Information risks in the enterprise

Ian Whiting is the CEO Titania, a developer of security auditing and testing software. In this interview he discusses managing information-related risks in the enterprise, Titania Labs free tools, current information security threats, and more.

What do you see as today’s biggest information security threats?
Today’s biggest information security threats have not changed from yesterday or even last year. There are still attacks from organized groups, insider threats, intellectual property theft and the threat of a lone hacker. However I believe the largest problem is one of our own making, rather than that provided by the attacker. Companies are increasingly choosing to defend against security threats using the minimum security standards level dictated by one of the many compliance standards.

Compliance standards are important and do raise the base security level for those organizations that would otherwise not have a security policy in place. Non-compliance can also carry a significant financial or operational penalty within some industries, which means that organizations are highly motivated to achieve compliance. Additionally they provide mechanism for calculating a score, so that business leaders can see progress being made without having to see any of the detail. However compliance does not equal security; it only means you have met the specified standard.

To adequately fight the cyber war, security teams need to be versatile and adapt to new technologies and defend against the ever evolving arsenal that cyber criminals are able to deploy. To be compliant with a static set of security policy settings may be good enough for the risk managers, but it is simply not good enough to be secure.

This is not to say that compliance is a negative thing; it does mean that everyone is at least at a minimum security level. However I have often seen struggles within organizations to justify the expense of going further than those minimum levels, and as a result the biggest information security threat could be one that we have made for ourselves.

Based on your discussions with clients and peers, what are the most challenging aspects of managing information-related risks in the enterprise in a time where everyone’s budgets are shrinking?
Just like with security threats of today, the problem of managing risks remains largely the same. The problem comes from identifying more cost effective solutions to achieve the same target and sometimes this means passing some of the burdens on to suppliers. Although risk management and security management are not the same, it is generally agreed that a multi-layered approach to system security is the best approach for both lowering risks and increasing system security. However the problem that emerges from this is that the more complex the defences, the more expensive and complex they become to manage.

Repeatedly surveys have shown that one of the biggest challenges for employers is the lack of experienced and qualified staff to manage all those defences, studies have shown that employing a manager in this area could significantly reduce cyber security related costs. In March 2011 the “Cost of Data Breach Study” found that US organizations which hired a chief information security officer with enterprise wide responsibility for data protection lowered the cost of the data breach by an average of 35% per compromised record (Symantec, 2011). The study averaged cyber breaches at 5.5 million, so the investment in a trained and experienced member of staff to manage security is easily justified.

The problem surrounding the lack of experts in the industry is being tackled in the UK with funding from central government in order to help create the next generation of security specialists. This has started with the first eight universities being awarded the “Centre of Excellence in Cyber Security” status and the funding that it brings. There has also been a closer tie between government and industry in order to identify security weakness areas that we can develop together. This is something that I am proud to say that Titania is deeply involved in and have found very worthwhile.

Titania Labs released a variety of free tools. Which ones do you find security professionals using the most?
We provide a number of different free tools on our site, mostly with a security theme. They are typically used to help an auditor quickly identify useful information during an audit. SSLScan is probably the most popular of these tools. It queries SSL services, such as encrypted web services, and provides details of what cryptographic ciphers are supported by the service. It is useful for highlighting where weak cryptographic ciphers are used.

What are your flagship products and who are your clients?
Our flagship product is Nipper Studio which produces a variety of expert level reports on network infrastructure devices such as Firewalls, Switches and Routers. Nipper Studio has recently won a variety of awards, and gained glowing independent reviews. This is largely because it is easy to use and yet provides a detailed report similar to that custom written by an auditor. The level of assessment Nipper Studio provides is normally only achievable via costly external audits and is vastly greater than results that can be found by scanning based solutions.

The software highlights potential vulnerabilities with specific findings, how they impact the systems security and how easy they would be for an attacker to exploit. Nipper Studio also produces detailed mitigation recommendations with device specific commands. Essentially it allows companies to reduce risk while saving time and money.

Extensive customizable settings and the support for over 100 different network device types means that Nipper Studio is flexible enough to adapt to organizations individual networks and security priorities. Change tracking functionality, compliance & the ability to integrate Nipper Studio into other tools can aid with continuous monitoring and because Nipper Studio is non-intrusive, it is perfect for secure environments.

We provide Nipper Studio to organizations of ranging sizes and is currently used in over 40 countries worldwide. Our customers are not only serious about compliance but also about security. They include some of the world’s largest banks, IT auditors, telecommunications & critical national infrastructure organizations. Our licensing is fully scalable from our starter pack which covers up to 25 devices right through to global licence arrangements.

Our largest customer base can be found in the government and defence industries including the US Department of Defence, US Treasury, Department of Energy, Homeland Security & FBI but we are also used by device manufacturers such as Cisco and Crossbeam and leading online retailers.

What challenges do you face in the marketplace? What do you see as your advantages?
The cyber security marketplace is a dynamic and exciting one to be trading in. Hackers are constantly evolving new tools and actively share exploits and vulnerabilities. Developers of solutions must follow suit or find their solutions rendered useless. As an SME we interact directly with our customers and can respond quickly to the changing marketplace in a way that a larger organization would find difficult. Our dedicated team of developers are constantly advancing the functionality of our tools and are creating new products to meet the demand for focussed cyber security toolkits.