Jonathan Evans, the head of MI5, has claimed the internet has made the threat of espionage by foreign countries higher than ever before, but insisted it is "relatively straightforward" to block attempts to steal data. "The overall likelihood of any particular entity being the subject of state espionage has probably never been …
If it's so straightforward to beat
So, it's straightforward to beat?
Did that include clamping down on the number of people who "lost" USB drives, CDs, laptops etc.? And clamping down on the access for people to download content to the same?
Make the system smarter, even idiot proof, and you'll just get a better class of idiot.
The real threat isn't really the capability of other agencies, but the incapability of our own...
This idiot needs a thrashing with the Metasploit cluebat.
What would you propose then?
The biggest bang for the buck on security spending are on relatively simple things like:
1.) Data classification and policy - what types of information are allowed where, who can access it, what handling policies apply, and what the consequences are if someone does something stupid in violation of said policies... like copying an entire repository of confidential information to a laptop or thumb drive
2.) User training on data handling policy (1), common data breach scenarios, and common social engineering techniques. This has to include, but usually doesn't, informing the users that they could be held liable, have their employment terminated, or in the case of classified goverment material even face jail for failure to follow policy. That's not to say that you will actually follow through on the threats, but many organizations view data security as an IT-only issue.
I'd guess that, incident wise, probably 95% of data loss is the result of sloppy data handling (putting sensitive information in unsecure, vulnerable locations), intentional mishandling of data, automated social engineering exploits like the "Here You Have" virus from a week or two back, and other types of viruses/malware.
That last 5% - or whatever the real percentage of skilled, intentional, targeted attacks is... like the Aurora attacks against Google - is where things get more difficult and potentially much more expensive. That's where you start talking about enhanced physical security, network segregation, disabling USBs, stateless OS, IDS, advanced encryption, etc... but it still doesn't need to break the bank. Locked down, physically segregated classified networks are as old as networks themselves and can prevent probably 4+ of that last 5%... with the "last mile", so to speak, being physical exploits of classified WAN links.
Of course, that's a vast oversummarization and even with a "bulletproof" architecture data can still get out. The point is that significant gains can be made in an organization's security with relatively simple and cheap methods. Start with A (data security policy), then B (user training on policy), and take it as far as you can reasonably afford to go. Just don't start at Z (quantum encryption), and work your way backwards.
It is straightforward to beat and Britain has done a marvellous job of ensuring that we have nothing worth stealing, thus negating the need for anyone to take the trouble to steal to hack us.
All our information is known to everyone
Why bother hacking us when they can get most of our secrets with a FOI Request or just read The Sun to find out what we spend our military budget on?
There's also Google Earth to find our intelligence agencies and military bases.
We even publically declare exactly how many nukes we have
And everything i've missed gets released in books the last Prime Minister writes after being kicked out of office.
We have nothing worth stealing after all that
> We even publically declare exactly how many nukes we have
That's both normal, expected, required under treaties we've signed and (perhaps counter-intuitively) it enhances our security.
We publicly declare capability (submarine-launched, MIRV, 7500Km range) to execute a counter-city strike on any nation which uses nuclear weapons against us. Critically, that second strike capability is almost completely impossible to defend against.
He's technically right but PR clueless
He should be saying how many cyber attacks there are (invent any number, the higher the better) and what the impacts are likely to be (again the scarier the better) as this will ensure his budget is not hit as hard.
anyone fancy a flutter on how long it will be before this guys name is on the list for an MBE or OBE or a Knighthood,all these civil servants get some medal or other for either knowing fuck all, or for continually stating the bleeding obvious. I would bet a tenner for this year if I didn't think it was a foregone conclusion already.
"relatively straightforward" to block attempts to steal data
This is only too true. Carry out the following steps, prefereably in this order:
1. Uninstall FLASH.
2. Uninstall Acrobat and Acroread.
3. Uninstall Windows.
4. Unplug the internet connection.
5. Unplug the CDROM drive, Floppy drive (if any), plug the keyboard and mouse into internal USB ports and fill the external ones with Araldite.
6. Move the computer to a secure computer room with walls made of lead.
7. Lock the door to the computer room and destroy the key.
8. Cut all cables into and out of the computer room and cover their ends with steel plates.
I'm half expecting a reply from TEMPEST because this sounds like Tempest security :)
Excuse me, but lead walls can be very easily cutted down with a plumber's torch. 19'99€ at yout local hardware or DIY store.
