ITWales.com

Interview: Richard Hollis & Tony Neate at the eCrime Summit

by Sali Earls


The first Welsh eCrime summit took place in Cardiff on 8 February with the mission to develop an effective and coherent defence plan for Wales. Sali Earls spoke to two of the key speakers to discover their opinions of the current situation and ideas for the way forward.

Richard Hollis, founder and CEO of Orthus

Richard Hollis is the founder and CEO of Orthus, a European information security consulting firm headquartered in London specialising in cost-effective, product-agnostic IT security solutions. He is a seasoned security professional with over 20 years' industry management experience, and extensive hands-on experience in designing comprehensive IT security, business continuity and disaster recovery programmes for more than one hundred blue chip high tech companies throughout Europe. His career has included time spent as Director of Security for Philips Communications, Deputy Project Security Director to the US Embassy Moscow Reconstruction Project and numerous sensitive security positions within the US Government. His expertise has been shared via numerous articles and white papers, and in appearances on BBC, Channel 4 and CNN, as well as appearing in print in Time, SC, InfoSec, Computing and Computer Weekly.



Tony Neate, Tactical & Technical Industry Liaison, National Hi-Tech Crime Unit

Tony Neate is Tactical & Technical Industry Liaison at the National Hi-Tech Crime Unit, where he has been seconded from his role as Detective with the South Wales Police. His 29 years of Police service have seen him work with all aspects of commercial fraud, including responsibility for computer crime investigation and the recovery of computer-based evidence in South Wales. Since the mid-1990s, he has worked in the field of Hi-Tech Crime, dealing with offences ranging from unauthorised access and email abuse to cyber stalking and paedophilia. Tony is the Secretary of the Association of Chief Police Officers (ACPO) Hi-Tech Crime Working Group, which was formed in 1996 to look at all aspects of computer-related crime on a National basis. In 2001, Tony took up his position within the National Hi-Tech Crime Unit, the lynchpin in the UK's co-ordinated response to cyber-crime.


Do you think companies are at greater risk from internal or external threats?

RH: It's perceived as exterior. Everyone's got this picture of the "boogey man" sitting in his basement, breaking into a bank in Jakarta, but 7 out of 10 people in jail for cybercrime are employees of the company that's prosecuting them, and that's a fact. As a contractor, I may work with a small company where everybody's "family", and they don't want to suspect their family - you don't want to look within. But the first thing I say to them is, "You've got a 70% probability that I'm going to chase this incident right back to your staff - what are you going to do when I bring that to you? You better answer that question now - what's your policy on prosecution, what's your HR policy?" It's a cold hard fact, and I think I'm being conservative. Almost all the forensics cases I've worked always point to an internal - someone with access, motive and opportunity.


With that in mind, should companies be able to track employees' email and computer usage?

TN: Yes, but there are different levels. People should spend a little bit of time on the internet - look at the policies you can pick up in hundreds of different places, simple, easy-to-use policies to fit your particular business. There is no one particular place to go, but if you put in the search criteria "small company staff policy" you will get a number of hits back that may give you templates to start. OK, this might take you a few hours, but it will give you a very good basis where you can come from and it's a good starting point. If you are a bigger company, maybe you have 10 or 20 employees, you may have a big enough turnover, and a big enough profit margin where you can actually employ a company. Look at the company, look at what they have done, then use references to see if they have been used by anyone else, and get them in to look at your system, to do a check on your system to see how secure you are from the outside. Then you go on to some of these anti-virus sites and Microsoft, you can go on and actually get them to check your system while you are online, and they will check and tell you where your vulnerabilities are. It's not hard to do that type of thing, and all companies, certainly within the small to medium enterprise zone, should start looking to do this, and realising that they are vulnerable. It's the basis.


What should CEOs and MDs be asking their systems administrators to ensure that they are doing their job properly where security is concerned?

RH: "Show me the proof." A lot of systems administrators now, they have a lot of defences in place, they have firewalls but they are not reading the logs. "What's the activity on there? Show me the proof." One of the things we recommend to a client is to download free "sniffer" software and let it run on the network for a week, and it will show all the strange anomalies that are there, what kind of traffic is going on, who is trying to log in through ports that they shouldn't be - where's the proof? "Where is the proof that I have got a security problem?" is what I'd love to hear a CEO ask a systems administrator, when he keeps on asking for firewall maintenance and monitoring money "Show me the activity, show me the log." I don't think people read logs, I don't think people actually go down to the nth degree, and understand what it is that they are looking at and know where the vulnerabilities are to their business. A CEO who's smart enough to say "Show me the proof", and get it, and not let it rest, follow it through to get the proof, whether it's a Sarbanes Oxley review, some sort of audit that he's under, it should all be there, and the enterprise should be geared to be able to show proof.
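The "show me the proof" exercise above, reduced to code: an added example (not from the interview or from Orthus) that reads constructed firewall log lines, counts connection attempts per port, and flags sources that keep hitting ports the business does not actually expose. The log format, the IP addresses and the allowed-port list are all assumptions chosen for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic); the syslog-like format
# "<ts> fw ALLOW|DENY src=<ip> dst=<ip> dport=<port>" is an assumption.
SAMPLE_LOG = """\
Feb 08 09:01:12 fw DENY src=203.0.113.7 dst=192.0.2.10 dport=22
Feb 08 09:01:13 fw DENY src=203.0.113.7 dst=192.0.2.10 dport=23
Feb 08 09:01:14 fw DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
Feb 08 09:02:40 fw ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443
Feb 08 09:03:05 fw DENY src=203.0.113.7 dst=192.0.2.10 dport=1433
Feb 08 09:04:50 fw ALLOW src=198.51.100.9 dst=192.0.2.10 dport=80
Feb 08 09:05:01 fw DENY src=198.51.100.9 dst=192.0.2.10 dport=22
"""

LINE_RE = re.compile(
    r"fw (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)"
)

# Ports this (hypothetical) business deliberately exposes to the internet.
EXPOSED_PORTS = {80, 443}


def parse_log(text):
    """Yield (action, source_ip, destination_port) for every parsable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("action"), m.group("src"), int(m.group("dport"))


def summarize(text, exposed=EXPOSED_PORTS, probe_threshold=3):
    """Build the evidence a CEO could ask for: attempts per port, plus the
    sources that touched at least `probe_threshold` distinct unexposed ports."""
    by_port = Counter()
    unexposed_hits = defaultdict(set)
    for _action, src, dport in parse_log(text):
        by_port[dport] += 1
        if dport not in exposed:
            unexposed_hits[src].add(dport)
    probers = {src: sorted(ports) for src, ports in unexposed_hits.items()
               if len(ports) >= probe_threshold}
    return {"by_port": by_port, "probers": probers}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for port, count in sorted(report["by_port"].items()):
        print(f"port {port}: {count} connection attempt(s)")
    for src, ports in report["probers"].items():
        print(f"{src} repeatedly hit unexposed ports {ports}")
```

On the sample above, one source is reported for touching four ports the business never opened, while a single stray attempt from another source stays below the threshold.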


On the Orthus website you describe security as a process rather than a product. So companies need to ensure that the policies they use are dynamic, and they need the vision to move forward. As a consultant, how would you persuade companies to trust something that is intangible like this?

RH: This is a subject near and dear to my heart. The reason that we got together to form the business was based on this idea that too many people in the market saw security as an end destination. They felt that if you buy a firewall to connect that is all you had to do, and firewall marketing directors sold the idea sometime in the late 1990s that to connect to the internet all you need is a firewall. Firewall = security. So we came on the scene, we were sort of the antithesis to that. We believed that the security industry was product led versus process, and that they were selling firewalls but they weren't configuring them properly. They weren't putting policies on, they weren't patching and upgrading, they weren't monitoring, and what they were monitoring they didn't understand, so it was useless with this idea that it was product first, process second.

So we spent a lot of time educating people in the understanding that the kit is worthless unless you configure it, unless you actually put the time and effort in to actually know what the policy is, and that has to include what firewall ports present what vulnerabilities, and what has to be patched and what doesn't. So, we preached the gospel, as it were, according to process not product. Product is definitely a piece - you need a firewall, but quite frankly you can configure a router to give you pretty much the same thing. It's about picking the right pieces of kit and placing them at the right time in layers of security. So I started from the beginning to talk to a client about "What are you trying to protect, and why are you trying to protect it, and what's going to happen to you if you fail". The policies and procedures have to all be geared toward that objective, and that objective is going to be unique to that company, whether they are a police department, a fire department, "mom and pop.co.uk", you know, selling shoes online, everyone has got their own problems, everyone has got their own pain level, everyone has got their own secret sauce that if they lost it, it would put them out of business, or harm their business. So you have to understand that and of course you have to know that what you write has got to go right around protecting that, that is the game, and if buying a firewall is a piece of that, or some gadget, then we're here to help you.

TN: It's about people - of course technology helps, but it's about putting the processes and procedures in place to support what you are doing, and I can't stress that enough. The amount of times we see systems being compromised, basically because of social engineering of customers, of clients, of contractors, and members of staff who are compromised because of situations. So at the end of the day, it is a matter of the process over the technology. You need to have the technology, you need to be aware of the technology, but the process has to be in place, and the education.


Do you think it's enough to have a virus checker and a firewall?

TN: I think it's a starting level. At this conference, I am launching an SME document, which is a guideline, a starting point, to look at where the basics are, and if you start with the basics then it's a start. All houses, if we use that as an analogy, have locks on their doors and locks on their windows - it's a start - it's having anti-virus, patches and firewalls. If you wanted to go further, you might have an alarm system on your house with microwave detection in certain rooms, and other things like a camera maybe. It's a little bit more expensive and a little bit more secure, but there are other things people can bring in - they can actually get a consultant in, and there are some great consultants around, relatively cheap, that can look at your systems and tell you where you can improve them. The more money you wish to spend, then the more secure you can be, but there's a certain point you can get to without spending a lot of money. Some of the best anti-virus software available today, according to some of the surveys that have been done, is free. Free firewalls are available, patches - when it comes to Microsoft patches. These are three basics that you can get right at a low cost.


With so many recent well publicised security breaches and hacks of software, how would you advise companies when selecting technology?

RH: It all depends on the organisation. For a small organisation to be able to build from the ground up, using the Linux platform or some sort of flavour of Unix, would be great. Quite frankly, do you know what I would advise companies who are building from the grassroots up? I'd tell them to go Apple. Go against the law of averages. 97% of the hacks are on Microsoft, because 97% of people are on Microsoft platform - you want to be part of that 3%, go with the Apple platform. That's what I'd tell somebody who's truly designing for security, and then start to identify, minimise and manage. You can download another operating software on top of Unix, and you still might have a hole - everything's got a back door, everything's got a hole is my experience. So it's a better way to go. I'd take them online to look at your operating software.


All companies should have a security policy, but how should SMEs approach this without it becoming an unwieldy undertaking?

TN: You don't have to have one. What I hope will come out of the conference is BS7799 which is the industry standard for security, and if you just look at those ten principles you can see where you should start looking to put simple things in place - password control, access control - even if you only have two computers, how they talk to each other. One of the other things that I don't like to hear is when they talk about broadband - broadband is installed now by a number of different companies, and do they actually talk about firewalls when you are looking to install it - do they come with firewalls? It is classified as always on - why? Why are they always on? It's like saying that your front door is always open - when you're not at home, shut your front door. When you're not online, turn off your broadband connection. If you turn it off and you only put it on maybe 10-15% of the 24-hour period, you're only vulnerable 10-15% of the time - if you leave it on for 24 hours, then you are vulnerable 100% of the time. So it's things like that people have got to start looking at.


Why do you think businesses are slow to react and slow to report eCrime to the police?

RH: Well part of it is, you know, you don't want to air your dirty laundry out to your neighbours - there's a reputation risk. If you're a bank, the last thing you want to do is report "We may have lost some credit card numbers", that has a clear financial impact if you report it and a serious security breach is made public. Another one is "Don't ask. Don't tell", "No, we don't have any problems here, and because we said we don't have any problems, we don't need any money for security issues, to identify, minimise and manage that threat to our business." It could be a board reason, it could be management reasons - nobody likes to look like they got caught with their guard down. Some of the most brilliant cases, as far as I'm concerned, are the people who've had the nerve to say, "We let our guard down. We lost some credit cards." That's a hard thing to do, and go on and correct the problem, and risk financial loss to your company and reputation loss, and no one has a handle on how much their reputation is worth until they lose it.


What do you think the greatest eCrime threat is today, and how can companies avoid being a victim?

RH: Ignorance. Without a doubt, ignorance is the biggest threat to companies. Companies that don't do a self assessment of what they have to lose and what it's going to cost them, and dealing with security as a knee-jerk reaction, dealing with security when they have to, when they've got hacked, when they've lost the credit cards, or lost something of value, then and only then does it become something on their list of things to do. I think that's changing, whether it's because of legislative requirements now because of Sarbanes Oxley, everyone's trying to be more transparent, but I think the biggest problem is ignorance and not understanding that security is in fact an asset, it's not a liability. It's not something you pay for, it's not insurance any more. I think it's starting to make its way to the forefront - companies don't want to see themselves on the front page of the Financial Times, so they are starting to ask proactively - it doesn't matter to me how it happens, it's happening - ignorance levels are going down and security awareness is coming up. Security is one of the top 10 questions I'm hearing. If it were in the top 50, it would still have changed substantially in my lifetime.

TN: For a lot of companies who are online or doing business online, the biggest risk that I see is the lack of consumer confidence - they are hearing all the scare stories about phishing, about identity theft, about attacking systems with viruses, and people, unless they are well educated about how to do it properly, will start turning off their machines and not buying the services, and not buying the goods. You've got to start educating rather than scare-mongering, and one way to do that is through conferences like this and information like the SME leaflet we're going to launch. There are an awful lot of big companies out there who still aren't regularly updating their anti-virus, there are major problems with companies not patching their systems. There were good arguments before from companies who found this difficult, but at the end of the day if a major virus or major worm hits you, your company can go down. A lot of companies that go down never recover again. Basic firewall management, intruder detection systems, but they have to actually put the process and people behind it to know what they are doing, when they have a firewall installed to know that it is configured properly in order that it does its job. It's the basics, doing the basics.



Further Information:

Orthus
Visit the website of Richard Hollis' organisation where you can find many useful hints and tips to secure your systems
www.orthus.com

National Hi-Tech Crime Unit
Download the SME guide launched by Tony Neate at the eCrime Summit, and find out more about the NHTCU
http://www.soca.gov.uk
