January, 2009
The trends of security 2009 - as I see it from here
For many organizations and people, the times are hard. Downsizing, downgrading, layoffs and budget cuts. You name it, they got it.
In my experience, times like these also make it easier to choose the right solutions and tools, and to make the right decisions. Why? Consider this: when the economy is booming, a large number of vendors offer an amazing variety of products, tools and solutions. And since your budgets are bigger, you are easier to tempt into buying a tool that is not vital. It is nice, and it does offer some value. But it is not vital.
Today, when the economy is suffering and we are all reconsidering investment plans, one single question is running through our minds:
Is this tool / product / service absolutely vital?
And so we make better decisions, buy only the necessary tools, save money and get a better security solution for the organization.
The other side of this is that in these periods some great assets (as in humans) are laid off. They may not like it. Actually, they most likely hate it. And they may turn this hate around and point it at you, or at the organization you work for. And before they leave, they are more likely to fill the machinery with sand (you can imagine what happens to your car engine if you fill it with sand…). The sand they are likely to use may include:
- virus, bots and other harmful malware
- backdoors to gain access to the systems later
- information theft
- information alteration
The first two are pretty self-explanatory. And they are fairly easy to find and distribute. You can even target them to your specific organization, and thus avoid detection by most antivirus systems. Setting up secure perimeters and dividing your network into smaller segments with smart gateways may help contain such a scenario, and reduce the impact.
Information theft is also pretty self-explanatory. Slurping around the LAN, looking for valuable information, is not that hard. Good guides are available online. Avoiding this scenario requires a system for grading information and for granting granular access to it. If you do not need access to the information, you should not have it either.
Information alteration is IMO the worst-case scenario. Imagine that someone is able to access mission-critical information. This can be construction drawings, manufacturing routines, recipes, software source code and similar information that is vital to your organization. Instead of just stealing it and selling it off to the highest bidder, this person alters the information without telling anyone. Some time later, the building that was under construction collapses to the ground. Investigations show that there is a weakness in the construction plans: a required pillar is no longer there.
In production, the full batch of 100 000 printers is rendered useless due to the faulty manufacturing routines. The 500 000 boxes of Curry Chicken are waste; the recipe was adjusted, and now it is inedible. The automatic software updates of your 10 000 customers render all their systems unusable. Not right away, but by adding faulty transactions that run undetected over a period of two years, and are only discovered by the auditors. The result is a series of lawsuits that kills your business.
Information alteration is not that hard. It takes some cleverness, some knowledge of what is vital to your company, and access to the information. Again, to protect yourself, make sure that your employees have access only to what they need to have access to. Logging, and actually using the logs, is vital too.
And of course – this also goes for system administrators and IT personnel. And the security people. There are plenty of examples of security personnel and IT/system administrators turning from good to bad. And according to this, 88% of IT managers would steal passwords they have access to if they were laid off.
I believe that 2009 and 2010 will be the years organizations learn to value their information, and learn to protect it. Granular access and grading of information will be important now.
Other trends I see are SaaS growing in Europe. Security as a Service is a very interesting area, particularly for SMEs. Just buying the required security off the shelf, paying a monthly fee and not having to worry about managing systems and faults is very attractive. And these days I believe SaaS will show up on the radar, just as ASP did a few years back.
“I am compliant”
“Oh, that is nice! Does it mean you are secure now?”
“I have no idea. But I am compliant. I have a certificate.”
Compliance and regulatory adaptations will continue to be important. I see a growing demand that these regulations be aligned to business needs, organizational behaviour, and to reality. The banking and finance industry is keen on following and adopting the regulations, and yet we ended up in a global economic crisis that no one foresaw. I say regulations are necessary, but unless they are adapted to reality, and not the other way around, they will be no more than a huge waste of time and money.
Compliance is IMO not about being able to show a certificate. Compliance should be about implementing an end-to-end process, making it Governance, Risk and Compliance (GRC). It should include understanding, development, communication, implementation, measuring and monitoring.
Sadly, many organizations are still more focused on hiding what they are not doing than on spending resources on implementing a process that both supports their needs and makes them compliant. It may seem like a lack of understanding makes many organizations take the wrong turn, and 2009 may very well be the year they realize that GRC is not just a joke.
What are your top trends for 2009? How will 2009 impact your workplace? What are the top factors you see will make an impact on your infosec work 2009? Please post your comments below!
Age matters - trust comes from experience
Sometimes, I can feel my age. Not my mental age, which is 22, but the age counted in winters my body has experienced. And yesterday, another number was added. As a good friend put it: "I read it somewhere that you are one day older than yesterday..."
Back in 1994 (or perhaps it was in 1995 - my seniority seems to be directly connected to Alzheimer's) I needed a tool for securely storing data on the go.
