The security threat: Do you know your real business risk?

Posted on : 31-03-2015 | By : john.vincent | In : Cyber Security


We are asked by our clients increasingly to assist in helping them assess the current threats to their organisation from a security perspective. Indeed, this is now a core part of our services portfolio.

Measuring an organisation's threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end user computing controls, network access and so on.

The reality is that companies often select the approach that suits their current operating model or, if they use an independent assessor, one that is aligned with that assessor's technology or methodology bias. In almost every case, what these assessment approaches have in common is that they address only a subset of the problem.

At Broadgate we take a very different approach. It starts with two very simple guiding principles;

  1. What are the most critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify security risks?

Our methodology applies a top down lens over these questions and then looks at the various inputs into them. We also consider the threats in real world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  1. Top Down – we start with the board room. As the requirements to understand, act on and report breaches within a company become more robust, it is the board and C-level executives who need the data on which to make informed decisions.
  2. Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the board room.
  3. Risk Driven – to conduct a proper assessment of an organisation's exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider the likelihood and impact from various angles, including regulatory position, industry vertical, threat trends and of course the board members themselves (as attacks are increasingly personal by nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and the development of strategic security roadmaps.
  4. Maturity Based – we map the key security standards and frameworks, such as ISO 27001/2, the SANS 20 Critical Security Controls and Cyber Essentials, from the top level through to the mechanics of implementation. We then present these in non-technical, business language so that there is a very clear common understanding of where compromises may exist and of the current maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.
  5. Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response. At Broadgate we have spent years looking into what are the best fit technologies to mitigate the threats of a cyber attack or data breach and this experience forms a cornerstone of our methodology.

At Broadgate our mantra is “The Business of Technology”. This applies across all of our products and services, and never more so than when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact myself or kerry.housley@broadgateconsultants.com.

Calling the General Election

Posted on : 31-03-2015 | By : richard.gale | In : General News


With the General Election now only 37 days away, can we harness new technology and the “wisdom” of the social media crowd to help call it?

Big Data and Sentiment Analysis

In the run up to the election you will hear a lot about the power of big data and sentiment analysis, for example in this announcement from TCS.

The technology behind this and similar projects is undoubtedly clever, although I do think the state of the art in sentiment analysis is being overplayed – I recently attended a talk by a professor of computational linguistics who revealed that it helps with their currently not very effective sentiment analysis of Twitter if people include emoticons in their messages!

However this attempt to benefit from the “Wisdom of the Crowd” (often cited as a rationale) is doomed for a reason that is as old as computing itself:

“Garbage in, Garbage out”

The sample set of political tweets will largely encompass two analytically unhelpful groups: political activists, who are the least likely to change their vote, and the young, who are least likely to vote in the first place!

Indeed, at the close of the Scottish referendum campaign, the SNP were convinced that they had won by a good margin off the back of analysis based partly on trends in social media.

(This is different to the US Republicans in 2012 who, at the close of the presidential campaign, also thought they had won, but based on no data at all from the non-working system that they had built. This is not relevant to the current discussion except that both instances led to a narrative of the vote being “stolen” developing amongst true believers, but I include the aside as I think this article is required reading on how not to roll out a project to non-technical users.)

Opinion Polls

What about the more familiar opinion polls?

As the polling companies are always keen to tell us, polls provide a snapshot and not a prediction. This is true of course, but the snapshot itself is not really a snapshot of how people will vote at that moment in time. It is a snapshot of how they answer the question “which party would you vote for if a General Election were held tomorrow?”

They subsequently give different answers when asked specifically about their constituency and different answers again when the local candidates are named. Liberal Democrats have found in their private polling of their stronghold seats (a fast dwindling set!) that naming the local candidate can make a 10-point difference in their favour (the incumbency effect) and indeed this is the glimmer of hope that they cling to this time round.

What opinion polls also cannot factor in is anything more than a rudimentary use of past knowledge of voter behaviour – polling firms do differ on how they allocate “Don’t knows”, either ignoring them altogether or reallocating a proportion of them based on declared past voting.

Of course this gives its own problems as people are inherently unreliable and misremember. For instance, when asked, far more people claim to have voted Liberal Democrat in 2010 than the total number of votes the party actually received.

Betting markets

Of course the one source that can take all the above and more into account including past knowledge and contemporary analysis is the betting markets.

In pre-internet days, the above was still true but easy access to information and on-line betting has supercharged this in terms of both numbers and overall quality.

In this case, the “Wisdom of the crowd”, often touted for things like sentiment analysis, does actually hold true because the crowd in this case are actually wise (unlike the twitterati), both individually and collectively.

Political betting is a niche pursuit and as such attracts both amateur and professional psephologists along with those with “inside” knowledge. This means that the weight of the money in the market is quite well informed.

Past-it First Past the Post

The importance of inside knowledge is magnified by a creaking voting system that means that national polls and sentiments are all well and good, but the real result lies in the hands of a hundred thousand-odd voters in a handful of marginal constituencies.

This means that those with real insight are those on the ground, and this time around the proliferation of smaller parties eating into each of the main parties’ votes makes the situation even more volatile and local knowledge even more important. The constituency betting markets will be made by political activists on the ground with access to detailed internal canvass data.

So my advice would be to ignore the siren call of the new (social media) and the reassurance of the old (opinion polls) and just follow the money, the informed betting money that is.

This article was authored by Andrew Porrer of Heathwest Systems and represents his personal opinions. Andrew can be contacted at Andrew.Porrer@heathwest.com.

Meteor – a next generation web framework

Posted on : 31-03-2015 | By : richard.gale | In : Innovation


Over the years, we’ve gotten used to the idea that a website is something that you only communicate with in short, separate bursts of activity. Highly reactive websites such as Facebook have invested heavily in developing their own proprietary frameworks for delivering an enhanced user experience whereby changes are pushed to the client in real-time.

Meteor (http://www.meteor.com) is part of a new wave of frameworks and technologies looking to challenge the status quo by making real-time web applications possible for any organisation. Formed during the Summer ’11 intake of Y Combinator (www.ycombinator.com) start-ups, the company released v1.0 of its popular framework in Q4 2014 and is gathering a following among developers worldwide due to its power and ease of use.

Modern web applications serve data rather than HTML, and this is one of the core tenets of Meteor’s architecture. Traditionally the web server performs all the processing and then pushes rendered results down to the client; Meteor flips this paradigm on its head and pushes incremental data changes down to a local in-memory database hosted in the client’s browser, where the processing happens. With a Meteor application you no longer need a refresh button: as data changes, the user interface reflects them in real time.

While this may not sound very different from technologies such as AJAX, which have been around for many years, Meteor takes care of all the internal ‘plumbing’ required to enable real-time updates, without the developer having to code it themselves.
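To make the server-push model above concrete, here is an added example written for this article; it is not Meteor’s own code and uses none of its APIs. It models the flow in plain Node.js: the server owns the data, a publication decides which documents and which fields each connected client may see, and the client keeps an in-memory mirror that is patched incrementally from added/changed/removed messages rather than by re-fetching a page. Meteor does this over its DDP protocol into its client-side “minimongo” cache; the class names, message shapes and the two user records are assumptions constructed for illustration.

```javascript
// Added example, not Meteor's own code: a plain Node.js model of the
// server-push architecture. The server owns the data, a publication decides
// which documents and fields each client may see, and the client keeps an
// in-memory mirror that is patched incrementally from added/changed/removed
// messages instead of re-fetching a page. Meteor does this over DDP into its
// client-side "minimongo" cache; names and message shapes here are assumptions.

// Client side: an in-memory mirror that only ever applies server messages.
class ClientCache {
  constructor() { this.docs = new Map(); }
  handle(msg) {
    if (msg.msg === 'added') {
      this.docs.set(msg.id, { _id: msg.id, ...msg.fields });
    } else if (msg.msg === 'changed') {
      this.docs.set(msg.id, { ...this.docs.get(msg.id), ...msg.fields });
    } else if (msg.msg === 'removed') {
      this.docs.delete(msg.id);
    } else {
      throw new Error('unknown message type: ' + msg.msg);
    }
  }
  // Snapshot of the mirror, sorted by _id so results are deterministic.
  find() { return [...this.docs.values()].sort((a, b) => a._id.localeCompare(b._id)); }
}

// Server side: the authoritative collection fans every write out to its publications.
class ServerCollection {
  constructor() { this.docs = new Map(); this.publications = []; }
  notify(kind, doc) { for (const p of this.publications) p.onWrite(kind, doc); }
  insert(doc) { this.docs.set(doc._id, doc); this.notify('added', doc); }
  update(id, patch) {
    const doc = { ...this.docs.get(id), ...patch };
    this.docs.set(id, doc);
    this.notify('changed', doc);
  }
  remove(id) { const doc = this.docs.get(id); this.docs.delete(id); this.notify('removed', doc); }
}

// A publication is the security boundary: selector(doc, userId) says which
// documents a subscriber may see, fields which properties are ever sent.
class Publication {
  constructor(collection, selector, fields) {
    this.collection = collection; this.selector = selector; this.fields = fields; this.subs = [];
    collection.publications.push(this);
  }
  subscribe(userId, client) {
    const sub = { userId, client, seen: new Set() };
    this.subs.push(sub);
    // Initial sync: stream whatever already exists and is visible to this user.
    for (const doc of this.collection.docs.values()) this.sync(sub, 'changed', doc);
  }
  project(doc) {
    const out = {};
    for (const f of this.fields) if (f !== '_id' && f in doc) out[f] = doc[f];
    return out;
  }
  // Per-subscriber diff: a document entering the selector is "added", one
  // still inside it is "changed", one leaving it (or deleted) is "removed".
  sync(sub, kind, doc) {
    const visible = kind !== 'removed' && this.selector(doc, sub.userId);
    if (visible && !sub.seen.has(doc._id)) {
      sub.seen.add(doc._id);
      sub.client.handle({ msg: 'added', id: doc._id, fields: this.project(doc) });
    } else if (visible) {
      sub.client.handle({ msg: 'changed', id: doc._id, fields: this.project(doc) });
    } else if (sub.seen.has(doc._id)) {
      sub.seen.delete(doc._id);
      sub.client.handle({ msg: 'removed', id: doc._id });
    }
  }
  onWrite(kind, doc) { for (const sub of this.subs) this.sync(sub, kind, doc); }
}

// Two publications over one users collection: an "autopublish"-style one that
// sends everything to everyone, and a hardened one that sends a client only
// its own record and never the password hash. The records are constructed.
function demo() {
  const users = new ServerCollection();
  const everything = new Publication(users, () => true, ['username', 'email', 'passwordHash']);
  const ownProfile = new Publication(users, (doc, userId) => doc._id === userId, ['username', 'email']);

  users.insert({ _id: 'alice', username: 'alice', email: 'alice@example.com', passwordHash: 'constructed-hash-alice' });
  users.insert({ _id: 'bob', username: 'bob', email: 'bob@example.com', passwordHash: 'constructed-hash-bob' });

  const leaky = new ClientCache(); everything.subscribe('alice', leaky);
  const safe = new ClientCache(); ownProfile.subscribe('alice', safe);
  const leakyInitial = leaky.find(); // alice's browser now holds bob's password hash

  // Later writes reach every subscriber as a small delta; no refresh button.
  users.update('alice', { email: 'alice@corp.example' });
  users.remove('bob');
  return { leakyInitial, leakyNow: leaky.find(), safeNow: safe.find() };
}

console.log(JSON.stringify(demo(), null, 2));
```

The practitioner’s point is the `everything` publication: because the client-side database is a mirror of whatever the server publishes, anything pushed to the browser is readable by that browser’s user, whatever the UI shows. Meteor’s `autopublish` and `insecure` packages, which a freshly created project includes for convenience, remove exactly this boundary on the read and write sides respectively; `meteor remove autopublish insecure` and explicit publications and methods should be in place before an application is exposed to real users.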

Meteor is built on Node.js (http://www.nodejs.org) and so lets developers write both client-side and server-side code in a single language, JavaScript. The advantage of this is that your developers do not need to constantly shift between programming languages and can instead focus on the core application functionality. Meteor is currently coupled with the NoSQL database MongoDB (http://www.mongodb.org) at the back end, which means that client, server and database code are all written in a single, easily maintainable language.

Bringing existing datasets into your Meteor application could prove challenging at present because only MongoDB is officially supported; however, additional database connectors (e.g. MySQL) are currently in development by the community. Given the open-source nature of the project and its rapid adoption, support for additional popular databases is highly likely over the coming months.

The result of all this is a platform that manages to be very powerful and very simple by abstracting away many of the usual hassles and pitfalls of web application development. Removing the need to manually handle client and server interactions, Meteor enables rapid application development, while still being scalable into production environments.

One other major advantage of the Meteor platform is its integration with the Apache Cordova platform, meaning that your Meteor web application code can be packaged as a mobile (iOS/Android) application without the need for any significant re-work.

While this article only scratches the surface of Meteor’s capabilities and underlying technology, hopefully it has given you enough of a taster to investigate its use further.

This article was authored by one of Broadgate’s consultants, David Sandell. David can be contacted at David.Sandell@broadgateconsultants.com