Friday, November 28, 2008
Social networking tool helps drive knowledge sharing
Pass It Along is IBM’s social networking tool, which the company says is aimed at helping organisations to take “a more user-friendly, collaborative approach” to knowledge sharing.
Wednesday, August 20, 2008
UK Cabinet office published the National Risk Register
As announced in the UK National Security Strategy, the UK Government has published a National Risk Register which sets out our assessment of the likelihood and potential impact of a range of different risks that may directly affect the UK.
The National Risk Register is designed to increase awareness of the kinds of risks the UK faces, and encourage individuals and organisations to think about their own preparedness. The register also includes details of what the Government and emergency services are doing to prepare for emergencies.
http://www.cabinetoffice.gov.uk/reports/national_risk_register.aspx
Tuesday, August 19, 2008
CPNI published a security assessment of the IP
CPNI has just published a new document on the security of the Internet Protocol.
"Much of the effort of the security community on the Internet protocols did not result in official documents (RFCs) being issued by the IETF (Internet Engineering Task Force) leading to a situation in which 'known' security problems have not always been addressed by all vendors," the report states. "As a result, any system built in the future according to the official TCP/IP specifications might reincarnate security flaws that have already hit our communication systems in the past."
http://www.cpni.gov.uk/Products/technicalnotes/3677.aspx
Friday, August 1, 2008
UK: WARP Annual Forum Report now available
The report of the 2008 annual forum is now available on the WARP website. I participated in this event and gave a presentation on Information Sharing from an International perspective. On the website you will find a copy of my presentation.
http://www.warp.gov.uk/Index/Forum/indexannualforum.htm
"The WARP Annual Forum held on Tuesday 3 June 2008, at The Law Society (photo) was a great success with feedback showing 100% saying yes to the question: Would you attend this event next year or recommend it to a colleague?
Presentations for the 2008 forum are available here.
The event was attended by over 100 delegates and included attendees from Holland, Ireland and Canada with presentations from the US, Italy and Greece. As usual, the Annual WARP Forum offered delegates a unique opportunity to listen to presentations from experts in the field, network with other people active in the area, and to share advice and experiences. For some delegates it was also the first opportunity to learn about WARPs and gave them a chance to talk to people who had had experience of setting up and running WARPs."
Thursday, July 17, 2008
The security of energy, water, telecommunications and other vital European infrastructures is set to be strengthened by a new international project no
The pan-European 'Design of an Interoperable European federated Simulation network for critical Infrastructures' (DIESIS) project will develop advanced computer modelling and simulations to find and test points of vulnerability in these infrastructures, and develop ways to address them.
Europe's critical infrastructures, such as transport systems, gas lines, electricity supplies and communications, are becoming increasingly interdependent.
This makes understanding the complex relationships between them important because a breakdown in one can spark severe disruptions across many others, potentially affecting millions of people.
These failures can also spread quickly across many different countries, as happened in November 2006 when 13 countries including France, Italy, Germany, Portugal and Morocco lost electricity supplies after a high-voltage power line in Germany was temporarily shut without proper preparations.
Similarly, in 2002 Cyclone Ilse caused 12 billion euros of damage after flooding disrupted electricity, water supplies and waste water systems across regions of Germany, Austria and the Czech Republic.
Unravelling the complex interactions and interdependencies of cross-European infrastructures demands highly developed simulation tools. While simulators currently exist for certain infrastructures, none are capable of simulating the interaction of multiple interdependent systems. This severely limits how effectively nations can prepare for and respond to threats to their infrastructures ranging from natural disasters and IT failures to human error and acts of terrorism.
DIESIS aims to tackle this by developing advanced computer models and simulators that can test the robustness of these interdependent infrastructures, identifying weak spots where a failure in one could begin a catastrophic domino effect.
Professor Erol Gelenbe of Imperial College London's Department of Electrical and Electronic Engineering, one of the leaders of DIESIS, explains:
"Systems have weak spots and when they go down the costs and impact on people's lives are huge. These are highly complicated systems in their own right, so understanding the many ways in which they interrelate requires extremely complex modelling. Our aim is to come up with a simulation facility for constant study that can find weaknesses in systems and address them."
The project will also tackle smaller failures, which may go largely unnoticed but are nevertheless costly. Professor Gelenbe adds:
"If the internet system in Westminster is down for an hour because it has been attacked by hackers it won't make the headlines but it's very expensive for government and business. Those kinds of attacks happen very frequently. This project will help to make our entire critical infrastructure much more secure."
DIESIS is funded by 1.5 million euros over two years by the European Union under the Seventh Framework Programme. It will carry out the initial work that will pave the way for the establishment of a European Infrastructures Simulation and Analysis Centre.
The project sees Imperial College London working with large European public sector research organisations, including the Fraunhofer-Institute for Intelligent Analysis and Information Systems, Germany, Consorzio Campano di Ricerca per l'Informatica e l'Automazione Industriale, Italy, Ente per le Nuove Tecnologie, l'Energia e l'Ambiente, Italy, and the Netherlands Organisation for Applied Scientific Research.
More information on DIESIS is available at http://www.diesis-eu.org/
Tuesday, July 1, 2008
UK: Government racks up 100 data breaches
"There have been 30 data losses in central government, 50 in public sector organisations and 17 in local government, the Information Commissioner's Office (ICO) confirmed.
The figures were revealed by justice minister Michael Wills in a written answer to Parliament in response to a question by shadow minister for the cabinet office Francis Maude." [...]
Thursday, June 26, 2008
UK: 4 reports available on HMRC incident
Part 2 of the report provides 45 recommendations and management actions, all in line with the ISO 27001 standard.
Here are the links to the reports:
PricewaterhouseCoopers' full Report: download (a briefing from out-law.com is available here)
Sir Gus O'Donnell's full Report: download (a briefing from out-law.com is available here)
IPCC Report: download
Sir Edmund Burton's Report: download (+ MOD Action plan in response to Burton's report available here)
Tuesday, June 24, 2008
CIP Report - new International Issue
You can access the report on the GMU CIP website: http://cipp.gmu.edu
Or directly here
Friday, June 20, 2008
UK Ministry of Defence to bolster internet intelligence
"Air Commodore Graham Wright, a senior information professional from the Ministry of Defence, said it is placing great focus on analysing the internet threats to the UK and being able to compromise the data of enemy countries.
'Computer Network Defence is something we take a great deal of interest in. There is a huge shift towards holding information on networks,' Wright told a conference in Westminster yesterday organised by the government-funded Cyber Security Knowledge Transfer Network."
Wednesday, June 18, 2008
UK CPNI: new SCADA guidelines available
Here is the list of the 8 available guidelines (each title is also the link to the guideline):
Process control and SCADA security - General Guidance
An overarching summary to the following guidance documents
Process control and SCADA security guide 1 - Understand the Business Risk
The first step in improving the security of process control systems is to gain a thorough understanding of the business risk in the context of electronic security. Business risk is a function of threats, impacts and vulnerabilities. Only with a good knowledge of the business risk can an organisation make informed decisions on what should be the appropriate levels of security protection.
Process control and SCADA security guide 2 - Implement Secure Architecture
Designing a secure architecture for a control system can be a difficult exercise as there are so many different types of systems in existence and so many possible solutions, some of which might not be appropriate for the process control environment. Given limited resources it is important that the selection process ensures that the level of protection is commensurate with the business risk and does not rely on one single security measure for its defence.
Firewall deployment for SCADA and process control networks
This guide, produced by the former NISCC, documents the pros and cons of architectures used to separate the SCADA and process control network from the Enterprise network. These range from hosts with dual network interface cards to multi-tiered combinations using firewalls, switches and routers.
Process control and SCADA security guide 3 - Establish Response Capabilities
The capability to respond to both alerts and incidents is an important part of a process control security framework. Obtaining management support, determining responsibilities, establishing communication channels, drafting policies and procedures, identifying pre-defined actions, providing suitable training and exercising the whole process prior to incidents enables a quick, effective and appropriate response which can minimise the business impacts and their cost, possibly avoiding such incidents taking place in the future.
Process control and SCADA security guide 4 - Improve Awareness and Skills
Raising awareness is potentially the single most valuable action in the ongoing task of process control security. Raising awareness endeavours to ensure all relevant personnel have sufficient knowledge of process control system security and the potential business impact of lapses in security. Personnel need to know what to do to prevent attacks and what to do in the event of an incident.
Process control and SCADA security guide 5 - Manage Third Party Risk
The security of an organisation's process control systems can be put at significant risk by third parties, e.g. vendors, support organisations and other links in the supply chain, and therefore warrants considerable attention. Technologies that allow greater interconnectivity, such as dial-up access or the internet, bring new threats from outside of the organisation. Third parties must therefore be engaged as part of the process control security programme and steps should be taken to reduce the associated risk.
Process control and SCADA security guide 6 - Engage Projects
Process control systems are usually installed with an expectation of a long service life and minimal changes to these systems during their lifetime. However, saying this for all control systems in use is probably an over-generalisation. In many organisations there are often a number of process control system related projects underway at any point in time, any of which could have security implications.
Process control and SCADA security guide 7 - Establish Ongoing Governance
Formal governance for the management of process control systems security will ensure that a consistent and appropriate approach is followed throughout the organisation. Without such governance the protection of process control systems can be ad hoc or insufficient, and expose the organisation to additional risk.
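The architecture guidance above (guide 2 and the firewall deployment guide) contrasts a single dual-homed host with a multi-tiered separation of the enterprise and control networks. The following is an added example, not CPNI material and not taken from any of the guides: a small Python model of a three-zone design (enterprise, DMZ with a data historian, control network) with a deny-by-default rule table, used to audit a list of candidate flows. All zones, addresses, ports and rules are constructed for the illustration.

```python
"""
Added example: audit candidate network flows against a multi-tiered
enterprise / DMZ / control-network policy (deny by default).

Everything here (zone ranges, hosts, ports, rules, sample flows) is
constructed for illustration and is not taken from the CPNI guides.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Three tiers: corporate users, a DMZ holding the historian replica,
# and the control network with PLCs, HMIs and the data collector.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),   # constructed
    "dmz":        ip_network("10.20.0.0/24"),   # constructed
    "control":    ip_network("10.30.0.0/24"),   # constructed
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int
    src_host: Optional[str] = None   # None = any host in src_zone
    dst_host: Optional[str] = None   # None = any host in dst_zone
    proto: str = "tcp"


# Explicit allow list. Anything not matched is dropped, so the control
# network never initiates outbound sessions and enterprise hosts never
# reach a PLC directly: they only see the historian replica in the DMZ.
RULES = [
    Rule("enterprise", "dmz", 443, dst_host="10.20.0.10"),
    # Only the DMZ historian may poll the control-side collector (Modbus/TCP).
    Rule("dmz", "control", 502, src_host="10.20.0.10", dst_host="10.30.0.5"),
]

Flow = Tuple[str, str, int]   # (source address, destination address, dst port)


def zone_of(addr: str) -> Optional[str]:
    """Return the zone that contains addr, or None if it is not in any tier."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return None


def is_allowed(src: str, dst: str, port: int, proto: str = "tcp") -> bool:
    """Decide a single flow: intra-zone traffic is left to the zone's own
    controls; inter-zone traffic must match an explicit rule."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False
    if sz == dz:
        return True
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.port, r.proto) != (sz, dz, port, proto):
            continue
        if r.src_host and ip_address(r.src_host) != ip_address(src):
            continue
        if r.dst_host and ip_address(r.dst_host) != ip_address(dst):
            continue
        return True
    return False


def audit(flows: List[Flow]) -> List[Flow]:
    """Return the flows the tiered policy would block, in input order."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed sample flows, e.g. from a proposed change request.
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.5.23", "10.20.0.10", 443),   # engineer -> DMZ historian: allowed
    ("10.10.5.23", "10.30.0.5", 502),    # engineer -> PLC collector directly: blocked
    ("10.20.0.10", "10.30.0.5", 502),    # historian polls collector: allowed
    ("10.20.0.11", "10.30.0.5", 502),    # other DMZ host tries Modbus: blocked
    ("10.30.0.5", "10.10.5.23", 443),    # control device initiates outbound: blocked
    ("10.30.0.7", "10.30.0.5", 502),     # intra-control traffic: not filtered here
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("BLOCKED", flow)
```

The point the model makes is the one the guidance makes: with a dual-homed host the enterprise and control sides collapse into one zone and every flow above would pass, whereas the tiered design lets the DMZ historian act as the only bridge and keeps the control network from initiating anything outward. A real deployment expresses the same table in the firewall's own rule language, and the audit function is the kind of check worth running over any proposed rule change before it goes live.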
Tuesday, June 17, 2008
'Connected' UK vulnerable in face of cyber attack
The government has said it is engaged in tackling ongoing state-sponsored cyber attacks on UK national infrastructure.
Security minister Lord West told the House of Lords that the UK continues to be targeted by a "large number of attacks" and that the government is "taking action" to deal with those backed by hostile regimes.
Lord West refused to confirm the nature or origin of these attacks but said cyber security is a "very dangerous area" and that the UK has become "more vulnerable as we become more connected".
"He said: 'It ranges from individual hackers right through to state sponsored issues. It is something we should be worried about. We discussed the issue in a Cabinet meeting two months ago, I think we are going in the right direction.'
National and international bodies are in place to defend against these cyber attacks, and cyber attacks occupied recent G8 discussions in Tokyo, he said.
He said there are several layers of defence on the domestic front, ranging from computer emergency response teams protecting the public sector, to the Centre for the Protection of National Infrastructure (CPNI) security response teams defending the private sector. The national response to cyber attacks is co-ordinated by the Central Sponsor for Information Assurance, which is part of the Cabinet Office.
West was unable to give guarantees of total security for data held on the National Identity Register and large NHS databases, saying he did not have the relevant information but added that 'if a system is connected then there is a possibility of getting into a system'.
He admitted past failings in the public sector security due to delays in issuing patches in time but said that the government is committed to continuing to improve response times."
Sunday, June 15, 2008
UK: Secret terror files left on train

The unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train."
Monday, June 9, 2008
BERR Information Security Breaches Survey 2008 - PwC UK
has published the Information Security Breaches Survey 2008, managed by PricewaterhouseCoopers on behalf of the UK Department of Business, Enterprise and Regulatory Reform (BERR). This survey of UK businesses, carried out every two years, is the UK's leading source of information on security incidents suffered by businesses, both large and small.
The 2008 survey results were launched at the Infosecurity Europe exhibition on 22nd April 2008. There are two reports available:
A two page Executive Summary, downloadable here (0.5MB)
A 32 page Technical Report, downloadable here (1.1MB)"
Saturday, May 31, 2008
Counterterrorism Blog: Virtual Assassination as a Counterterrorism tool
In this article the author Roderick Jones, a former member of the UK Counter-Terrorism Command, describes how a virtual assassination could have effects similar to those of a real assassination.
I decided to publish this article because it is in line with what I think about Cyberwar, Cybercrime and Cyberterrorism. Most of the actual definitions used to set the context for Cyberterrorism and Cyberwar are based on the equivalent definitions used for the "Kinetic" (or real) world. But cyberspace does not follow the rules of the real world, so I doubt we can simply translate the traditional definitions, adapting them to Cyberspace.
Friday, May 30, 2008
Home Office plans surveillance of all online activity | 22 May 2008 | ComputerWeekly.com
The Home Office is considering radical plans to develop a centralised surveillance system to track in real-time every kind of electronic activity undertaken by citizens.
The project, driven by intelligence services, would require the development of a surveillance system unprecedented in its scope and technical sophistication.
The work is still at the discussion stage and has not been agreed by ministers. But if the project goes ahead as expected, it would require the development of untried technology to tap into phone lines and the internet, retrieve details on every individual's browsing and communications traffic, and store it in a central database.
The envisaged database would not record the content of telephone calls, e-mails or other internet messages. However, it could hold records of telephone and internet traffic data, which would enable investigators to build up a profile of an individual and identify their network of contacts.
The information gathered, for example, could include the time an individual sent an e-mail or instant message, and who received it. It could also record details of websites visited by members of the public, and even who had used which online computer game or video clip, when and for how long.
The project represents a major escalation in the government's powers and the speed at which electronic surveillance can be undertaken.
European Data Protection Supervisor condemns data protection legislation >>
Government plans database to connect every citizen record >>
Friday, May 23, 2008
WARP annual forum
The next WARP (Warning, Advice and Reporting Point) Annual Forum will be held on Tuesday 3 June 2008, at The Law Society, 113 Chancery Lane, London WC2A 1PL
This year’s Annual WARP Forum will explore the expansion of the WARP model from purely electronic ICT related Warnings, Advice and Reporting into the related areas of physical and personnel security. This is a logical development, but needs to be tested, and if successful it will increase the utility and appeal of WARPs.
In the afternoon, I will manage the session entitled "Information Sharing across Systems", which I will introduce during the morning panel. I will soon publish an abstract of the session.