• The Moscow Rules in the Cyberspace

    Doing the basics is a given when you defend your assets: updating your computers, staying on the latest versions, dynamic network zones, incident response, identity management, monitoring, and so on. Last but not least (or probably first :-)) is to know your assets and have your data classified, so that you understand which part of your business needs which level of protection.

    That's the basic stuff, which almost all companies do at different levels of maturity. But what about intelligence? What about leveraging sources outside your company (and combining them with information inside your company) to be able to look at least a tiny little bit into the future? This rarely happens or – better – I have not seen too many organizations really doing that intensively and successfully. Additionally, there is the question of how to behave if you are going to set something like that up. We are all used to working in a defensive mode but not necessarily in intelligence.

    Back during the Cold War, the US had some rules for how to move behind enemy lines when you are a spy. These rules were called the Moscow Rules. If you look at them, they can really and simply be applied to cyberspace as well. Read for yourself. It is worth thinking about them and then thinking about how we can start to predict attacks: "Moscow Rules: The original protocol for operating in the presence of adversaries can be applied to cyber defense"

    Roger

  • Unique in the Crowd – False sense of Privacy

    This morning, I was reading a very interesting article called Unique in the Crowd: The privacy bounds of human mobility. This is the abstract:

    We study fifteen months of human mobility data for one and a half million individuals and find that human mobility traces are highly unique. In fact, in a dataset where the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier's antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.

    Before we go deeper into the subject, the situation above reminded me of Monty Python's Life of Brian:

    Video: https://www.youtube.com/embed/jVygqjyS4CA

    But now back to the subject. The example above, to me, just shows one of the key challenges we face when we look at all the data that is generated about us. If this data starts to get analyzed for behavior patterns, even the most innocent data might all of a sudden become very sensitive. If you look at the Big Data scenario, in my opinion it gets even worse, as we then start to correlate non-identifiable information and will very quickly run into privacy-related issues.

    Let's take the example above: they are able to uniquely identify the individuals based on the pattern of how they move. Additionally, you could look at the data to figure out where they spent most of their time – and typically you can fairly easily find out where they work and live. This means that you can fairly quickly (with a little additional effort) not only identify such patterns but even link a pattern to a name, and all the doors are now open to "abuse" this data for any kind of purpose.

    All these issues do not scare me from a security perspective at the moment but from a privacy approach – and for most consumers, there is no real difference.

    Roger
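
    A data owner can measure this effect on their own records before sharing them. The sketch below is an added example, not code from the post or from the cited paper: it estimates what fraction of users are singled out by p known (antenna, hour) points and how much coarsening the data helps. The dataset is synthetic, and the names `unicity` and `synthetic_traces` are assumptions made for this illustration.

```python
import random

def unicity(traces, p, coarsen=lambda pt: pt, seed=0):
    """Fraction of users whose trace is the only one containing p of their points.

    traces:  {user_id: set of (antenna_id, hour)}
    coarsen: generalisation applied to every point before matching
    """
    rng = random.Random(seed)
    coarse = {u: {coarsen(pt) for pt in t} for u, t in traces.items()}
    unique = 0
    for user in sorted(traces):
        pts = sorted(traces[user])
        rng.shuffle(pts)  # same order for every p, so the p-sample is a prefix
        known = {coarsen(pt) for pt in pts[:p]}
        # Count every trace (the user's own included) consistent with the sample.
        matches = sum(1 for t in coarse.values() if known <= t)
        unique += (matches == 1)
    return unique / len(traces)

def synthetic_traces(n_users=300, n_antennas=40, hours=24 * 7, seed=1):
    """Constructed data: one point per hour, mostly at a home or work antenna."""
    rng = random.Random(seed)
    traces = {}
    for u in range(n_users):
        home, work = rng.randrange(n_antennas), rng.randrange(n_antennas)
        trace = set()
        for h in range(hours):
            base = work if 9 <= h % 24 < 17 else home
            # Roughly 20% of hours are spent at a random antenna instead.
            antenna = base if rng.random() < 0.8 else rng.randrange(n_antennas)
            trace.add((antenna, h))
        traces[u] = trace
    return traces

def bucket(pt):
    """Coarser release: groups of 4 antennas, 6-hour time windows."""
    return (pt[0] // 4, pt[1] // 6)

if __name__ == "__main__":
    data = synthetic_traces()
    for p in (1, 2, 4):
        print(f"p={p}: raw {unicity(data, p):.2f}, "
              f"coarsened {unicity(data, p, coarsen=bucket):.2f}")
```
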

  • Are we sitting on a time bomb?

    I just read another of these studies: Enterprises sitting on security time bomb as office workers compromise company data. Let's briefly look at the findings first:

    • 38% of U.S. office workers admit to storing work documents on personal cloud tools and services
    • […] almost a fifth (16 percent) of people use Dropbox to store work documents, while Google Drive and Apple iCloud came in second and third place with 15% and 12% respectively
    • […] 91% of workers also stating that they use personal devices to store, share, access or work on company documentation […]
    • Regarding personal devices, almost two thirds (64 percent) of office workers use external hard drives to store work documents and almost half (46 percent) use USB drives. More than a third (34 percent) of people admit to using USBs to share documentation with others and 43% use external personal hard drives for the same purpose
    • Half of U.S. office workers want to be able to work from anywhere and almost half (49 percent) wanted to access all of their work documents in one place
    • A fifth of U.S. workers also want to use their personal smartphones, laptops and tablets for work

    According to the research, technology adds to people's frustrations in the office as key annoyances are:

    • Not being able to send large files via email (31 percent)
    • Wasting time searching for electronic documents (28 percent)
    • Ensuring that you are using the most up to date version of any given document (21 percent)
    • Getting documents approved by others (18 percent)
    • Figuring out who has specific information about a project or task (17 percent)

    In order to share and work on documents with people outside of their company:

    • Almost two thirds (65 percent) of office workers continue to revert to sending email attachments
    • Nearly a fifth (16 percent) use USB drives
    • A similar amount (15 percent) send hard copies of documents via courier
    • Eight percent send CDs or DVDs via mail

    Shocking, no? Do we need to go out now and start to change the policies and punish the user? Well, this is what happens most of the time. We change the policies and then feel really good. However, I would guess that your users do all these things for a reason. This reason probably is not to feel cool but to do their job. A few weeks ago, I posted on "Will the user define security policies in the future?", where I quoted a study saying that at least 40% of the sales people had to circumvent security policies to do their job – to get access to information they needed to win a sale.

    I guess it is time to re-think. Almost all the scenarios above can be done in a secure way with today's technology like Rights Management Services, BitLocker To Go etc. So, it is probably more about helping the users to do their job – but in a secure and safe way – rather than tightening the policies, no? Do you have a different view on that?

    Roger

  • Targeted Attacks – a Video Series

    Trustworthy Computing in partnership with Microsoft IT, Microsoft Consulting and the product groups just released a series of videos on targeted attacks and how to defend against them.

    I would definitely urge you to listen to them and make sure you implement the countermeasures: Targeted Attacks Video Series

    Roger