Is Big Brother watching you? - IT PRO
The IT Pro Report, Spring 2014
A quarterly IT strategy special report from the experts at IT Pro

Is Big Brother watching you?
The big eye in the sky has us all worried. Should we be fearful or thankful it’s watching over us?

An IT Pro publication, in association with Juniper Networks.

Contents, Spring 2014
Feature: Monitoring: The IT department’s view. Keeping tabs without compromising privacy or security.
The surveillance state: Fact or fiction?
Feature: There’s a fine line between protecting company interests and overly snooping, as Stephen Pritchard discovers...

Monitoring: The IT department’s viewpoint (page 19), by Stephen Pritchard

Since Edward Snowden’s revelations, discussions have understandably focused on government monitoring. But, used correctly, monitoring is a valuable resource, both in the battle against hacking and cyber crime, and also for improving IT operations.

“There are plenty of good reasons to monitor usage. Transparency and openness are certainly paramount objectives in any processing of information,” says Sally Annereau, data protection specialist at law firm Taylor Wessing. “People are generally prepared to accept that it will be appropriate for law enforcement purposes, to allow law enforcement bodies to access certain types of records. However, effective democracy rests on an electorate being kept informed so public bodies and governments can be held to account if their actions step beyond what can be viewed as necessary and acceptable use.”

“Monitoring what is going on in a network is obviously the mainstay of IT and network security: preventing the ingress of malware and protecting the egress of sensitive data. By linking the latter to users, [firms can] spot and correct careless behaviour and root out malicious users,” says Bob Tarzey, analyst and director at Quocirca. “But it’s also about understanding the end-to-end user experience. The way the network performs is a key part of the user experience. This is especially [...] for organisations that rely on monitoring and instrumentation to provide on-demand services [...] businesses and consumers [...].”

He adds: “Then there is business process monitoring: making sure [...] systems are as efficient as possible. [...]”

While tools give IT departments a view of the way networks and applications are performing, [...]

Monitoring, though, is not without restrictions. Laws, especially data protection laws, have always set the norms [...]. Now, however, the practice has changed. [...]

UK companies can also gain operational intelligence. This goes beyond [...] security [...] into commercial insights. For example, a call centre can monitor waiting times or call volumes, or [...] actual call [...], and correlate [...] with HR [...] and see if these [...].

Data loss prevention (DLP) tools [...] limit the types of data, such as customer records, that particular [...]. A DLP application relies on monitoring of data flows and user behaviour, [...] and will flag if, for example, an employee who normally accesses half a dozen customer records in a day suddenly starts to download thousands.

Active monitoring is also a key weapon against advanced persistent threats, or APTs. Yes, there are numerous other forms of malware, [...] APTs, unlike [...], are designed to be stealthy. Monitoring for unusual network activity, or data exfiltration, may be the only way to spot an APT at work.

Stephen Pritchard has been a journalist since 1990. Today his main specialisms are business, technology, management, process management and finance. He writes for a number of national and international business titles, and is a contributing editor and columnist for IT Pro.

Are we headed towards a surveillance state? (page 33), by Maggie Holland

We are headed for a future where every moment is watched and analysed. Should we [...] or should we just get on with things?

The NSA PRISM debacle shone a spotlight on surveillance [...]. At the same time, law enforcement and government agencies are busy working to [...].

Those that [...] ultimately [...] trust (government) implicitly have betrayed us. They’ve done things they pretended never to do, [...] we thought they shouldn’t [...] would do. The trust is forever broken.

Many people won’t dispute this fact. Indeed, many feel that’s the issue. It’s not what has been done, in terms of data [...] monitoring, it’s the deceit that hurts the most.

A watchful eye

There is a popular misconception in the UK that the [...] camera population is owned by the government. [...] A research report published by the British Security Industry Association (BSIA) claimed that privately owned cameras outnumber those of local authorities and police by around 70:1. There is one [camera] for every 11 people in Britain. Add to that the human element, security guards, police and military [...], and [...].

“It’s safe to say you are being watched wherever you are. There’s nothing new about that though. Businesses, whether commercial organisations [...] over employees to ensure they don’t [...] trade secrets or fiddle the books, or retailers clamping down on shoplifters, [...] some form of surveillance [...] to protect their premises,” said Pauline Norstrom, vice chair of BSIA’s CCTV section.

Maggie Holland has been a journalist since 1999, starting as editorial assistant on Computing magazine. She is now group editor of Cloud Pro and IT Pro.
Prologue P3
A foreword by Cloud Pro and IT Pro group editor Maggie Holland.

What’s happening to my data? P5
Khidr Suleman puts the case for and against surveillance and monitoring.

What are we scared of? P9
We take a look at the key enterprise fears when it comes to access and security.

Monitoring: The employer’s viewpoint P13
We look at how employers should approach security and monitoring.

Monitoring: The employee’s viewpoint P16
We look at security and monitoring from the individual user’s perspective.

Monitoring: The IT department’s viewpoint P19
How can the IT department monitor and maintain security without invading privacy or locking everything down?

Cloud: Friend or foe? P22
What role does cloud play in this new world filled with fear, uncertainty and doubt?

Case study: Mozzart Bet P25
The European betting firm worked with Juniper Networks to enhance security and uptime and achieve 99.9% availability.

Q&A: John Mancini, AIIM P27
He stresses the importance of protecting your company’s biggest asset.

Q&A: Rodney Joffe, Neustar P29
We talk to the security advisor about the challenges ahead.

Q&A: Henrik Davidsson, Juniper Networks P31
We discuss the fears and uncertainty surrounding security and monitoring issues in the enterprise world.

Are we headed towards a surveillance state? P33
Will George Orwell’s predictions of the future come true?

Where next? P36
Rene Millman ponders what the future holds when it comes to monitoring.

About our sponsor
Juniper Networks is the industry leader in network innovation. Our silicon, systems and software transform the economics and experience of networking for service providers and enterprises worldwide. Juniper enables high-performance networks that combine scale and performance with agility and efficiency, so customers can build the best networks for their businesses. For more information, please visit: http://www.juniper.net/uk/en/

EDITORIAL
Editor: Maggie Holland, maggie_holland@dennis.co.uk, 020 7907 6837
Contributors: Steve Cassidy, Max Cooter, Caroline Donnelly, Clare Hopping, Jane McCallion, Rene Millman, Stephen Pritchard, Khidr Suleman
Design and layout: Sarah Ratcliffe
Editorial Director: Tim Danton
Publisher: Paul Franklin

ADVERTISING & REPRINTS
Advertising Manager: Paul Lazarra, paul_lazarra@dennis.co.uk, 020 7907 6857

LICENSING & SYNDICATION
International Licensing: Dharmesh Mistry, +44 20 7907 6100

MANAGEMENT
Group Managing Director: Ian Westwood
Managing Director: John Garewal
MD of Advertising: Julian Lloyd-Evans
Chief Operating Officer: Brett Reynolds
Group Finance Director: Ian Leggett
Chief Executive: James Tye
Chairman: Felix Dennis

All material © Dennis Publishing Ltd, licensed by Felden 2013, and may not be reproduced in whole or part without the consent of the publishers.

Liability: While every care has been taken in the preparation of this magazine, the publishers cannot be held responsible for the accuracy of the information herein, or any consequence arising from it. Dennis Publishing Ltd

2 BIG BROTHER http://www.juniper.net/uk/en/ www.itpro.co.uk

Prologue, by Maggie Holland
No-one likes being watched: Or do they?

The NSA’s PRISM surveillance programme has changed the world as we know it. Yes, we’ve always suspected that the government is watching over certain people and certain activities, but we never suspected just how far such monitoring went.

Some people feel really uneasy about what they believe is a large and worrying invasion of their privacy. They don’t agree that a blanket, just in case, approach to monitoring is justification enough to snoop on innocent people. Others feel that if you’ve done nothing wrong you have nothing to be worried about and that such actions are necessary for the greater good.

The debate is likely to rumble on for some time to come about whether the NSA’s programme was an acceptable use or abuse of power. However, it has also shone a spotlight on wider concerns relating to monitoring and security. In a world where data volumes continue to grow and we’re offering up personal information to the internet and connected devices on a daily basis, how can we be sure that only those that need to see it actually do? What are the key fears in an enterprise context? How can business and IT decision makers protect their company’s most-prized assets, while at the same time avoiding crossing the creepy and intrusive line?

Khidr Suleman puts forward the arguments for and against surveillance operations like PRISM, while Jane McCallion offers advice for businesses on how to effectively monitor without being a creep. Caroline Donnelly looks at things from the employee’s viewpoint and warns individuals to be wary of workplace monitoring, while Stephen Pritchard approaches the issue from the IT department’s perspective.

We also look at the role cloud plays in all this and try to decide whether its reputation has been damaged by operation PRISM.

In addition to some great Q&A pieces with industry experts, we also take a look into what the future holds and ponder whether George Orwell’s 1984 has moved from fiction to fact. The novel depicted a scary future surveillance state - are we headed in that very direction?

We hope you find this special report informative and useful as you navigate the important but danger-filled world of monitoring. As always, we welcome your feedback on what you enjoyed about this report and what you’d like to see in future issues.

Thanks for reading.

Maggie Holland
Editor, IT Pro

For further insight on security, visit www.itpro.co.uk/security

Let us know your thoughts...
We’re keen to hear your feedback on this report and find out what you’d like to see included in the next one. Get in touch at report@itpro.co.uk
What’s happening to my data?
NSA PRISM surveillance: Necessary evil or a misuse of power? Khidr Suleman takes a look at the facts and ponders whether monitoring has taken a step too far...

Is digital privacy dead? When former NSA analyst and whistle blower Edward Snowden outed Project PRISM during the summer of 2013, he presented a convincing case that the US government is watching us.

Following the revelations, the NSA admitted that it “touches” 1.6 per cent of data which passes through the internet every day. However, it claims the collection is the equivalent of putting a dime on a basketball court and that just 0.025 per cent of data is reviewed by analysts.

This may not sound like a lot but it still means the NSA processes around 29PB of data per day - more data than the 20PB web giant Google handles on a daily basis.

Is this form of indiscriminate monitoring on such a global scale simply the price we have to pay for all the technology we can use in the modern world? Or is it a giant leap too far? And can the positives of such surveillance ever outweigh the negatives?

Khidr Suleman is technical editor at IT Pro and has been in the role since March 2012. Prior to that he worked for fellow B2B tech publication V3 as a reporter.

Pro surveillance: Sacrifice for the greater good

Isn’t the whole point of the data collection to make the world a safer place? The internet is now critical to our daily lives. It’s not only the primary source of information for us most of the time, it’s also the cornerstone of our economies - providing jobs and facilitating the transfer of goods and services.

Unfortunately, the internet is also heavily abused. The web is used not only to plan, but to promote and execute atrocious actions including paedophilia and terrorist attacks. If there is even a remote possibility that such heinous crimes can be prevented via some form of monitoring, isn’t it the duty of law-abiding citizens to comply? Even if that means sacrificing digital privacy? Look across Capitol Hill and you’ll find plenty of people who will argue this to be the case.

The NSA claims its surveillance programmes and solutions, such as its XKEYSCORE analytics tool, are necessary. The agency claims to have captured 300 terrorists using intelligence generated in this way. In his testimony to a Standing Committee on Intelligence in June 2013, NSA chief General Keith Alexander claimed more than 50 terror plots have been foiled since 9/11 because of the programmes in place. These include plans to attack the New York Stock Exchange and the New York City subway system with possibly devastating consequences.

So is having emails scanned and meta data collected from phone calls really that big a deal, if there’s a possibility that it could help save just one life? In that context, a reasonable person would likely respond in the affirmative, especially when you consider that most emails are spam, the content of phone calls is not disclosed and there is no proven impact on the daily life of innocent people.

You could go further and say that society has already willingly consented to monitoring on a daily basis. We’ve all got smartphones that can track our locations to within metres, ISPs have access to our internet browsing habits and, if you live in an urban area like London, the chances are your face is plastered over CCTV walls on a daily basis.

With wearable technology such as Google Glass on the horizon, the arrival of smart rubbish bins, and encrypted email services run by Lavabit in addition to Silent Mail being shut down, the lack of digital privacy is perhaps something we’re going to just have to get used to.

Albert Einstein: The world is a dangerous place to live; not because of the people who are evil, but because of the people who don’t do anything about it.

Against surveillance: It’s a gross misuse of power

Data collection isn’t always illegal. And many questions most definitely remain over the effectiveness of this method. On the face of it, it seems the NSA can’t be trusted with the great responsibility of the powers it has been granted.

In the US, the 4th amendment in the Constitution protects civilians from unreasonable searches and seizures and sets out requirements for search warrants based on probable cause. Almost all other countries have similar laws, which aim to protect the rights of citizens. The Human Rights Act 1998 is used by European member states and Article 8 guarantees a right to respect for private and family life – a law which at times is so liberally applied that it even protects the rights of known criminals.

By collecting information from US citizens and foreigners, the NSA is ignoring fundamental laws that the US and its allies are built on. And with the US Congress and secret FISA Court green-lighting this without input from citizens, who’s to say that further down the line these bodies may not choose to restrict other Constitutional rights? Freedom of Speech, Freedom of Religion and even Freedom of the Press may be curtailed in the future - all in the name of safety.

In fact, the limiting of Freedom of Speech already appears to have started. Google has already tried to use the first amendment to challenge bodies such as the DoJ and allow it to reveal information about data collection - unsuccessfully, so far. And the web giant isn’t the only one to have been silenced.

Ladar Levison, owner of encrypted email site Lavabit, made the decision to shut down the service after apparent pressure to grant access to customer information. The exact reasons behind the closure are unclear as Levison explained.

Benjamin Franklin: They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.

“I feel you deserve to know what’s going on - the first amendment is supposed to guarantee me the freedom to speak out in situations like this,” he said. “Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests,” he noted on the site.

Not enough

Despite the NSA claiming to have foiled 50 attacks, questions remain over how and why some of the world’s deadliest attacks such as 9/11 and the Boston bombing slipped through the net.

In the case of 9/11, reports suggest the NSA started collecting data in some form around seven months prior to the attack and that other agencies, including the FBI and CIA, knew of a substantial threat and even the identities of the hijackers. It would seem all parties involved failed to co-operate and act. Certainly not in time anyway.

Perhaps more worrying was the failure to prevent the Boston bombings given the length of time the NSA has had its surveillance procedures in place. Dzhokhar Tsarnaev, the surviving suspect, told federal investigators he downloaded extremist materials from the internet, including instructions on how to make home-made pressure cooker bombs. Yet, what appeared to be a primary source of suspicious activity was not picked up in the day-to-day NSA data sweeps. And no explanation has been forthcoming.

Justification or an excuse?

Even if we take into account all the good the NSA does, can it really be trusted with the information it gathers? The answer, in the opinion of many people, is no.

A leaked internal audit conducted by the NSA from May 2012 appears to confirm a gross misuse of power. The audit uncovered 2,776 incidents of unauthorised collection, storage and distribution of legally protected communications over a 12-month period. Serious breaches included a violation of a court order and unauthorised use of data of around 3,000 Americans and green-card holders. Is this evidence that absolute power corrupts?

Acquiesce or object?

It’s a polarising subject, but whatever your views on data collection, the NSA leak did us all a favour by getting it out in the open and generating debate. After all, you can’t change something if you don’t know it’s happening in the first place.

People now have two options. Most will choose to do nothing. They’ll simply carry on with life, which will remain unaffected, for now. Or they may sign up to one of the many petitions that are trying to push through reform and take steps to restore some semblance of privacy.

Those tasked with dealing with sensitive information will certainly have a vested interest in ensuring they can do their jobs without invading privacy or breaking laws.

With the closure of encrypted email services Lavabit and Silent Mail, and the assertion by Google that users have “no legitimate expectation of privacy”, email appears to be the most vulnerable type of communication. But it’s still possible to encrypt instant messages and phone calls using services. The Pirate Bay co-founder has also secured funding for an anti-snooping app called Hemlis in response to the NSA’s data collection. No doubt more services like this will also pop up in the future, so maybe there is still hope for privacy yet.

US Intelligence head slams NSA PRISM monitoring

Dianne Feinstein, the head of the US Senate intelligence committee, has switched sides on the NSA spying scandal, calling for a total surveillance review.

Feinstein had been one of the NSA’s strongest supporters in the face of criticism over reports it monitored internet and telephone communications as part of PRISM. She had been quoted as saying the mass collection of data did not constitute surveillance, as “it does not collect the content of any communication, nor do the records include names or locations”.

However, allegations that the agency has been spying on leaders of allied countries have prompted an about-face on Feinstein’s part.

“Unless the United States is engaged in hostilities against a country or there is an emergency need for this type of surveillance, I do not believe the United States should be collecting phone calls or emails of friendly presidents and prime ministers,” Feinstein said in a statement. “With respect to NSA collection of intelligence on leaders of US allies – including France, Spain, Mexico and Germany – let me state unequivocally: I am totally opposed.”

Feinstein also said it was “abundantly clear that a total review of all intelligence programs is necessary”.

In relation to the revelations that German chancellor Angela Merkel may have had her phone monitored by the NSA for over 10 years, Feinstein claimed US president Barack Obama had no knowledge of such actions. She added she had been assured such monitoring would not continue.

On 29 October 2013, in the US, the author of the 2001 Patriot Act introduced proposed legislation that looks to curtail the NSA’s powers, including the warrantless collection of bulk phone meta data. The 118-page bill, dubbed the USA Freedom Act, was put forward by Congressman Jim Sensenbrenner and Senate Judiciary Committee Chairman Patrick Leahy.

“Modest transparency and oversight provisions are not enough. We need real reform, which is why I join today with Congressman Sensenbrenner, as well as a bipartisan group of 15 Senators, to introduce the USA FREEDOM Act,” said Leahy.

The two most senior intelligence leaders, James Clapper and General Keith Alexander, were due to appear in front of the House intelligence committee the same day.

Credit: Jane McCallion

PRISM fallout could damage business, claim Cisco and Google

Cisco and Google claim the PRISM programme has not only damaged trust but could also be harmful to American businesses.

Cisco made the claim in November 2013, as it warned revenue would shrink by up to 10 per cent in its then most recent quarter, claiming demand in China had caused a backlash against American communications firms. Indeed, rivals EMC, IBM and Oracle were reported to be facing an official investigation by the Chinese government that August following revelations that the NSA had been carrying out wide-scale monitoring of global electronic communications.

According to an earnings results call transcribed by Seeking Alpha, Rob Lloyd, president of development and sales at Cisco, said: “This issue has caused, increasingly, customers to pause and [it is] another issue for them to evaluate...it’s certainly causing people to stop and then rethink decisions and that is I think reflected in our results.”

Meanwhile, Google’s law enforcement and information security director Richard Salgado became the first representative of a major technology company to testify before the US Congress following the revelations.

Salgado said: “The current lack of transparency about the nature of government surveillance in democratic countries undermines the freedom and trust most citizens cherish, it also has a negative impact on our economic growth and security and on the promise of an internet as a platform for openness and free expression.”

Echoing comments made by Box’s CEO at a conference in London also in November 2013, Salgado warned the scandal could lead to the creation of a “splinter-net” by putting up barriers.

Post hearing, Salgado told Reuters: “You can certainly look at the reaction, both inside the United States and outside of the United States to these disclosures, to see the potential of the closing of the markets through data location requirements.

“This is a very real business issue, but it is also a very real issue for the people who are considering using the cloud and for those who currently use the cloud and may have their trust in it rocked by the disclosures.”
Fear and loathing in the
enterprise: What are we scared of?
For every bit of good technology does, there is someone out there trying to exploit
it for less philanthropic intentions. We look at the key fears and issues...
T
echnology is a wonderful Without giving away our secrets, intensely competitive and customers
thing. When used to we’re happy to share - on a generic who lack confidence in the ability of
make working and level at least - the good, bad and ugly an organisation to protect their
personal lives easier, of projects gone by. We’re certainly information will not struggle to find
reduce effort and human error and not shy about showing our battle an alternative source of
speed everyday processes up, while scars when it comes to bog standard supply. Enterprises are increasingly
costing less, it’s a glorious asset to desktop or cloud deployments. aware of the impact of a security
behold. breach on their bottom line,” says Lee
That’s one side of it. But, there’s a Money talks, security stays quiet Newcombe, an expert in information
darker, less happy side too. As IT However, when it comes to security, security at Capgemini.
becomes ever-more sophisticated in we’re often rendered speechless with “At the same time as the profile of
what it can do for us as workers and no-one willing to say anything until cyber crime and cyber security is on
consumers, the number of bad guys they’ve been outed as having been the rise, enterprises are being offered
and gals out there ready, willing and hacked. new opportunities to deliver their IT
able to make use of it for ill intentions “As the profile of cyber security in more flexible and innovative ways
grows. continues to rise in the media, through cloud services or the
In other areas of the IT sphere, we organisations are more wary of the adoption of agile development
move forward by sharing use cases bad publicity that goes alongside a methodologies. The challenge for the
and deployment methodologies. security breach. Many sectors are enterprise decision makers is to find,
9 BIG BROTHER http://www.juniper.net/uk/en/ www.itpro.co.ukFeature Fear and loathing in the enterprise
enforcers must forge closer ties with
industry to plug an IT skills gap that
has the potential to hamper their
investigative powers.
That’s according to Andy
Archibald, head of the Government’s
National Cyber Crime Unit (NCU), who
used his address at the E-Crime
Congress event in central London in
March 2014, to highlight the need for
skilled IT workers to help in the fight
against cyber crime.
“The world and environment we’re
policing is changing and there is an
absolute need to respond,” he said.
To emphasise this point he cited
the different skills law enforcers must
draw on today to tackle bank
robberies that rely on technology to
be carried out, rather than weapons
and getaway cars.
“You can be in a room anywhere
and then implement, the balance you get a traceable, consistent and in the world, with access to malware
between innovative IT delivery and comprehensive set of security and the ability to hack into and
appropriate information risk solutions... Focus on your detection intrude into businesses in the
management.” and incident response mechanisms. financial sector, and you can commit
When it comes to security, it Prevention is a laudable aim, but you crime and fraud and make millions of
would seem the average enterprise is are unlikely to be able to prevent all pounds,” he added.
stuck between a rock and a hard potential attack vectors whilst During his address, Archibald
place. They do want to up their game in terms of protection, but they’re not willing to speak out and necessarily ask for help from their peers.

Newcombe offers some sage advice to help businesses who want to go it alone to mitigate current risks.

“Know your real-world threats and concentrate your efforts on the threats most likely to cause you harm,” he says. “Identify the data and services that your business relies upon and protect them appropriately.”

He continues: “Adopt an architectural approach to information risk management so as to make sure [you are] providing a service that can be used by your staff or your customers.”

He concludes: “Make sure you know when you have been compromised and how you will handle that scenario.”

Another skills crisis?

Some organisations have recruited people to the role of chief security officer (CSO) so they have a more focused stance on protecting their most important assets. However, such skills are often hard to come by as it remains a field shrouded in secrecy.

The solution? Cyber crime law

admitted the skills law enforcers need to successfully clamp down on cyber criminals are in short supply, though.

“We need still to retain the ability, skills, experience and knowledge about how to investigate and engage with the Criminal Justice system, but the skills we need to recover evidence and recover intelligence from the internet are high-end skills and technical skills that aren’t in high abundance in law enforcement,” he said.

In particular, coders, programmers and people with skills in reverse engineering are highly valued by law enforcers. But, it can be a challenge to attract and retain them, admitted Archibald.

“It’s a tough marketplace... Not only does the public sector [and] law enforcement need these skills, but so does the private sector,” he said.

“[In] the private sector, traditionally, the salary packages have been more attractive. I think that’s a challenge for law enforcers. How do you begin to address that particular
10 BIG BROTHER http://www.juniper.net/uk/en/ www.itpro.co.ukFeature Fear and loathing in the enterprise
issue as we move forward so we can attract the best, retain the best and ensure we continue to develop and protect our environment?”

One way would be for law enforcers to engage more with the private sector to gain access to the skills they need, he said. This is something the NCU is already doing.

Forging close ties with businesses in the private sector will also make it easier to share knowledge about cyber attacks, he added, which in turn will make it easier for law enforcers to gauge the scale of threats.

“My ambition in the coming months and coming years is, when we begin an investigation and try to work out what’s the best strategy, I don’t want to just be sitting in a room with colleagues from law enforcement having that discussion,” he said.

“I want to be in the room with people perhaps from intelligence services, perhaps from the private sector, from the banks and from the retail sector and from the ISPs and from a multi-national global institution who can advise us on how best to take on that investigation.”

Preparing for the worst

The recent Cyber Security Challenge looked to address skills and expertise shortages by setting up fake scenarios to see how people reacted. Computer student Will Shackleton was crowned the winner this year.

The event, hosted by intelligence and security organisation GCHQ in March 2014, aimed to find skilled cyber defenders capable of protecting the country against a serious cyber attack.

Kevin Williams, partnership engagement and national cyber crime capabilities manager at the National Crime Agency (NCA), explained how important it is for new experts to be recruited to deal with high-level cyber attacks.

“As the UK’s lead on tackling cyber crime, the National Crime Agency needs to be in the minds of those wishing to pursue a career within this sector. Events such as the Cyber Security Challenge provide a fantastic opportunity for us to not only test the skills of those taking part but also provide them with pathways which allow them to exploit their sought-after cyber skills,” Williams said.

Some 42 people took part in the two-day competition at the Cabinet War Rooms in Whitehall. They were kept on their toes throughout with challenges simulating real-life attack situations.

The challenge opened with a breaking news report describing a cyber attack on London’s financial district that brought down online banking platforms. This meant new stock market flotations could not be completed and BACS systems were compromised.

The challenges were conjured up by cyber security experts from BT, GCHQ, the NCA, Juniper Networks and Lockheed Martin.

“Getting security right and protecting businesses, government and the general public against cyber attacks is vitally important,” said Mark Hughes, CEO of BT Security.

“We at BT understand just how critical it is to ensure the right people are found, trained and ready to take on key roles in the cyber security profession.”

Credit: Caroline Donnelly, Maggie Holland and Clare Hopping

Tail-gating: The security problem not many of us know about

“One of the biggest security risks for businesses is tail-gating. This is when an employee holds the door open for the person behind them, who hasn’t needed to use a security device to gain access. This very common practice compromises security. It exposes the building and, more importantly, the people in it, to everything from petty theft to computer hacking and terrorism. It also puts the tailgater at risk as there is no record of them being in the building (should it need to be evacuated).

The best way of preventing this practice is to integrate the security systems with the management systems of the company. By integrating systems, only people who have properly checked into a building can gain access to any of its facilities, whether that’s lights or computers. As soon as you introduce the system everyone has to check in properly and anyone who doesn’t would immediately be viewed as suspicious.

It also means I can give my clients an accurate list of people in their building within minutes. In addition to increasing employee safety it also reduces energy costs, which can be as high as 30 per cent [of overall spend].”

Chris Percy, founder and president, DSI
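The check-in rule described in the tail-gating sidebar above (interior doors and computers usable only by badges that have passed the lobby check-in, everything else refused and flagged, and the checked-in set doubling as the evacuation roll call), as an added Python example that is not part of the original article or of DSI’s product. The badge IDs, reader names, event kinds and log format are constructed for illustration.

```python
"""Anti-tailgating replay over a badge-access log.

Added example (not from the article or from DSI). Implements the rule from the
sidebar: only badges that have checked in at the lobby may use interior doors
or log on to workstations; anything else is denied and flagged, and the set of
checked-in badges doubles as the evacuation roll call.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set, Tuple

# Event kinds (constructed). ENTRY/EXIT come from the lobby turnstile, INTERIOR
# from door readers inside the perimeter, LOGON from the workstation agent.
CHECK_IN, CHECK_OUT = "ENTRY", "EXIT"
GATED_KINDS = {"INTERIOR", "LOGON"}   # only allowed once checked in


@dataclass(frozen=True)
class Event:
    ts: datetime
    badge: str
    kind: str
    where: str


# Constructed sample log: ISO timestamp, badge id, event kind, reader/host.
# B-1003 never passes the turnstile yet opens a door and logs on: a tailgater.
# B-1002 checks out at lunch and then appears at a workstation without
# re-entering: either tailgated back in or someone else is using the account.
SAMPLE_LOG = """\
2014-03-03T08:01:10 B-1001 ENTRY lobby-turnstile
2014-03-03T08:01:12 B-1002 ENTRY lobby-turnstile
2014-03-03T08:05:40 B-1001 INTERIOR door-3F-east
2014-03-03T08:06:02 B-1003 INTERIOR door-3F-east
2014-03-03T08:07:30 B-1003 LOGON ws-3F-17
2014-03-03T12:30:00 B-1002 EXIT lobby-turnstile
2014-03-03T12:45:00 B-1002 LOGON ws-2F-04
"""


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated log lines; reject malformed or unknown kinds."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        ts, badge, kind, where = fields
        if kind not in GATED_KINDS | {CHECK_IN, CHECK_OUT}:
            raise ValueError(f"line {lineno}: unknown event kind {kind!r}")
        events.append(Event(datetime.fromisoformat(ts), badge, kind, where))
    return sorted(events, key=lambda e: e.ts)   # replay in time order


def replay(events: List[Event]) -> Tuple[Set[str], List[Event]]:
    """Replay events; return (badges currently inside, denied/flagged events)."""
    inside: Set[str] = set()
    flagged: List[Event] = []
    for ev in events:
        if ev.kind == CHECK_IN:
            inside.add(ev.badge)
        elif ev.kind == CHECK_OUT:
            inside.discard(ev.badge)
        elif ev.badge not in inside:
            # Gated action by a badge that never checked in (or already left):
            # the integrated system refuses it and raises an alert.
            flagged.append(ev)
    return inside, flagged


def occupancy_report(inside: Set[str]) -> str:
    """Roll call for an evacuation: who the system believes is in the building."""
    return "\n".join(sorted(inside)) or "(building empty)"


if __name__ == "__main__":
    present, alerts = replay(parse_log(SAMPLE_LOG))
    print("Inside now:\n" + occupancy_report(present))
    for ev in alerts:
        print(f"ALERT {ev.ts.isoformat()} {ev.badge} {ev.kind} at {ev.where} "
              "without a lobby check-in")
```

On the sample log the replay leaves only B-1001 on the roll call and flags both of B-1003’s actions and B-1002’s post-exit logon.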
Eugene Kaspersky on the cyber jungle

Eugene Kaspersky, CEO of Kaspersky Lab. You’d be hard pushed to find a more bubbly, cheerful and occasionally explosive presenter on the depressing, inescapable and often implausible field of cyber security. Then again, I guess he should be pretty jolly, since he’s in the business of plugging the leaks, Wiki or otherwise, in company and home-user computer networks.

Kaspersky presented at the CeBIT exhibition in Hannover in early 2014. The event is something of an annual barometer for trends in computing and, in line with other shows, there’s a distinct flavour here of the recession being well and truly over and done with. Lots of crazy robots with little tethers running back to massive racks of controlling servers: lots of people of a rather older sort, who disappear with great regularity into the apparently infinite series of private meeting rooms.

All change

One of the sponsors enlightened me as to some of the changes that have occurred. In the old days, it used to be delegated techies who attended, let out of their basement offices for a once-a-year jolly. Now, it’s the CEO and the CTO walking the halls, very often arriving so they can sign off a deal with a supplier that’s been in the pipeline for months.

It was this audience that Kaspersky had in mind. He didn’t dive in especially deep to his topic – not one slide gave any hard numbers behind any of his assertions. What he provided was a rapid-fire tour of the motivations behind the attacks. He wanted the room full of CXO types to sit back in shock and think “wait, this isn’t some crazy nerd talking here – it’s a chief exec, just like me, who knows the limits of my beliefs.”

While stories of hackers making their own petrol station discount cards by hacking the sales system of the chain of garages didn’t get much attention (they were caught within a month, apparently), the story of a heist lasting five years, of coal from Russian automatic loading systems for coal trains, clearly had a bigger impact.

An engaging presentation

Incredulity management didn’t appear on his big screen, or on the cutesy cartoon board being drawn off to one side of the stage as he spoke. But it ran through his whole presentation. As techies, we all have a responsibility to figure out what the bosses are going to understand, given that they probably won’t want to dive into the deep details of what makes an attack work or fail. And, at a certain level, the attack that gets through is the one that someone is too incredulous to spend money protecting against.

With a room full of CXOs, Kaspersky wasn’t going to move much below appeals for international standardisation and cooperation to talk specifics about risks to net neutrality. Nor was he going to go into the differences between having to protect a vulnerable machine against its own security holes, or putting imperfect machines behind restricting traffic chokes of some kind. He wanted other people – largely, regulators and various forces for social change – to shoulder the burden of improving cyber security, mostly by way of very non-technical initiatives like education and legal changes to regulation.

He even had a section on the nature of cyber espionage, though at this point I suspect he realised he was treading on thin ice against his own preferred fixes for the lower-level criminals – it’s very hard to co-operate internationally when your co-operators are also spying on you.

Right at the end, the master of ceremonies blindsided him with a final question: “Who worries you more – the cyber criminals, or the NSA?”

Kaspersky hedged his bets with a 90 per cent non-verbal answer. He spread his arms wide and eventually shook the MC by the hand, limiting his words to a carefully non-committal “Thank you very much” before going on to say “Every time I use a computer, I am aware of the possibility that someone – government, or criminal – could be watching.”

Credit: Steve Cassidy
Striking a balance – how to monitor without being a creep

Monitoring in the workplace can be helpful and constructive, but it can also potentially damage workplace relationships and sow the seeds of mistrust.

In George Orwell’s novel Nineteen Eighty-Four, the people of Great Britain are under constant surveillance. ‘Telescreens’ in their homes and workplaces allow them to be monitored round the clock, constantly, lest they do or say anything untoward. Their post is opened and read before being passed on. The powers that be know everything about them.

The book has had such an effect on us as a society that its themes and even some of its language – thoughtcrime, newspeak and Big Brother – have entered into everyday usage.

Against this background, how is it possible for organisations to carry out any form of monitoring without being perceived as some kind of dystopian tyrant? Can it ever be done ethically and is it possible to persuade employees, partners and clients that it is necessary?

The good news is yes. All these things are possible. However, companies need to be careful how they tread, because there are plenty of bear traps to fall into.

Who are you looking at?

Before getting into ‘how’, though, you first need to answer ‘why’ – why do you want to carry out any kind of monitoring activity?

According to George Tziahanas, vice president of legal and compliance solutions at HP Autonomy, the primary reason companies carry out surveillance is because they are obliged to do so.

“In certain industries – certainly financial services and, to a lesser degree, in the pharmaceutical sector – the employer is obliged to provide a layer of supervision or surveillance over their employees,” Tziahanas says.

Alan Delany, an associate at law firm Maclay Murray & Spens, who specialises in privacy and monitoring, explains that in the UK this would apply to businesses such as those regulated by the Financial Standards Authority (FSA).

“Often for them, there will be a requirement as to the recording of electronic communications inside and outside the organisation,” he says.

Outside of regulated industries, there are other reasons companies may wish to introduce monitoring technology, such as protecting confidential information or trade secrets, or ensuring certain levels of customer service.

These are all valid reasons, but if organisations want to avoid any programme coming back to bite them, there are some serious legal considerations to take into account as well.

Breakin’ the law

When it comes to the legal aspects of carrying out monitoring activities it can be a bit of a minefield, according to Delany.

“There are several different legal restrictions, ranging from the Data Protection Act to the Regulation of Investigatory Powers Act (RIPA) to, potentially, human rights considerations,” he says.

Jane McCallion is staff writer at Cloud Pro and IT Pro, following the completion of an MA in journalism. Prior to that, Jane worked in PR and was a freelance journalist.
“Also, you could run the more general risk of constructive dismissal claims if you are snooping on employees and covertly checking their emails,” he adds.

So what is to be done? Helpfully, there are a set of regulations that fall under RIPA known as the UK Lawful Business Practice Regulation, which set out examples of why an employer might want to monitor electronic communications.

According to Delany, if organisations comply with those regulations and tell employees monitoring is going to take place, they will largely be in the clear.

There are sector-by-sector variations as well. For example, for businesses regulated by the FSA, there will often be a requirement to record all communications, both internal and external, and retain them for a certain period. However, for many businesses, this kind of regulation will not apply.

“It comes down to business needs and transparency, and those are the themes that run through this whole area,” says Delany.

Choose your target

Once you have established ‘why?’ you need to establish ‘who?’.

The reality is that, irrespective of what industry you are in, whether regulated or unregulated, you are almost certainly not going to need to monitor every single employee in your business.

Some businesses – particularly those in heavily regulated and scrutinised industries such as the financial sector – are specifically concerned about what users are getting up to on social media sites, according to Andy Holmes, business development director at IT compliance and security firm Actiance.

“Similarly there are some that want to look inside their organisation to find out who are the bad apples. Frankly, we’re not interested in that conversation because, ultimately, there is no point. It’s just more big data, and organisations already have enough of that to deal with. It also breaks the bond of trust between the individual and the organisation,” he says.

“The key, then, is a measured, targeted approach that can be explained to employees, partners, customers and regulators alike, without causing alienation or suspicion.”

Tziahanas adds: “You have to do some sort of up front analysis before you start dropping technology in to go looking for stuff.

“For example, where are the greatest parts of the risk to the organisation? Who are the key parties I might be working with that present risk? Then keep the surveillance activities to the minimum necessary to identify those risks.”

Winning hearts and minds

Ultimately, a successful monitoring strategy is one that promotes buy-in from those who will potentially be under surveillance, rather than breeding suspicion and resentment.

“We try to encourage our customers to think ‘Who do we need to help? Who do we need to manage? And how can we do that positively?’,” says Holmes. “Then it becomes a much more limited environment where you are monitoring individuals.”

One way of encouraging acceptance of new practices, as well as avoiding blanket coverage, is engaging HR to promote the technology as a protection of the individual.

“We have had a couple of instances where, because we are able to determine what kind of activities people have been engaged in, we can demonstrate that negative or damaging things our clients or their employees have been accused of are untrue,” says Tziahanas.

Delany adds that there are also additional third-party considerations to take into account.

“If you are an employer that has recognised trade unions, they are going to want to be consulted and may well have their own perspective,” he explains.

“But, ultimately, if you take a hearts and minds approach and show employees that it’s to protect both the business and employees, you should be on solid ground,” he concludes.

The seven monitoring virtues

Keep these regulations in mind to stay on the right side of the law.

RIPA: A UK law that came into force in 2000, RIPA governs the interception of phone and email conversations. You must inform users inside and outside the company their communications may be monitored.

Lawful Business Practice Regulations: A subsection of RIPA, these guidelines are specific to businesses, giving examples of how you can carry out monitoring within the law.

EU Data Protection Directive: A European law dating from 1995, this regulates the processing of personal data within the EU. However by the end of 2014 it will be superseded by...

General Data Protection Regulation (GDPR): The Data Protection Directive’s successor. Companies processing more than 5,000 data subjects in 12 months and all public authorities must appoint a Data Protection Officer. Explicit consent must be given for data collection and the purpose of collection made clear. Consent can be withdrawn at any time. Data breaches must be reported to the new Data Protection Authority within 72 hours and any adversely affected individuals notified.

ECHR: One of the best known pieces of EU legislation, the European Convention on Human Rights 1953 provides for the right to privacy (Article 8). Sufficient effort should be made to comply with Article 8, although much of the previously mentioned legislation covers similar ground.

Computer Misuse Act: A piece of UK legislation dating back to 1990, it forbids anyone from accessing another person’s computer even if that person has previously given you their password and consent. Ownership of the computer, account and data should be considered, as well as ongoing consent.
Keeping watch: Why you should be wary of workplace monitoring

Monitoring employees for cyber security and productivity purposes is considered essential by some firms. But what if it goes too far?

“If you’ve done nothing wrong, you have nothing to hide,” is a phrase often uttered by pro-surveillance types to ease the concerns of people alarmed at the prospect of having their actions monitored.

In the workplace, it is commonplace for employers to keep tabs on the internet browsing habits of their staff, and – in some cases – the content of the emails they send to others outside the organisation.

After all, employees are often cited as a major source of cyber security mishaps within the enterprise. They are regularly targeted by hackers looking for a way into the company’s network, and it’s not unheard of for disgruntled staff to purposefully leak data.

For these reasons, Bill Windle, people and cyber risk expert at PA Consulting Group, says it’s hardly surprising companies like to keep a close eye on what their staff are up to.

“Employers have obligations to the law, business partners, shareholders and customers as well as to the employees themselves to protect the data they hold (as well as other valuable assets),” says Windle. “Monitoring can play an important part in helping meet these obligations as part of a coherent, integrated, defence-in-depth approach to an organisation’s protective security.”

From a productivity standpoint, employee monitoring makes sense to ensure they’re not whiling away the hours until clocking off time on social networking sites, for example. Or, as Leon Deakin, senior associate at employment law specialist Thomas Eggar LLP, points out, engaging in other activities that could possibly damage the company’s reputation.

“The potential for employees to cause their employer embarrassment and harm their reputation is probably justification enough to monitor their use of the internet and email facilities,” Deakin says.

“However, when you toss into the mix the various legal liabilities which can arise from misuse including, but not limited to, defamation, breach of confidentiality, negligence, and discrimination, it could be seen as a dereliction of duty [by the company] to not monitor [staff] to some extent.”

Explaining the risk

Keeping a watchful eye on staff is all well and good, but it could backfire on organisations that haven’t taken the time to explain to their employees why it’s happening, warns Windle.

As part of this, he says staff should be made fully aware of how valuable the data they have access to is, and how important their role is in keeping it safe.

Training can only cover so much, though, and there is always a risk that employees may not realise their actions could have dire consequences for the company later down the line.

As an example, Windle cites employees that take classified data off-site on removable storage devices or by emailing it to a personal web address in order to meet an urgent work deadline. In that situation, the employee may not realise the risks they’re taking because making sure their work is in on time takes precedence.

“This is where monitoring can play a constructive and supportive part in helping spot where employees take well-intentioned initiatives without understanding the real risks involved, nor thinking through who owns those risks,” he adds.

Employee education

Taking the time to explain to staff why they’re being monitored can also help allay any fears they may have about how workplace surveillance procedures square with their own rights to privacy.

However, if employees start to feel their company’s monitoring processes are bordering on the intrusive, they are well within their rights to speak up.

That being said, Sol Cates, chief security officer at infosecurity vendor Vormetric, admits this is an issue that’s not always easy for staff to raise with the powers that be.

“It can be tricky for an employee to voice concern about employee monitoring, particularly if the way it is expressed is seen as being negative or critical of the organisation or its leaders,” he explains. “Nevertheless, with careful handling there are a number of practical steps open to employees if they feel the level of monitoring is bordering on the intrusive.”

Deakin says the first step for employees should be to ask their employer for explicit clarification about how their time at work will be monitored.

“Even if the employer has informed the employee that certain aspects of their work will be monitored and has a clear policy on this, it’s not always apparent what this actually means in practice,” Deakin explains. “For example, how many of us are actually aware of what our IT team can and can’t see? As such, it is not surprising that some employees may be left feeling rather helpless or just bemused.”

Employees may also feel their company has crossed a privacy line by monitoring the content of their private posts on social networking sites, such as Facebook and Twitter. This is usually done to clamp down on employees that might use these sites to write disparaging comments about their place of work or co-workers.

Deborah West, an employment law partner at legal firm Temple Bright, says this type of monitoring might put people’s noses out of joint but there are legitimate business reasons for doing it. “Employees must appreciate that things they post on such sites can be damaging to employers, both in terms of exposure to claims from colleagues of discrimination,” she says.

“In the event an employer undertakes any such monitoring, this can only be lawfully done within certain limits. The difficulty is that as the use of different web-based platforms develops so quickly, the law is not always as quick to react to the evolving use of technology as it should be.”

If employees want to lodge a formal complaint about their workplace’s monitoring procedures, Windle recommends they swot up on the latest guidance first.

“Assemble the facts on specific areas of concern and benchmark these against published best practice,” he says, advising employees to seek out a copy of the Holistic Management of Employee Risk (HoMER) guidance.

The document details how employees can check their own organisation’s approach to monitoring. It also provides guidance as to who and what may be legitimately monitored.

“By placing any concerns they have in the context of national best practice, employees can place their questions or challenge in a positive frame, seeking improvements for the organisations,” Windle concludes.

Caroline Donnelly has been a technology journalist for several years and joined the IT Pro team as news editor in March 2012.

Professionalisation of cyber crime poses new risks

In light of the fact some employees have been caught using company resources to ‘mine’ for Bitcoins, perhaps employers should be paying more attention to what employees do...

Changes taking place in the underground market operated by cyber criminals, such as the increasing use of new technologies like Bitcoin, are making hacking attacks more dangerous than ever before.

The investigation, carried out on behalf of Juniper Networks, found the cyber crime black market is steadily growing in sophistication. Online crime has become increasingly sophisticated to the point where it now mirrors very closely the type of organised crime seen offline, the research found.

“Historically, 80 per cent of hackers were ‘freelance’ and just 20 per cent were part of organised crime,” says Mark Quartermaine, Juniper Networks’ vice president of the UK and Ireland. “Now, that has been flipped on its head as this hacking market matures and 80 per cent are working as part of organised groups.”

The researchers found a distinct hierarchy operating in these groups with ‘mules’, who carry out most of the groundwork, ‘vendors’, who provide services such as botnets for hire or money laundering, through to highly skilled ‘administrators’, who develop malware and exploit kits. The members of this elite top level are also the ones who make the most profit from the cyber crime economy.

The research also discovered the use of crypto currencies is increasing. While some transactions can still be carried out using traditional means, many criminal sites now only accept payment in the form of Bitcoin, Litecoin or Pecunix, because of their anonymity and security characteristics.

However, Quartermaine does not believe that cracking down on these types of digital currencies would destroy the cyber crime black market. “If they disappeared, these criminals would find some other way of transacting,” he says.

The ability to carry out attacks is likely to outstrip our ability to defend very quickly, particularly as the number of everyday transactions carried out online increases, according to the research.

“By 2020, the number of connected devices is predicted to be greater than the population of the world,” adds Quartermaine. “Every way you look at it, networking is going to increase so vulnerabilities are also going to increase, which means it is something we have to get our head around now.”

Credit: Jane McCallion