Someone in my network spoke nice words about PGP - Pretty Good Privacy. Since it was one of the few solutions available, and they had a solution for my Mac (yes, I admit I have a dark history...), the decision was easy to make. I started to use PGP Disk - a tool to securely encrypt the content of a disk.
Due to the things my company dealt with back then, we also needed an encryption solution for e-mail and file transfer. PGP came to the rescue here as well. Their PGP suite even included a plugin for Eudora (anyone else remember Eudora???) and I implemented the full use of automatic encryption and signing of messages between our HQ in Norway, the sales office in France and our development unit in Pakistan. We even taught a few of our customers to use these tools.
Long story short - I have been a happy user of PGP for many years, and I still use it occasionally. And PGP has come a long, long way from the early days when it was mostly a geek's tool and something only the most paranoid would be using.
In 2009, the basic concept is the same - secure data on devices and on the go. And as in the early days, they are still innovative and deliver tools and solutions that IMO far exceed those of their competitors.
Today, there are two critical factors for any security solution. First, its readiness for mobility (devices, users on the move, data on the move), and second, manageability. As for PGP, they have not been sleeping in class. By focusing on manageability in their PGP Universal Server, they are able to deploy encryption and enforce policies on a wide range of devices - ranging from servers to mobile devices, including BlackBerry devices.
Even though the products have evolved and functionality has been added over the years, the PGP suite of products is still easy to use. The administrator can even deploy the tools without user interaction, a vital option in some organizations.
Another feature that is critical is transparency for the user. The PGP Universal Gateway Email enforces policies automatically, without any user interaction. Imagine having to teach 1 000 users to encrypt all e-mails they send out that contain business-critical information. Then you must make sure they actually remember to encrypt the right e-mails. After 6 months, how many of the 1 000 users do you think are still encrypting their e-mails?
Imagine another scenario - you are working on the annual report, it is due in two days, and you send the preliminary report to a colleague. Or so you think, just typing Anne and hitting enter in the To: field. You think it will go to Anne Hansen, while in fact this time Anne Berrington gets it. And Ms. Berrington is a journalist at the national business paper.
With tools like the PGP Universal Gateway Email, the e-mail would have been automatically encrypted, and Ms. Berrington would need special credentials to open it. Since she is not in the right group, she would not get access to the report. No harm done, except the blushing on your face when she calls and tells you about the error.
Since its start in 1991, PGP has been the spearhead of encryption - both on hard drives and on the move. The ease of use combined with strong encryption and a high level of innovation makes the PGP tools suitable for any organization - from the one-man company to multinational corporations. So when you are in need of file encryption software, look no further!
Press release: IT Security Spending Will Increase to Match Rising Cybercrime Threat in 2009
Farnborough, United Kingdom, 12th January 2009 - Finjan Inc., a leading provider of secure web gateway solutions for the enterprise market, today announced the findings of its IT security survey conducted during December 2008. In light of the economic downturn and rising cybercrime attacks as indicated in Finjan’s Web Security Trends Report Q4 2008, Finjan conducted an online survey among 200 IT and security professionals. The survey focused on determining the trends for allocating IT budgets in 2009 compared to 2008.
The results reveal that the total IT budgets for 2009 tend to be reduced compared to 2008. However, the IT security budget outlook was more optimistic since organizations intend to dedicate a larger part of their total IT budgets to IT security.
Key findings from the survey:
- 38% of all respondents stated that they do not expect a change in their 2009 IT budgets, while 34% indicated that they expect them to be slightly smaller - reflecting the general declining trend in corporate budgets.
- 34% of the respondents indicated that their IT security budgets for 2009 will increase, indicating a general trend that organizations will allocate a larger part of their overall IT budget to IT security. 43% of all respondents expect their IT security budget for 2009 to remain the same.
- The survey also found that the upward trend in IT security budget allocation was more pronounced in the financial and governmental sectors than in others.
“During an economic downturn it is to be expected that all budgets come under scrutiny. Organizations are trying to get the most out of their spending and reduce the Total Cost of Ownership (TCO) of their IT investments – efficiency being the name of the game,” said Yuval Ben-Itzhak, Chief Technology Officer at Finjan.
“While 2008 saw IT security departments facing new challenges in protecting valuable business data against an ever-increasing wave of cybercrime attacks, 2009 is adding a further economic challenge to the mix. As a result, organizations are looking for a comprehensive security solution with low TCO that covers all their Web security needs and is also simple and easy to manage,” added Ben-Itzhak.
Midway through 2010 the recovery in the corporate governance recruitment market that was evident at the start of the year is now firmly established. As recruitment consultants we have been genuinely surprised at the strength of the recovery. The recovery is focused on the financial sector and is a result of both renewed growth in the sector and greater regulatory oversight. Investment in corporate governance has clearly become a priority.