New EU regulations on cyber and access

The EU is clearly to be applauded for this new piece of regulation that not only recognises key vulnerabilities, but also the interconnectedness of elements that all use the web. Apart from the obvious – it’s a good thing – for security professionals I think there are 3 key takeaways:

  1. Clearly TalkTalk has convinced anyone in Government that still needed convincing that something needs to be done on cyber and access risk. We had the Chancellor announcing £1.9bn of new funding for cyber in the autumn statement. We’ve also had new “viability statements” coming into force, asking for the Board’s views on the management of risk to be formally reported to shareholders. And from the EU, what looks like the start of a fair bit of new regulation. I know some of these things have been in the works for a while, but it’s clear – Government is getting involved, and all companies will face increasing workloads on security and access control to meet the new standards.
  2. By linking Amazon and eBay in with critical infrastructure the EU are showing they recognise that breaches form a continuum and access to banking details and essential services are not completely separate things. Losing personal information is distressing, but losing control of a train would be tragic. Of course critical infrastructure doesn’t have to use the internet, but when contractors are being pushed on price and their components need to talk to each other, the internet is the only viable choice. Remember that in the world of modern automation, a train isn’t necessarily an entity, it could be a collection of components (engine, wheels, brakes) that all communicate with each other via the net.
  3. There’s also a recognition that all the security in the world won’t protect you if your employees are giving away the crown jewels. It’s often not malicious, but staff don’t take as much care with data as they should. Which is why measuring and enforcing “least privilege” is one of the most effective and cost-effective steps a company can take. In case anyone is in any doubt, Intermedia’s 2015 Insider Risk Report reported 32% of IT professionals have given out their login and password to other employees, with 31% saying they would take data from their company if it could positively benefit them.

At Idax, we’re noticing changes already. Senior management want to understand their vulnerability, and a quick access rights review has immediate benefits. One thing that we’ve done quite a bit is quick reviews of access rights. Using our analytics, we can tell within a few hours who the staff with unusual access are, which is an easy first step on the route to obtaining least privilege and staying there. What’s clear is that any company embarking on a programme to address access risk will not only be one step ahead of the hackers, but get an early start on new legislation too.

Carphone data breach: 2.4m records hacked.

Once again 2015 proves to be the year of the data breach. Or maybe 2.4 million Dixons Carphone records going missing is just an example of the new normal. But then again none of this is new, and data breaches and loss of critical data have been with us for as long as data has. So here’s a bit of historical perspective.

When I started as a consultant back in the 1980s one of the first assignments I worked on was for the old Dixons group. They had found out that at least one competitor had been getting hold of their prize data assets – at that time it was a Sales Report that had all their product lines, what was the cost of each item, the retail price, how many they sold and in which shop they sold them. Remember, in the 80s retailers did not have good customer information and this Sales Report was the crown jewels.

Of course, it was printed on paper and bound before being distributed, but some things never change. In the end the breach turned out to be an insider who was selling monthly Sales Reports on. As a junior consultant my job was to compile a list of everyone who got the report. But the thing that really stuck in my mind was that the majority of people who received the report didn’t really use it. It was more an indication of how important they were. So really a chronic lack of least privilege discipline leading to serious data breaches – nothing new under the sun.

A recent report from the Ponemon Institute reports that 71% of staff think they have access to company data they should probably not see. So what’s the answer? Well at Idax towers we believe that traditional manager reviews are failing. What we and an increasingly large number of clients think is that manager intervention supported by analytic context and insight is the answer. Of course Dixons in the 1980s had an excuse for data breaches. They didn’t have the tools to enforce least privilege. But in the 2010s there’s really no excuse.

Ashley Madison Data Breach

The Ashley Madison Data Breach again highlights insider threats:

2015 must surely now be officially designated as the year of the data breach. With the news that client data at Ashley Madison, the dating site, has been compromised, there must be a lot of very worried people wondering where their lost data will turn up.

There are many interesting issues with this data breach story – why was data not encrypted? Why was there only single factor authentication to the site? And most importantly why did subscribers need to pay to have their details removed? Of course, also running through the story is a massive dose of schadenfreude – the pleasure we feel that the subscribers’ misfortune is in some senses justifiable given what they were up to; the hack then becomes a real Robin Hood crime. But just imagine for a moment that it was your medical or financial records and the story is a little darker.

As a regular data breach watcher there was one thing that struck me about this that was unusual. It was that Ashley Madison were owning up to the fact that it was an insider: “I’ve got their profile right in front of me” said their CEO. In the past it’s always been more convenient to portray the threat as being external. Companies prefer the idea of the evil genius hacker to the trusted employee gone rogue. In this case it seems to have been a temp or contractor who had access. But you have to ask – why did they have access and who was checking it?

Here at Idax we hold the view that managers are capable of managing their staff’s access, but they need a little help from analytics to do so. Did the Ashley Madison contractor really have the least privilege required to do their job? If that least privilege enabled them to dump the entire database, there’s a bigger problem. But as we’ve seen over the last couple of years, a lot of companies have poor controls over internal access, don’t do recertification well, and onboard new staff by asking them what they think they need.

Estimates from the Open Source Foundation indicate that the average cost of a data breach is $5.5m per organisation at an average of $194 per compromised record. One suspects that in the case of Ashley Madison the cost may be their whole business model. Against that cost, why wouldn’t you use all the tools at your disposal – analytic and operational – to safeguard your most important asset, your customers’ data?

As a follow-up, read this interesting point of view from another provider, Sailpoint, here

Since this blog was originally posted, Sailpoint Technologies have published an interesting white paper entitled the “7 Tenets of Successful IAM” – read this here

Idax Software v2.0 launch at Infosec 2015

So the last minute – “post implementation, I’ll just do one more check” – testing is finished. Our stand is up with all our artwork and we’re all really excited about InfoSec 2015 which starts tomorrow.

To be honest what I most enjoy about trade shows is the client contact. There’s nothing like real-time feedback from clients and potential clients, and hopefully some validation too. That’s the thing about being part of a small company and being passionate about what we do – I just love listening to people’s real-life issues and talking to them about how Idax can address them. Corny, but true – that’s why we’re here.

So come and see us on stand K71 if you’re at Olympia this week. I promise you that in addition to some great software we have a few other surprises in store.

Idax launch identity analytics version 2.0

We’re all very excited here at Idax towers about the launch of version 2.0 of Idax’s identity analytics engine next month. Codenamed “Euclid”, we’ll be launching it at Infosec 2015 and we’re really looking forward to showing friends new and old around it.

Improving Access Reviews – 5 things you should consider when you sit down to do your quarterly reviews

Most managers in most big companies will be familiar with periodic access reviews. Once a quarter an email arrives telling you to review all staff access. You have an hour before your next meeting to review 10 team members, each of whom has access to about 50 systems, and none of the systems has a name you recognise. Your heart sinks; it’s a time-consuming task and you have no evidence that what you’re doing is correct or even useful. Well, based on Idax’s research you’re right – about 15% of all reviewed access rights are removed and the effectiveness is no better than random. So what should you do?

Fast Scalable Analytics – The future of Identity Management

The last few years have seen technology platforms proliferate, and with that has come increasing insider access threats. It’s becoming obvious that Identity and Access Management (IAM) tools that were fit for purpose a decade ago are now struggling to manage the complexity and scale of access.

Those in a corporation will be familiar with regular access reviews. An email arrives with a long list of staff, an even longer list of privileges, and a thinly veiled threat to take the review very seriously indeed. What is missing is any contextual information that might allow for a good decision. At heart this betrays a misconception about IAM risk. But this is also where analytics can deliver dramatic benefits.
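The two ideas running through these posts – spotting “staff with unusual access” and giving a reviewing manager some context beyond a bare list of system names – can both be illustrated with peer-group analysis of entitlements. The example below is added here and is not Idax’s code, nor a description of how the Idax engine works; it assumes one common identity-analytics approach (score each entitlement by how many of a user’s departmental peers also hold it) and uses constructed, hypothetical users, departments and entitlement names. The threshold in `unusual_access` is likewise an assumed starting value.

```python
from collections import Counter, defaultdict

# Constructed sample data (hypothetical departments, users and entitlements).
# Format: user -> (peer group, set of entitlements held).
USERS = {
    "alice": ("finance", {"ledger_read", "ledger_write", "payroll_read"}),
    "bob":   ("finance", {"ledger_read", "ledger_write"}),
    "carol": ("finance", {"ledger_read", "payroll_read", "prod_db_dump"}),
    "dave":  ("finance", {"ledger_read"}),
    "erin":  ("eng", {"repo_read", "repo_write", "prod_db_dump"}),
    "frank": ("eng", {"repo_read", "repo_write", "prod_db_dump"}),
    "grace": ("eng", {"repo_read", "repo_write"}),
}


def peer_groups(users):
    """Group user names by the peer group (here: department) they belong to."""
    groups = defaultdict(list)
    for user, (group, _) in users.items():
        groups[group].append(user)
    return dict(groups)


def entitlement_prevalence(users):
    """For each peer group, the fraction of members holding each entitlement.

    Returns {group: {entitlement: fraction}}. An entitlement that every peer
    holds scores 1.0; one that a single member holds scores 1/len(group).
    """
    prevalence = {}
    for group, members in peer_groups(users).items():
        counts = Counter()
        for member in members:
            counts.update(users[member][1])
        prevalence[group] = {ent: n / len(members) for ent, n in counts.items()}
    return prevalence


def score_user(user, users, prevalence):
    """List the user's entitlements as (entitlement, peer prevalence), rarest first."""
    group, ents = users[user]
    return sorted(((e, prevalence[group][e]) for e in ents), key=lambda x: (x[1], x[0]))


def unusual_access(users, threshold=0.34):
    """Flag entitlements held by fewer than `threshold` of the user's peers.

    The threshold is an assumed starting point; in practice it is tuned
    against group size so that a lone holder in a large group is flagged
    while a two-of-three holding in a tiny group is not.
    """
    prevalence = entitlement_prevalence(users)
    flagged = {}
    for user in users:
        rare = [(e, p) for e, p in score_user(user, users, prevalence) if p < threshold]
        if rare:
            flagged[user] = rare
    return flagged


def rank_users(users):
    """Rank users by how far their access deviates from their peers.

    Each entitlement contributes (1 - prevalence), so common access adds
    nothing and access that no peer shares adds almost a full point.
    """
    prevalence = entitlement_prevalence(users)
    scores = []
    for user, (group, ents) in users.items():
        scores.append((user, sum(1.0 - prevalence[group][e] for e in ents)))
    return sorted(scores, key=lambda x: (-x[1], x[0]))


def review_context(user, users):
    """Human-readable lines a manager can use during a quarterly review."""
    group, ents = users[user]
    members = peer_groups(users)[group]
    lines = []
    for ent, prev in score_user(user, users, entitlement_prevalence(users)):
        holders = round(prev * len(members))
        lines.append(f"{ent}: held by {holders} of {len(members)} {group} peers")
    return lines


if __name__ == "__main__":
    for user, score in rank_users(USERS):
        print(f"{user:6s} deviation={score:.2f}")
    for user, rare in unusual_access(USERS).items():
        print(user, "->", rare)
        print("\n".join(review_context(user, USERS)))
```

On the sample data the same entitlement (`prod_db_dump`) is unremarkable in engineering, where two of three peers hold it, but stands out in finance, where only one of four does; that is exactly the contextual information a bare list of 50 system names cannot give a reviewing manager, and the ranking puts that finance user at the top of the list to look at first.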