This strategic report from IT Pro, supported by Juniper Networks, highlights the security challenges facing companies and individuals globally and daily, and demonstrates the technology and business advantage that can be taken today to combat the ever-increasing security challenges of the digital age.

Is Big Brother watching you? IT Pro Strategic Security Report in Association with Juniper Networks

The IT Pro Report: a quarterly IT strategy special report from the experts at IT Pro. An IT Pro publication, in association with Juniper Networks. Spring 2014.

Is Big Brother watching you?
The big eye in the sky has us all worried. Should we be fearful or thankful it's watching over us?
Prologue: No-one likes being watched: Or do they?
Maggie Holland, Editor, IT Pro

The NSA's PRISM surveillance programme has changed the world as we know it. Yes, we've always suspected that the government is watching over certain people and certain activities, but we never suspected just how far such monitoring went.

Some people feel really uneasy about what they believe is a large and worrying invasion of their privacy. They don't agree that a blanket, just-in-case approach to monitoring is justification enough to snoop on innocent people.

Others feel that if you've done nothing wrong you have nothing to be worried about, and that such actions are necessary for the greater good.

The debate is likely to rumble on for some time to come about whether the NSA's programme was an acceptable use or an abuse of power. However, it has also shone a spotlight on wider concerns relating to monitoring and security. In a world where data volumes continue to grow and we're offering up personal information to the internet and connected devices on a daily basis, how can we be sure that only those who need to see it actually do?

What are the key fears in an enterprise context? How can business and IT decision makers protect their company's most-prized assets while, at the same time, avoiding crossing the creepy and intrusive line?

Khidr Suleman puts forward the arguments for and against surveillance operations like PRISM, while Jane McCallion offers advice for businesses on how to monitor effectively without being a creep.

Caroline Donnelly looks at things from the employee's viewpoint and warns individuals to be wary of workplace monitoring, while Stephen Pritchard approaches the issue from the IT department's perspective.

We also look at the role cloud plays in all this and try to decide whether its reputation has been damaged by PRISM.

In addition to some great Q&A pieces with industry experts, we also take a look into what the future holds and ponder whether George Orwell's 1984 has moved from fiction to fact. The novel depicted a scary future surveillance state: are we headed in that very direction?

We hope you find this special report informative and useful as you navigate the important but danger-filled world of monitoring. As always, we welcome your feedback on what you enjoyed about this report and what you'd like to see in future issues.

Thanks for reading.

For further insight on security, visit www.itpro.co.uk/security

Let us know your thoughts... We're keen to hear your feedback on this report and find out what you'd like to see included in the next one. Get in touch at report@itpro.co.uk

In association with Juniper Networks: http://www.juniper.net/uk/en/
What's happening to my data?
NSA PRISM surveillance: Necessary evil or a misuse of power? Khidr Suleman takes a look at the facts and ponders whether monitoring has taken a step too far...

Khidr Suleman is technical editor at IT Pro and has been in the role since March 2012. Prior to that he worked for fellow B2B tech publication V3 as a reporter.

Is digital privacy dead? When former NSA contractor and whistleblower Edward Snowden outed PRISM during the summer of 2013, he presented a convincing case that the US government is watching us.

Following the revelations, the NSA admitted that it "touches" 1.6 per cent of the data which passes through the internet every day. However, it claims the collection is the equivalent of putting a dime on a basketball court, and that just 0.025 per cent of that data is reviewed by analysts.

This may not sound like a lot, but it still means the NSA processes around 29PB of data per day: more than the 20PB web giant Google handles daily.

Is this form of indiscriminate monitoring on such a global scale simply the price we have to pay for all the technology we can use in the modern world? Or is it a giant leap too far? And can the positives of such surveillance ever outweigh the negatives?

Pro surveillance: Sacrifice for the greater good

Isn't the whole point of the data collection to make the world a safer place? The internet is now critical to our daily lives. It's not only our primary source of information most of the time, it's also the cornerstone of our economies, providing jobs and facilitating the transfer of goods and services.

Unfortunately, the internet is also heavily abused. The web is used not only to plan, but to promote and execute atrocious actions, including child abuse and terrorist attacks.

If there is even a remote possibility that such heinous crimes can be prevented via some form of monitoring, isn't it the duty of law-abiding citizens to comply, even if that means sacrificing digital privacy? Look across Capitol Hill and you'll find plenty of people who will argue this to be the case.

The NSA claims its surveillance programmes and tools, such as its XKEYSCORE analytics system, are necessary. The agency claims to have captured 300 terrorists using intelligence generated in this way.

In his testimony to the House Intelligence Committee in June 2013, NSA chief General Keith Alexander claimed more than 50 terror plots had been foiled since 9/11 because of the programmes in place. These included plans to attack the New York Stock Exchange and the New York City subway system, with possibly devastating consequences.

So is having emails scanned and metadata collected from phone calls really that big a deal, if there's a possibility it could help save just one life? In that context, a reasonable person would likely respond in the affirmative, especially when you consider that most emails are spam, the content of phone calls is not disclosed and there is no proven impact on the daily life of innocent people.

You could go further and say that society has already willingly consented to monitoring on a daily basis. We've all got smartphones that can track our locations to within metres, ISPs have access to our internet browsing habits and, if you live in an urban area like London, the chances are your face is captured on CCTV on a daily basis.

With wearable technology such as Google Glass on the horizon, the arrival of smart rubbish bins, and encrypted email services such as Lavabit and Silent Mail being shut down, the lack of digital privacy is perhaps something we're just going to have to get used to.

Albert Einstein: "The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it."

Against surveillance: It's a gross misuse of power

Data collection of this kind isn't necessarily legal, and many questions most definitely remain over the effectiveness of the method. On the face of it, it seems the NSA can't be trusted with the great responsibility of the powers it has been granted.

In the US, the Fourth Amendment to the Constitution protects civilians from unreasonable searches and seizures and sets out requirements for search warrants based on probable cause. Almost all other countries have similar laws which aim to protect the rights of citizens. In Europe, Article 8 of the European Convention on Human Rights, brought into UK law by the Human Rights Act 1998, guarantees a right to respect for private and family life: a law which at times is so liberally applied that it even protects the rights of known criminals.

By collecting information from US citizens and foreigners, the NSA is ignoring fundamental laws that the US and its allies are built on. And with the US Congress and the secret FISA Court green-lighting this without input from citizens, who's to say that further down the line these bodies may not choose to restrict other Constitutional rights? Freedom of speech, freedom of religion and even freedom of the press may be curtailed in the future, all in the name of safety.

In fact, the limiting of freedom of speech already appears to have started. Google has tried to use the First Amendment to challenge bodies such as the DoJ so that it can reveal information about data collection requests; unsuccessfully, so far. And the web giant isn't the only one to have been silenced.

Ladar Levison, owner of encrypted email service Lavabit, made the decision to shut down the service after apparent pressure to grant access to customer information. The exact reasons behind the closure are unclear, as Levison explained on the site.

"I feel you deserve to know what's going on - the first amendment is supposed to guarantee me the freedom to speak out in situations like this," he said. "Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests."

Not enough

Despite the NSA claiming to have foiled 50 attacks, questions remain over how and why some of the world's deadliest attacks, such as 9/11 and the Boston bombing, slipped through the net.

In the case of 9/11, reports suggest the NSA started collecting data in some form around seven months prior to the attack, and that other agencies, including the FBI and CIA, knew of a substantial threat and even the identities of the hijackers. It would seem all parties involved failed to co-operate and act; certainly not in time, anyway.

Perhaps more worrying was the failure to prevent the Boston bombings, given the length of time the NSA has had its surveillance procedures in place. Dzhokhar Tsarnaev, the surviving suspect, told federal investigators he downloaded extremist materials from the internet, including instructions on how to make home-made pressure cooker bombs.

Yet what appeared to be a primary source of suspicious activity was not picked up in the day-to-day NSA data sweeps, and no explanation has been forthcoming.

Justification or an excuse?

Even if we take into account all the good the NSA does, can it really be trusted with the information it gathers? The answer, in the opinion of many people, is no.

A leaked internal NSA audit from May 2012 appears to confirm a gross misuse of power. The audit uncovered 2,776 incidents of unauthorised collection, storage and distribution of legally protected communications over a 12-month period. Serious breaches included a violation of a court order and the unauthorised use of data on around 3,000 Americans and green-card holders. Is this evidence that absolute power corrupts?

Acquiesce or object?

It's a polarising subject, but whatever your views on data collection, the NSA leak did us all a favour by getting it out in the open and generating debate. After all, you can't change something if you don't know it's happening in the first place.

People now have two options. Most will choose to do nothing. They'll simply carry on with life, which will remain unaffected, for now. Or they may sign up to one of the many petitions that are trying to push through reform and take steps to restore some semblance of privacy.

Those tasked with dealing with sensitive information will certainly have a vested interest in ensuring they can do their jobs without invading privacy or breaking laws.

With the closure of encrypted email services Lavabit and Silent Mail, and the assertion by Google that users have "no legitimate expectation of privacy", email appears to be the most vulnerable type of communication. But it's still possible to encrypt instant messages and phone calls using third-party services, and Pirate Bay co-founder Peter Sunde has secured funding for an anti-snooping messaging app called Hemlis in response to the NSA's data collection.

No doubt more services like this will pop up in the future, so maybe there is still hope for privacy yet.

Benjamin Franklin: "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

US Intelligence head slams NSA PRISM monitoring

Dianne Feinstein, chair of the US Senate intelligence committee, has switched sides on the NSA spying scandal, calling for a total surveillance review.

Feinstein had been one of the NSA's strongest supporters in the face of criticism over reports it monitored internet and telephone communications as part of PRISM. She had been quoted as saying the mass collection of data did not constitute surveillance, as "it does not collect the content of any communication, nor do the records include names or locations".

However, allegations that the agency has been spying on leaders of allied countries have prompted an about-face on Feinstein's part.

"Unless the United States is engaged in hostilities against a country or there is an emergency need for this type of surveillance, I do not believe the United States should be collecting phone calls or emails of friendly presidents and prime ministers," Feinstein said in a statement. "With respect to NSA collection of intelligence on leaders of US allies – including France, Spain, Mexico and Germany – let me state unequivocally: I am totally opposed."

Feinstein also said it was "abundantly clear that a total review of all intelligence programs is necessary".

In relation to the revelations that German chancellor Angela Merkel may have had her phone monitored by the NSA for over 10 years, Feinstein claimed US president Barack Obama had no knowledge of such actions. She added she had been assured such monitoring would not continue.

On 29 October 2013, the author of the 2001 Patriot Act introduced proposed legislation that looks to curtail the NSA's powers, including the warrantless collection of bulk phone metadata. The 118-page bill, dubbed the USA Freedom Act, was put forward by Congressman Jim Sensenbrenner and Senate Judiciary Committee Chairman Patrick Leahy.

"Modest transparency and oversight provisions are not enough. We need real reform, which is why I join today with Congressman Sensenbrenner, as well as a bipartisan group of 15 Senators, to introduce the USA FREEDOM Act," said Leahy.

The two most senior intelligence leaders, Director of National Intelligence James Clapper and General Keith Alexander, were due to appear in front of the House intelligence committee the same day.

Credit: Jane McCallion

PRISM fallout could damage business, claim Cisco and Google

Cisco and Google claim the PRISM programme has not only damaged trust but could also be harmful to American businesses.

Cisco made the claim in November 2013, as it warned revenue would shrink by up to 10 per cent in its then most recent quarter, saying a backlash against American communications firms had hit demand in China.

Indeed, rivals EMC, IBM and Oracle were reported to be facing an official investigation by the Chinese government that August, following revelations that the NSA had been carrying out wide-scale monitoring of global electronic communications.

According to an earnings call transcribed by Seeking Alpha, Rob Lloyd, president of development and sales at Cisco, said: "This issue has caused, increasingly, customers to pause and [it is] another issue for them to evaluate... it's certainly causing people to stop and then rethink decisions and that is I think reflected in our results."

Meanwhile, Google's law enforcement and information security director Richard Salgado became the first representative of a major technology company to testify before the US Congress following the revelations.

Salgado said: "The current lack of transparency about the nature of government surveillance in democratic countries undermines the freedom and the trust most citizens cherish, it also has a negative impact on our economic growth and security and on the promise of an internet as a platform for openness and free expression."

Echoing comments made by Box's CEO at a conference in London, also in November 2013, Salgado warned the scandal could lead to the creation of a "splinter-net" by putting up barriers.

Post-hearing, Salgado told Reuters: "You can certainly look at the reaction, both inside the United States and outside of the United States to these disclosures, to see the potential of the closing of the markets through data location requirements. This is a very real business issue, but it is also a very real issue for the people who are considering using the cloud and for those who currently use the cloud and may have their trust in it rocked by the disclosures."
Fear and loathing in the enterprise: What are we scared of?
For every bit of good technology does, there is someone out there trying to exploit it for less philanthropic intentions. We look at the key fears and issues...

Technology is a wonderful thing. When used to make working and personal lives easier, reduce effort and human error, and speed everyday processes up while costing less, it's a glorious asset to behold.

That's one side of it. But there's a darker, less happy side too. As IT becomes ever more sophisticated in what it can do for us as workers and consumers, the number of bad guys and gals out there ready, willing and able to use it for ill intentions grows.

In other areas of the IT sphere, we move forward by sharing use cases and deployment methodologies. Without giving away our secrets, we're happy to share, on a generic level at least, the good, bad and ugly of projects gone by. We're certainly not shy about showing our battle scars when it comes to bog-standard desktop or cloud deployments.

Money talks, security stays quiet

However, when it comes to security, we're often rendered speechless, with no-one willing to say anything until they've been outed as having been hacked.

"As the profile of cyber security continues to rise in the media, organisations are more wary of the bad publicity that goes alongside a security breach. Many sectors are intensely competitive and customers who lack confidence in the ability of an organisation to protect their information will not struggle to find an alternative source of supply. Enterprises are increasingly aware of the impact of a security breach on their bottom line," says Lee Newcombe, an expert in information security at Capgemini.

"At the same time as the profile of cyber crime and cyber security is on the rise, enterprises are being offered new opportunities to deliver their IT in more flexible and innovative ways through cloud services or the adoption of agile development methodologies. The challenge for the enterprise decision makers is to find, and then implement, the balance between innovative IT delivery and appropriate information risk management."

When it comes to security, it would seem the average enterprise is stuck between a rock and a hard place. They do want to up their game in terms of protection, but they're not willing to speak out and ask their peers for help.

Newcombe offers some sage advice to help businesses who want to go it alone to mitigate current risks. "Know your real-world threats and concentrate your efforts on the threats most likely to cause you harm," he says. "Identify the data and services that your business relies upon and protect them appropriately."

He continues: "Adopt an architectural approach to information risk management so as to make sure you get a traceable, consistent and comprehensive set of security solutions... Focus on your detection and incident response mechanisms. Prevention is a laudable aim, but you are unlikely to be able to prevent all potential attack vectors whilst providing a service that can be used by your staff or your customers."

He concludes: "Make sure you know when you have been compromised and how you will handle that scenario."

Another skills crisis?

Some organisations have recruited people to the role of chief security officer (CSO) so they have a more focused stance on protecting their most important assets. However, such skills are often hard to come by, as it remains a field shrouded in secrecy.

The solution? Cyber crime law enforcers must forge closer ties with industry to plug an IT skills gap that has the potential to hamper their investigative powers.

That's according to Andy Archibald, head of the Government's National Cyber Crime Unit (NCCU), who used his address at the E-Crime Congress event in central London in March 2014 to highlight the need for skilled IT workers to help in the fight against cyber crime.

"The world and environment we're policing is changing and there is an absolute need to respond," he said.

To emphasise this point, he cited the different skills law enforcers must draw on today to tackle bank robberies that rely on technology to be carried out, rather than weapons and getaway cars.

"You can be in a room anywhere in the world, with access to malware and the ability to hack into and intrude into businesses in the financial sector, and you can commit crime and fraud and make millions of pounds," he added.

During his address, Archibald admitted the skills law enforcers need to successfully clamp down on cyber criminals are in short supply, though.

"We need still to retain the ability, skills, experience and knowledge about how to investigate and engage with the Criminal Justice system, but the skills we need to recover evidence and recover intelligence from the internet are high-end skills and technical skills that aren't in high abundance in law enforcement," he said.

In particular, coders, programmers and people with skills in reverse engineering are highly valued by law enforcers. But it can be a challenge to attract and retain them, admitted Archibald.

"It's a tough marketplace... Not only does the public sector [and] law enforcement need these skills, but so does the private sector," he said. "[In] the private sector, traditionally, the salary packages have been more attractive. I think that's a challenge for law enforcers. How do you begin to address that particular issue as we move forward so we can attract the best, retain the best and ensure we continue to develop and protect our environment?"

One way would be for law enforcers to engage more with the private sector to gain access to the skills they need, he said. This is something the NCCU is already doing.

Forging close ties with businesses in the private sector will also make it easier to share knowledge about cyber attacks, he added, which in turn will make it easier for law enforcers to gauge the scale of threats.

"My ambition in the coming months and coming years is, when we begin an investigation and try to work out what's the best strategy, I don't want to just be sitting in a room with colleagues from law enforcement having that discussion," he said. "I want to be in the room with people perhaps from intelligence services, perhaps from the private sector, from the banks and from the retail sector and from the ISPs and from a multi-national global institution who can advise us on how best to take on that investigation."

Preparing for the worst

The recent Cyber Security Challenge looked to address skills and expertise shortages by setting up fake scenarios to see how people reacted. Computer science student Will Shackleton was crowned the winner this year.

The event, hosted by intelligence and security organisation GCHQ in March 2014, aimed to find skilled cyber defenders capable of protecting the country against a serious cyber attack.

Kevin Williams, partnership engagement and national cyber crime capabilities manager at the National Crime Agency (NCA), explained how important it is for new experts to be recruited to deal with high-level cyber attacks.

"As the UK's lead on tackling cyber crime, the National Crime Agency needs to be in the minds of those wishing to pursue a career within this sector. Events such as the Cyber Security Challenge provide a fantastic opportunity for us to not only test the skills of those taking part but also provide them with pathways which allow them to exploit their sought-after cyber skills," Williams said.

Some 42 people took part in the two-day competition at the Cabinet War Rooms in Whitehall. They were kept on their toes throughout with challenges simulating real-life attack situations.

The challenge opened with a breaking news report describing a cyber attack on London's financial district that brought down online banking platforms. This meant new stock market flotations could not be completed and BACS systems were compromised.

The challenges were conjured up by cyber security experts from BT, GCHQ, the NCA, Juniper Networks and Lockheed Martin.

"Getting security right and protecting businesses, government and the general public against cyber attacks is vitally important," said Mark Hughes, CEO of BT Security. "We at BT understand just how critical it is to ensure the right people are found, trained and ready to take on key roles in the cyber security profession."

Credit: Caroline Donnelly, Maggie Holland and Clare Hopping

Tail-gating: The security problem not many of us know about

"One of the biggest security risks for businesses is tail-gating. This is when an employee holds the door open for the person behind them, who hasn't needed to use a security device to gain access.

"This very common practice compromises security. It exposes the building and, more importantly, the people in it, to everything from petty theft to computer hacking and terrorism. It also puts the tailgater at risk, as there is no record of them being in the building (should it need to be evacuated).

"The best way of preventing this practice is to integrate the security systems with the management systems of the company. By integrating systems, only people who have properly checked into a building can gain access to any of its facilities, whether that's lights or computers.

"As soon as you introduce the system, everyone has to check in properly and anyone who doesn't would immediately be viewed as suspicious. It also means I can give my clients an accurate list of people in their building within minutes.

"In addition to increasing employee safety, it also reduces energy costs, which can be as high as 30 per cent [of overall spend]."

Chris Percy, founder and president, DSI
Eugene Kaspersky on the cyber jungle

Eugene Kaspersky, CEO of Kaspersky Lab: you'd be hard pushed to find a more bubbly, cheerful and occasionally explosive presenter on the depressing, inescapable and often implausible field of cyber security. Then again, I guess he should be pretty jolly, since he's in the business of plugging the leaks, Wiki or otherwise, in company and home-user computer networks.

Kaspersky presented at the CeBIT exhibition in Hannover in March 2014. The event is something of an annual barometer for trends in computing and, in line with other shows, there's a distinct flavour here of the recession being well and truly over and done with.

Lots of crazy robots with little tethers running back to massive racks of controlling servers; lots of people of a rather older sort, who disappear with great regularity into the apparently infinite series of private meeting rooms.

All change

One of the sponsors enlightened me as to some of the changes that have occurred. In the old days, it used to be delegated techies who attended, let out of their basement offices for a once-a-year jolly. Now, it's the CEO and the CTO walking the halls, very often arriving so they can sign off a deal with a supplier that's been in the pipeline for months.

It was this audience that Kaspersky had in mind. He didn't dive in especially deep to his topic: not one slide gave any hard numbers behind any of his assertions. What he provided was a rapid-fire tour of the motivations behind the attacks. He wanted the room full of CXO types to sit back in shock and think "wait, this isn't some crazy nerd talking here – it's a chief exec, just like me, who knows the limits of my beliefs."

While stories of hackers making their own petrol station discount cards by hacking the sales system of a chain of garages didn't get much attention (they were caught within a month, apparently), the story of a heist lasting five years, of coal from Russian automatic loading systems for coal trains, clearly had a bigger impact.

An engaging presentation

Incredulity management didn't appear on his big screen, or on the cutesy cartoon board being drawn off to one side of the stage as he spoke. But it ran through his whole presentation. As techies, we all have a responsibility to figure out what the bosses are going to understand, given that they probably won't want to dive into the deep details of what makes an attack work or fail. And, at a certain level, the attack that gets through is the one that someone is too incredulous to spend money protecting against.

With a room full of CXOs, Kaspersky wasn't going to move much below appeals for international standardisation and cooperation to talk specifics about risks to net neutrality. Nor was he going to go into the differences between having to protect a vulnerable machine against its own security holes, or putting imperfect machines behind restricting traffic chokes of some kind. He wanted other people – largely, regulators and various forces for social change – to shoulder the burden of improving cyber security, mostly by way of very non-technical initiatives like education and legal changes to regulation.

He even had a section on the nature of cyber espionage, though at this point I suspect he realised he was treading on thin ice against his own preferred fixes for the lower-level criminals: it's very hard to co-operate internationally when your co-operators are also spying on you.

Right at the end, the master of ceremonies blindsided him with a final question: "Who worries you more – the cyber criminals, or the NSA?"

Kaspersky hedged his bets with a 90 per cent non-verbal answer. He spread his arms wide and eventually shook the MC by the hand, limiting his words to a carefully non-committal "Thank you very much" before going on to say "Every time I use a computer, I am aware of the possibility that someone – government, or criminal – could be watching."

Credit: Steve Cassidy
13. BIG BROTHER13 www.itpro.co.ukwww.itpro.co.uk
Striking a balance – how to monitor without being a creep

Monitoring in the workplace can be helpful and constructive, but it can also potentially damage workplace relationships and sow the seeds of mistrust.

Feature Monitoring: The employer’s view

Jane McCallion is staff writer at Cloud Pro and IT Pro, following the completion of an MA in journalism. Prior to that, Jane worked in PR and was a freelance journalist.

In George Orwell’s novel Nineteen Eighty-Four, the people of Great Britain are under constant surveillance. ‘Telescreens’ in their homes and workplaces allow them to be monitored round the clock, lest they do or say anything untoward. Their post is opened and read before being passed on. The powers that be know everything about them.

The book has had such an effect on us as a society that its themes and even some of its language – thoughtcrime, newspeak and Big Brother – have entered into everyday usage.

Against this background, how is it possible for organisations to carry out any form of monitoring without being perceived as some kind of dystopian tyrant? Can it ever be done ethically, and is it possible to persuade employees, partners and clients that it is necessary?

The good news is yes. All these things are possible. However, companies need to be careful how they tread, because there are plenty of bear traps to fall into.

Who are you looking at?

Before getting into ‘how’, though, you first need to answer ‘why’ – why do you want to carry out any kind of monitoring activity?

According to George Tziahanas, vice president of legal and compliance solutions at HP Autonomy, the primary reason companies carry out surveillance is because they are obliged to do so.

“In certain industries – certainly financial services and, to a lesser degree, in the pharmaceutical sector – the employer is obliged to provide a layer of supervision or surveillance over their employees,” Tziahanas says.

Alan Delany, an associate at law firm Maclay Murray & Spens who specialises in privacy and monitoring, explains that in the UK this would apply to businesses such as those regulated by the Financial Services Authority (FSA), whose conduct-regulation role passed to the Financial Conduct Authority in April 2013.

“Often for them, there will be a requirement as to the recording of electronic communications inside and outside the organisation,” he says.

Outside of regulated industries, there are other reasons companies may wish to introduce monitoring technology, such as protecting confidential information or trade secrets, or ensuring certain levels of customer service.

These are all valid reasons, but if organisations want to avoid any programme coming back to bite them, there are some serious legal considerations to take into account as well.

Breakin’ the law

When it comes to the legal aspects of carrying out monitoring activities it can be a bit of a minefield, according to Delany.

“There are several different legal restrictions, ranging from the Data Protection Act to the Regulation of Investigatory Powers Act (RIPA) to, potentially, human rights considerations,” he says.

“Also, you could run the more general risk of constructive dismissal claims if you are snooping on employees and covertly checking their emails,” he adds.

So what is to be done?

Helpfully, there is a set of regulations made under RIPA, known as the Lawful Business Practice Regulations, which set out examples of why an employer might want to monitor electronic communications.

According to Delany, if organisations comply with those regulations and tell employees monitoring is going to take place, they will largely be in the clear.

There are sector-by-sector variations as well. For example, for businesses regulated by the FSA, there will often be a requirement to record all communications, both internal and external, and retain them for a certain period.

However, for many businesses, this kind of regulation will not apply.

“It comes down to business needs and transparency, and those are the themes that run through this whole area,” says Delany.

Choose your target

Once you have established ‘why?’ you need to establish ‘who?’.

The reality is that, irrespective of what industry you are in, whether regulated or unregulated, you are almost certainly not going to need to monitor every single employee in your business.

Some businesses - particularly those in heavily regulated and scrutinised industries such as the financial sector - are specifically concerned about what users are getting up to on social media sites, according to Andy Holmes, business development director at IT compliance and security firm Actiance.

“Similarly there are some that want to look inside their organisation to find out who are the bad apples. Frankly, we’re not interested in that conversation because, ultimately, there is no point. It’s just more big data, and organisations already have enough of that to deal with. It also breaks the bond of trust between the individual and the organisation,” he says.

“The key, then, is a measured, targeted approach that can be explained to employees, partners, customers and regulators alike, without causing alienation or suspicion.”

Tziahanas adds: “You have to do some sort of up front analysis before you start dropping technology in to go looking for stuff.

“For example, where are the greatest parts of the risk to the organisation? Who are the key parties I might be working with that present risk? Then keep the surveillance activities to the minimum necessary to identify those risks.”

Winning hearts and minds

Ultimately, a successful monitoring strategy is one that promotes buy-in from those who will potentially be under surveillance, rather than breeding suspicion and resentment.

“We try to encourage our customers to think ‘Who do we need to help? Who do we need to manage? And how can we do that positively?’,” says Holmes.

“Then it becomes a much more limited environment where you are monitoring individuals,” he says.

One way of encouraging acceptance of new practices, as well as avoiding blanket coverage, is engaging HR to promote the technology as a protection of the individual.

“We have had a couple of instances where, because we are able to determine what kind of activities people have been engaged in, we can demonstrate that negative or damaging things our clients or their employees have been accused of are untrue,” says Tziahanas.

Delany adds that there are also additional third-party considerations to take into account.

“If you are an employer that has recognised trade unions, they are going to want to be consulted and may well have their own perspective,” he explains.

“But, ultimately, if you take a hearts and minds approach and show employees that it’s to protect both the business and employees, you should be on solid ground,” he concludes.
The seven monitoring virtues

Keep these regulations in mind to stay on the right side of the law.

RIPA: A UK law that came into force in 2000, the Regulation of Investigatory Powers Act governs the interception of communications, including phone calls and email. You must make reasonable efforts to inform users inside and outside the company that their communications may be intercepted.

Lawful Business Practice Regulations: Secondary legislation made under RIPA (the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000) rather than a section of the Act itself, these are specific to businesses and set out the purposes for which an employer may lawfully intercept and record communications on its own systems, giving examples of how you can carry out monitoring within the law.

EU Data Protection Directive: A European law dating from 1995, this regulates the processing of personal data within the EU. At the time of writing (spring 2014) it was expected to be superseded by the end of 2014 by...

General Data Protection Regulation (GDPR): The Data Protection Directive’s successor. Under the draft being negotiated at the time of writing, companies processing data on more than 5,000 data subjects in 12 months and all public authorities must appoint a Data Protection Officer; explicit consent must be given for data collection and the purpose of collection made clear; consent can be withdrawn at any time; and data breaches must be reported to the supervisory Data Protection Authority within 72 hours and any adversely affected individuals notified. The regulation was in fact adopted in 2016 and has applied since 25 May 2018; the final text replaced the 5,000-subject threshold with criteria based on the nature and scale of the processing, but kept the 72-hour breach notification.

ECHR: The European Convention on Human Rights, in force since 1953, is a Council of Europe treaty rather than a piece of EU legislation; in the UK it is given domestic effect by the Human Rights Act 1998. Article 8 provides for the right to respect for private and family life, home and correspondence. Sufficient effort should be made to comply with Article 8, although much of the previously mentioned legislation covers similar ground.

Computer Misuse Act: UK legislation dating back to 1990, it makes it an offence to access a computer without authorisation from the person entitled to control access to it. Having been given a password by a user does not make access authorised if that user was not entitled to grant it, or if their consent has since been withdrawn. Ownership of the computer, account and data should be considered, as well as ongoing consent.
Keeping watch: Why you should be wary of workplace monitoring

Monitoring employees for cyber security and productivity purposes is considered essential by some firms. But what if it goes too far?

Feature Monitoring: The employee viewpoint

Caroline Donnelly has been a technology journalist for several years and joined the IT Pro team as news editor in March 2012.

“If you’ve done nothing wrong, you have nothing to hide,” is a phrase often uttered by pro-surveillance types to ease the concerns of people alarmed at the prospect of having their actions monitored.

In the workplace, it is commonplace for employers to keep tabs on the internet browsing habits of their staff, and - in some cases - the content of the emails they send to others outside the organisation.

After all, employees are often cited as a major source of cyber security mishaps within the enterprise. They are regularly targeted by hackers looking for a way into the company’s network, and it’s not unheard of for disgruntled staff to purposefully leak data.

For these reasons, Bill Windle, people and cyber risk expert at PA Consulting Group, says it’s hardly surprising companies like to keep a close eye on what their staff are up to.

“Employers have obligations to the law, business partners, shareholders and customers as well as to the employees themselves to protect the data they hold (as well as other valuable assets),” says Windle. “Monitoring can play an important part in helping meet these obligations as part of a coherent, integrated, defence-in-depth approach to an organisation’s protective security.”

From a productivity standpoint, employee monitoring makes sense to ensure they’re not whiling away the hours until clocking off time on social networking sites, for example.

Or, as Leon Deakin, senior associate at employment law specialist Thomas Eggar LLP, points out, engaging in other activities that could possibly damage the company’s reputation.

“The potential for employees to cause their employer embarrassment and harm their reputation is probably justification enough to monitor their use of the internet and email facilities,” Deakin says.

“However, when you toss into the mix the various legal liabilities which can arise from misuse including, but not limited to, defamation, breach of confidentiality, negligence, and discrimination, it could be seen as a dereliction of duty [by the company] to not monitor [staff] to some extent.”

Explaining the risk

Keeping a watchful eye on staff is all well and good, but it could backfire on organisations that haven’t taken the time to explain to their employees why it’s happening, warns Windle.

As part of this, he says staff should be made fully aware of how valuable the data they have access to is, and how important their role is in keeping it safe.

Training can only cover so much, though, and there is always a risk that employees may not realise their actions could have dire consequences for the company later down the line.

As an example, Windle cites employees that take classified data off-site on removable storage devices or by emailing it to a personal web address in order to meet an urgent work deadline.

In that situation, the employee may not realise the risks they’re taking because making sure their work is in on time takes precedence.

“This is where monitoring can play a constructive and supportive part in helping spot where employees take well-intentioned initiatives without understanding the real risks involved, nor thinking through who owns those risks,” he adds.

Employee education

Taking the time to explain to staff why they’re being monitored can also help allay any fears they may have about how workplace surveillance procedures square with their own rights to privacy.

However, if employees start to feel their company’s monitoring processes are bordering on the intrusive, they are well within their rights to speak up.

That being said, Sol Cates, chief security officer at infosecurity vendor Vormetric, admits this is an issue that’s not always easy for staff to raise with the powers that be.

“It can be tricky for an employee to voice concern about employee monitoring, particularly if the way it is expressed is seen as being negative or critical of the organisation or its leaders,” he explains.

“Nevertheless, with careful handling there are a number of practical steps open to employees if they feel the level of monitoring is bordering on the intrusive.”

Deakin says the first step for employees should be to ask their employer for explicit clarification about how their time at work will be monitored.

“Even if the employer has informed the employee that certain aspects of their work will be monitored and has a clear policy on this, it’s not always apparent what this actually means in practice,” Deakin explains.

“For example, how many of us are actually aware of what our IT team can and can’t see? As such, it is not surprising that some employees may be left feeling rather helpless or just bemused.”

Employees may also feel their company has crossed a privacy line by monitoring the content of their private posts on social networking sites, such as Facebook and Twitter.

This is usually done to clamp down on employees that might use these sites to write disparaging comments about their place of work or co-workers.

Deborah West, an employment law partner at legal firm Temple Bright, says this type of monitoring might put people’s noses out of joint but there are legitimate business reasons for doing it. “Employees must appreciate that things they post on such sites can be damaging to employers, both in terms of exposure to claims from colleagues of discrimination,” she says.

“In the event an employer undertakes any such monitoring, this can only be lawfully done within certain limits. The difficulty is that as the use of different web-based platforms develops so quickly, the law is not always as quick to react to the evolving use of technology as it should be.”

If employees want to lodge a formal complaint about their workplace’s monitoring procedures, Windle recommends they swot up on the latest guidance first.

“Assemble the facts on specific areas of concern and benchmark these against published best practice,” he says, advising employees to seek out a copy of the Holistic Management of Employee Risk (HoMER) guidance.

The document details how employees can check their own organisation’s approach to monitoring. It also provides guidance as to who and what may be legitimately monitored.

“By placing any concerns they have in the context of national best practice, employees can place their questions or challenge in a positive frame, seeking improvements for the organisation,” Windle concludes.
Professionalisation of cyber crime poses new risks

In light of the fact some employees have been caught using company resources to ‘mine’ for Bitcoins, perhaps employers should be paying more attention to what employees do...

Changes taking place in the underground market operated by cyber criminals, such as the increasing use of new technologies like Bitcoin, are making hacking attacks more dangerous than ever before.

An investigation carried out on behalf of Juniper Networks found the cyber crime black market is steadily growing in sophistication.

Online crime has become increasingly sophisticated to the point where it now mirrors very closely the type of organised crime seen offline, the research found.

“Historically, 80 per cent of hackers were ‘freelance’ and just 20 per cent were part of organised crime,” says Mark Quartermaine, Juniper Networks’ vice president of the UK and Ireland. “Now, that has been flipped on its head as this hacking market matures and 80 per cent are working as part of organised groups.”

The researchers found a distinct hierarchy operating in these groups, with ‘mules’, who carry out most of the groundwork, ‘vendors’, who provide services such as botnets for hire or money laundering, through to highly skilled ‘administrators’, who develop malware and exploit kits. The members of this elite top level are also the ones who make the most profit from the cyber crime economy.

The research also discovered the use of crypto currencies is increasing. While some transactions can still be carried out using traditional means, many criminal sites now only accept payment in the form of Bitcoin, Litecoin or Pecunix, because of the anonymity and security characteristics they are perceived to offer. (Bitcoin is pseudonymous rather than anonymous: every transaction sits on a public ledger, but addresses are not tied to names.)

However, Quartermaine does not believe that cracking down on these types of digital currencies would destroy the cyber crime black market.

“If they disappeared, these criminals would find some other way of transacting,” he says.

The ability to carry out attacks is likely to outstrip our ability to defend very quickly, particularly as the number of everyday transactions carried out online increases, according to the research.

“By 2020, the number of connected devices is predicted to be greater than the population of the world,” adds Quartermaine.

“Every way you look at it, networking is going to increase so vulnerabilities are also going to increase, which means it is something we have to get our head around now.”

Credit: Jane McCallion
Keeping tabs without compromising privacy or security

There’s a fine line between protecting company interests and overly snooping on employees and what they get up to, as Stephen Pritchard discovers…

Feature Monitoring: The IT department’s view

Stephen Pritchard has been a journalist since 1990. Today his main specialisms are business, technology and finance. He writes for a number of national and international titles, and is a contributing editor and columnist for IT Pro.

Since Edward Snowden’s revelations, discussions on surveillance have understandably focused on government monitoring.

But, used correctly, monitoring is a valuable resource for IT departments, both in the battle against hacking and cyber crime, and also for improving IT operations.

Monitoring, though, is not without restrictions. Laws, especially data protection laws, employment laws, HR practices and privacy norms all limit some types of surveillance. This applies, in particular, to monitoring employee behaviour and their use of data and applications.

At the same time, better use of monitoring, and instrumentation, can give IT departments a much better view of the way networks and applications are performing.

Application performance management, and also business process management, rely on activity monitoring to work – although it need not go down to the level of monitoring who is doing what on the network.

A watchful eye

Monitoring can also provide a vital early warning both against cyber attacks, and of data leakage or theft.

Data loss prevention (DLP) tools again rely on monitoring, both of data flows and user behaviour. A DLP application, for example, will flag if an employee who normally accesses half a dozen customer records in a day suddenly starts to download thousands.

Active monitoring is also a key weapon for defending against advanced persistent threats, or APTs. An APT intrusion, unlike a commodity malware infection, is designed to be stealthy and to persist. Monitoring for unusual network activity, or data exfiltration, may be the only way to spot an APT at work.

“There are plenty of good reasons to monitor IT and network usage. Security: obviously understanding what is going on in a network is the mainstay of preventing the ingress of malware and the egress of sensitive data. By linking the latter to users, [firms can] spot and correct careless behaviour and root out malicious users,” says Bob Tarzey, analyst and director at Quocirca.

“But it’s also about user experience. The way the network performs is a key part of understanding the end-to-end user experience. This is especially necessary for organisations that provide on-demand services to consumers, other businesses and partners, which is two-thirds of all business in Europe (see Quocirca’s research report).”

He adds: “Then there is business process monitoring: making sure business processes are as efficient and secure as possible. But companies can also gain operational intelligence. This goes beyond security and into commercial insights. For example a call centre can monitor actual call volumes or waiting times and see if these correlate with other data, such as customer type or geographic location.”

This is another example, Tarzey says, of monitoring acting as an early warning system. But extracting business value from a wealth of data remains a challenge. In fact, some IT teams might view the ever-growing volume of operational statistics as a burden, rather than a source of intelligence that can improve enterprise operations overall.

“Most clients are already performing basic networking monitoring but are struggling with correlation and analysis,” cautions William Beer, managing director for cyber security at consulting firm Alvarez & Marsal.

“Clients who have managed to set up comprehensive monitoring often fail to see its value as their incident response and crisis management processes are weak. While monitoring definitely adds value, it becomes much more compelling when data is combined with [tools such as] threat intelligence. If not, all you are seeing is the aftermath of the problem.”

Although security is a key focus for monitoring – and some areas remain controversial – improvements in analytics technologies are helping IT teams to extract more information from operational data.

“Using analytics, IT professionals can support, or even improve, the smooth running of an organisation,” says Martha Bennett, principal analyst at Forrester Research.

“Going beyond traditional log management, there are tools available that support the capture of log files and other system data across devices and sources, including applications, servers, PCs, mobile devices, or websites,” she says.

“Capturing and analysing data provides the basis for more efficient management of the infrastructure. That’s because you’re looking at all your systems data on a single console, rather than trying to make sense of the content of separate log files… More importantly, it allows for faster identification of root causes, and hence [it takes] less time to fix them.”

Issues remain unresolved

Two challenges, though, remain: security and privacy. There’s also the proliferation of data sources in the business. In particular, the growth in the number of mobile devices needs to be monitored, as such devices are often personal in origin.

“Increasingly IT is not in complete control of the endpoints: they are increasingly diverse,” says Quocirca analyst Rob Bamforth.

“Most of these devices are multiply wireless - Bluetooth, Wi-Fi, cellular and NFC - and increasingly seamlessly connecting. Wearables only add to the challenge. They will all be carried together. This means that having more smarts in the network to monitor will be even more important.”

Ultimately, this cannot be separated from the privacy challenges around monitoring – and anything that might be seen as surveillance.

“Monitoring, logging and event management is a vital part of any network and computer system,” says Kai Roer, partner in consulting firm The Roer Group. The reason is simple: it allows for detecting anomalies which then can be dealt with.

“Logging system access is particularly useful in systems where a lot of different users are handling sensitive data, such as in a bank, or in health care. But from an ethical perspective, it is important to consider what information you collect, and for what purpose,” says Roer. “You should only use the data you collect for that purpose, and you should delete it when it is no longer being used.”

This, Roer says, needs to be tied into a thorough risk assessment, as well as ensuring that monitoring is legal. “Logging your systems is great. Logging people is not,” he says.

And, although monitoring can help IT departments with both security and performance, automation also has its limits. A human mind will still need to evaluate the information, and decide if any ethical or legal lines are being crossed.

“It’s important that the right tools are deployed. There’s way too much data for humans to process, which is where advanced analytics software comes in,” says Bennett.

“But human expertise will always be required to separate signal from noise. If a tool detects a new pattern, the human expert will know whether this is something worth investigating, or simply a variant of ‘normal’.”
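The DLP check described under “A watchful eye” (an employee who normally touches half a dozen customer records suddenly pulling hundreds) and the correlation problem Beer and Bennett describe, as one added example; it is not code from any vendor or analyst quoted in this feature. It parses two constructed logs, an application audit log and a VPN log, both in formats assumed here for illustration (the user names, record IDs and addresses are made up), builds each user’s per-day baseline of distinct records accessed, flags a spike against that baseline, and joins the flagged user to the address they connected from that day. The output is the “who, how much, from where” line that a human reviewer then judges, and it counts record accesses rather than capturing their content, which is the difference Roer draws between logging systems and logging people.

```python
"""Baseline-and-deviation check over access logs, the kind of test a DLP or
log-analytics console runs: who normally touches a handful of customer
records a day and has suddenly pulled hundreds?

Added example, not vendor code. The two log formats, users, record IDs and
addresses below are assumed for illustration.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

# Assumed application audit-log format: ISO timestamp, then key=value fields.
APP_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$")
# Assumed VPN log format.
VPN_LINE = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) event=connect$")


def _day(ts: str) -> date:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).date()


def parse_app_log(lines):
    """Yield (day, user, record) for well-formed lines; malformed lines are skipped."""
    for line in lines:
        m = APP_LINE.match(line.strip())
        if m:
            yield _day(m["ts"]), m["user"], m["record"]


def parse_vpn_log(lines):
    """Yield (day, user, source address) for VPN connect events."""
    for line in lines:
        m = VPN_LINE.match(line.strip())
        if m:
            yield _day(m["ts"]), m["user"], m["src"]


def distinct_records_per_day(app_events):
    """{user: {day: number of distinct records accessed}}; counts only, no content."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, record in app_events:
        seen[user][day].add(record)
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}


def find_spikes(counts, today, factor=10, floor=50):
    """Users whose distinct-record count today exceeds both an absolute floor and
    `factor` times their median over earlier days. A user with no history is
    judged against the floor alone (baseline 0)."""
    spikes = {}
    for user, days in counts.items():
        today_n = days.get(today, 0)
        history = [n for d, n in days.items() if d < today]
        baseline = median(history) if history else 0
        if today_n >= floor and today_n > factor * baseline:
            spikes[user] = {"today": today_n, "baseline": baseline}
    return spikes


def correlate_with_vpn(spikes, vpn_events, today):
    """Attach the VPN source addresses each flagged user connected from today."""
    sources = defaultdict(set)
    for day, user, src in vpn_events:
        if day == today:
            sources[user].add(src)
    return {u: dict(info, vpn_sources=sorted(sources.get(u, ()))) for u, info in spikes.items()}


# Constructed sample data: alice views 5-7 records a day, then on 2014-03-14
# exports 240; bob is steady at 6. alice's spike coincides with a VPN login from
# 203.0.113.7, a documentation address standing in for "not one of ours".
TODAY = date(2014, 3, 14)


def _constructed_app_log():
    lines = []
    for offset, n in ((3, 6), (2, 5), (1, 7)):
        day = TODAY - timedelta(days=offset)
        for i in range(n):
            lines.append(f"{day}T09:{i:02d}:00Z user=alice action=view record=CUST-{1000 + i}")
            lines.append(f"{day}T10:{i:02d}:00Z user=bob action=view record=CUST-{2000 + i}")
    for i in range(240):
        lines.append(f"{TODAY}T22:{i % 60:02d}:{i // 60:02d}Z user=alice action=export record=CUST-{3000 + i}")
    for i in range(6):
        lines.append(f"{TODAY}T10:{i:02d}:00Z user=bob action=view record=CUST-{2000 + i}")
    lines.append("this line is malformed and must be ignored")
    return lines


CONSTRUCTED_VPN_LOG = [
    f"{TODAY}T21:55:10Z vpn user=alice src=203.0.113.7 event=connect",
    f"{TODAY}T08:30:00Z vpn user=bob src=10.20.30.40 event=connect",
]


def run(app_lines, vpn_lines, today):
    """Whole pipeline: parse both sources, baseline, flag, correlate."""
    counts = distinct_records_per_day(parse_app_log(app_lines))
    return correlate_with_vpn(find_spikes(counts, today), parse_vpn_log(vpn_lines), today)


if __name__ == "__main__":
    for user, info in run(_constructed_app_log(), CONSTRUCTED_VPN_LOG, TODAY).items():
        print(f"ALERT {user}: {info['today']} distinct records today, "
              f"baseline {info['baseline']}, VPN from {info['vpn_sources']}")
```

The thresholds are deliberately two-sided: the absolute floor stops a user who normally opens one record from being flagged for opening twelve, and the multiple of the median stops a heavy but consistent user from being flagged every day. Both numbers are tuning knobs, and the alert is a candidate for review, not a verdict.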
Employee carelessness poses security risk to businesses

Sensitive business data is being put at risk by the thoughtless behaviour of employees, a report by Trend Micro has found.

The survey of 2,500 UK adults, published in a report entitled Britain’s culture of carelessness with mobile devices, found over a quarter of smartphone users have had up to three work devices lost or stolen, and 63 per cent have no password protection on their phone at all.

The Tube is the most likely place for a phone to be lost or stolen in London (26 per cent), with the District and Circle lines proving to be particular black spots.

A bar is the second most likely place for a smartphone to disappear (22 per cent), followed by a cafe (11 per cent) and a restaurant (8 per cent), according to the report.

At a roundtable to discuss the report’s findings, representatives from Trend Micro, information security consultancy First Base, and law firm Taylor Wessing said the implications were clear for business.

James Walker, a security specialist at Trend Micro, said: “We talk about a watering hole from the point of view of compromising a website, [but if I were a criminal] I could know a bar where a certain target organisation would drink in after work, I could steal a mobile phone that’s not password protected, send out a lot of phishing emails to lots of contacts within the organisation... and compromise a lot of people.”

Vinod Bange, a partner at Taylor Wessing, added: “[Imagine] if you have an employee within an organisation who kept going to the accounts team and saying ‘can I have £300 from petty cash please?’ and came back the following day saying ‘I lost it, can I have another £300?’ and then the next day said ‘sorry, I did it again, can I have another [£300]?’ – Who would do that?

“That is because cash is treated in a very particular way and it is about time organisations drew that link to treat information assets, whether it’s personal data, confidential IP, or whatever it happens to be with the same degree of [restrictions].”

The report also examined the potential for data loss when using public Wi-Fi hotspots.

A team of ethical hackers from First Base used apps that were openly available on Google Play to clone a recognised Wi-Fi network, which volunteers’ devices then connected to automatically.

A hacker using this type of attack, known as an ‘evil twin’, is then able to see all the traffic that passes through the rogue access point, including anything the Wi-Fi link itself would normally have protected: on a WPA2 network the device negotiates its session keys with the attacker’s access point rather than the genuine one, and on an open hotspot there is no link encryption to begin with. Only traffic that is separately encrypted end to end, inside TLS or a VPN, stays unreadable, and even then the attacker is positioned to attempt downgrade or stripping attacks on it. The volunteer ‘victims’ involved in these experiments said they felt scared that such an attacking method exists and that their privacy had been violated, even though it was just a simulation.

Credit: Jane McCallion
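The ‘evil twin’ experiment in the First Base piece above, as an added example that is not code from Trend Micro, First Base or anyone quoted there: a check that a managed client or a wireless IDS sensor can run over scan results to flag a radio announcing a known SSID with the wrong security type or an unexpected vendor prefix. The SSIDs, BSSIDs and the allow-list are assumed for illustration; a real deployment would feed in the output of a scanner such as `iw dev <iface> scan` or a WIDS and compare against the controller’s access-point inventory. The strongest-signal helper shows why auto-join is the weak point: a client that chases signal picks the rogue.

```python
"""Flag candidate 'evil twin' access points in a Wi-Fi scan.

Added example, not from the research described above. The scan results,
vendor prefixes and allow-list are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # MAC address of the radio
    channel: int
    security: str     # "open", "wpa2-psk", "wpa2-eap", ...
    signal_dbm: int   # closer to 0 is stronger


# Constructed sample scan. Two legitimate CorpNet radios (same SSID, different
# BSSIDs sharing the vendor prefix, same security) is normal for a multi-AP
# site. The third CorpNet radio is the rogue: open, unrelated prefix, and
# louder than either real one.
SAMPLE_SCAN = [
    AccessPoint("CorpNet", "00:11:22:aa:bb:01", 36, "wpa2-eap", -55),
    AccessPoint("CorpNet", "00:11:22:aa:bb:02", 44, "wpa2-eap", -62),
    AccessPoint("CorpNet", "de:ad:be:ef:00:01", 6, "open", -40),
    AccessPoint("CoffeeShop_Free", "aa:bb:cc:00:00:01", 1, "open", -70),
]

# Constructed allow-list: what the networks we manage are supposed to look like.
KNOWN_NETWORKS = {
    "CorpNet": {"security": "wpa2-eap", "oui_prefixes": {"00:11:22"}},
}


def oui(bssid: str) -> str:
    """First three octets of a MAC address, the vendor (OUI) prefix, lower-cased."""
    return ":".join(bssid.lower().split(":")[:3])


def find_evil_twins(scan, known=KNOWN_NETWORKS):
    """Return [(AccessPoint, reason)] for radios that announce a managed SSID
    but do not match its expected security type or vendor prefix."""
    findings = []
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap.ssid].append(ap)
    for ssid, aps in by_ssid.items():
        expected = known.get(ssid)
        if expected is None:
            continue  # not a network we manage, so nothing to compare against
        for ap in aps:
            reasons = []
            if ap.security != expected["security"]:
                reasons.append(f"security {ap.security!r}, expected {expected['security']!r}")
            if oui(ap.bssid) not in expected["oui_prefixes"]:
                reasons.append(f"unexpected vendor prefix {oui(ap.bssid)}")
            if reasons:
                findings.append((ap, "; ".join(reasons)))
    return findings


def strongest_for(ssid, scan):
    """The radio a client that simply picks the best signal would join for this SSID."""
    candidates = [ap for ap in scan if ap.ssid == ssid]
    return max(candidates, key=lambda ap: ap.signal_dbm) if candidates else None


if __name__ == "__main__":
    for ap, why in find_evil_twins(SAMPLE_SCAN):
        print(f"SUSPECT {ap.ssid} {ap.bssid} ch{ap.channel}: {why}")
    print("Strongest CorpNet radio:", strongest_for("CorpNet", SAMPLE_SCAN).bssid)
```

The check only works for networks you manage and can describe. A clone of an open cafe hotspot that a device has previously joined is indistinguishable from the beacon alone, and a determined attacker can spoof the BSSID as well as the SSID, so on the device side the practical controls are to forget open networks, disable auto-join, and keep traffic inside TLS or a VPN regardless of which radio it is talking to.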
O
ne of the most-quoted
fears about moving to
cloud is that the data is
not secure. For many
companies, the idea that vital
customer data is held in an
unspecified place, available for access
by unknown people is a big inhibitor
to the idea of cloud computing.
Cloud service providers have
always been aware of that fear. They
have made reassuring noises about
the safety of their data and claimed
that no unwelcome visitors could
help themselves to their customers’
own data. What they didn’t say is that
when it came to the US government,
they’d roll out a welcome mat and
make them a cuppa while the spooks
sifted through what they wanted.
PRISM ramifications continue
That’s the shocking implication of
reports by both the Washington
Post and Guardian relating to the US
security services’ access of data from
nine IT companies as part of
operation PRISM.
The denial of the nine
companies is almost irrelevant and
has been the subject to much
speculation. Does Google’s talk of ‘no
back door’ mean the NSA is coming
through the front door instead?
When Apple said it hadn’t heard of
PRISM did that just mean that it
wasn’t aware of the operation name
the NSA was using? Given the nature
of these revelations, these stories
must have been checked and
double-checked. And then checked
and checked again.
The other option is that the
security services have had access to
the providers’ customer data without
the providers knowing about it. Scary
stuff indeed.
Though that would seem unlikely
given that we know, from reports, the
dates when companies allegedly
gave permission.
Furthermore, James Clapper, the
director of National Intelligence,
published a statement, saying that
some parts of the newspaper
reporting were “inaccurate” – but,
Operation PRISM: effect on
cloud industry could be good or bad
The revelations about the US security services snooping will have a profound
impact on the cloud industry, according to Max Cooter.
Feature Cloud: Friend or foe?
Cloud service providers have
made reassuring noises about the
safety of their data.
MaxCooter
iseditorofCloudPro.
Hehasseenprofound
changestotheIT
landscapeduringhis20
yearsasajournalist,but
believescloud
computingcouldbethe
biggestofthemall.
23. BIG BROTHER23 www.itpro.co.ukhttp://www.juniper.net/uk/en/ www.itpro.co.uk
Feature Cloud: Friend or foe?
yet, crucially, he did not deny the
reporting as being completely
without fact.
He claimed that the revelations could also damage security operations. “The unauthorised disclosure of a top secret US court document threatens potentially long-lasting and irreversible harm to our ability to identify and respond to the many threats facing our nation,” he said.

He dismissed concerns from privacy campaigners in the statement though. “The article omits key information regarding how a classified intelligence collection program is used to prevent terrorist attacks and the numerous safeguards that protect privacy and civil liberties,” he said.
Excessive or wholly justified?

However, it’s not just privacy campaigners who have been alarmed by the implications of all this. The author of the Patriot Act, James Sensenbrenner, wrote an open letter to the US Attorney General protesting that the FBI’s action in calling for the Verizon phone records was excessive – and that’s before news of the trawl of customer data from the nine big providers was revealed.

Clapper’s general response to people like Sensenbrenner and other protesters is that there’s nothing to worry about. Everything is seemingly all right because it’s only non-US citizens living outside the US who will be affected. But that’s precisely what is worrying many people on this side of the pond. And we just don’t know who to believe any more.
Effectiveness vs reactiveness

The other aspect of this whole shooting match is how effective this type of process will be at actually catching the bad guys.
If you’re trawling through the customer records of the likes of Facebook and Google, you’re going to have billions of interactions to deal with. That’s not just a big data problem, that’s a massive data problem. And even when the data has been analysed, how accurate is it going to be? Not very accurate at all, according to some researchers.

There would likely be more understanding about the endeavours of the security forces if these efforts were guaranteed to catch the bad guys. Instead, there’s a general understanding that this is not going to be the case.

Monitoring scandals must not lead to balkanisation of the cloud, says Box CEO

The PRISM government spying scandal, in which the US National Security Agency monitored electronic communications, must not be allowed to break up the cloud and restrict data flow.

This was the opinion expressed by Aaron Levie, the CEO of Box, regarding propositions from the European Commission to alter data protection requirements in a way that could require data to be kept either within the European Union or within the originating countries. Similar proposals have also been put forward by Brazil.

Speaking to journalists at the organisation’s Business Without Boundaries event in Central London, in November 2013, Levie said: “It is obviously incredibly bad and inappropriate what the NSA has been doing ... it’s not only bad the actions they have taken but it’s also the inaction of not actually creating any transparency or any visibility into what is actually happening.”

However, Levie added: “On the [subject of] EU privacy and data [regulation], the biggest thing that we are worried about ... we want to avoid some of the noise about the balkanisation of the cloud, that would be a very bad outcome – this idea of regionally specific or government specific or country specific clouds. Not only does it not make technological sense, it’s also bad from an economy standpoint.”

Most of Box’s customers need to collaborate and share information across international boundaries, Levie said. He added that the only way to do so effectively was with an open platform.

Levie also touched on the topic again during his keynote, following a question from a delegate.

“We don’t think the current [surveillance] situation is tenable ... and we are optimistic that there will have to be more transparency, have to be more processes created for how this works. We don’t think the internet could blossom and evolve in the appropriate ways if this fear [were to] remain,” he said.

“Fortunately, we are a little bit outside of the whole issue and distanced from it, because the biggest issue has been national security and those are generally ... consumer communication services on the internet. We tend not to fall into the space that is of interest, but we care a lot from a technology company standpoint. We have to have a world that allows us to securely communicate and work and share on a global basis, so that is obviously something that we care about and that we are pushing on,” he concluded.

Credit: Jane McCallion
One side-effect of these goings-on is that we won’t be able to look at cloud computing in the same light. We now know that assurances about data being safe from prying eyes are meaningless.

That’s not to say that cloud providers will suffer. There will be some companies who won’t be at all fussed that the NSA has access to their data. They’ll happily live with the intrusion as long as they can benefit from the economies of scale, the flexibility and, yes, the security of the large US-based providers.

It was also noticeable, at the time of the original revelations, that Amazon wasn’t part of the PRISM programme. The reasons behind this can be speculated on endlessly, but certainly the revelations should not prevent potential Amazon customers going down that route.

Nevertheless, there will be some companies who just won’t be able to view cloud in the way they did before. Just as victims of burglaries complain that the invasion of privacy is worse than the items being taken, so there will be companies unhappy with this level of intrusion. If you’re one of these companies, you won’t be happy that someone has been snooping in your metaphorical underwear drawer, whether it’s the CIA, FBI or Harry the Hacker.

The question is: what will these companies do? Are they going to stick with on-premise for all their applications and computing needs for ever and a day? Or are they going to go with a European provider?

You can bet that if there’s one group of people rejoicing at this news, it’s the European service provider community. They will now have a genuine selling point when it comes to taking on the American giants: data held in Europe, run by Europe and accessed only by Europeans – which appears to be exactly what has happened.

With pressure building to tighten up, not loosen, the security rules, the cloud game just got a whole lot more interesting.
Secure cloud email service erupts from Iceland

A new cloud-based email and social networking site promising better security and less intrusive commercial practices has been launched in Iceland.

Named Vivaldi.net, the service was set up by Opera Software co-founder Jon von Tetzchner and fellow Opera veteran Tatsuki Tomita as an alternative to other cloud-based email services such as Gmail and Outlook.com.

The service claims to offer ad-free email, something that Gmail in particular has been criticised for in the past, and also incorporates social elements such as blogs, cloud-based photo sharing, forums and live chat.

Iceland was selected as its base because many of the people behind the project are Icelanders. “For the people of Iceland, the rights to freedom of speech and strong consumer protection laws are most important,” according to Tomita.

Iceland is recognised as having some of the strongest privacy and freedom of speech laws in the world and is home to the International Modern Media Institute. The institute is, according to its website, a “foundation working towards rethinking media regulation, securing free speech and defining new operating principles for the global media in the digital age.”

Tetzchner elaborated on this point in an interview with Reuters, saying: “There has been a lot of focus on safety lately, and it has mainly been focused on governments. But I think this is just as much an issue for the companies in this business.”

He added: “Our initial focus is on the computer geeks because they usually have higher demands for functionality, safety and privacy. But a lot of ordinary people also worry about these things and we will welcome everyone.”

Commenting on the NSA surveillance scandal, which has caused some disquiet with regard to the cloud, Tetzchner said he cannot promise to keep the US spy agency away, but claimed that Vivaldi is “without a doubt” the safest option out there, adding “this is one of the reasons we have chosen to do it from Iceland.”

Credit: Jane McCallion
Case study: Mozzart Bet
Mozzart Bet is a European leader in the sports betting and gaming industry. Recently, it grew its ground operations to over 900 retail betting shops and has seen exponential growth in its online operations. The combination of these two areas of growth created a “new playing field” for Mozzart Bet, one where the focus turned to network stability, availability and, above all, a high level of security.
Challenge

With retail growth increasing the demands on the network infrastructure, and online traffic increasing exponentially, security was becoming a major concern, and this posed a major challenge to Mozzart Bet’s network team as well as its business partners and vendors.

Mozzart Bet needed a data center solution that could grow organically to accommodate expansion of both its retail footprint and Web operations, without the need for constantly replacing existing infrastructure. It also needed a network solution that would provide 99.9999% uptime, be easy to manage day-to-day, and ensure a high level of security.
Selection Criteria

Mozzart Bet required a high-performance solution that was reliable and would ensure a network that was always available for both its retail stores and online properties. In addition, security, particularly of the online properties, was vital, and Mozzart Bet sought out solutions to add security to its websites and Web applications. The third requirement was for products that were easy to manage and use, to make everyday operations as simple as possible.

Once the decision to re-architect its data centers was made, Mozzart Bet undertook a thorough review of its existing vendors and evaluated many other products. These new products were examined using exhaustive proof-of-concept testing and evaluation criteria, and the process took months to complete.

There were five key selection criteria used during the evaluation:
• Stability
• Scalability
• Flexibility
• Security
• Operational effectiveness

In addition to these five selection criteria, Mozzart Bet was looking for a vendor willing to work hand-in-hand with its in-house team on design to create a “best fit” solution. It was also looking for the solution with the best ROI performance.
MOZZART BET DEPLOYS DATA CENTER SOLUTION TO SUPPORT ONLINE EXPANSION ACHIEVING 99.9999% UPTIME

Summary

Company: Mozzart Bet
Industry: Retail and Online Gaming and Betting

Challenges:
• Growth placed greater demands on the network infrastructure, while an exponential increase in online traffic was a major security concern.
• The data center solution needed to grow organically and accommodate the expansion of both retail footprint and Web operations, without the need for constantly replacing existing infrastructure.
• The requirement for a stable and secure network was uptime of 99.9999%.

Selection Criteria: Mozzart Bet selected Juniper to replace its existing vendor for ease of management and ability to expand with the organization’s changing needs and enhanced security requirements.

Network Solution:
• WebApp Secure
• Spotlight Secure
• SRX Series Services Gateways
• MX Series 3D Universal Edge Routers
• EX Series Ethernet Switches
• Juniper wireless LAN solutions
• MAG Series Junos Pulse Gateways

Results:
• Since deployment of the Juniper end-to-end solution, there has not been any downtime in network services.
• During a 30-day period, Mozzart Bet detected 2,296 attackers on its Web applications using WebApp Secure, and was able to stop them.

3520492-001-EN Nov 2013. Copyright 2013 Juniper Networks, Inc. All rights reserved.

Solution

After 4-5 months of extensive lab testing, Mozzart Bet chose to install the Juniper Networks® MX80 3D Universal Edge Router because nothing compared to its performance. The company also liked the fact that MX Series routers could grow in capability based on software without changing the chassis. Juniper’s EX Series switches were selected based on performance, operational simplicity and rich feature sets. To further streamline network operations, Mozzart Bet deployed multiple EX4200s in a Virtual Chassis configuration, enabling the switches to be managed as a single logical device.
Then the Juniper Networks SRX Series Services Gateways were added to enhance security, based on their performance against comparable competitor firewalls. The new network suffered no downtime, which compared favorably with the previous vendor.
Improving the security of Mozzart Bet’s Web applications was also a key requirement, and the information security team was intrigued by the innovative technique of intrusion deception used by Juniper Networks WebApp Secure. During another three-month comparison, an evaluation of three Web Application Firewall (WAF) vendors was completed, and at the end of this test Mozzart Bet selected WebApp Secure because nothing else compared with the innovative approach of using deception to detect attackers. During the test, the information security team attacked all the solutions themselves and, interestingly, all the WAFs either crashed or were penetrated, while WebApp Secure just kept working. Another major reason why WebApp Secure was chosen was the large number of false positives encountered while testing the WAFs, compared with WebApp Secure, where false positives were extremely low.
The unique difference of not blocking just IP addresses within WebApp Secure was another factor in Mozzart Bet’s choice. There was concern that blocking IP addresses would end up blocking many real customers behind a shared IP address. Because of this “beyond the IP address” device identification, the ability to customize a response to a detected attacker was also seen as a key differentiator of WebApp Secure. Allied with an easy-to-use GUI and dashboard, Mozzart Bet selected WebApp Secure and Spotlight Secure to protect its website.
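The shared-IP false-positive problem described above is easy to reproduce. The following is an added illustration, not Juniper’s WebApp Secure code: a deception signal (a decoy URL no real visitor follows) is replayed over a constructed access log once keyed on source IP and once keyed on a per-device cookie, and the two policies are compared for how many innocent requests they block. The log format, the decoy paths and the device-cookie field are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Decoy URLs the site exposes only in ways a human browsing it would never
# follow; a client requesting one has tripped the deception signal.
# The paths and the whole log format below are constructed for this example.
TRAP_PATHS: Set[str] = {"/decoy/hidden-link", "/decoy/internal-report"}

# Constructed access log: client IP, device cookie ("dev=-" if none sent),
# method, path, status. Devices a1 and b2 sit behind one shared NAT address;
# only b2 touches a decoy. The second client never presents a device cookie.
SAMPLE_LOG = """\
203.0.113.10 dev=a1 GET /login 200
203.0.113.10 dev=b2 GET /login 200
203.0.113.10 dev=b2 GET /decoy/hidden-link 200
203.0.113.10 dev=a1 GET /account 200
203.0.113.10 dev=b2 GET /account 200
198.51.100.7 dev=- GET /robots.txt 200
198.51.100.7 dev=- GET /decoy/internal-report 200
198.51.100.7 dev=- GET /login 200
"""


@dataclass(frozen=True)
class Request:
    ip: str
    device: Optional[str]  # None when the client sent no device cookie
    path: str


def parse_line(line: str) -> Request:
    ip, dev_field, _method, path, _status = line.split()
    token = dev_field.split("=", 1)[1]
    return Request(ip=ip, device=None if token == "-" else token, path=path)


def parse_log(text: str) -> List[Request]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def identity(req: Request) -> str:
    """Key for the device-centric policy. Without a device cookie the only
    identifier left is the IP address, so the policy degrades to IP blocking
    for that client (and says so in the key)."""
    return f"dev:{req.device}" if req.device else f"ip-fallback:{req.ip}"


Decision = Tuple[Request, str]  # "allow", "trap" (tripped a decoy) or "block"


def evaluate(requests: List[Request], block_by_ip: bool) -> List[Decision]:
    """Replay the log in order. A request from an identity that tripped a
    decoy earlier in the stream is blocked; block_by_ip=True keys on the
    source address alone, False keys on identity()."""
    flagged: Set[str] = set()
    decisions: List[Decision] = []
    for req in requests:
        key = req.ip if block_by_ip else identity(req)
        if key in flagged:
            decisions.append((req, "block"))
        elif req.path in TRAP_PATHS:
            flagged.add(key)
            decisions.append((req, "trap"))
        else:
            decisions.append((req, "allow"))
    return decisions


def collateral(decisions: List[Decision]) -> List[Request]:
    """Blocked requests whose own device never tripped a decoy: the real
    customers behind a shared address that IP-only blocking sweeps up."""
    trippers = {identity(r) for r, d in decisions if d == "trap"}
    return [r for r, d in decisions if d == "block" and identity(r) not in trippers]


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for label, by_ip in (("IP-only blocking", True), ("device identification", False)):
        hits = collateral(evaluate(reqs, block_by_ip=by_ip))
        print(f"{label}: {len(hits)} innocent request(s) blocked")
```

The no-cookie client shows the caveat: once there is no device token, the device-centric policy has nothing better than the IP to key on, so any shared-address collateral returns for that client.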
Results

Prior to deploying the Juniper solutions, Mozzart Bet had been experiencing network downtime and this was causing a loss of real revenue. In the first months after deployment of Juniper’s end-to-end solution, Mozzart Bet has not encountered any downtime on its network, and this has helped maximize revenues. In addition, 2,643 attackers have been detected by WebApp Secure during six weeks of live deployment. This means 0.3% of Mozzart Bet’s Web traffic was identified as malicious and stopped before any damage could be done.
As summed up by Cedomir Novakovic, senior system/network engineer, “Juniper was willing to partner with us on creating an end-to-end data center solution that would expand to support our growing business, and the security innovation from products like WebApp Secure and Spotlight Secure was in a league of its own. No other vendor offers a similar solution to protecting Web infrastructure.”
Next Steps and Lessons Learned

Mozzart Bet is continuing to expand its network, and Juniper is a valued partner in helping it maintain the critical infrastructure and enhanced security needed to power its popular online gaming and betting services.
What topics dominate the conversations you have with organisations around information management and monitoring? Why do you think these concerns remain front of mind?

The good news is that there is more information in more forms available to help organisations understand what is in the heads of their customers and satisfy their needs than ever before.
Unfortunately, this is also the bad news, because the volume, velocity and variety of this information is on the verge of eclipsing the ability of organisations to effectively manage it.
What are the main fears enterprises face from a privacy, security and monitoring perspective?

Organisations are worried that their old “Maginot Line” approaches to privacy and security (set up barriers around the perimeter) are proving woefully inadequate in a mobile and cloud era.

The very nature of mobile means that information is leaking out of the organisation at every turn, on devices that are so portable they are lost or stolen in tens of thousands every week.

Organisations have seen that often the threat can come from the inside – from a “trusted” employee armed with something no more sophisticated than a USB stick. Fortress approaches to security do not match the current threats.
What is driving these fears and have they changed in recent times? If so, why?

The quantity of personally attributable information generated merely by mobile or web data “exhaust”, coupled with new and sophisticated analytic techniques, creates enormous opportunities – but also enormous risk.

Think of it this way – lots more data, plus way better analytic techniques, is increasingly blurring the line between what is cool and convenient for customers – and what is just plain creepy for them. This line will be increasingly difficult to navigate in the next few years.
John Mancini, AIIM

We speak to the CEO of AIIM about the importance of information management against the backdrop of increased threats and end user and business fears.

Profile

John Mancini is an author, speaker and respected leader of the AIIM global community of information professionals. As a visionary, his predictions include that we will see more change in the way enterprise technologies – and who we trust with that task – are deployed in the next few years than ever before.
www.aiim.org

What role does AIIM play in both keeping data safe and secure and putting customers’ minds at rest?

At the core, organisations need to think seriously and strategically about information governance. Information governance has been viewed for too long by the C-suite as a tactical nuisance promulgated by Chicken Little records managers and legal types.

It’s time to make the management of information assets just as important as the management of financial assets. AIIM provides education and skills development to help organisations meet this challenge.
What advice can you offer businesses to mitigate those risks? Similarly, what advice can you offer IT decision makers and managers?

This is not just a legal issue. This is not just an IT issue. This is not just a records management issue. This is a business issue and should be treated accordingly.
What are the key rules and regulations to bear in mind?

The number and variety of rules, regulations and directives related to information is going to continue to grow, especially relative to the management of information in the cloud.

It’s hard enough to meet these challenges when information management is automated. Organisations that insist on manually managing this ever-increasing volume and variety will find it impossible to do so and will put their organisation at risk.
Is the threat landscape likely to become a scarier and more dangerous place in the future? Are we all doomed?

We’re not doomed, but we do need to dramatically and realistically reassess what we are trying to protect and why.
What topics dominate the conversations you have with customers? Why do you think these concerns remain front of mind?

First and foremost is the issue of breaches and compromises of customer information, especially in light of the Target events. Second is the issue of DDoS. Third is Intellectual Property theft.
You work very closely with the US government in an advisory capacity to help protect against cyber crime and cyber terrorism. Certain levels of monitoring (PRISM et al) are considered a necessity to protect the majority. What would you say to those who feel the lines have been blurred or are worried their every move is being monitored?

I have to say that people forget a fundamental fact – the Intelligence Community (IC), who are the branch of government being held responsible, have absolutely no interest in watching and looking at the private lives of the public.

They couldn’t care less if you sunbathed in the nude, viewed pornography, used foul language, or exercised all of your constitutional rights. To a man, or woman, their mission is the defence of the sanctity of the US from foreign attackers. That is more than a full time job.

But if data exists that will allow the IC to identify those foreign attackers, they want to find a way to get that data without violating US citizens’ constitutional rights.
And, if that data is tied up with a US citizen’s unsavoury online habits, the same thing holds – they don’t care about the habits or what the citizen’s activities are. They want to get the bad guys.

Additionally, if data can be found in two places, and one of them does not involve personal information about an innocent US citizen, they will go to extraordinary lengths to use an alternative source that does not involve the US citizen.

So I would say: your life is not that interesting compared to what goes on with the real enemy. The IC realises that, and so they are long past the point where they want to look at you. If you turn out to be part of the foreign misbehaviour, then that’s a different story. But they’ll identify you from specifically developed information, not general snooping.
What are the main fears enterprises face from a privacy, security and monitoring perspective?

First, I think enterprises fear lawsuits from employees or customers who believe that an enterprise assisted in the snooping.

Second, fears may also come from a concern that the monitoring may identify inappropriate activity that the company itself was unaware of, but which may actually result in sanctions against them. Third, concerns that the systems that may be monitoring may be usurped by malicious actors, who then choose to use the capabilities against the company.
What is driving these fears and have they changed in recent times? If so, why?

I think that current events related a) to Snowden and WikiLeaks and b) to Target-type breaches are driving it. I think that over time, logic will prevail and fears will lessen and become more realistic.
Rodney Joffe, Neustar

We speak to the SVP of Neustar, who also serves as a US government security and industry advisor, about whether people should be worried about being watched.

Profile

Rodney Joffe is a senior vice president and senior technologist at Neustar. He has been a sought-after cyber security expert who, among other notable accomplishments, leads the Conficker Working Group to protect the world from the Conficker worm.
www.neustar.biz

What role does Neustar play in both keeping data safe and secure