firefox

Thursday, March 3rd, 2005

A sensible article on Firefox in an enterprise environment leads to the obvious conclusion that anyone who buys a product in its 0.x or 1.0x versions ought not to be employed (or not for very much longer, anyway) in any organization that is even minimally risk aware.

And, frankly, you don’t have to be much of a contrarian to spot that Firefox isn’t much of a competitor for Internet Explorer. While the out-crowd hype has driven Firefox market share to 8.45% in a short space of time, IE still has 87.28% of the market. When Firefox started out, the IE share was about 96%. 1-0 for hype.

Now, ask yourself: if you were a criminal (hackers, crackers, and other malcontents included), and you wanted to attack websurfers, what would you target? The two or three browsers that, between them, have less than 5% of the market, or the single one that has about 96%? OK, so, given that both the professional and the amateur online criminal fraternities have been targeting IE for a few years, how many vulnerabilities do you think they may have found by now?

And, given our apparently insatiable mania for bigger, better, faster, cooler, NOW! – what’s the likelihood of new IE releases having new vulnerabilities?

In other words, browsers are always going to have holes, and the crooks are always going to focus on exploiting the holes. And they sure are – witness the flaw found last month in all browsers EXCEPT IE. Hmm.

So, on the one hand, we’ve got Microsoft – who’ve built a machine for cranking out updates and getting them to end users quickly and efficiently – and on the other, we’ve got Mozilla, who’ve got… how many guys actually working on fixes?

Of their nightly builds, Mozilla say this: “You will find bugs, and lots of them. Mozilla might crash on startup. It might delete all your files and cause your computer to burst into flames.”

Thanks. That’s a helpful warning.

Even Mozilla recognise that the hype is running out of steam.
