April-May 2006  

Special Report on Eurosec 2006 in Paris
Interview: John O'Leary
Director of Educational Programs, CSI
(Computer Security Institute)

Every year John O'Leary comes to Paris to give a lecture at the Eurosec Forum on new topics related to computer security and the social issues of technology. This year was a very special one, John being presented with a special award for his long-standing attendance at the Paris meeting.
Last year John O'Leary told our readers about the coming of RFID, for which privacy was the fear. This year his message was much more "polymorphic", with topics such as Compliance, Access Management, and a new threat that comes to your door, your office and your internet box: Social Engineering ...

Founded in 1973, the Computer Security Institute, located in Plano, Texas, is the first ever membership organisation dedicated specifically to the security of information technology. With about 5000 members worldwide, its membership is open to any individual interested in fostering the cause of IT security. John O'Leary, Director of Educational Programmes at CSI, has been a regular lecturer at Eurosec since the early beginnings of the forum. At the evening reception of EUROSEC 2006 John was presented by Isabelle Hachin, Director of Communications at XP-Conseil, with a special «Fidelity Award» for his long-time attendance at the Paris meeting: 17 years... This year, John O'Leary tells us about new topics such as Compliance, Access Management and Social Engineering... a few difficult topics, but an opportunity for him to steal the show again with his remarkable didactic skills.

John, 17 years of attendance and constant devotion to the European forum held in Paris sounds like a personal Jubilee. You really deserved this special Fidelity Award that Isabelle Hachin was so pleased to give you. Congratulations. Last year we met to discuss the RFID opportunities and the many drawbacks that come with it, and according to your comments we are now starting to observe this technology's rise with its good and dark sides. So my introductory question for this year would then be something like: What's new today in IT that is already coming to our door and going to strongly impact our businesses and our everyday lives in the short term?

John O'Leary: First I would mention «Compliance». Today in the US there is an extremely heavy emphasis on compliance, a word which means making sure that your organisation is following all applicable laws and industry agreements... And the newest element of this is people ready to question whether security compliance is actually hurting security! Somehow the effort is being spent on ensuring 1) Sarbanes-Oxley compliance and keeping in line with the other laws and regulations, knowing that companies are unable to spend energy on their actual security issues. So the problem is that things they really need in terms of security may be left while other things are getting done. The legal matters are supposed to be in place to prevent fraud and privacy debacles. 2) is the emphasis on Identity and Access Management, partly as a result of the compliance initiatives. Companies and agencies are trying to ensure that they have strengthened architectures and rigorous record keeping to enable them to demonstrate what has occurred and who did what when! But they are actually seeing business benefits to implementing I&AM (Identity and Access Management). Business benefits because the structure helps benefit all applications such as manufacturing...

Compliance, Access Management... all that is perfect on a local basis, but as we outsource everything today... are we going to withstand some kind of Standing Knock Out?

John O'Leary: I think that for a period of significant adjustment, Outsourcing is not going to go away! It's here to stay. Here as part of our environment, and going to stay because it is to continue being part of the business... So it is here to stay and has shown significant benefits, and that is to continue. However, workers today have to understand that their work is not going to be for life. And with Outsourcing come security concerns.

Which brings us to the topic related to your second lecture at Eurosec 2006, on Outsourcing Security.

John O'Leary: Yes, but the matter is not «how to manage the security of what we do outsource» but «how can we securely outsource security». Do you really know the appropriate firewall settings for you? Are you aware of the special customer concerns that you have, and can your subcontractors treat your customers appropriately? Are the laws in the venue where the security management services are performed similar to laws in your own regions?

Which puts the issue in terms of responsibility, doesn't it?

John O'Leary: Not only because responsibility stays within the firm, but because firms are responsible for seeing that the appropriate things are getting done by the outsourcer, and you cannot walk away from that responsibility. Let's fill out a whole list of responsibilities:

- Protecting information given by customers and parties in confidence
- Personally identifiable information regarding employees or customers
- Performance appraisal, continuous improvement of employee performance
- Plans for marketing campaigns
- Client information (CRM...)
- Purchasing history
- ...

Does it mean that one has to perform audits within the subcontractor's organisation?

John O'Leary: Absolutely, but not only. You also have to ensure that you legally support your obligation to your customer. You don't have to perform the audits yourself. You can contract an outsourcer for that. And for everything you outsource, you maintain your responsibility.

Compliance, Access Management and Responsibility in Outsourcing. So far we have been dealing with management issues. But you also talked at Eurosec about Social Engineering. That is not management at all but a new kind of stress applied to the organization, as well as a new behaviour for hackers and intruders. Can you develop that topic?

John O'Leary: Social Engineering. It is the process of trying to convince people to give information that they should not give, or to do things that they might not want to or ought not to do. It is not always high level: we try to convince our children not to talk to kids, try to train them to be sceptical engineers during their childhood. All of us do this social engineering. So it is an attitude and an activity. But merely it is an activity wherein an attacker says he is someone he really is not. Sometimes he asks for help and may create false time pressure, or say «the CEO wants this», and use flattery to get your guard down. Generally people practicing social engineering ask for sensitive information that you really should not give out. They build trust: a bad person builds trust in the target.

You seem to consider that it is only a «one man» method. Is it only reserved for individuals acting alone?

John O'Leary: No, if they target individual people, they get all the information from pieces. Prime targets are high-level officers: the higher you go, the higher you get. And they can maintain contacts that last long when they meet again: multiple interactions with one person on multiple occasions.

What can we do to prevent the effects of Social Engineering?

John O'Leary: Social emphasis must be on policy and delivering training. People understand that a violation of policy is not something they owe to someone just because he or she was nice to them. Emphasis must also be on the fact that people try to get information, and while we want to give good service to legitimate customers, we must make sure that they are legitimate customers. So make sure you know your customers and qualify your prospects. And training can help.

Certainly, but we can imagine that professional social engineers are not so easy to detect. Are companies keen to use some kind of social profilers?

John O'Leary: No, because they are too good at it and because their inquiries sound like legitimate requests. So you don't have to profile them but to avoid their attack.

Sounds wise. So now we are going to watch our customers differently and take very much care of the requests that come through the internet. In this frightening world, what comes next?

John O'Leary: 1) Well, first point, let's recall last year's advice on RFID. This technology is now growing rapidly in more and more things, and security and privacy concerns are becoming increasingly visible. 2) Second point, Outsourcing, which is rapidly developing, will become much more closely managed from a security perspective. 3) Defense against Social Engineering must become a mandatory activity. 4) And finally, about the dangers from the inside that we talked much about during the forum, it might be stressed that the people inside the country are now outside. So the question is now: who is an insider? We are going to see more and more Social Engineering attacks and we must be ready to defend. But prevention of terrorism really is the next topic, especially because of Cyber Terrorism.

Words collected by Bertrand Villeret
Editor in chief
Partner of Eurosec 2006

To know more:
Computer Security Institute, Covington Lane, Plano Texas

Who's who: John O'Leary

Copyright Quantorg 2006
for ConsultingNewsLine
All rights reserved
Reproduction prohibited
