Tag Archives: information security

What are the biggest challenges when sourcing information security professionals?

During each RANT forum and conference, information security professionals gather to talk about some of the most pressing issues in the industry.

One of the topics that often gets brought up is recruitment and how organisations in both the public and private sector go about bringing in the most talented individuals.

During the latest conference, some of the industry’s top professionals gave an insight into what they thought about the process and how it has evolved over the years. We asked them what they perceived as the biggest challenges when sourcing information security professionals.

Tom Salkield, professional services director at Integralis, said: “We need to attract more people into this industry sector … there are some big problems that we actually need to solve.”

According to Mr Salkield, the industry must integrate more with the education system to get people interested in IT security.

“We need to be working much more closely with schools, colleges and universities to entice the new leaders of the future to come and enjoy the big debate we’re involved in,” he added.

Many other professionals gave their opinions on the industry and their thoughts on the matter can be seen in the video below.

For example, Javvad Malik, senior analyst at 451 Enterprise, believes that more than just technical skills are required; he thinks it is also about personalities and “people who can fit into the mould”.

The stereotype that information security professionals all come from hacking origins is now gone; individuals are constantly emerging from a range of backgrounds, and this diversity can only be a good thing.

Acumin has been hosting the monthly RANT events for the last seven years and encourages everyone to get involved with the discussion and lively debate.

Each forum and conference sees hundreds of information security professionals join in and share their ideas on the future of this ever-growing industry.

Attending RANT is a great way to broaden your thoughts and expand your network, and the next event will be held on August 28th in London.

Cyber security is in an era of ‘prominent activity’

When one of the most senior figures in British security remarks that cyber security is a global threat, you know he isn’t beating about the bush – he’s informed, he knows, and he’s happy to spread the bad news.

Jonathan Evans, director general of MI5, the British intelligence agency that works to protect the UK’s national security against threats, informed an audience at the Lord Mayor’s inaugural annual Defence and Security Lecture that although cyber crime has been a threat to network security for many years, we are now in an era defined by prominent activity.

Such is the threat of online malicious activity to the integrity of UK security that it is up there with terrorism as one of the four major security challenges the country has to battle on a daily basis; 24/7, one simply cannot rest on one’s laurels.

“Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states,” he said in a speech entitled The Olympics and Beyond. “And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both state sponsored cyber espionage and organised cyber crime.”

Serious words indeed. Backing up his arguments about the need to develop a robust system, tighter relationships with various organisations and improved sharing of best practice, he cited an example of how detrimental the actions of cyber criminals can be.

One major company, listed on the London Stock Exchange, was hit with revenue losses of £800 million – just imagine that on a national scale and you begin to see a clear picture of how damaging this can be. That money could be redirected elsewhere, help create jobs and boost economic activity.

“This is a threat to the integrity, confidentiality and availability of government information but also to business and to academic institutions,” he added.

“What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations.”

We definitely agree that it is important to develop closer links within the IT industry, across sectors that specialise in risk management, information security, ethical hacking and business continuity.

This is why Acumin hosts and invests heavily in RANT, a forward-thinking risk and network threat forum built on blue-sky thinking. We love conversation, ideas, communicating with people – even those we don’t agree with – and exchanging information, which is the most valuable currency we have.

“The two words ‘information’ and ‘communication’ are often used interchangeably, but they signify quite different things. Information is giving out; communication is getting through.”

So said the renowned American journalist Sydney J Harris. Bear this in mind and there’s nothing an organisation cannot achieve. We’re in this together; a team.

The big snooping debate

After announcing that it is considering introducing a new bill that will give GCHQ unprecedented powers to monitor people’s emails, texts, social media content, phone calls and web browsing history – in real time – the government has had to defend itself from a barrage of condemnation.

Critics of the proposed legislation, which may be included in the Queen’s speech in May, have dubbed it a “snooping bill”, claiming that it is a clandestine way of monitoring the activities of everyday people.

The government, however, has assured the public that there is nothing sinister about the bill, no echoes of an Orwellian future, there will be no centralised database storing people’s information, and all information will remain “invisible”.

“Let’s be clear, this is not about extending the reach of the state into people’s data, it’s about trying to keep up with modern technology,” explained Prime Minister David Cameron, attempting to assuage opponents.

“We should remember that this sort of data, used at the moment, through the proper processes, is absolutely vital in stopping serious crime and some of the most serious terrorist incidents that could kill people in our country, so it’s essential we get this right.”

Advocates of the bill have asserted that this is its focus – to protect people and curb crime, whether it’s tackling cyber criminals or terrorists. Akin to a software update, the new legislation is designed to respond to the significant changes that have taken place by virtue of the digital revolution, which has, in no small way, radically transformed most aspects of society. As Mr Cameron noted, a warrant will be needed to access the private information.

Others, however, are less sanguine. Nick Pickles, director of the Big Brother Watch campaign, sees it as leading to a reality that is comparable to the kind of surveillance that is prevalent in Iran and China, two countries known for having, for example, limited press freedoms.

“This is an absolute attack on privacy online and it is far from clear this will actually improve public safety, while adding significant costs to internet businesses,” he stated. “If this was such a serious security issue why has the Home Office not ensured these powers were in place before the Olympics?”

Although details of the proposed bill have yet to be finalised, it is believed that one of the most significant aspects will be for internet service providers and mobile phone companies to keep hold of all data travelling through their respective spheres.

At present, such information is accessible by intelligence agencies, the police and other public bodies, without any external organisations signing off. If the law is to go ahead, there is a desire to see an impartial body set up to monitor requests to ensure that freedoms are being protected and not abused.

“Whoever is in government, the grand snooping ambitions of security agencies don’t change,” Isabella Sankey, director of policy at Liberty, was quoted by the government as saying.

“The coalition agreement explicitly promised to ‘end unnecessary data retention’ and restore our civil liberties. At the very least we need less secret briefing and more public consultation if this promise is to be abandoned.”

Why you will matter

We’re now getting to that time of year where we pause for reflection, take stock of what we’ve learnt and cast our eyes ahead to the new year with a sense of renewed optimism as to what we can achieve. 2012 can be better than 2011 and every year preceding that. That is the definition of progress.

As a sort of alternative to introspection on 2011 – though we may perhaps reflect on the year in a later post – we wanted to look back at Deloitte’s 2010 Global Financial Services Security Survey, a report we’re confident everyone involved in the information security and risk management industry will have read or at least come across.

The opening paragraph to the report was as strong as introductions go, which we think is worth quoting again, albeit slightly abridged: “The new decade marked a turning point for those of us involved in the information security industry. We now live in an age of cyber warfare. The environment is dangerous and sinister. The children who used to make mischief in their basements are now only bit players and rarely make the news anymore.

“They have been superseded by organised crime, governments and individuals who make computer fraud their full-time business, either for monetary gain or for competitive or technological advantage. Countries now accuse each other of cyber warfare.”

We think they hit the nail on the head there. We are all involved in a sector that has, in some ways, become one of the most important industries in the world, at the forefront of protecting governments and citizens against those that wish to cause harm and/or disruption for whatever reason, whether it is political or vindictive.

With every new development in cyber security comes, it has to be said, equally innovative and ingenious ways of getting around it. Our business is, therefore, in a global context, a 24-hour machine.

As we grow ever more dependent on what can best be described as the ‘virtual infrastructure’ (the physical world and its parameters, represented and engaged with inside a digital landscape), the need for more professionals and experts to work on ethical hacking and forensics, for example, and to get people up to an exacting level where they are SC & DV cleared, will become ever more pressing.

Just as the green industry has been touted as one possibility for getting the UK’s economy – and that of other nations across the world – back on track and booming, so too will the information security sector be instrumental in equipping people with jobs that matter.

Threats Facing Android

In a very recent article on PC World’s website, Eric Geier wrote that 2012 will see a rise in information security threats, aided, in part, by the ubiquity of mobile devices – smartphones, tablets and laptops for example – as well as the growing and sustainable popularity of social networks. Cybercrime is going to become a very pressing issue indeed.

Moreover, a new study by McAfee suggests that Android is now the number one attacked mobile platform out there.

With that in mind, we thought we’d give some of you professionals working in forensics, governance and compliance, and information security and risk management a lowdown as to some of the major threats – and vulnerabilities – facing devices using Android.

Third-party applications are one of the best things about using Android – its open source nature allows for widespread innovation and development, providing consumers and businesses alike with a huge variety of choices. Naturally, established names imply a certain level of tacit trust – you’re confident that you’re getting a reliable product – whereas unfamiliar names bring a level of uncertainty – you’ve got nothing to weigh them up against. Because the open source environment is defined by the sheer volume of developers and products out there, it can be a tough maze to navigate.

Similarly, Google’s own casual mantra, its guiding company philosophy of openness and close collaboration, though commendable, brings certain obvious weaknesses that are, in comparison to, say, Apple, a major shortfall. Take for example the verification process for applicants wanting to enter the Android market – in the last two years a number of apps, approved and available to users, have come with malware infections. This is a major area that needs addressing.

Other things to be wary of include privacy settings. Though we may live in an age of ‘over-candidness’, where people reveal odd little titbits on sites like Facebook and Twitter, privacy is still a right worth protecting. However, in some cases there are transparent weaknesses already built into certain devices. HTC devices, for example, automatically geo-tag photos and Tweets – you actively have to disable this feature. Likewise, other devices claiming to offer localised services could, rather worryingly, sneakily utilise GPS permissions for location tracking. And of course there is the much publicised data collection and exposure on the company’s Sensation and Evo range.
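As an added example (not code from the original post, nor from Acumin or any vendor named here), the following Python script shows the sort of check a reviewer can run before trusting an app with location access: it parses an AndroidManifest.xml, collects the permissions the app declares, and groups the sensitive ones so that a GPS permission requested by an app with no obvious need for it stands out. The sample manifest and the package name com.example.torch are constructed for illustration; the permission names and the android XML namespace are Android's own.

```python
"""Audit an Android app manifest for sensitive permission requests.

Added example, not from the original post. The manifest below is
constructed; the permission names are the real Android ones.
"""
import xml.etree.ElementTree as ET

# Namespace used for android:name attributes in every AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permission groups a reviewer cares about, keyed by category.
SENSITIVE = {
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "camera": {"android.permission.CAMERA"},
    "phone": {"android.permission.READ_PHONE_STATE"},
}

# Constructed sample: a torch/flashlight app that asks for fine location
# and phone state, neither of which a torch needs. Camera is plausible
# (the flash LED is driven through the camera API).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-feature android:name="android.hardware.camera.flash"/>
    <application android:label="Torch"/>
</manifest>
"""


def package_name(manifest_xml):
    """Return the package attribute of the <manifest> root element."""
    return ET.fromstring(manifest_xml).get("package")


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(NAME_ATTR)
        for elem in root.iter("uses-permission")
        if elem.get(NAME_ATTR)
    }


def audit_manifest(manifest_xml):
    """Group the app's permissions by sensitivity category.

    Returns a dict mapping each category that has at least one hit to a
    sorted list of the matching permissions, plus "other" for permissions
    outside the watched groups (e.g. INTERNET), so nothing is silently lost.
    """
    requested = requested_permissions(manifest_xml)
    report = {}
    watched = set()
    for category, perms in SENSITIVE.items():
        watched |= perms
        hits = sorted(requested & perms)
        if hits:
            report[category] = hits
    other = sorted(requested - watched)
    if other:
        report["other"] = other
    return report


if __name__ == "__main__":
    print("package:", package_name(SAMPLE_MANIFEST))
    for category, perms in audit_manifest(SAMPLE_MANIFEST).items():
        marker = "!!" if category == "location" else "  "
        print(marker, category + ":", ", ".join(perms))
```

On a real device the manifest lives inside the APK and is binary-encoded; the script expects the plain XML form (as produced by the app's build or by a manifest decoder), and the review decision, whether a location permission is justified by what the app does, remains a human judgement that the report only makes visible.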

One of the biggest risks is the easy access to a virtual private network (VPN), which many businesses and employees use remotely, providing an easy mobile working environment. This is great for increased connectivity and for promoting flexible working, but it is also a route for cybercriminals to infiltrate corporate networks surreptitiously and either introduce malicious software or steal important data.

The threats are very real, but there are measures in place to help protect Android users. We’ll be discussing those in our next post. In the meantime, for further reading check out the Acumin white paper on Android security: http://www.acumin.co.uk/cm/content/resources/white_papers