No need to open the door.
Alternatively, 3 consecutive steel reinforced concrete walls, with some steel and sand sandwitches between them are harder to break.
my 2 security cents.
Easy? Of course!
Stop the dingbat Gov IT managers from overuling the poor IT admins and allowing clueless fuckwitt users from "borrowing" our personal data, copying it to USB sticks and laptops, then handing said devices to other clueless fuckwitts who work for other Gov depts!
This can't right!
Shouldn't he have been demanding millions and millions of pounds and removal of some of those pesky freedoms?
It almost sounds like he is promoting better user education, rather than state intervention.
That can't be right can it?
Crikey, as of my time of reading the comments left on this thread, is there 100% agreement that Jonathan Evans is a tool and as a Head of Intelligence with any notion of the Cyber domain, mistitled ..... although he is very careful not to divulge the real dangers that the Virtual Space presents, and against which their traditional forces and tradecrafts are as powerless spectators, although they are not averse to trying to use them, very badly, to try and further their own causes and screw out some additional off the record, slush funds.
Bravo, sir, and an excellent plan, especially whenever flash cash can so easily renders the clean skins the spooky services need in the new genre.
Wow, that almost says that MI5 might be doing things right and they might just be testing new protocols. Softly softly, catchee Monkey, for some Serious IT Business which will Supply a Steady Intelligence Stream for Unlimited Fortunes?
I get it!
I was going to type "so go on then oh cyber-security god, tell us how we do it cos nobody else has remotely a clue" then i re-read his comment:
"the internet has made the threat of espionage by foreign countries higher than ever before, but insisted it is "relatively straightforward" to block attempts to steal data."
The answer - disconnect your sh1t from the internet!
Why didn't we think of that before.... doh
MI5 are clueless.
"vulnerabilities exploited both in cyber espionage and traditional espionage are relatively straightforward to plug if you are aware of them"
So is he admitting MI5 were completely unaware of the BT/Phorm trials (wherein Russian supplied surveillance kit was used to engage in covert nationwide industrial espionage), and completely unaware of the TalkTalk/Huawei escapade (wherein Chinese supplied surveillence kit was used to engage in covert nationwide industrial espionage), and even clueless about the use of the Experience Hitwise system?
This man has no clue, and urgently needs to be replaced by someone who does.
There is no Answer .... just a Smart Accommodation Service
"The answer - disconnect your sh1t from the internet!" .... Death_Ninja Posted Friday 17th September 2010 14:19 GMT
Then you can't deal in good sh1t and have everyone looking the other way while you make a killing on the markets, Death_Ninja. IT, and the Internet is all about the spooky battle for Absolute Control and Overall Power with IT and Media Mogul Controls, and the taking down and taking over of Rich Corrupted Systems, which is why the Financial and Banking Sectors are such a Juicy Lucy target for Virgin Soldiers who just appear out of nowhere ..... for their crimes pay trillions, and that makes keeping their Systemic Vulnerabilities and Modi Operandi/Vivendi off the Webs and Networks InterNetworking Sensitive and Strategic Information, such a winner for them.
Isn't MI5 talking about simple measures?
My immediate reaction to the title was that MI5 wanted you to encrypt your data. It makes it pesky to encrypt things for every data move, but it works.
If everything is encrypted, how can anyone steal the data, unless they DOS/hijack (so you don't get it)?
I don't think that it is much more than that.
If he's so good, better go and show the Americans how it is done!
It's statements like this particular idiot is credited with that drives those very talented hackers - just to prove he's wrong/
Gloating like that is so dumb he will likely regret it.
Just to think the nations security is in the hands like this troll. Time to immigrate.
So can we assume from the comments so far, you'd all be happier if the MI5 Chief had instead stood up and started wailing in between flurries of tears "Help! Help! We've got Top Secret data leaking out of every orifice and there's nothing we can do!"?
A talk on data loss to this audience has to be high level, and whilst you might be hiding under your tinfoil hat because the latest release of Metasploit is stealing your Shreddies, the fact is the controls you need to protect sensitive data from theft, in most cases, is straightforward.
Implementing those straightforward controls however...
(Black helicopters for the tinfoil hat brigade)