
Computer Fraud & Security, ISSN 1361-3723, February 2009

www.computerfraudandsecurity.com

Deloitte: Security underfunded

Companies are getting more competent at involving business executives in their security practice, but security is now underfunded. That’s just one finding of Deloitte’s annual security report. It also found that firms were more concerned about internal breaches than external ones, and that they needed to get a firm handle on security audits.

Deloitte’s Sixth Annual Global Security Survey found that business executives were getting more involved in the security function. In 2008, 58% of business lines provided input into their organisations’ security strategy, with 52% of functional executives doing the same. The combined number for the two groups was just 39% in 2007. In that year, just 10% of functional execs and business lines ‘bought in’ to security, compared to 26% and 24% respectively last year.

However, respondents to the 2008 survey showed a marked decrease in security projects perceived to be ‘on plan’ – down to around 38% from 50% the previous year. There was also a slight increase in projects said to be falling behind. The report concludes from this that security projects are underfunded this year. Roughly a third of all failed projects this year were attributed to the biggest single cause: a lack of resources. Aside from worries over the economy, part of the problem could be a failure to communicate any benefits from security

Continued on page 2...

Featured this month: From culture to disobedience

One of the most prevalent problems when protecting information assets is the apathetic attitude, and resulting actions and behaviour, of employees. Given that the corporate culture of an organisation shapes the beliefs and values of those within it, it becomes essential to address the mindsets of employees and ensure that relevant security knowledge and skills are communicated to them.

However, organisations cannot assume a uniform starting point; employees will have varying degrees of compliance that may evolve to become more compliant or more disobedient depending on the guidance provided by management. This article examines the levels of security acceptance that can exist amongst employees within an organisation, and how these levels relate to three recognised levels of corporate culture. It then proceeds to identify several factors that could be relevant to the development of culture, from traditional awareness-raising techniques through to context-aware promotion of security.

Turn to page 5...

Contents

NEWS
Deloitte: Security underfunded (page 1)
Events unfold after Heartland breach (page 2)
Ponemon says data breach costs rising (page 20)

FEATURES
From culture to disobedience (page 5)
This article examines the different levels of security awareness and acceptance found within workplace environments, and the influence that these may have upon an organisation’s security culture. Proposals for enhancing culture are offered, from traditional awareness-raising techniques through to context-aware promotion of security.

Ethics – a question of right or wrong (page 11)
Catherine Everett explores the thorny issue of ethics in the information security space, looking at what constitutes ethical and non-ethical behaviour and where the shades of grey are.

In search of secure outsourcing (page 13)
IT security veteran David Lacey was asked to research and compile an in-depth guidelines report into the security strategies involved with outsourcing and offshoring of IT projects for the Cyber Security Knowledge Transfer Network. Steve Gold speaks to him about it.

Weaving in the yellow (page 16)
The prevailing view is that businesses need security at the core of their culture. But do they? Wendy Goucher asks whether businesses really ever do more than pay lip service to this idea.

War & Peace in Cyberspace: Do encrypted disks spell the end of forensics? (page 18)
About four years after the introduction of software-based file system encryption, there is now talk about achieving analogous results with full disk encryption of the hard drive. Dario Forte provides an overview of what may threaten to be a serious problem for digital investigation.

REGULARS
Editorial (page 3)
News in brief (page 4)
Calendar (page 20)

ISSN 1361-3723/09 © 2009 Elsevier Ltd. All rights reserved.

NEWS

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Web: www.computerfraudandsecurity.com
Editor: Danny Bradbury
Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia
Production Editor: Lin Lucas

Printed by: Mayfield Press (Oxford) Limited


[Figure: Root cause of information systems failure. Source: Deloitte Annual Global Security Survey 2008]

Continued from page 1...

projects other than the basic protection function. Fewer respondents in 2008 – less than a quarter – were working on formal metrics to calculate a return on investment from security-related projects. 62% are split between ‘do not measure’ and ‘little, if any, measurement’, said the report. And yet access and identity management, which can yield calculable productivity gains if done properly, was the second most popular security initiative in 2008, after regulatory compliance.

Internal breaches are still a cause of concern for companies. Over 65% of respondents were extremely confident or very confident about protecting their companies against external cyber-attack. However, that number dropped to just over 35% for internal attacks. Perhaps a regular security review would help. A third of respondents conducted internal penetration testing on an ad hoc basis only.

Events unfold after Heartland breach

Arrests have been made and lawsuits filed in the wake of the data breach at payment processing company Heartland Payment Systems which occurred last month.

Three men were arrested for using counterfeit Visa cards that had been created using data stolen from the credit card processing firm, which processes payments for 250 000 merchants. Timothy J. Johns, Jeremy A. Frazier and Tony Acreus, all in their early 20s, were arrested while using stolen credit card numbers to make purchases in Leon County, Tallahassee. The group, who had been regularly using forged Visa Gift Cards to make purchases at Wal-Mart stores and then selling on the goods, were arrested after a three-month investigation, according to the Leon County Sheriff’s Office. “This investigation is on-going and will likely produce additional charges and additional arrests,” said the Office in a statement. “Detectives will also attempt to identify and notify any person whose credit card number was compromised by this group.”

While Heartland prepares to press charges against the alleged scammers, its customers are also imposing their own punitive measures. Three separate class action suits

Continued on page 20...