
Is Big Brother watching you? IT Pro Strategic Security Report in Association with Juniper Networks


This strategic report from IT Pro, supported by Juniper Networks, highlights the security challenges that companies and individuals face globally and daily, and shows the technology and business advantages that can be put to use today to combat the ever-increasing security challenges of a digital age.


Page 1: Is Big Brother watching you? IT Pro Strategic Security Report in Association with Juniper Networks

A quarterly IT strategy special report from the experts at IT Pro

THE IT PRO REPORT

An IT Pro publication, in association with Juniper Networks

SPRING 2014

Is Big Brother watching you?

The big eye in the sky has us all worried. Should we be fearful or thankful it’s watching over us?

Page 2


About our sponsor: Juniper Networks is the industry leader in network innovation. Our silicon, systems and software transform the economics and experience of networking for service providers and enterprises worldwide. Juniper enables high-performance networks that combine scale and performance with agility and efficiency, so customers can build the best networks for their businesses. For more information, please visit: http://www.juniper.net/uk/en/

Page 33

Feature The surveillance state: Fact or fiction?

Welcome to the future: We are watching you

Are we headed for a future where our every moment is watched and analysed? Should that dictate our behaviour or should we just get on with things and relax?

Maggie Holland has been a journalist since 1999, starting as editorial assistant on Computing magazine. She is now group editor of Cloud Pro and IT Pro.

There is one CCTV camera for every 11 people in Britain. Add to that the human element in the form of special agents, security guards, police and military and it’s safe to say you are being watched wherever you are.

There’s nothing new about any of that, though. Businesses – whether commercial organisations watching over employees to ensure they don’t trade secrets or fiddle the books, or retailers clamping down on shoplifters – have always protected their interests. Now, however, the game has changed. And not everyone is playing fair.

You know what you know

The NSA PRISM debacle shone a spotlight on surveillance and monitoring. Those we should be able to trust implicitly (government) have ultimately betrayed us. They’ve done things they pretended they didn’t do, shouldn’t do, and that we thought they never would do. The trust is forever broken.

Yes, there are numerous arguments that it’s for the greater good, and many people won’t dispute that. Indeed, many feel it’s not what has been done, in terms of monitoring, that’s the issue. It’s the deceit that hurts the most.

“Transparency and openness are certainly paramount objectives for any processing of information,” says Sally Annereau, data protection specialist at law firm Taylor Wessing. “People are generally prepared to accept that for law and order purposes, it will be appropriate to allow law enforcement bodies to access certain types of records. However, effective democracy rests on an electorate being kept informed so public bodies and governments can be held to account if their actions step beyond what are viewed as the boundaries of acceptable use.”

While the number of cameras and monitoring tools around us is growing, we shouldn’t always blame the government. Indeed, research published by the British Security Industry Association (BSIA) claimed that privately owned CCTV systems outnumber those of local authorities and police by around 70:1.

“There is a popular misconception that the camera population in the UK is owned by the government. The BSIA statistics set the record straight once and for all. It is private businesses who own the material camera population, not the government. Day to day, these cameras are not available to the government and law enforcement agencies; they are busy working to protect their owners’ premises,” said Pauline Norstrom, vice chair of the BSIA’s CCTV section.

Page 19

Feature Monitoring: The IT department’s view

Keeping tabs without compromising privacy or security

There’s a fine line between protecting company interests and overly snooping on employees and what they get up to, as Stephen Pritchard discovers…

Stephen Pritchard has been a journalist since 1990. Today his main specialisms are business, technology and finance. He writes for a number of national and international titles, and is a contributing editor and columnist for IT Pro.

Since Edward Snowden’s revelations, discussions on surveillance have understandably focused on government monitoring. But, used correctly, monitoring is a valuable resource for IT departments, both in the battle against hacking and cyber crime and for improving IT operations.

Monitoring, though, is not without restrictions. Laws, especially data protection laws, employment laws, HR practices and privacy norms all limit some types of surveillance. This applies, in particular, to monitoring employee behaviour and their use of data and applications.

At the same time, better use of monitoring and instrumentation can give IT departments a much better view of the way networks and applications are performing. Application performance management, and also business process management, rely on activity monitoring to work – although it need not go down to the level of monitoring who is doing what on the network.

A watchful eye

Monitoring can also provide a vital early warning, both against cyber attacks and of data leakage or theft. Data loss prevention (DLP) tools again rely on monitoring, both of data flows and of user behaviour. A DLP application, for example, will flag if an employee who normally accesses half a dozen customer records in a day suddenly starts to download thousands.

Active monitoring is also a key weapon for defending against advanced persistent threats, or APTs. APTs, unlike most malware, are designed to be stealthy. Monitoring for unusual network activity, or data exfiltration, may be the only way to spot an APT at work.

“There are plenty of good reasons to monitor IT and network usage. Security: obviously understanding what is going on in a network is the mainstay of preventing the ingress of malware and the egress of sensitive data. By linking the latter to users, [firms can] spot and correct careless behaviour and root out malicious users,” says Bob Tarzey, analyst and director at Quocirca.

“But it’s also about user experience. The way the network performs is a key part of understanding the end-to-end user experience. This is especially necessary for organisations that provide on-demand services to consumers, other businesses and partners, which is two-thirds of all business in Europe. (see Quocirca research report here)

He adds: “Then there is business process monitoring: making sure business processes are as efficient and secure as possible. But companies can also gain operational intelligence. This goes beyond security and into commercial insights. For example a call centre can monitor actual call volumes or waiting times and see if these correlate with other data, such as customer type or
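The DLP check and the exfiltration monitoring described in this feature come down to the same computation: learn what a normal day looks like for each user or host from its own past, then flag a day that breaks that baseline by a wide margin. The Python below is an added example written for this page, not code from the report, from Juniper Networks or from any DLP product; the two log line formats, the address-prefix rule for “internal”, the ratio and floor thresholds and all sample records are constructed for illustration.

```python
"""Baseline-and-spike detection over access and flow logs.

Added example for this page, not code from the IT Pro report or from
Juniper Networks. Both log formats, the thresholds and the sample records
are constructed for illustration.
"""
from collections import defaultdict
from statistics import median


def _fields(lines):
    """Yield the whitespace-separated fields of each non-blank, non-comment line."""
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()


def daily_spikes(series, ratio=10.0, floor=0, min_days=3):
    """Flag days whose value breaks the key's own historical baseline.

    series: {key: {day: value}} with ISO dates as day strings so they sort.
    Each day is judged against the median of the days *before* it, never
    including itself or later days, so a burst cannot raise the baseline it
    is measured against. A day is flagged when
        value >= max(floor, ratio * baseline).
    Keys with fewer than min_days of prior history are skipped rather than
    judged against a baseline of one or two samples.
    Returns a list of (key, day, value, baseline) tuples.
    """
    hits = []
    for key, by_day in series.items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            history = [by_day[d] for d in days[:i]]
            if len(history) < min_days:
                continue
            baseline = median(history)
            value = by_day[day]
            if value >= max(floor, ratio * baseline):
                hits.append((key, day, value, baseline))
    return hits


def record_access_spikes(lines, **thresholds):
    """DLP-style check: distinct customer records read per user per day.

    Line format (constructed for this example): '<YYYY-MM-DD> <user> <record-id>'.
    Distinct records are counted, so re-reading one record all day is not a spike.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, record in _fields(lines):
        seen[user][day].add(record)
    series = {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}
    return daily_spikes(series, **thresholds)


def exfil_spikes(lines, internal_prefix="10.", **thresholds):
    """Egress check: bytes sent per day from each internal host to outside addresses.

    Line format (constructed for this example): '<YYYY-MM-DD> <src-ip> <dst-ip> <bytes>'.
    internal_prefix is an assumption standing in for a real internal address list.
    """
    out = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in _fields(lines):
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            out[src][day] += int(nbytes)
    return daily_spikes({h: dict(d) for h, d in out.items()}, **thresholds)


# Constructed sample access log: alice reads six records a day for four days,
# then pulls 400 on 2014-03-07; bob's week is flat and must not be flagged.
ACCESS_LOG = (
    [f"2014-03-0{d} alice rec-{100 + d * 10 + i}" for d in range(3, 7) for i in range(6)]
    + [f"2014-03-0{d} bob rec-{500 + d * 10 + i}" for d in range(3, 8) for i in range(5)]
    + [f"2014-03-07 alice rec-{2000 + i}" for i in range(400)]
)

# Constructed sample flow log: 10.0.0.5 sends a few MB a day to the internet,
# then 2 GB on 2014-03-07; 10.0.0.9 only talks to an internal file server.
FLOW_LOG = (
    [f"2014-03-0{d} 10.0.0.5 203.0.113.10 {3_000_000 + d * 100_000}" for d in range(3, 7)]
    + ["2014-03-07 10.0.0.5 198.51.100.77 2000000000"]
    + [f"2014-03-0{d} 10.0.0.9 10.0.0.20 900000000" for d in range(3, 8)]
)

if __name__ == "__main__":
    for user, day, n, base in record_access_spikes(ACCESS_LOG):
        print(f"DLP: {user} read {n} records on {day} (baseline {base:g}/day)")
    for host, day, n, base in exfil_spikes(FLOW_LOG, floor=100_000_000):
        print(f"EXFIL: {host} sent {n:,} bytes out on {day} (baseline {base:,.0f}/day)")
```

Two design points matter more than the thresholds. The baseline is taken only from earlier days, so an intruder who ramps up slowly still has to beat the median of the quiet period rather than a baseline they have already inflated, and the floor stops a host that normally sends almost nothing from being flagged for a few kilobytes. The same rule has a known blind spot the feature hints at: exfiltration trickled out below the ratio, or spread across many accounts and hosts, stays under it, which is why this kind of check sits alongside, not instead of, the other monitoring described here.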

Contents Spring 2014

Prologue (P3): A foreword by Cloud Pro and IT Pro group editor Maggie Holland.

What’s happening to my data? (P5): Khidr Suleman puts the case for and against surveillance and monitoring.

What are we scared of? (P9): We take a look at the key enterprise fears when it comes to access and security.

Monitoring: The employer’s viewpoint (P13): We look at how employers should approach security and monitoring.

Monitoring: The employee’s viewpoint (P16): We look at security and monitoring from the individual user’s perspective.

Monitoring: The IT department’s viewpoint (P19): How can the IT department monitor and maintain security without invading privacy or locking everything down?

Cloud: Friend or foe? (P22): What role does cloud play in this new world filled with fear, uncertainty and doubt?

Case study: Mozzart Bet (P25): The European betting firm worked with Juniper Networks to enhance security and uptime and achieve 99.9% availability.

Q&A: John Mancini, AIIM (P27): He stresses the importance of protecting your company’s biggest asset.

Q&A: Rodney Joffe, Neustar (P29): We talk to the security advisor about the challenges ahead.

Q&A: Henrik Davidsson, Juniper Networks (P31): We discuss the fears and uncertainty surrounding security and monitoring issues in the enterprise world.

Are we headed towards a surveillance state? (P33): Will George Orwell’s predictions of the future come true?

Where next? (P36): Rene Millman ponders what the future holds when it comes to monitoring.

SPRING 2014
www.itpro.co.uk

EDITORIAL
Editor: Maggie Holland, +44 20 7907 6837
Contributors: Steve Cassidy, Max Cooter, Caroline Donnelly, Clare Hopping, Jane McCallion, Rene Millman, Stephen Pritchard, Khidr Suleman
Design and layout: Sarah Ratcliffe
Editorial Director: Tim Danton
Publisher: Paul Franklin

ADVERTISING & REPRINTS
Advertising Manager: Paul Lazarra, +44 20 7907 6857

LICENSING & SYNDICATION
International Licensing: Dharmesh Mistry, +44 20 7907 6100

MANAGEMENT
Group Managing Director: Ian Westwood
Managing Director: John Garewal
MD of Advertising: Julian Lloyd-Evans
Chief Operating Officer: Brett Reynolds
Group Finance Director: Ian Leggett
Chief Executive: James Tye
Chairman: Felix Dennis

All material © Dennis Publishing Ltd, licensed by Felden 2013, and may not be reproduced in whole or part without the consent of the publishers.

Liability: While every care has been taken in the preparation of this magazine, the publishers cannot be held responsible for the accuracy of the information herein, or any consequence arising from it.

Dennis Publishing Ltd

Page 3

Prologue: No-one likes being watched: Or do they?

Maggie Holland, Editor, IT Pro

The NSA’s PRISM surveillance programme has changed the world as we know it. Yes, we’ve always suspected that the government is watching over certain people and certain activities, but we never suspected just how far such monitoring went.

Some people feel really uneasy about what they believe is a large and worrying invasion of their privacy. They don’t agree that a blanket, just-in-case approach to monitoring is justification enough to snoop on innocent people.

Others feel that if you’ve done nothing wrong you have nothing to be worried about, and that such actions are necessary for the greater good.

The debate is likely to rumble on for some time to come about whether the NSA’s programme was an acceptable use or abuse of power. However, it has also shone a spotlight on wider concerns relating to monitoring and security. In a world where data volumes continue to grow and we’re offering up personal information to the internet and connected devices on a daily basis, how can we be sure that only those that need to see it actually do?

What are the key fears in an enterprise context? How can business and IT decision makers protect their company’s most-prized assets, while at the same time avoiding crossing the creepy and intrusive line?

Khidr Suleman puts forward the arguments for and against surveillance operations like PRISM, while Jane McCallion offers advice for businesses on how to effectively monitor without being a creep.

Caroline Donnelly looks at things from the employee’s viewpoint and warns individuals to be wary of workplace monitoring, while Stephen Pritchard approaches the issue from the IT department’s perspective.

We also look at the role cloud plays in all this and try to decide whether its reputation has been damaged by operation PRISM.

In addition to some great Q&A pieces with industry experts, we also take a look into what the future holds and ponder whether George Orwell’s 1984 has moved from fiction to fact. The novel depicted a scary future surveillance state: are we headed in that very direction?

We hope you find this special report informative and useful as you navigate the important but danger-filled world of monitoring.

As always, we welcome your feedback on what you enjoyed about this report and what you’d like to see in future issues.

Thanks for reading.

For further insight on security, visit www.itpro.co.uk/security

Let us know your thoughts… We’re keen to hear your feedback on this report and find out what you’d like to see included in the next one. Get in touch.

Page 5

Feature What’s happening to my data?

What’s happening to my data? NSA PRISM surveillance: Necessary evil or a misuse of power? Khidr Suleman takes a look at the facts and ponders whether monitoring has taken a step too far…

Khidr Suleman is technical editor at IT Pro and has been in the role since March 2012. Prior to that he worked for fellow B2B tech publication V3 as a reporter.

Is digital privacy dead? When former NSA analyst and whistleblower Edward Snowden outed Project PRISM during the summer of 2013, he presented a convincing case that the US government is watching us.

Following the revelations, the NSA admitted that it “touches” 1.6 per cent of the data that passes through the internet every day. However, it claims the collection is the equivalent of putting a dime on a basketball court and that just 0.025 per cent of that data is reviewed by analysts.

This may not sound like a lot, but it still means the NSA processes around 29PB of data per day, more than the 20PB web giant Google handles daily.

Is this form of indiscriminate monitoring on such a global scale simply the price we have to pay for all the technology we can use in the modern world? Or is it a giant leap too far? And can the positives of such surveillance ever outweigh the negatives?

Pro surveillance: Sacrifice for the greater good

Isn’t the whole point of the data collection to make the world a safer place? The internet is now critical to our daily lives. It’s not only the primary source of information for us most of the time, it’s also the cornerstone of our economies, providing jobs and facilitating the transfer of goods and services. Unfortunately, the internet is also heavily abused. The web is used not only to plan, but to promote and execute atrocious actions including paedophilia and terrorist attacks.

If there is even a remote possibility that such heinous crimes can be prevented via some form of monitoring, isn’t it the duty of law-abiding citizens to comply? Even if that means sacrificing digital privacy? Look across Capitol Hill and you’ll find plenty of people who will argue this to be the case.

The NSA claims its surveillance programmes and solutions, such as its XKEYSCORE analytics tool, are necessary. The agency claims to have captured 300 terrorists using intelligence generated in this way.

In his testimony to a Standing Committee on Intelligence in June 2013, NSA chief General Keith Alexander claimed more than 50 terror plots have been foiled since 9/11 because of the programmes in place. These include plans to attack the New York Stock Exchange and the New York City subway system, with possibly devastating consequences.

So is having emails scanned and metadata collected from phone calls really that big a deal, if there’s a possibility that it could help save just one life? In that context, many reasonable people would say not, especially when you consider that most emails are spam, the content of phone calls is not disclosed and there is no proven impact on the daily life of innocent people.

You could go further and say that society has already willingly consented to monitoring on a daily basis. We’ve all got smartphones that can track our locations to within metres, ISPs have access to our internet browsing habits and, if you live in an urban area like London, the chances are your face is plastered over CCTV walls on a daily basis.

With wearable technology such as Google Glass on the horizon, the arrival of smart rubbish bins, and the encrypted email services Lavabit and Silent Mail being shut down, the lack of digital privacy is perhaps something we’re going to just have to get used to.

Albert Einstein: The world is a dangerous place to live; not because of the people who are evil, but because of the people who don’t do anything about it.

Against surveillance: It’s a gross misuse of power

Data collection isn’t always illegal. And many questions most definitely remain over the effectiveness of this method. On the face of it, it seems the NSA can’t be trusted with the great responsibility of the powers it has been granted.

In the US, the Fourth Amendment to the Constitution protects civilians from unreasonable searches and seizures and sets out requirements for search warrants based on probable cause. Almost all other countries have similar laws, which aim to protect the rights of citizens.

In Europe, Article 8 of the European Convention on Human Rights, given effect in the UK by the Human Rights Act 1998, guarantees a right to respect for private and family life – a right which at times is so liberally applied that it even protects known criminals.

By collecting information from US citizens and foreigners, the NSA is ignoring fundamental laws that the US and its allies are built on. And with the US Congress and the secret FISA Court green-lighting this without input from citizens, who’s to say that further down the line these bodies may not choose to restrict other constitutional rights? Freedom of speech, freedom of religion and even freedom of the press may be curtailed in the future, all in the name of safety.

In fact, the limiting of freedom of speech already appears to have started. Google has already tried to use the First Amendment to challenge bodies such as the DoJ and allow it to reveal information about data collection – unsuccessfully, so far. And the web giant isn’t the only one to have been silenced.

Ladar Levison, owner of encrypted email site Lavabit, made the decision to shut down the service after apparent pressure to grant access to customer information. The exact reasons behind the closure are unclear, as Levison explained.

“I feel you deserve to know what’s going on – the first amendment is supposed to guarantee me the freedom to speak out in situations like this,” he said. “Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests,” he noted on the site.

Benjamin Franklin: They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.

Not enough

Despite the NSA claiming to have foiled 50 attacks, questions remain over how and why some of the world’s deadliest attacks, such as 9/11 and the Boston bombing, slipped through the net.

In the case of 9/11, reports suggest the NSA started collecting data in some form around seven months prior to the attack and that other agencies, including the FBI and CIA, knew of a substantial threat and even the identities of the hijackers. It would seem all parties involved failed to co-operate and act. Certainly not in time, anyway.

Perhaps more worrying was the failure to prevent the Boston bombings, given the length of time the NSA has had its surveillance procedures in place.

Dzhokhar Tsarnaev, the surviving suspect, told federal investigators he downloaded extremist materials from the internet, including instructions on how to make home-made pressure cooker bombs.

Yet what appeared to be a primary source of suspicious activity was not picked up in the day-to-day NSA data sweeps. And no explanation has been forthcoming.

Justification or an excuse?

Even if we take into account all the good the NSA does, can it really be trusted with the information it gathers? The answer, in the opinion of many people, is no.

A leaked internal audit conducted by the NSA from May 2012 appears to confirm a gross misuse of power. The audit uncovered 2,776 incidents of unauthorised collection, storage and distribution of legally protected communications over a 12-month period.

Serious breaches included a violation of a court order and unauthorised use of data of around 3,000 Americans and green-card holders. Is this evidence that absolute power corrupts?

Acquiesce or object?

It’s a polarising subject, but whatever your views on data collection, the NSA leak did us all a favour by getting it out in the open and generating debate. After all, you can’t change something if you don’t know it’s happening in the first place.

People now have two options. Most will choose to do nothing. They’ll simply carry on with life, which will remain unaffected, for now. Or they may sign up to one of the many petitions that are trying to push through reform and take steps to restore some semblance of privacy. Those tasked with dealing with sensitive information will certainly have a vested interest in ensuring they can do their jobs without invading privacy or breaking laws.

With the closure of encrypted email services Lavabit and Silent Mail, and the assertion by Google that users have “no legitimate expectation of privacy”, email appears to be the most vulnerable type of communication.

But it’s still possible to encrypt instant messages and phone calls using specialist services. The Pirate Bay co-founder has also secured funding for an anti-snooping app called Hemlis in response to the NSA’s data collection.

No doubt more services like this will pop up in the future, so maybe there is still hope for privacy yet.

US Senate intelligence head slams NSA PRISM monitoring

Dianne Feinstein, the head of the US Senate intelligence committee, has switched sides on the NSA spying scandal, calling for a total surveillance review.

Feinstein had been one of the NSA’s strongest supporters in the face of criticism over reports it monitored internet and telephone communications as part of PRISM.

She had been quoted as saying the mass collection of data did not constitute surveillance, as “it does not collect the content of any communication, nor do the records include names or locations”.

However, allegations that the agency has been spying on leaders of allied countries have prompted an about-face on Feinstein’s part.

“Unless the United States is engaged in hostilities against a country or there is an emergency need for this type of surveillance, I do not believe the United States should be collecting phone calls or emails of friendly presidents and prime ministers,” Feinstein said in a statement.

“With respect to NSA collection of intelligence on leaders of US allies – including France, Spain, Mexico and Germany – let me state unequivocally: I am totally opposed.”

Feinstein also said it was “abundantly clear that a total review of all intelligence programs is necessary”.

In relation to the revelations that German chancellor Angela Merkel may have had her phone monitored by the NSA for over 10 years, Feinstein claimed US president Barack Obama had no knowledge of such actions. She added she had been assured such monitoring would not continue.

On 29 October 2013, in the US, the author of the 2001 Patriot Act introduced proposed legislation that looks to curtail the NSA’s powers, including the warrantless collection of bulk phone metadata. The 118-page bill, dubbed the USA Freedom Act, was put forward by Congressman Jim Sensenbrenner and Senate Judiciary Committee Chairman Patrick Leahy.

“Modest transparency and oversight provisions are not enough. We need real reform, which is why I join today with Congressman Sensenbrenner, as well as a bipartisan group of 15 Senators, to introduce the USA FREEDOM Act,” said Leahy.

The two most senior intelligence leaders, James Clapper and General Keith Alexander, were due to appear in front of the House intelligence committee the same day.

Credit: Jane McCallion

PRISM fallout could damage business, claim Cisco and Google

Cisco and Google claim the PRISM programme has not only damaged trust but could also be harmful to American businesses.

Cisco made the claim in November 2013, as it warned revenue would shrink by up to 10 per cent in its then most recent quarter, saying a backlash against American communications firms had hit demand in China.

Indeed, rivals EMC, IBM and Oracle were reported to be facing an official investigation by the Chinese government that August, following revelations that the NSA had been carrying out wide-scale monitoring of global electronic communications.

According to an earnings results call transcribed by Seeking Alpha, Rob Lloyd, president of development and sales at Cisco, said: “This issue has caused, increasingly, customers to pause and [it is] another issue for them to evaluate… it’s certainly causing people to stop and then rethink decisions and that is I think reflected in our results.”

Meanwhile, Google’s law enforcement and information security director Richard Salgado became the first representative of a major technology company to testify before the US Congress following the revelations.

Salgado said: “The current lack of transparency about the nature of government surveillance in democratic countries undermines the freedom and the trust most citizens cherish; it also has a negative impact on our economic growth and security and on the promise of an internet as a platform for openness and free expression.”

Echoing comments made by Box’s CEO at a conference in London, also in November 2013, Salgado warned the scandal could lead to the creation of a “splinter-net” by putting up barriers.

Post hearing, Salgado told Reuters: “You can certainly look at the reaction, both inside the United States and outside of the United States, to these disclosures, to see the potential of the closing of the markets through data location requirements.

“This is a very real business issue, but it is also a very real issue for the people who are considering using the cloud and for those who currently use the cloud and may have their trust in it rocked by the disclosures.”

Page 9: Is Big Brother watching you? IT Pro Strategic Security Report in Association with Juniper Networks

BIG BROTHER9 www.itpro.co.ukhttp://www.juniper.net/uk/en/ www.itpro.co.uk

Technology is a wonderful thing. When used to make working and personal lives easier,

reduce effort and human error and speed everyday processes up, while costing less, it’s a glorious asset to behold.

That’s one side of it. But, there’s a darker, less happy side too. As IT becomes ever-more sophisticated in what it can do for us as workers and consumers, the number of bad guys and gals out there ready, willing and able to make use of it for ill intentions grows.

In other areas of the IT sphere, we move forward by sharing use cases and deployment methodologies.

Without giving away our secrets, we’re happy to share - on a generic level at least - the good, bad and ugly of projects gone by. We’re certainly not shy about showing our battle scars when it comes to bog standard desktop or cloud deployments.

Money talks, security stays quietHowever, when it comes to security, we’re often rendered speechless with no-one willing to say anything until they’ve been outed as having been hacked.

“As the profile of cyber security continues to rise in the media, organisations are more wary of the bad publicity that goes alongside a security breach.  Many sectors are

intensely competitive and customers who lack confidence in the ability of an organisation to protect their information will not struggle to find an alternative source of supply. Enterprises are increasingly aware of the impact of a security breach on their bottom line,” says Lee Newcombe, an expert in information security at Capgemini.

“At the same time as the profile of cyber crime and cyber security is on the rise, enterprises are being offered new opportunities to deliver their IT in more flexible and innovative ways through cloud services or the adoption of agile development methodologies. The challenge for the enterprise decision makers is to find,

Fear and loathing in the enterprise: What are we scared of?For every bit of good technology does, there is someone out there trying to exploit it for less philanthropic intentions. We look at the key fears and issues...

Feature Fear and loathing in the enterprise

and then implement, the balance between innovative IT delivery and appropriate information risk management.”

When it comes to security, it would seem the average enterprise is stuck between a rock and a hard place. Enterprises do want to up their game in terms of protection, but they are not necessarily willing to speak out and ask their peers for help.

Newcombe offers some sage advice for businesses that want to go it alone in mitigating current risks.

“Know your real-world threats and concentrate your efforts on the threats most likely to cause you harm,” he says.

“Identify the data and services that your business relies upon and protect them appropriately.”

He continues: “Adopt an architectural approach to information risk management so as to make sure you get a traceable, consistent and comprehensive set of security solutions... Focus on your detection and incident response mechanisms. Prevention is a laudable aim, but you are unlikely to be able to prevent all potential attack vectors whilst providing a service that can be used by your staff or your customers.”

He concludes: “Make sure you know when you have been compromised and how you will handle that scenario.”

Another skills crisis?

Some organisations have recruited people to the role of chief security officer (CSO) so they have a more focused stance on protecting their most important assets. However, such skills are often hard to come by as it remains a field shrouded in secrecy.

Preparing for the worst

The recent Cyber Security Challenge looked to address skills and expertise shortages by setting up fake scenarios to see how people reacted.

Computer student Will Shackleton was crowned the winner this year.

The event, hosted by intelligence and security organisation GCHQ in March 2014, aimed to find skilled cyber defenders capable of protecting the country against a serious cyber attack.

Kevin Williams, partnership engagement and national cyber crime capabilities manager at the National Crime Agency (NCA), explained how important it is for new experts to be recruited to deal with high-level cyber attacks.

“As the UK’s lead on tackling cyber crime, the National Crime Agency needs to be in the minds of those wishing to pursue a career within this sector. Events such as the Cyber Security Challenge provide a fantastic opportunity for us to not only test the skills of those taking part but also provide them with pathways which allow them to exploit their sought-after cyber skills,” Williams said.

Some 42 people took part in the two-day competition at the Cabinet War Rooms in Whitehall. They were kept on their toes throughout with challenges simulating real-life attack situations.

The challenge opened with a breaking news report describing a cyber attack on London’s financial district that brought down online banking platforms. This meant new stock market flotations could not be completed and BACS systems were compromised.

The challenges were conjured up by cyber security experts from BT, GCHQ, the NCA, Juniper Networks and Lockheed Martin.

“Getting security right and protecting businesses, government and the general public against cyber attacks is vitally important,” said Mark Hughes, CEO of BT Security.

“We at BT understand just how critical it is to ensure the right people are found, trained and ready to take on key roles in the cyber security profession.”

Credit: Caroline Donnelly, Maggie Holland and Clare Hopping

The solution? Cyber crime law

Law enforcers must forge closer ties with industry to plug an IT skills gap that has the potential to hamper their investigative powers.

That’s according to Andy Archibald, head of the Government’s National Cyber Crime Unit (NCU), who used his address at the E-Crime Congress event in central London in March 2014 to highlight the need for skilled IT workers to help in the fight against cyber crime.

“The world and environment we’re policing is changing and there is an absolute need to respond,” he said.

To emphasise this point he cited the different skills law enforcers must draw on today to tackle bank robberies that rely on technology, rather than weapons and getaway cars, to be carried out.

“You can be in a room anywhere in the world, with access to malware and the ability to hack into and intrude into businesses in the financial sector, and you can commit crime and fraud and make millions of pounds,” he added.

During his address, though, Archibald admitted the skills law enforcers need to successfully clamp down on cyber criminals are in short supply.

“We need still to retain the ability, skills, experience and knowledge about how to investigate and engage with the Criminal Justice system, but the skills we need to recover evidence and recover intelligence from the internet are high-end skills and technical skills that aren’t in high abundance in law enforcement,” he said.

In particular, coders, programmers and people with skills in reverse engineering are highly valued by law enforcers. But it can be a challenge to attract and retain them, Archibald admitted.

“It’s a tough marketplace... Not only does the public sector [and] law enforcement need these skills, but so does the private sector,” he said.

“[In] the private sector, traditionally, the salary packages have been more attractive. I think that’s a challenge for law enforcers. How do you begin to address that particular issue as we move forward so we can attract the best, retain the best and ensure we continue to develop and protect our environment?”

One way would be for law enforcers to engage more with the private sector to gain access to the skills they need, he said. This is something the NCU is already doing.

Forging close ties with businesses in the private sector will also make it easier to share knowledge about cyber attacks, he added, which in turn will make it easier for law enforcers to gauge the scale of threats.

“My ambition in the coming months and coming years is, when we begin an investigation and try to work out what’s the best strategy, I don’t want to just be sitting in a room with colleagues from law enforcement having that discussion,” he said.

“I want to be in the room with people perhaps from intelligence services, perhaps from the private sector, from the banks and from the retail sector and from the ISPs and from a multi-national global institution who can advise us on how best to take on that investigation.”

Tail-gating: The security problem not many of us know about

“One of the biggest security risks for businesses is tail-gating. This is when an employee holds the door open for the person behind them, who hasn’t needed to use a security device to gain access.

This very common practice compromises security. It exposes the building and, more importantly, the people in it, to everything from petty theft to computer hacking and terrorism. It also puts the tailgater at risk as there is no record of them being in the building (should it need to be evacuated).

The best way of preventing this practice is to integrate the security systems with the management systems of the company.

By integrating systems, only people who have properly checked into a building can gain access to any of its facilities, whether that’s lights or computers.

As soon as you introduce the system everyone has to check in properly and anyone who doesn’t would immediately be viewed as suspicious.

It also means I can give my clients an accurate list of people in their building within minutes.

In addition to increasing employee safety it also reduces energy costs, which can be as high as 30 per cent [of overall spend].” Chris Percy, founder and president, DSI


Eugene Kaspersky on the cyber jungle

Eugene Kaspersky, CEO of Kaspersky Lab. You’d be hard pushed to find a more bubbly, cheerful and occasionally explosive presenter on the depressing, inescapable and often implausible field of cyber security. Then again, I guess he should be pretty jolly, since he’s in the business of plugging the leaks, Wiki or otherwise, in company and home-user computer networks.

Kaspersky presented at the 2014 CeBIT exhibition in Hannover in early 2014. The event is something of an annual barometer for trends in computing and, in line with other shows, there’s a distinct flavour here of the recession being well and truly over and done with.

Lots of crazy robots with little tethers running back to massive racks of controlling servers: lots of people of a rather older sort, who disappear with great regularity into the apparently infinite series of private meeting rooms.

All change

One of the sponsors enlightened me as to some of the changes that have occurred. In the old days, it used to be delegated techies who attended, let out of their basement offices for a once-a-year jolly. Now, it’s the CEO and the CTO walking the halls, very often arriving so they can sign off a deal with a supplier that’s been in the pipeline for months.

It was this audience that Kaspersky had in mind. He didn’t dive especially deep into his topic - not one slide gave any hard numbers behind any of his assertions. What he provided was a rapid-fire tour of the motivations behind the attacks. He wanted the room full of CXO types to sit back in shock and think “wait, this isn’t some crazy nerd talking here – it’s a chief exec, just like me, who knows the limits of my beliefs.”

While stories of hackers making their own petrol station discount cards by hacking the sales system of the chain of garages didn’t get much attention (they were caught within a month, apparently), the story of a heist lasting five years, of coal from Russian automatic loading systems for coal trains, clearly had a bigger impact.

An engaging presentation

Incredulity management didn’t appear on his big screen, or on the cutesy cartoon board being drawn off to one side of the stage as he spoke. But it ran through his whole presentation. As techies, we all have a responsibility to figure out what the bosses are going to understand, given that they probably won’t want to dive into the deep details of what makes an attack work or fail. And, at a certain level, the attack that gets through is the one that someone is too incredulous to spend money protecting against.

With a room full of CXOs, Kaspersky wasn’t going to move much below appeals for international standardisation and cooperation to talk specifics about risks to net neutrality. Nor was he going to go into the differences between having to protect a vulnerable machine against its own security holes, or putting imperfect machines behind restricting traffic chokes of some kind. He wanted other people – largely, regulators and various forces for social change – to shoulder the burden of improving cyber security, mostly by way of very non-technical initiatives like education and legal changes to regulation.

He even had a section on the nature of cyber espionage, though at this point I suspect he realised he was treading on thin ice against his own preferred fixes for the lower-level criminals – it’s very hard to co-operate internationally when your co-operators are also spying on you.

Right at the end, the Master of Ceremonies blindsided him with a final question: “Who worries you more – the cyber criminals, or the NSA?”

Kaspersky hedged his bets with a 90 per cent non-verbal answer. He spread his arms wide and eventually shook the MC by the hand, limiting his words to a carefully non-committal “Thank you very much” before going on to say “Every time I use a computer, I am aware of the possibility that someone – government, or criminal – could be watching.” Credit: Steve Cassidy

Striking a balance – how to monitor without being a creep

Monitoring in the workplace can be helpful and constructive, but it can also potentially damage workplace relationships and sow the seeds of mistrust.

Feature Monitoring: The employer’s view

Jane McCallion is staff writer at Cloud Pro and IT Pro, following the completion of an MA in journalism. Prior to that, Jane worked in PR and was a freelance journalist.

In George Orwell’s novel Nineteen Eighty-Four, the people of Great Britain are under constant surveillance.

‘Telescreens’ in their homes and workplaces allow them to be monitored round the clock, lest they do or say anything untoward. Their post is opened and read before being passed on. The powers that be know everything about them.

The book has had such an effect on us as a society that its themes and even some of its language – thoughtcrime, newspeak and Big Brother – have entered into everyday usage.

Against this background, how is it possible for organisations to carry out any form of monitoring without being perceived as some kind of dystopian tyrant? Can it ever be done ethically, and is it possible to persuade employees, partners and clients that it is necessary?

The good news is yes. All these things are possible. However, companies need to be careful how they tread, because there are plenty of bear traps to fall into.

Who are you looking at?

Before getting into ‘how’, though, you first need to answer ‘why’ – why do you want to carry out any kind of monitoring activity?

According to George Tziahanas, vice president of legal and compliance solutions at HP Autonomy, the primary reason companies carry out surveillance is because they are obliged to do so.

“In certain industries – certainly financial services and, to a lesser degree, in the pharmaceutical sector – the employer is obliged to provide a layer of supervision or surveillance over their employees,” Tziahanas says.

Alan Delany, an associate at law firm Maclay Murray & Spens, who specialises in privacy and monitoring, explains that in the UK this would apply to businesses such as those regulated by the Financial Standards Authority (FSA).

“Often for them, there will be a requirement as to the recording of electronic communications inside and outside the organisation,” he says.

Outside of regulated industries, there are other reasons companies may wish to introduce monitoring technology, such as protecting confidential information or trade secrets, or ensuring certain levels of customer service.

These are all valid reasons, but if organisations want to avoid any programme coming back to bite them, there are some serious legal considerations to take into account as well.

Breakin’ the law

When it comes to the legal aspects of carrying out monitoring activities, it can be a bit of a minefield, according to Delany.

“There are several different legal restrictions, ranging from the Data Protection Act to the Regulation of Investigatory Powers Act (RIPA) to, potentially, human rights considerations,” he says.

“Also, you could run the more general risk of constructive dismissal claims if you are snooping on employees and covertly checking their emails,” he adds.

So what is to be done?

Helpfully, there is a set of regulations that fall under RIPA, known as the UK Lawful Business Practice Regulations, which set out examples of why an employer might want to monitor electronic communications.

According to Delany, if organisations comply with those regulations and tell employees monitoring is going to take place, they will largely be in the clear.

There are sector-by-sector variations as well. For example, for businesses regulated by the FSA, there will often be a requirement to record all communications, both internal and external, and retain them for a certain period.

However, for many businesses, this kind of regulation will not apply.

“It comes down to business needs and transparency, and those are the themes that run through this whole area,” says Delany.

Choose your target

Once you have established ‘why?’, you need to establish ‘who?’.

The reality is that, irrespective of what industry you are in, whether regulated or unregulated, you are almost certainly not going to need to monitor every single employee in your business.

Some businesses - particularly those in heavily regulated and scrutinised industries such as the financial sector - are specifically concerned about what users are getting up to on social media sites, according to Andy Holmes, business development director at IT compliance and security firm Actiance.

“Similarly there are some that want to look inside their organisation to find out who are the bad apples. Frankly, we’re not interested in that conversation because, ultimately, there is no point. It’s just more big data, and organisations already have enough of that to deal with. It also breaks the bond of trust between the individual and the organisation,” he says.

“The key, then, is a measured, targeted approach that can be explained to employees, partners, customers and regulators alike, without causing alienation or suspicion.”

Tziahanas adds: “You have to do some sort of up-front analysis before you start dropping technology in to go looking for stuff.

“For example, where are the greatest parts of the risk to the organisation? Who are the key parties I might be working with that present risk? Then keep the surveillance activities to the minimum necessary to identify those risks.”

Winning hearts and minds

Ultimately, a successful monitoring strategy is one that promotes buy-in from those who will potentially be under surveillance, rather than breeding suspicion and resentment.

“We try to encourage our customers to think ‘Who do we need to help? Who do we need to manage? And how can we do that positively?’,” says Holmes.

“Then it becomes a much more limited environment where you are monitoring individuals,” he says.

One way of encouraging acceptance of new practices, as well as avoiding blanket coverage, is engaging HR to promote the technology as a protection of the individual.

“We have had a couple of instances where, because we are able to determine what kind of activities people have been engaged in, we can demonstrate that negative or damaging things our clients or their employees have been accused of are untrue,” says Tziahanas.

Delany adds that there are also additional third-party considerations to take into account.

“If you are an employer that has recognised trade unions, they are going to want to be consulted and may well have their own perspective,” he explains.

“But, ultimately, if you take a hearts and minds approach and show employees that it’s to protect both the business and employees, you should be on solid ground,” he concludes.

The seven monitoring virtues

Keep these regulations in mind to stay on the right side of the law.

RIPA: A UK law that came into force in 2000, RIPA governs the interception of phone and email conversations. You must inform users inside and outside the company that their communications may be monitored.

Lawful Business Practice Regulations: A subsection of RIPA, these guidelines are specific to businesses, giving examples of how you can carry out monitoring within the law.

EU Data Protection Directive: A European law dating from 1995, this regulates the processing of personal data within the EU. However, by the end of 2014 it will be superseded by...

General Data Protection Regulation (GDPR): The Data Protection Directive’s successor. Companies processing more than 5,000 data subjects in 12 months and all public authorities must appoint a Data Protection Officer. Explicit consent must be given for data collection and the purpose of collection made clear. Consent can be withdrawn at any time. Data breaches must be reported to the new Data Protection Authority within 72 hours and any adversely affected individuals notified.

ECHR: One of the best known pieces of EU legislation, the European Convention on Human Rights 1953 provides for the right to privacy (Article 8). Sufficient effort should be made to comply with Article 8, although much of the previously mentioned legislation covers similar ground.

Computer Misuse Act: A piece of UK legislation dating back to 1990, it forbids anyone from accessing another person’s computer even if that person has previously given you their password and consent. Ownership of the computer, account and data should be considered, as well as ongoing consent.

Keeping watch: Why you should be wary of workplace monitoring

Monitoring employees for cyber security and productivity purposes is considered essential by some firms. But what if it goes too far?

Feature Monitoring: The employee viewpoint

Caroline Donnelly has been a technology journalist for several years and joined the IT Pro team as news editor in March 2012.

“If you’ve done nothing wrong, you have nothing to hide,” is a phrase often uttered by pro-surveillance types to ease the concerns of people alarmed at the prospect of having their actions monitored.

In the workplace, it is commonplace for employers to keep tabs on the internet browsing habits of their staff, and - in some cases - the content of the emails they send to others outside the organisation.

After all, employees are often cited as a major source of cyber security mishaps within the enterprise. They are regularly targeted by hackers looking for a way into the company’s network, and it’s not unheard of for disgruntled staff to purposefully leak data.

For these reasons, Bill Windle, people and cyber risk expert at PA Consulting Group, says it’s hardly surprising companies like to keep a close eye on what their staff are up to.

“Employers have obligations to the law, business partners, shareholders and customers as well as to the employees themselves to protect the data they hold (as well as other valuable assets),” says Windle.

“Monitoring can play an important part in helping meet these obligations as part of a coherent, integrated, defence-in-depth approach to an organisation’s protective security.”

From a productivity standpoint, employee monitoring makes sense to ensure staff are not whiling away the hours until clocking-off time on social networking sites, for example.

Or, as Leon Deakin, senior associate at employment law specialist Thomas Eggar LLP, points out, engaging in other activities that could damage the company’s reputation.

“The potential for employees to cause their employer embarrassment and harm their reputation is probably justification enough to monitor their use of the internet and email facilities,” Deakin says.

“However, when you toss into the mix the various legal liabilities which can arise from misuse including, but not limited to, defamation, breach of confidentiality, negligence, and discrimination, it could be seen as a dereliction of duty [by the company] to not monitor [staff] to some extent.”

Explaining the risk

Keeping a watchful eye on staff is all well and good, but it could backfire on organisations that haven’t taken the time to explain to their employees why it’s happening, warns Windle.

As part of this, he says staff should be made fully aware of how valuable the data they have access to is, and how important their role is in keeping it safe.

Training can only cover so much, though, and there is always a risk that employees may not realise their actions could have dire consequences for the company later down the line.

As an example, Windle cites employees that take classified data off-site on removable storage devices or by emailing it to a personal web address in order to meet an urgent work deadline.

In that situation, the employee may not realise the risks they’re taking because making sure their work is in on time takes precedence.

“This is where monitoring can play a constructive and supportive part in helping spot where employees take well-intentioned initiatives without understanding the real risks involved, nor thinking through who owns those risks,” he adds.

Employee education

Taking the time to explain to staff why they’re being monitored can also help allay any fears they may have about how workplace surveillance procedures square with their own rights to privacy.

However, if employees start to feel their company’s monitoring processes are bordering on the intrusive, they are well within their rights to speak up.

That being said, Sol Cates, chief security officer at infosecurity vendor Vormetric, admits this is an issue that’s not always easy for staff to raise with the powers that be.

“It can be tricky for an employee to voice concern about employee monitoring, particularly if the way it is expressed is seen as being negative or critical of the organisation or its leaders,” he explains.

“Nevertheless, with careful handling there are a number of practical steps open to employees if they feel the level of monitoring is bordering on the intrusive.”

Deakin says the first step for employees should be to ask their employer for explicit clarification about how their time at work will be monitored.

“Even if the employer has informed the employee that certain aspects of their work will be monitored and has a clear policy on this, it’s not always apparent what this actually means in practice,” Deakin explains.

“For example, how many of us are actually aware of what our IT team can and can’t see? As such, it is not surprising that some employees may be left feeling rather helpless or just bemused.”

Employees may also feel their company has crossed a privacy line by monitoring the content of their private posts on social networking sites, such as Facebook and Twitter.

This is usually done to clamp down on employees that might use these sites to write disparaging comments about their place of work or co-workers.

Deborah West, an employment law partner at legal firm Temple Bright, says this type of monitoring might put people’s noses out of joint but there are legitimate business reasons for doing it. “Employees must appreciate that things they post on such sites can be damaging to employers, both in terms of exposure to claims from colleagues of discrimination,” she says.

“In the event an employer undertakes any such monitoring, this can only be lawfully done within certain limits. The difficulty is that as the use of different web-based platforms develops so quickly, the law is not always as quick to react to the evolving use of technology as it should be.”

If employees want to lodge a formal complaint about their workplace’s monitoring procedures, Windle recommends they swot up on the latest guidance first.

“Assemble the facts on specific areas of concern and benchmark these against published best practice,” he says, advising employees to seek out a copy of the Holistic Management of Employee Risk (HoMER) guidance.

The document details how employees can check their own organisation’s approach to monitoring. It also provides guidance as to who and what may be legitimately monitored.

“By placing any concerns they have in the context of national best practice, employees can place their questions or challenge in a positive frame, seeking improvements for the organisations,” Windle concludes.

Professionalisation of cyber crime poses new risks

In light of the fact some employees have been caught using company resources to ‘mine’ for Bitcoins, perhaps employers should be paying more attention to what employees do...

Changes taking place in the underground market operated by cyber criminals, such as the increasing use of new technologies like Bitcoin, are making hacking attacks more dangerous than ever before.

The investigation, carried out on behalf of Juniper Networks, found the cyber crime black market is steadily growing in sophistication.

Online crime has become increasingly sophisticated to the point where it now mirrors very closely the type of organised crime seen offline, the research found.

“Historically, 80 per cent of hackers were ‘freelance’ and just 20 per cent were part of organised crime,” says Mark Quartermaine, Juniper Networks’ vice president of the UK and Ireland.

“Now, that has been flipped on its head as this hacking market matures and 80 per cent are working as part of organised groups.”

The researchers found a distinct hierarchy operating in these groups, from ‘mules’, who carry out most of the groundwork, and ‘vendors’, who provide services such as botnets for hire or money laundering, through to highly skilled ‘administrators’, who develop malware and exploit kits. The members of this elite top level are also the ones who make the most profit from the cyber crime economy.

The research also discovered the use of crypto currencies is increasing. While some transactions can still be carried out using traditional means, many criminal sites now only accept payment in the form of Bitcoin, Litecoin or Pecunix, because of their anonymity and security characteristics.

However, Quartermaine does not believe that cracking down on these types of digital currencies would destroy the cyber crime black market.

“If they disappeared, these criminals would find some other way of transacting,” he says.

The ability to carry out attacks is likely to outstrip our ability to defend very quickly, particularly as the number of everyday transactions carried out online increases, according to the research.

“By 2020, the number of connected devices is predicted to be greater than the population of the world,” adds Quartermaine.

“Every way you look at it, networking is going to increase so vulnerabilities are also going to increase, which means it is something we have to get our head around now.” Credit: Jane McCallion

Since Edward Snowden’s revelations, discussions on surveillance have understandably focused on government monitoring. But, used correctly, monitoring is a valuable resource for IT departments, both in the battle against hacking and cyber crime, and also for improving IT operations.

Monitoring, though, is not without restrictions. Laws, especially data protection laws, employment laws, HR practices and privacy norms all limit some types of surveillance. This applies, in particular, to monitoring employee behaviour and their use of data and applications.

At the same time, better use of monitoring, and instrumentation, can give IT departments a much better view of the way networks and applications are performing.

Application performance management, but also business process management, rely on activity monitoring to work – although it need not go down to the level of monitoring who is doing what on the network.

A watchful eye

Monitoring can also provide a vital early warning both against cyber attacks, and of data leakage or theft.

Data loss prevention (DLP) tools again rely on monitoring, both of data flows and user behaviour. A DLP application, for example, will flag if an employee who normally accesses half a dozen customer records in a day suddenly starts to download thousands.

Active monitoring is also a key weapon for defending against advanced persistent threats, or APTs. APTs, unlike other forms of malware, are designed to be stealthy. Monitoring for unusual network activity, or data exfiltration, may be the only way to spot an APT at work.
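The DLP behaviour just described (a user who normally touches half a dozen records a day suddenly pulling thousands), as an added example that is not part of the report or of any product it mentions: a small Python baseline check run over a constructed access log. The log line format, the per-user history used as the baseline and the thresholds are all assumptions.

```python
"""Per-user access baseline check in the style of the DLP example above.

Added example, not code from the report or from any product it mentions.
Assumptions (all hypothetical): each log line is "YYYY-MM-DD user records",
a day's baseline is the user's own earlier days, and the thresholds below.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample log. alice normally touches a handful of records a day,
# then pulls thousands; bob is a high-volume user whose level is his normal.
# Two lines for the same user and day (bob on 03-10) are summed.
SAMPLE_LOG = """\
2014-03-03 alice 5
2014-03-04 alice 7
2014-03-05 alice 6
2014-03-06 alice 4
2014-03-07 alice 8
2014-03-10 alice 4100
2014-03-03 bob 120
2014-03-04 bob 95
2014-03-05 bob 130
2014-03-06 bob 110
2014-03-07 bob 125
2014-03-10 bob 40
2014-03-10 bob 100
"""


@dataclass
class Alert:
    user: str
    date: str
    count: int          # records accessed on the flagged day
    baseline: float     # mean of the user's earlier, non-flagged days
    ratio: float        # count / baseline


def parse_log(text):
    """Return {user: [(date, records), ...]} with one entry per day, date-ordered."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, user, records = line.split()
        totals[user][date] += int(records)
    # ISO dates sort correctly as plain strings.
    return {user: sorted(days.items()) for user, days in totals.items()}


def detect_spikes(text, min_history=3, ratio_threshold=10.0,
                  sigma_threshold=4.0, abs_floor=50):
    """Flag days where a user's record count is far above their own baseline.

    A day is flagged only when all of the following hold:
      * at least min_history earlier days exist for the user (no cold-start alerts);
      * count >= abs_floor (a near-zero baseline is not flagged for three records);
      * count >= ratio_threshold * baseline mean;
      * count >= mean + sigma_threshold * population stdev of the baseline.
    Flagged days are NOT folded into the baseline, so a multi-day exfiltration
    does not quietly become the user's 'new normal'.
    """
    alerts = []
    for user, rows in parse_log(text).items():
        history = []
        for date, count in rows:
            flagged = False
            if len(history) >= min_history:
                base = mean(history)
                sd = pstdev(history)
                ratio = count / base if base else float("inf")
                if (count >= abs_floor and ratio >= ratio_threshold
                        and count >= base + sigma_threshold * sd):
                    alerts.append(Alert(user, date, count, base, ratio))
                    flagged = True
            if not flagged:
                history.append(count)
    return alerts


if __name__ == "__main__":
    for a in detect_spikes(SAMPLE_LOG):
        print(f"{a.date} {a.user}: {a.count} records vs baseline "
              f"{a.baseline:.1f} ({a.ratio:.0f}x)")
```

Comparing each user against their own history, rather than a global limit, is what keeps bob's routine 140-record days quiet while alice's jump to 4,100 stands out.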

“There are plenty of good reasons to monitor IT and network usage. Security: obviously understanding what is going on in a network is the mainstay of preventing the ingress of malware and the egress of sensitive data. By linking the latter to users, [firms can] spot and correct careless behaviour and root out malicious users,” says Bob Tarzey, analyst and director at Quocirca.

 “But it’s also about user experience. The way the network performs is a key part of understanding the end-to-end user experience. This is especially necessary for organisations that provide on-demand services to consumers, other businesses and partners, which is two-thirds of all business in Europe. (see Quocirca research report here)

 He adds: “Then there is business process monitoring: making sure business processes are as efficient and secure as possible. But companies can also gain operational intelligence. This goes beyond security and into commercial insights. For example a call centre can monitor actual call volumes or waiting times and see if these correlate with other data, such as customer type or

Keeping tabs without compromising privacy or security

There’s a fine line between protecting company interests and overly snooping on employees and what they get up to as Stephen Pritchard discovers…

Feature Monitoring: The IT department’s view

Stephen Pritchard has been a journalist since 1990. Today his main specialisms are business, technology and finance. He writes for a number of national and international titles, and is a contributing editor and columnist for IT Pro.


log files and other system data across devices and sources, including applications, servers, PCs, mobile devices, or websites,” she says.  

“Capturing and analysing data provides the basis for more efficient management of the infrastructure. That’s because you’re looking at all your systems data on a single console, rather than trying to make sense of the content of separate log files… More importantly, it allows for faster identification of root causes, and hence [it takes] less time to fix them.”

Issues remain unresolved

Two challenges, though, remain: security and privacy. There’s also the proliferation of data sources in the business. In particular, the growth in the number of mobile devices needs to be monitored as such devices are often personal in origin.

“Increasingly IT is not in complete control of the endpoints: they are increasingly diverse,” says Quocirca analyst Rob Bamforth.

“Most of these devices are multiply wireless - Bluetooth, Wi-Fi, cellular and NFC - and increasingly seamlessly connecting. Wearables only add to the challenge. They will all be carried together. This means that having more smarts in the network to monitor will be even more important.”


geographic location.” This is another example, Tarzey says, of monitoring acting as an early warning system. But extracting business value from a wealth of data remains a challenge. In fact, some IT teams might view the ever-growing volume of operational statistics as a burden, rather than a source of intelligence that can improve enterprise operations overall.

“Most clients are already performing basic networking monitoring but are struggling with correlation and analysis,” cautions William Beer, managing director for cyber security at consulting firm Alvarez & Marsal.

 “Clients who have managed to set up comprehensive monitoring often fail to see its value as their incident response and crisis management processes are weak. While monitoring definitely adds value, it becomes much more compelling when data is combined with [tools such as] threat intelligence. If not, all you are seeing is the aftermath of the problem.” 

Although security is a key focus for monitoring – and some areas remain controversial – improvements in analytics technologies are helping IT teams to extract more information from operational data.

 “Using analytics, IT professionals can support, or even improve, the smooth running of an organisation,” says Martha Bennett, principal analyst at Forrester Research.

 “Going beyond traditional log management, there are tools available that support the capture of


Ultimately, this cannot be separated from the privacy challenges around monitoring – and anything that might be seen as surveillance. 

“Monitoring, logging and event management is a vital part of any network and computer system,” says Kai Roer, partner in consulting firm The Roer Group. The reason is simple: it allows for detecting anomalies which then can be dealt with.

“Logging system access is particularly useful in systems where a lot of different users are handling sensitive data, such as in a bank, or in health care. But from an ethical perspective, it is important to consider what information you collect, and for what purpose,” says Roer. “You should only use the data you collect for that purpose, and you should delete it when it is no longer being used.”

This, Roer says, needs to be tied into a thorough risk assessment, as well as ensuring that monitoring is legal. “Logging your systems is great. Logging people is not,” he says.

 And, although monitoring can help IT departments with both security and performance, automation also has its limits. A human mind will still need to evaluate the information, and decide if any ethical or legal lines are being crossed. 

“It’s important that the right tools are deployed. There’s way too much data for humans to process, which is where advanced analytics software comes in,” says Bennett.

“But human expertise will always be required to separate signal from noise. If a tool detects a new pattern, the human expert will know whether this is something worth investigating, or simply a variant of ‘normal’.”

Sensitive business data is being put at risk by the thoughtless behaviour of employees, a report by Trend Micro has found.

The survey of 2,500 UK adults, published in a report entitled Britain’s culture of carelessness with mobile devices, found over a quarter of smartphone users have had up to three work devices lost or stolen, and 63 per cent have no password protection on their phone at all.

The Tube is the most likely place for a phone to be lost or stolen in London (26 per cent), with the District and Circle lines proving to be particular black spots.

A bar is the second most likely place for a smartphone to disappear (22 per cent), followed by a cafe (11 per cent) and a restaurant (8 per cent), according to the report.

At a roundtable to discuss the report’s findings, representatives from Trend Micro, information security consultancy First Base, and law firm Taylor Wessing said the implications were clear for business.

James Walker, a security specialist at Trend Micro, said: “We talk about a watering hole from the point of view of compromising a website, [but if I were a criminal] I could know a bar where a certain target organisation would drink in after work, I could steal a mobile phone that’s not password protected, send out a lot of phishing emails to lots of contacts within the organisation... and compromise a lot of people.”

Vinod Bange, a partner at Taylor Wessing, added: “[Imagine] if you have an employee within an organisation who kept going to the accounts team and saying ‘can I have £300 from petty cash please?’ and came back the following day saying ‘I lost it, can I have another £300?’ and then the next day said ‘sorry, I did it again, can I have another [£300]?’ – Who would do that?

“That is because cash is treated in a very particular way and it is about time organisations drew that link to treat information assets, whether it’s personal data, confidential IP, or whatever it happens to be with the same degree of [restrictions].”

The report also examined the potential for data loss when using public Wi-Fi hotspots.

A team of ethical hackers from First Base used apps that were openly available on Google Play to clone a recognised Wi-Fi network, which volunteers’ devices then connected to automatically.

A hacker using this type of attack, known as an ‘evil twin’, is then able to see all the data, including sensitive information and things that would normally be encrypted. The volunteer ‘victims’ involved in these experiments said they felt scared that such an attacking method exists and that their privacy had been violated, even though it was just a simulation. Credit: Jane McCallion

Employee carelessness poses security risk to businesses


One of the most-quoted fears about moving to cloud is that the data is not secure. For many companies, the idea that vital customer data is held in an unspecified place, available for access by unknown people is a big inhibitor to the idea of cloud computing.

Cloud service providers have always been aware of that fear. They have made reassuring noises about the safety of their data and claimed that no unwelcome visitors could help themselves to their customers’ own data. What they didn’t say is that when it came to the US government, they’d roll out a welcome mat and make them a cuppa while the spooks sifted through what they wanted.

PRISM ramifications continue

That’s the shocking implication of reports by both the Washington Post and Guardian relating to the US security services’ access of data from nine IT companies as part of operation PRISM.

The denial of the nine companies is almost irrelevant and has been the subject of much speculation. Does Google’s talk of ‘no back door’ mean the NSA is coming through the front door instead? When Apple said it hadn’t heard of PRISM did that just mean that it wasn’t aware of the operation name the NSA was using? Given the nature of these revelations, these stories must have been checked and double-checked. And then checked and checked again.

The other option is that the security services have had access to the providers’ customer data without the providers knowing about it. Scary stuff indeed.

Though that would seem unlikely given that we know, from reports, the dates when companies allegedly gave permission.

Furthermore, James Clapper, the director of National Intelligence, published a statement,  saying that some parts of the newspaper reporting were “inaccurate” – but,

Operation PRISM: effect on cloud industry could be good or bad

The revelations about the US security services snooping will have a profound impact on the cloud industry, according to Max Cooter.

Feature Cloud: Friend or foe?


Max Cooter is editor of Cloud Pro. He has seen profound changes to the IT landscape during his 20 years as a journalist, but believes cloud computing could be the biggest of them all.


yet, crucially, he did not deny the reporting as being completely without fact.

He claimed that the revelations could also damage security operations. “The unauthorised disclosure of a top secret US court document threatens potentially long-lasting and irreversible harm to our ability to identify and respond to the many threats facing our nation,” he said.

He dismissed concerns from privacy campaigners in the statement though. “The article omits key information regarding how a classified intelligence collection program is used to prevent terrorist attacks and the numerous safeguards that protect privacy and civil liberties,” he said.

Excessive or wholly justified?

However, it’s not just privacy campaigners who have been alarmed by the implications of all this. The author of the Patriot Act, James Sensenbrenner, wrote an open letter to the US Attorney General protesting that the FBI’s action in calling for the Verizon phone records were excessive – and that’s before news of the trawl of customer data from the nine big providers was revealed.

Clapper’s general response to people like Sensenbrenner and other protestors is that there’s nothing to worry about. Everything is seemingly alright because it’s only non-US citizens living outside the US who will be affected. But that’s precisely what is worrying many people over this side of the pond. And we just don’t know who to believe anymore.

Effectiveness vs reactiveness

The other aspect of this whole shooting match is how effective this type of process will be at actually catching the bad guys.

If you’re trawling through the customer records of the likes of Facebook and Google, you’re going to have billions of interactions to deal with. That’s not just a big data problem, that’s a massive data problem. And even when the data

The PRISM government spying scandal, in which the US National Security Agency monitored electronic communications, must not be allowed to break up the cloud and restrict data flow.

This was the opinion expressed by Aaron Levie, the CEO of Box, regarding proposals from the European Commission to alter data protection requirements in a way that could require data to be kept either within the European Union or within the originating countries.

Similar proposals have also been put forward by Brazil.

Speaking to journalists at the organisation’s Business Without Boundaries event in Central London, in November 2013, Levie said: “It is obviously incredibly bad and inappropriate what the NSA has been doing ... it’s not only bad the actions they have taken but it’s also the inaction of not actually creating any transparency or any visibility into what is actually happening.”

However, Levie added: “On the [subject of] EU privacy and data [regulation], the biggest thing that we are worried about ... we want to avoid some of the noise about the balkanisation of the cloud, that would be a very bad outcome – this idea of regionally specific or government specific or country specific clouds. Not only does it not make technological sense, it’s also bad from an economy standpoint.”

Most of Box’s customers need to collaborate and share information across international boundaries, Levie said. He added that the only way to do so effectively was with an open platform.

Levie also touched on the topic again during his keynote following a question from a delegate.

“We don’t think the current [surveillance] situation is tenable ... and we are optimistic that there will have to be more transparency, have to be more processes created for how this works. We don’t think the internet could blossom and evolve in the appropriate ways if this fear [were to] remain,” he said.

“Fortunately, we are a little bit outside of the whole issue and distanced from it, because the biggest issue has been national security and those are generally ... consumer communication services on the internet. We tend not to fall into the space that is of interest, but we care a lot from a technology company standpoint. We have to have a world that allows us to securely communicate and work and share on a global basis, so that is obviously something that we care about and that we are pushing on,” he concluded. Credit: Jane McCallion

Monitoring scandals must not lead to balkanisation of the cloud, says Box CEO


has been analysed, how accurate is it going to be? Not very accurate at all, according to some researchers.

There would likely be more understanding about the endeavours of the security forces if these efforts were guaranteed to catch the bad guys. Instead, there’s a general understanding that this is not going to be the case.

One side-effect of these goings-on is that we won’t be able to look at cloud computing in the same light. We now know that assurances about data being safe from prying eyes are meaningless.

That’s not to say that cloud providers will suffer. There will be some companies who won’t be at all fussed that the NSA has access to their data. They’ll happily live with the intrusion as long as they can benefit from the economies of scale, the flexibility and, yes, the security of the large US-based providers.

It was also noticeable, at the time of the original revelations, that Amazon wasn’t part of the PRISM programme.

The reasons behind this can be speculated endlessly, but certainly the revelations should not prevent potential Amazon customers going down that route.

Nevertheless, there will be some companies who just won’t be able to view cloud in the way they did before. Just as victims of burglaries complain that the invasion of privacy is worse than the items being taken, so there will be companies unhappy with this level of intrusion.

If you’re one of these companies, you won’t be happy that someone has been snooping in your metaphorical underwear drawer, whether it’s the CIA, FBI or Harry the Hacker.

The question is: what will these companies do? Are they going to stick with on-premise for all their applications and computing needs for ever and a day? Or are they going to go with a European provider?

You can bet that if there’s one group of people rejoicing at this news, it’s the European service provider community.

They will now have a genuine selling point when it comes to taking on the American giants: data held in Europe, run by Europe and accessed only by Europeans - which appears to be exactly what has happened.

With pressure building to tighten up, not loosen, the security rules, the cloud game just got a whole lot more interesting.

A new cloud-based email and social networking site promising better security and less intrusive commercial practices has been launched in Iceland.

Named Vivaldi.net, the service was set up by Opera Software co-founder Jon von Tetzchner and fellow Opera veteran Tatsuki Tomita as an alternative to other cloud-based email services such as Gmail and Outlook.com.

The service claims to offer ad-free email, something that Gmail in particular has been criticised for in the past, and also incorporates social elements such as blogs, cloud-based photo sharing, forums and live chat.

Iceland was selected as its base because many of the people behind the project are Icelanders. “For the people of Iceland, the rights to freedom of speech and strong consumer protection laws are most important,” according to Tomita.

Iceland is recognised as having some of the strongest privacy and freedom of speech laws in the world and is home to the International Modern Media Institute.

The institute is, according to its website, a “foundation working towards rethinking media regulation, securing free speech and defining new operating principles for the global media in the digital age.”

Tetzchner elaborated on this point in an interview with Reuters, saying: “There has been a lot of focus on safety lately, and it has mainly been focused on governments. But I think this is just as much an issue for the companies in this business.”

He added: “Our initial focus is on the computer geeks because they usually have higher demands for functionality, safety and privacy. But a lot of ordinary people also worry about these things and we will welcome everyone.”

Commenting on the NSA surveillance scandal, which has caused some disquiet with regard to the cloud, Tetzchner said he cannot promise to keep the US spy agency away, but claimed that Vivaldi is “without a doubt” the safest option out there, adding “this is one of the reasons we have chosen to do it from Iceland.” Credit: Jane McCallion

Secure cloud email service erupts from Iceland


Case study: Mozzart Bet www.juniper.net.uk/en


CASE STUDY

Mozzart Bet is a European leader in the sport betting and gaming industry. Recently, it grew its ground operations to over 900 retail betting shops and has seen exponential growth in its online operations. The combination of these two areas of growth created a “new playing field” for Mozzart Bet, one where the focus turned to network stability, availability, and above all a high level of security.

Challenge

With retail growth increasing the demands on the network infrastructure, and online traffic increasing exponentially, security was becoming a major concern, and this posed a major challenge to Mozzart Bet’s network team as well as its business partners and vendors.

Mozzart Bet needed a data center solution that could grow organically to accommodate expansion of both its retail footprint and Web operations, without the need for constant replacing of existing infrastructure. It also needed a network solution that would provide 99.9999% uptime, be easy to manage day-to-day, and ensure a high level of security.

Selection Criteria

Mozzart Bet required a high-performance solution that was reliable and would ensure a network that was always available for both its retail stores and online properties. In addition, security, particularly of the online properties, was vital, and Mozzart Bet sought out solutions to add security to its websites and Web applications. The third requirement was for products that were easy to manage and use, to make the every day operations as simple as possible.

Once the decision to re-architect its data centers was made, Mozzart Bet undertook a thorough review of its existing vendors and evaluated many other products. These new products were examined using exhaustive proof-of-concept testing and evaluation criteria and took months to complete.

There were five key selection criteria used during the evaluation:

• Stability

• Scalability

• Flexibility

• Security

• Operational effectiveness

In addition to these five selection criteria, Mozzart Bet was looking for the vendor willing to work hand-in-hand with its inside team on design to create a “best fit” solution. It was also looking for the solution with the best ROI performance.

Solution

After 4-5 months of extensive lab testing, Mozzart Bet chose to install Juniper Networks® MX80 3D Universal Edge Router because nothing compared to its performance. The company also liked the fact that MX Series routers could grow in capability based on software without changing the chassis. Juniper’s EX Series switches were selected based on performance, operational simplicity and rich feature sets. To further streamline

MOZZART BET DEPLOYS DATA CENTER SOLUTION TO SUPPORT ONLINE EXPANSION ACHIEVING 99.9999% UPTIME

Summary

Company: Mozzart Bet

Industry: Retail and Online Gaming and Betting

Challenges:

• Growth placed greater demands on the network infrastructure, while exponential increase in online traffic was a major security concern.

• Data center solution needed to grow organically and accommodate the expansion of both retail footprint and Web operations, without the need for constantly replacing existing infrastructure.

• Requirement for creating a stable and secure network was uptime of 99.9999%.

Selection Criteria: Mozzart Bet selected Juniper to replace its existing vendor for ease of management and ability to expand with the organization’s changing needs and enhanced security requirements.

Network Solution:

• WebApp Secure

• Spotlight Secure

• SRX Series Services Gateways

• MX Series 3D Universal Edge Routers

• EX Series Ethernet Switches

• Juniper wireless LAN solutions

• MAG Series Junos Pulse Gateways

Results:

• Since deployment of the Juniper end-to-end solution, there has not been any downtime in network services.

• During a 30-day period, Mozzart Bet detected 2,296 attackers on its Web applications using WebApp Secure, and was able to stop them.


3520492-001-EN Nov 2013

Copyright 2013 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

APAC and EMEA Headquarters

Juniper Networks International B.V.

Boeing Avenue 240

1119 PZ Schiphol-Rijk

Amsterdam, The Netherlands

Phone: +31.0.207.125.700

Fax: +31.0.207.125.701

Corporate and Sales Headquarters

Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, CA 94089 USA

Phone: 888.JUNIPER (888.586.4737)

or +1.408.745.2000

Fax: +1.408.745.2100

www.juniper.net

Printed on recycled paper

To purchase Juniper Networks solutions,

please contact your Juniper Networks

representative at +1-866-298-6428 or

authorized reseller.

network operations, Mozzart Bet deployed multiple EX4200s in a Virtual Chassis configuration, enabling the switches to be managed as a single logical device.

Then the Juniper Networks SRX Series Services Gateways were added to enhance security based on their performance against comparable competitor firewalls. The performance of the new network suffered no downtime, which compared favorably against the previous vendor.

Improving the security of Mozzart Bet’s Web applications was also a key requirement, and the information security team was intrigued by the innovative technique of intrusion deception used by Juniper Networks WebApp Secure. During another three month comparison, an evaluation of three Web Application Firewall (WAF) vendors was completed, and at the end of this test, Mozzart Bet selected WebApp Secure because nothing else compared with the innovative approach of using deception to detect attackers. During the test, the information security team attacked all the solutions themselves and, interestingly, all the WAFs either crashed or were penetrated, while WebApp Secure just kept working. Another major reason why WebApp Secure was chosen was the large number of false positives encountered while testing the WAFs, compared with WebApp Secure, where false positives were extremely low.

The unique difference of not blocking just IP addresses within WebApp Secure was another factor in Mozzart Bet’s choice. There was concern that blocking IP addresses would end up blocking many real customers behind a shared IP address.

Because of this “beyond the IP address” device identification, the ability to customize a response to a detected attacker was also seen as a key differentiator of WebApp Secure. Allied with an easy to use GUI and dashboard, these factors led Mozzart Bet to select WebApp Secure and Spotlight Secure to protect its website.


Results

Prior to deploying the Juniper solutions, Mozzart Bet had been experiencing network downtime and this was causing a loss of real revenue. In the first months after deployment of Juniper’s end-to-end solution, Mozzart Bet has not encountered any downtime on its network, and this has helped maximize revenues. In addition, 2,643 attackers have been detected by WebApp Secure during six weeks of live deployment. This means 0.3% of Mozzart Bet’s Web traffic was identified as malicious and stopped before any damage could be done.

As summed up by Cedomir Novakovic, senior system/network engineer, “Juniper was willing to partner with us on creating an end-to-end data center solution that would expand to support our growing business, and the security innovation from products like WebApp Secure and Spotlight Secure was in a league of its own. No other vendor offers a similar solution to protecting Web infrastructure.”

Next Steps and Lessons Learned

Mozzart Bet is continuing to expand its network, and Juniper is a valued partner in helping it maintain the critical infrastructure and enhanced security needed to power its popular online gaming and betting services.

For More Information

To find out more about Juniper Networks products and solutions, please visit www.juniper.net.

About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.


What topics dominate the conversations you have with organisations around information management and monitoring? Why do you think these concerns remain front of mind?

The good news is that there is more information in more forms available to help organisations understand what is in the heads of their customers and satisfy their needs than ever before.

Unfortunately, this is also the bad news, because the volume, velocity and variety of this information is on the verge of eclipsing the ability of organisations to effectively manage it.

What are the main fears enterprises face from a privacy, security and monitoring perspective?

Organisations are worried that their old “Maginot Line” approaches to privacy and security (set up barriers around the perimeter) are proving woefully inadequate in a mobile and cloud era.

The very nature of mobile means that information is leaking out of the organisation at every turn, on devices that are so portable they are lost or stolen in tens of thousands every week.

Organisations have seen that often the threat can come from the inside - from a “trusted” employee armed with something no more sophisticated than a USB stick. Fortress approaches to security do not match the current threats.

What is driving these fears and have they changed in recent times? If so why?

Q&A: John Mancini, AIIM

The quantity of personally attributable information generated merely by mobile or web data “exhaust”, coupled with new and sophisticated analytic techniques creates enormous opportunities - but also enormous risk.

Think of it this way - lots more data, plus way better analytic techniques is increasingly blurring the line between what is cool and convenient for customers - and what is just plain creepy for them.

This line will be increasingly difficult to navigate in the next few years.

What role does AIIM play in both keeping data safe and secure and putting customers’ minds at rest? At the core, organisations need to think seriously and strategically about information governance.  

Information governance has been

viewed for too long by the C-suite as a tactical nuisance promulgated by Chicken Little records managers and legal types.

It’s time to make the management of information assets just as important as the management of

John Mancini, AIIM

We speak to the CEO of AIIM about the importance of information management against the backdrop of increased threats and end user and business fears.

ProfileJohn Mancini is an author, speaker and respected leader of the AIIM global community of information professionals. As a visionary, his predictions include that we will see more change in the way enterprise technologies – and who we trust with that task - are deployed in the next few years than ever before. www.aiim.org

The volume, velocity and variety of information is on the verge of eclipsing the ability of organisations to effectively manage it.

Page 28: Is Big Brother watching you? IT Pro Strategic Security Report in Association with Juniper Networks

www.itpro.co.ukBIG BROTHER http://www.juniper.net/uk/en/28

financial assets. AIIM provides education and skills development to help organisations meet this challenge.

What advice can you offer businesses to mitigate those risksSimilarly what advice can you offer IT decision makers and managers?This is not just a legal issue. This is not just an IT issue. This is not just a records management issue. This is a business issue and should be treated accordingly.

What are the key rules and regulations to bear in mind? The number and variety of rules, regulations and directives related to information is going to continue to grow, especially relative to the management of information in the cloud.

It’s hard enough to meet these

Q&A: John Mancini, AIIM

challenges when information management is automated. Organisations that insist on manually

managing this ever-increasing volume and variety will find it impossible to do so and will put their organisation at risk.

Is the threat landscape likely to become a scarier and more dangerous place in the future? Are we all doomed?We’re not doomed, but we do need to dramatically and realistically reassess what we are trying to protect and why.

It’s time to make the management of information assets just as important as the management of financial assets.


Q&A: Rodney Joffe, Neustar

We speak to the SVP of Neustar, who also serves as a US government security and industry advisor, about whether people should be worried about being watched.

Profile: Rodney Joffe is a senior vice president and senior technologist at Neustar. He is a sought-after cyber security expert who, among other notable accomplishments, leads the Conficker Working Group to protect the world from the Conficker worm. www.neustar.biz

What topics dominate the conversations you have with customers? Why do you think these concerns remain front of mind?

First and foremost is the issue of breaches and compromises of customer information, especially in light of the Target events. Second is the issue of DDoS. Third is intellectual property theft.

You work very closely with the US government in an advisory capacity to help protect against cyber crime and cyber terrorism. Certain levels of monitoring (PRISM et al) are considered a necessity to protect the majority. What would you say to those who feel the lines have been blurred, or who worry that their every move is being monitored?

I have to say that people forget a fundamental fact: the Intelligence Community (IC), who are the branch of government being held responsible, have absolutely no interest in watching and looking at the private lives of the public.

They couldn't care less if you sunbathed in the nude, viewed pornography, used foul language, or exercised all of your constitutional rights. To a man, or woman, their mission is the defence of the sanctity of the US from foreign attackers. That is more than a full time job.

But if data exists that will allow the IC to identify those foreign attackers, they want to find a way to get that data without violating US citizens' constitutional rights.

And, if that data is tied up with a US citizen's unsavoury online habits, the same thing holds: they don't care about the habits or what the citizen's activities are. They want to get the bad guys.

Additionally, if data can be found in two places, and one of them does not involve personal information about an innocent US citizen, they will go to extraordinary lengths to use the alternative source that does not involve the US citizen.

So I would say: your life is not that interesting compared to what goes on with the real enemy. The IC realises that, and so they are long past the point where they want to look at you. If you turn out to be part of the foreign misbehaviour, then that's a different story. But they'll identify you from specifically developed information, not general snooping.

What are the main fears enterprises face from a privacy, security and monitoring perspective?

First, I think enterprises fear lawsuits from employees or customers who believe that an enterprise assisted in the snooping.

Second, fears may also come from a concern that the monitoring may identify inappropriate activity that the company itself was unaware of, but which may actually result in sanctions against them. Third, concerns that the systems that may be monitoring may be usurped by malicious actors, who then choose to use the capabilities against the company.

What is driving these fears and have they changed in recent times? If so, why?

I think that current events related a) to Snowden and WikiLeaks and b) to Target-type breaches are driving it.

I think that over time, logic will prevail and fears will lessen and become more realistic.

What role does Neustar play in both keeping data safe and secure and putting customers' minds at rest?

Neustar has developed systems and protocols to keep data safe and to ensure that if any form of snooping or compromise does breach the defences, the infrastructure and systems are monitored well enough that alarms are tripped and any damage can be mitigated. So much so that we have created commercial services around the capabilities we developed to protect ourselves and our customers, and the largest companies in the world now use our services for that.

What advice can you offer businesses to mitigate those risks?

Obviously use best practices to protect yourself. Then make sure you invest in training, so that every employee understands the risks, the methods, and how to recognise breaches. Finally, ensure that you have systems in place that will tell you when your systems have failed, like the canaries in the old coal mines. And make sure you have a plan in place to react promptly.

Similarly, what advice can you offer IT decision makers and managers?

Security is never a priority until you have a failure. And then everyone becomes a believer. Accept the fact that breaches and attacks are inevitable. Look at investments in the same way you look at your other business practices: respect the field, hire the best staff you can, acquire the best defensive systems you can, train your entire staff to appreciate the effects of failure, and no matter what, accept the fact that outside specialist third-party consultants have seen much more than you before, and will help save you pain in the long term.

How can end users help protect themselves, their data and their company's assets?

Follow the directions of your info security co-workers. Don't try and find ways around their restrictions, don't trust the neighbour's kid down the road more than your co-workers, be vigilant, have a healthy level of paranoia, and know that somewhere out there, there is someone out to get you.

Is the threat landscape likely to become a scarier and more dangerous place in the future? Are we all doomed?

It will get tougher, but only in response to our own efforts to get better at protecting. The bad guys will continue to work at being able to overcome the barriers, no matter what we do (it really is an arms race). So in general things will remain equivalently equal. We are not doomed, but we will have to expend more and more effort to stay above water.

Anything else you would like to add on this subject?

Anyone who tells you that you can block all attacks is either a fool or a liar. It can't be done. Businesses need to embrace this, accept the inevitable, and do their best to mitigate the damage. It's no longer about security, it's about risk management.


Q&A: Henrik Davidsson, Director of security sales EMEA, Juniper Networks

There's lots of fear, uncertainty and doubt (FUD) among both end users and organisations when it comes to security and, in particular, the idea of the surveillance state. What's Juniper's take on this? Are such concerns unfounded or do we have something to be potentially worried about?

Security is a critical component and concern in any organisation, even more so today given the evolution of threats.

We've moved from young hackers seeking fame, to financial exploits, to "hacktivism" and loss of data privacy/attacks.

Inertia is the generic standpoint many individuals and organisations take on security today. Juniper's standpoint is to take action, and that active defence is the solution.

How has the security landscape changed? And what challenges and issues are leading the conversations you have with customers when it comes to security?

The key concerns today are around protecting the corporate 'crown jewels' that reside in the data centre (applications, content, data etc). It's also about mitigating malware that comes into the end-user device and into the branch (where the end user "lives"), as well as how to solve the BYOD dilemma, both from a content (data in motion/data at rest) and an access control perspective.

The sophistication of attacks and cleverness of malware has increased significantly, and DDoS attacks can be launched for just a few dollars.

The motivation behind these types of attacks can be either financial or political. Less and less often, hacking is carried out for simple notoriety.

Have these concerns/trends changed in recent years or largely stayed the same? What has prompted such changes/stability of issues?

With the uptake of smartphones and people's lives moving more and more online, the smartphone is also becoming one of the primary attack vectors for malware today (see Juniper's Mobile Threat Report 2013 for more information on this topic).

Some 54 per cent of attacks are targeting the data centre today, as that is where the most valuable network resources reside. DDoS attacks have moved increasingly towards low and slow attacks, away from pure volumetric attacks.

It is very rare for web apps to have security thought through from the beginning, hence the easiest way for hackers to exploit these apps is to identify weaknesses in them.

Identifying hackers in the reconnaissance phase is therefore critical for organisations to regain control of the situation and change the economics of the hacker's transaction (i.e. waste their time with spoof data, break their tools and so on).
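Two of the points made in these interviews translate directly into detection logic: the "canaries" Joffe recommends, and the reconnaissance-phase identification with spoof data that Davidsson describes above. The following is an added example written for this page, not code from the report, Juniper or Neustar. It runs two detections over web server access logs in the common "combined" format: a request for a decoy path that no legitimate page links to (a canary, or honeytoken) is a single-event, high-fidelity alert, and a source that produces many distinct 404s is flagged as a scanner walking the site for weak spots. The decoy paths, the threshold and the log lines are all constructed for the example.

```python
"""Canary-path and reconnaissance detection over web access logs.

Added example, not code from the report or from Juniper or Neustar.

  1. Canary hits: requests for decoy paths that are published nowhere and
     linked from nowhere. No legitimate client ever asks for them, so one
     hit is a high-fidelity alert (Joffe's "canary in the coal mine").
  2. Reconnaissance: a single source producing many distinct 404s, the
     footprint of a scanner probing for weak spots before an attack.

Decoy paths, the threshold and the sample log lines are constructed for this
example; none of them come from a real deployment.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Decoy paths (constructed). Serve harmless spoof content at these URLs so a
# scanner wastes time on them, and alert on any request for them.
CANARY_PATHS = {"/backup/db-2014.sql", "/admin/.env", "/wp-login.php.bak"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


@dataclass(frozen=True)
class Alert:
    kind: str    # "canary" or "recon"
    ip: str
    detail: str


def parse(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Match decoys on the path alone, so a query string cannot let a hit escape.
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, canary_paths=CANARY_PATHS, recon_threshold=5):
    """Return every canary hit in log order, then one recon alert per noisy source."""
    alerts = []
    not_found = defaultdict(set)  # source IP -> distinct paths that returned 404
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed line; in production, count these as well
        if rec["path"] in canary_paths:
            alerts.append(Alert("canary", rec["ip"],
                                f'{rec["method"]} {rec["path"]} at {rec["ts"]}'))
        if rec["status"] == 404:
            not_found[rec["ip"]].add(rec["path"])
    for ip, paths in not_found.items():
        if len(paths) >= recon_threshold:
            alerts.append(Alert("recon", ip, f"{len(paths)} distinct 404 paths"))
    return alerts


# Constructed sample log: a scanner (192.0.2.10) walking common admin paths and
# tripping a decoy, a normal visitor (198.51.100.7) with one stray 404, a
# malformed line, and a second source (203.0.113.5) fetching a decoy with a
# query string appended.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2014:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"',
    '192.0.2.10 - - [10/Mar/2014:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"',
    '192.0.2.10 - - [10/Mar/2014:13:55:37 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"',
    '192.0.2.10 - - [10/Mar/2014:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"',
    '192.0.2.10 - - [10/Mar/2014:13:55:38 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"',
    '192.0.2.10 - - [10/Mar/2014:13:55:38 +0000] "GET /admin/.env HTTP/1.1" 200 311 "-" "Mozilla/5.0 (compatible; scanner)"',
    '192.0.2.10 - - [10/Mar/2014:13:55:39 +0000] "GET /config.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"',
    '198.51.100.7 - - [10/Mar/2014:13:56:02 +0000] "GET / HTTP/1.1" 200 4823 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"',
    '198.51.100.7 - - [10/Mar/2014:13:56:03 +0000] "GET /about HTTP/1.1" 200 2210 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"',
    '198.51.100.7 - - [10/Mar/2014:13:56:03 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"',
    'this is not a log line',
    '203.0.113.5 - - [10/Mar/2014:14:01:17 +0000] "GET /backup/db-2014.sql?id=1 HTTP/1.1" 200 5120 "-" "curl/7.35.0"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.kind}] {alert.ip}: {alert.detail}")
```

The two detections have different economics. A canary alert needs no threshold and no tuning: the only way to know the decoy URL is to have guessed or scraped it, so the first hit is actionable on its own, and serving a plausible spoof file at that path is the "waste their time" part of Davidsson's advice. The 404-count detection is noisier (a visitor with a stale bookmark also produces 404s, which is why the threshold counts distinct paths rather than requests) and is worth pairing with the canary so the scanner is caught even if it never touches a decoy.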

Security and unauthorised access is a particular concern for those with remote and field workers. What advice would you offer to allay such concerns? Is it a case of common sense plus strategy and solutions, or is there more to it?

Juniper's point of view is that five years from now, it is likely that there will be significantly fewer corporate-owned devices. The push from end users to work with the devices they choose is too great to ignore.

We also tend to see three significant factors when enabling BYOD for our customers: 1) a high increase in network traffic, 2) a decrease in mobile IT support calls and 3) an increase in productivity per employee on average.

Our advice is therefore to not trust the device, but rather the applications the end users are leveraging.

Furthermore, ensure you have the right identity in place that follows the flows from the end point to the data centre through an enforcement point (such as the firewall, NAC etc).

It's also very important to think about how to secure the data in motion and, more importantly, the data at rest. Mobile device management (MDM) vendors are trying to solve the end point problem, but it proves difficult when users are bringing their own devices to work.

What advice would you offer end users when it comes to security? Should they be resisting the temptation to bypass IT (the department of 'no')?

First, ensure you understand the policies in place at your workplace. Then, ask your IT department to provide you with an easy to use, yet effective security solution for mobility that helps increase your productivity and maintains performance.

What advice would you offer the IT department/IT manager in terms of security? How can they avoid the knee-jerk reaction of just locking everything down?

Think more about how you can move into a world of active defence that increases the cost and risk for attackers to target your company.

To reach 100 per cent security is a utopia, so strive to become more active on the defence front.

Think per-app VPNs to remove all end-point device traffic coming into your network, allowing in only the traffic that you need (have a look at Juniper's per-app VPN solution), and think multi-layer security.

Many organisations are employing CISOs/CSOs. Do you think this is the right move, or is it something that should be part of everyone in the organisation's (not just the IT department's) remit?

Security is not just an IT problem; it should be everyone's responsibility.

Indeed, in a house, it is the shared concern of everyone living there to keep the front door locked, not just one person. We have seen through various surveys that even CEOs are highly involved in security projects, as it affects the company's reputation and integrity.

IT is just a means or a tool to help protect the valuable assets. Continuing to invest in awareness and education for all employees is valuable. Businesses should consider running a half-day security awareness training session on a quarterly basis, or even every six months, to increase awareness.

Juniper focuses on security from three core perspectives: 1) Connectivity, 2) Platforms and 3) Applications and Content. Could you expand on what each umbrella term means to you and provide some real-world context?

Connectivity means either mobility or the enterprise edge of the network: how an end user connects to the company and the applications/assets they need to do their work. The end point is what the individual uses to connect, and the enterprise is normally where they "live".

Platforms are the data centre and, by extension, the cloud: basically where all the applications and assets reside that end users want to access.

Applications and content is effectively the apps and the data that reside in the data centre that attackers are trying to exploit, and what the end users need to do their work.

How do you see the security landscape and associated concerns changing in the coming months and years? Can you paint a picture of the office of the future from an access and security standpoint?

At Juniper we believe BYOD is likely to continue prevailing and become the de facto standard in five or so years from now.

We would see the usability from an end user perspective to be extremely easy and completely transparent, but with security built in.

The way we see that come together is by not trusting the device, but protecting and trusting the application on the device, hence our focus on per-app VPN to segregate the device. We also see the future including local encryption of data to protect corporate data at rest on the device that is separate from any private data an end user has on the device. The border for an employee will evaporate more and more as employees become more flexible in workplace location etc. Threats are prone to adapt and evolve (as they always have), so we expect the market to continue to develop, particularly with the adoption of cloud.

Henrik Davidsson, Director of security sales EMEA, Juniper Networks

We talk to Henrik Davidsson about the fears and uncertainty surrounding security and monitoring issues in the enterprise world.

Profile: Henrik is responsible for Juniper's security offerings go-to-market strategy and specialist teams. Prior to joining Juniper, he led Cisco's EMEA security business development team and its security business in Northern Europe. He also built up the IronPort business in the Nordics and Baltics prior to the Cisco acquisition. Henrik has founded several companies and has worked in many start-ups. http://www.juniper.net/uk/en/


Feature: The surveillance state: Fact or fiction?

Welcome to the future: We are watching you

Are we headed for a future where our every moment is watched and analysed? Should that dictate our behaviour, or should we just get on with things and relax?

There is one CCTV camera for every 11 people in Britain. Add to that the human element in the form of special agents, security guards, police and military, and it's safe to say you are being watched wherever you are.

There's nothing new about any of that, though. Businesses, whether commercial organisations watching over employees to ensure they don't trade secrets or fiddle the books, or retailers clamping down on shoplifters, have always protected their interests. Now, however, the game has changed. And not everyone is playing fair.

You know what you know

The NSA PRISM debacle shone a spotlight on surveillance and monitoring. Those we should be able to trust implicitly (government) have ultimately betrayed us. They've done things they pretended they didn't do, shouldn't do, and we thought they never would do. The trust is forever broken.

Yes, there are numerous arguments that it's for the greater good, and many people won't dispute that. Indeed, many feel it's not what has been done, in terms of monitoring, that's the issue. It's the deceit that hurts the most.

"Transparency and openness are certainly paramount objectives for any processing of information," says Sally Annereau, data protection specialist at law firm Taylor Wessing.

"People are generally prepared to accept that for law and order purposes, it will be appropriate to allow law enforcement bodies to access certain types of records. However, effective democracy rests on an electorate being kept informed so public bodies and governments can be held to account if their actions step beyond what are viewed as the boundaries of acceptable use."

While the number of cameras and monitoring tools around us is growing, we shouldn't always blame the government. Indeed, research published by the British Security Industry Association (BSIA) claimed that privately owned CCTV systems outnumber those of local authorities and police by around 70:1.

"There is a popular misconception that the camera population in the UK is owned by the government. The BSIA statistics set the record straight once and for all. It is private businesses who own the material camera population, not the government. Day to day, these cameras are not available to the government and law enforcement agencies; they are busy working to protect their owners' premises," said Pauline Norstrom, vice chair of the BSIA's CCTV section.

"It is only when a major crime occurs that the police ask business owners if they have captured any footage of criminals passing through the private cameras' field of view."

Norstrom added: "Without the help of businesses investing in their privately owned systems, the police would only have access to the one publicly owned camera per 1,000 head of population. Far too few to be useful, and certainly not the surveillance society which could be portrayed."

Simon Adcock, chairman of the BSIA's CCTV Section, added: "Effective CCTV schemes are an invaluable source of crime detection and evidence for the police. For example, in 2009, 95 per cent of Scotland Yard murder cases used CCTV footage as evidence. The public are supportive of CCTV, with 62 per cent wanting to see more in their local area, and it is important that we retain their trust and confidence."

In the business world, it's understood that those using company email may be monitored. While this isn't on a constant basis, it's something the employer reserves the right to do should they so wish. Once employed, having read the T&Cs, we forever after use email knowing this to be the case. Therefore we really shouldn't say anything using that medium that we wouldn't want our boss to know about.

What we know vs what we do

That's the theory. The reality is that many use work email for personal communication. It's the elephant in the room. However, it generally poses no issue at all provided company confidentiality is ensured and reputation remains intact. Most employers tell employees they are monitoring what they send via email, but they'll then actually give the worker a heads-up that they're about to access specific messages. There was no such courtesy paid in the recent revelations.

"If you want to keep a secret, you must also hide it from yourself," wrote George Orwell in 1984, which depicted a very bleak future indeed, with surveillance at its core.

So then, are we headed to a world where trust is gone forever? Where you're guilty until proven innocent, and if you want something to be truly private you must conduct an after-dark face-to-face conversation or use a piece of paper that self-destructs after reading?

"Increasingly sophisticated technologies pose greater risks for joined-up surveillance of people going about their daily lives. Yet, just because the technology exists does not mean its use will be proportionate and lawful. If we consider CCTV, for example, the Information Commissioner (ICO) took action in July 2013, forcing Hertfordshire Constabulary to review its ring of Automatic Number Plate cameras placed around the town of Royston. This 'ring of steel' meant it became almost impossible for a driver to enter or leave the town without a record being kept of their journey," says Annereau.

"The ICO's action was a direct result of intervention by concerned privacy rights groups, which supports an argument that both society and the law define the boundaries around what is or is not an acceptable use of our information. In the cases where those boundaries are ignored, then public and legal intervention will follow."

Some say that those with nothing to hide won't mind being monitored. This is largely true; however, even the most innocent person in a room will feel somewhat awkward and behave differently once they know they're being watched.

"My personal view is that there is and remains a private zone that can and should be protected. The solution and proposed changes to the EU data protection law will enhance the rights, obligations and penalties around the use of our personal information," Annereau adds.

"In addition, the public play a part in defining acceptable boundaries, and the public reaction to PRISM, as well as the wider activities of privacy groups, demonstrates there is still a public desire to protect the private space."

So, the Orwellian idea of a surveillance state hasn't totally become a reality just yet. But it remains as much for us to stand up and fight against that happening as it does for the government to try to protect us as citizens.

Vote carefully though, as once we get there, we can't go back to the future. Not yet, anyway.

PRISM shines a spotlight on all aspects of security

As long as someone can make money out of it, cyber crime will be a part of our digital lives. Unfortunately, we're only human and can only remember so many passwords, not all of them as different or strong as they should be. Biometrics seems to be the perfect answer. We are unique, and so are our various physical and biological attributes. What could possibly go wrong?

It doesn't matter how well they could solve the problem though: if they're not cheap, easy and foolproof, most firms won't bother. Unless, that is, the risk and costs of doing so far outweigh the risks of not doing so. Even if the risks warrant it, what happens to the very personal data stored? Are we heading to a vision of the world as foreseen in the film Gattaca, where everyone has to provide DNA samples? I would want to see a lot more checks and balances in place before having to rely on biometrics as the single sign-on method for anything less mundane than logging onto my work computer.

Edward Snowden has ensured we'll all be asking a lot more questions before this becomes commonplace across all our digital lives.

Liam Quinn, IT director, Richmond Events

Should we really be worried about the future?

This is a one-sided argument. The scale of state security success can never be revealed. When they are successful it has to be kept quiet, and the methods used have to remain a secret. It's only when the state fails, when there's an issue, that the whole process is made incredibly visible.

This attracts public criticism. This contrasts sharply with commercial success and failure, where commercial success is open and celebrated, and failure kept quiet.

That said, I think you can safely assume that the threats which exist today are continuous. They aren't getting any smaller. Does this mean it's OK for governments to monitor us, even if we don't know they're doing it? I think the answer is connected to a related question: do we trust the people we elect? If not, we have the power of the vote and the power of political lobby to elect officials we do trust. If yes, then we have to pay the price required by security, one necessary to help limit the reality of these ever-growing threats. That price, in this case, is a loss of privacy.

Dr. Peter Cochrane, independent analyst and futurologist, ex-CTO of BT.

Maggie Holland has been a journalist since 1999, starting as editorial assistant on Computing magazine. She is now group editor of Cloud Pro and IT Pro.


In light of the PRISM scandal it can be all too easy to think that privacy is dead. 

Ever since Edward Snowden copied thousands of NSA documents onto a flash

drive, everyone thinks that they are being watched. But no one is quite sure who is watching (apart from the vague notion that it might be an anonymous government employee) or why they’d spy on them in particular. 

There are concerns over the government’s ability to access data and this has ramifications for the industry. Companies look set to keep more of their data closer to them, possibly eschewing the public cloud (with the US cloud industry bearing the brunt of that). But in our evermore-interconnected world, is that a possibility? 

Since the scandal broke, organisations have asked themselves about how they can improve data privacy and security. The weekly drip-drip of information coming out of the revelations has battered certainty at every turn. 

Data privacy is dead. Long live data privacy!Is it worth improving when the general feeling is that data privacy is all but dead? It is hard to believe that spy agencies only have the “bad guys” in their sights when the likes of Belgian telco Belgacom is

hacked into, despite no evidence of any terrorist links. The NSA also spied on Brazilian oil firm Petrobras as well. It would seem that for any individual or organisation protecting your data becomes evermore difficult when there now so few hiding places. 

Despite calls by various European governments to set up infrastructure that can’t be touched by the US, it can be argued that it doesn’t matter where you put data in the world because the US government and its allies can still get their hands on it if they want to. 

But let’s not ignore the fact that it is not just the US that is spying on everyone. Many other countries are also engaging in exactly the same sort of activities as the NSA. It’s just that the US has by far the biggest budget to do it. 

So where are we heading with data privacy? At the recent TrustyCon conference in San Francisco, security expert Bruce Schneier said that the security industry would be well advised to study what NSA did with PRISM. The reason for this? He believes it will help inform and shape strategy for the type of attacks we will soon be facing on a local or global scale. Forewarned is forearmed, after all.  

This means that organisations have to expect that others will actively engage in finding out what

Monitoring and security: Where next?

Column Where next?

Rene MillmanFor further comment and insight on security, go to www.itpro.co.uk/security

What does the future hold when it comes to monitoring, security and surveillance? Rene Millman takes a look...

36

Let’s not ignore the fact it is not just the US that is spying on everyone.

BIG BROITHER

Page 37: Is Big Brother watching you? IT Pro Strategic Security Report in Association with Juniper Networks

www.itpro.co.ukhttp://www.juniper.net/uk/en/BIG BROITHER

data you have and what you intend doing with it.  There is a rush to encrypt everything

regardless of the nature of the data. But as other revelations have come to light, this may be a fool’s errand. The NSA and allies have cracked most online encryption algorithms.  

Consequences

There are other ramifications as well. The increasingly global nature of data, where information knows no bounds, could very rapidly lead to balkanisation, where data is siloed in individual jurisdictions.

This locking down of data to protect it may also do more harm than good, as it will stop the free transfer of data.

Some would argue that this is a good thing. Data is precious and shouldn’t be flung around willy-nilly. However, it is the free nature of the internet that has given us enormous economic benefits.

Some would say that in joining up to services such as Facebook and a multitude of others we have given up large parts of our privacy already. The PRISM disclosure has made us all uncomfortably aware that in connecting with the internet we have built a panopticon of our own making.  

Despite the best efforts of some in the security industry, we still don’t take security - or indeed privacy and data confidentiality - seriously enough to really get to grips with what it means. Other than remembering a few passwords, or just buying a load of products and then implementing them so badly that anyone can get in and access our data, that is.

Following Schneier’s rules should help those wanting to protect their data from the prying eyes of any government agencies or malicious intent. These can be briefly summarised as: use services such as Tor to hide in the network; encrypt your communications; assume your computer can be compromised and use one that has never been connected to the internet to encrypt and decrypt data; be suspicious of commercial encryption software (which may have back doors inserted at the behest of intelligence agencies); and use public domain encryption that is compatible with other implementations.

But it is not impossible to keep private things private.

As Schneier has pointed out, the NSA is not a magical organisation and is constrained by economics as much as anyone else (although admittedly it is incredibly well funded). The new reality is that if you want your firm’s data to stay private, it will cost. In essence, making it harder to break in means surveillance can get very expensive indeed.

Perhaps, in the future, organisations, people and governments will take bold steps to preserve the privacy and security of data. Furthermore, let’s hope they will strive to ensure that spying is more focused on the bad guys, and not just an exercise in scooping up large amounts of data on everyone because they can and because there is a small possibility that something interesting lies within.

“The price of freedom is eternal vigilance” is often quoted in this area (who actually said this is a question in itself), but what it means to us nowadays is that we all have to take responsibility if we are to keep private things private.  

To paraphrase another quote, those who trade a little privacy for a little service, probably deserve neither and will eventually lose both.
