About Jimmy

James 'Jimmy' Blake is the Chief Security Officer for Mimecast,  a leading cloud services company based in London.  James has overall responsibility for risk management for the organisation's internal IT infrastructure and service delivery platforms spread across four continents.  James also manages the security of platforms deployed within partners such as Cable & Wireless and Iron Mountain.

James is also one of the founders of eyeCompli, a company providing Software-as-a-Service standards-based risk assessment and security program management solutions.

He holds a PhD in Information Security Management and is a Certified Information Security Systems Professional. James has nearly two decades of commercial experience in information security, business continuity and storage.

James has a love of loud Harley Davidson motorcycles, real ale, role playing games and even louder heavy metal.  He lives in rural Kent with his partner, Sonia, and stepson, Rafael.

Monday, Jul 19 2010

App and Add-on culture - the breeding ground for a new type of malware?

I've just been reading on the Mozilla blog that they've removed a Firefox add-on called "Mozilla Sniffer" that intercepted the details of all Web logins and sent them to a remote site.  Mozilla's metrics state that Mozilla Sniffer was downloaded approximately 1,800 times and had 334 active daily users - ouch.

This is hot on the heels of spoof banking applications for Android targeting users of the First Tech Credit Union and Travis Credit Union US banks.  SMobile also released a report last month that estimated up to 20% of the then 48,000 Android apps on the Google Marketplace could contain spyware (although their definition of spyware is a little open).

The interesting point to note is that both Android and Firefox are extolled by the geekerati for their 'open' approach, while Apple is criticised for its walled-garden approach to development for their platforms.

The reality is that we live in a dangerous world.  As information security professionals, we've banged on for years about only downloading from trusted sources and checking the integrity of the downloads.  Websites like Download.com built their reputation on being a trusted source of downloads for IT professionals in a sea of malware.

Now the same technical people are hailing the fact that Android 'can install an app from any Website, rather than having to go to a controlled marketplace' or the 'openness of the Google Marketplace' as if it is a good thing.

Now I'm not saying that everything about the Apple AppStore is all sweetness and light.  They have made some pretty arbitrary decisions on approval and they will, inevitably, let some malicious applications through.

I can tell you, however, as someone who owns both platforms and develops for both Android and iOS - I feel a lot safer downloading from the AppStore than I do from the Google Marketplace.

Friday, Jul 16 2010

Response to Jay Heiser from Gartner's "Why I’m ambiguous about SaaS email"

I read Jay Heiser from Gartner's "Why I’m ambiguous about SaaS email" post.  He brings up some interesting points in his posting, especially with regard to the suitability of existing security standards and certifications for evaluating vendors utilising what is a fairly new and evolving delivery model.

The work by the Cloud Security Alliance and CloudAudit is making good progress in delivering a set of recommended controls specific to the cloud, along with a mechanism for third-party evaluation of conformance, but in the meantime customers just have to exercise caveat emptor on a case-by-case basis.

Customer due diligence is the key when choosing to outsource your email to a third party, but this due diligence has to take into account what you actually do on-premise as a baseline and not start from some utopian expectation.

I work as the CSO for a leading email management SaaS vendor and I can't tell you the number of 300- to 400-question RFPs we receive from customers who've searched for them on the Internet.  On closer inspection of the customer's current solution you find PST files scattered across their network, unencrypted archive databases, countless email and archive administrators, single points of failure and fragmented, inconsistent administration across the multiple platforms that form their email infrastructure.

In these instances moving to the cloud is going to instantly deliver improvements over their existing security, but still these customers hold irrational fears because they are nervous about moving their data from a data centre where they can touch and feel the hardware to a service that abstracts it all away.  They deliberately build a level of expectation that far exceeds their current level of security as a mechanism to justify not moving to the cloud.

Security breaches are bad for cloud service providers: they elongate the sales cycle, increasing the cost-to-sell; they impact renewal revenue, which is the means of survival for most cloud vendors; and breaches play into the hands of on-premise vendors using FUD to put customers off considering the cloud.  Cloud vendors cannot get away with throwing a bunch of hardware and software into a customer data centre and disappearing for three years until the next upgrade is due.  Cloud vendors are judged day-in, day-out by the performance, and the security, of their services.  Because of this, most cloud providers take considerable effort to ensure their environments, platforms and services are secure.

Not all cloud vendors are created equal, however; many aren't true cloud services.  They are the latest incarnation of what were application service provider or managed service provider platforms, re-purposing on-premise appliances or software by just putting a web front-end on products that are often ill-suited to running in multi-tenant environments.  Customer due diligence must identify these kinds of 'cloud' offerings and the risks that are inherent to these environments (for instance client separation; end-to-end encryption; chains of custody for data that may need to be used as evidence at a later date).

Email is a critical business tool, but a commodity, which makes it a prime candidate for outsourcing to a cloud provider.  Cloud providers will often deliver immediate benefits in security, but potential customers must exercise the appropriate due diligence and weigh the results against their current environments as a baseline.  Many customers will find themselves pleasantly surprised by decreased cost, increased functionality and increased security.

Wednesday, Jun 30 2010

Interesting cloud security points from the Cloud Computing World Forum

I've been attending the Cloud Computing World Forum in London this week and I enjoyed the Cloud Security session yesterday afternoon.  Two points specifically stood out:

Firstly, Jason Hart, SVP Europe for CRYPTOCard, pointed out that too many cloud services rely on a weak method of authentication - passwords.  Cloud service providers need to up their game and implement stronger authentication mechanisms.

Then during the panel session, the topic of whether 'the cloud' had inherent security weaknesses came up.  The conclusion drawn was that "the cloud doesn't have a security problem, it has a trust problem".

This is a topic that is close to my heart, as I believe companies are taking a totally different approach to the due diligence of cloud service providers, one which is often unrealistic.  I've stressed over and over that due diligence is a critical part of selecting the right cloud services provider, but the due diligence framework has to be realistic and based on fact.

Organisations wanting to move from an in-house solution to one that is cloud-based need to baseline their security against what they are doing at the moment, and against what they need to protect the particular data in question.  I've had more than one 40-page security due diligence questionnaire, downloaded from the Internet, from a 100-seat organisation whose entire email infrastructure sits in a comms room in a single office, with an Exchange administrator who has never been background screened, and who has never performed a penetration test.

The entire discipline of information security revolves around working out which data is sensitive and critical to the business; assessing risk exposure to that data; doing a gap analysis to work out whether you're handling the risk accordingly at present; assessing controls for the areas you're not handling sufficiently well on a cost/benefit analysis basis; then deploying the controls; and managing them on an ongoing basis.

During the conference Klaus Bartosch, the EVP of Sales and Marketing for Virtual Ark, made a good case for a due diligence methodology for cloud service providers involving these steps, which mimics the approach above.  The title of his presentation?  "Cloud security isn't bad - it's just different".  After listening to his presentation I'd say it isn't different: it needs the same risk assessment approach that the information security community has built up over decades.  The difference is that instead of deploying the controls yourself, you make it a mandatory requirement that the service provider implements them.  If they don't, move to the next provider; it's a competitive market out there.

The critical thing to remember is that the level of protection needs to be proportionate to the sensitivity and criticality of the data involved.  More often than not organisations achieve a better level of protection for their data by moving to a cloud service; they are just nervous because they cannot physically walk into a server farm and touch the storage arrays containing the data any more.
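A worked version of the baseline-then-compare method the post argues for, as an added example (not the author's or Mimecast's code): it scores residual risk per data class for the current estate and for a candidate provider, lists the threats where the provider is actually worse than the baseline, and turns any residual risk that is still above tolerance on sensitive data into the controls to mandate of the provider contractually. Low-sensitivity data never generates requirements, which is the proportionality point. All threats, controls, weights, likelihoods and the tolerance are constructed sample values.

```python
"""Baseline-versus-provider gap analysis for a cloud email migration.

Added illustration only: the data classes, threats, controls, weights and
tolerance below are constructed sample values, not figures from the post
or from any real provider or assessment framework."""
from dataclasses import dataclass

# Which controls mitigate which threat, and what fraction of the inherent
# likelihood each control removes (constructed weights).
THREAT_CONTROLS = {
    "credential theft":   {"mfa": 0.6, "password_policy": 0.2},
    "data at rest theft": {"encryption_at_rest": 0.7, "physical_access_control": 0.2},
    "loss of evidence":   {"chain_of_custody": 0.6, "immutable_archive": 0.3},
    "cross-tenant leak":  {"tenant_isolation": 0.8},
    "outage":             {"redundancy": 0.6, "tested_backups": 0.3},
}
MAX_MITIGATION = 0.9     # no control set is assumed to eliminate a threat entirely
THREAT_TOLERANCE = 10.0  # residual score per threat the business accepts (constructed)


@dataclass(frozen=True)
class DataClass:
    name: str
    sensitivity: int          # 1 (public) .. 5 (board-level); scales impact
    threats: tuple[str, ...]  # threats relevant to this data


@dataclass(frozen=True)
class Environment:
    name: str
    controls: frozenset[str]
    likelihood: dict[str, int]  # inherent likelihood per threat, 0..5 (0 = not applicable here)


def residual(data: DataClass, threat: str, env: Environment) -> float:
    """Residual score for one threat: impact x likelihood remaining after controls."""
    weights = THREAT_CONTROLS[threat]
    mitigation = min(sum(w for c, w in weights.items() if c in env.controls), MAX_MITIGATION)
    return data.sensitivity * env.likelihood.get(threat, 0) * (1 - mitigation)


def total_risk(data: DataClass, env: Environment) -> float:
    """Sum of residual scores over every threat relevant to the data class."""
    return round(sum(residual(data, t, env) for t in data.threats), 2)


def gap_analysis(data: DataClass, baseline: Environment, candidate: Environment) -> dict:
    """Compare the candidate against the current estate for one data class.

    regressions:       threats where the candidate scores worse than the baseline
    required_controls: controls the candidate lacks for threats whose residual
                       score still exceeds tolerance, i.e. what to mandate contractually
    """
    regressions, required = [], set()
    for threat in data.threats:
        base, cand = residual(data, threat, baseline), residual(data, threat, candidate)
        if cand > base + 1e-9:
            regressions.append(threat)
        if cand > THREAT_TOLERANCE:
            required.update(c for c in THREAT_CONTROLS[threat] if c not in candidate.controls)
    return {
        "baseline": total_risk(data, baseline),
        "candidate": total_risk(data, candidate),
        "regressions": regressions,
        "required_controls": sorted(required),
    }


# Constructed sample: a single-office on-premise estate versus a cloud provider.
INHERENT = {t: 4 for t in THREAT_CONTROLS}
ON_PREM = Environment(
    "on-premise",
    frozenset({"password_policy", "physical_access_control", "tested_backups"}),
    {**INHERENT, "cross-tenant leak": 0, "outage": 5},  # single tenant, but a single point of failure
)
CLOUD = Environment(
    "cloud provider",
    frozenset({"mfa", "password_policy", "encryption_at_rest", "tenant_isolation",
               "redundancy", "tested_backups"}),
    INHERENT,
)
BOARD_EMAIL = DataClass("board email", 5, ("credential theft", "data at rest theft",
                                           "loss of evidence", "cross-tenant leak"))
NEWSLETTERS = DataClass("marketing newsletters", 1, ("outage", "credential theft"))

if __name__ == "__main__":
    for data in (BOARD_EMAIL, NEWSLETTERS):
        print(data.name, gap_analysis(data, ON_PREM, CLOUD))
```

With the sample values the provider scores better overall on board email (34 against a baseline of 52) while introducing one new exposure, cross-tenant leakage, that the on-premise estate never had; the only residual above tolerance is loss of evidence, so chain of custody and an immutable archive become the contractual requirements, exactly the kind of item the previous post flagged for re-badged single-tenant products. The newsletter data produces no requirements at all.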

Appropriate due diligence cannot be based on irrational fears and prejudices; it has to be based on fact.

Friday, Jun 11 2010

Adobe patches critical vulnerabilities in Flash

Adobe Systems has released a patch today for all platforms to plug over 30 vulnerabilities, including a critical one that hackers were actively exploiting to install malware on users' machines.

This vulnerability lets attackers take complete control of vulnerable machines once the user views a website containing specially crafted Flash content - you can start to see why Steve Jobs doesn't like it.  We've been seeing a lot of emails recently attempting to direct users to sites containing such content.

Adobe also announced that a patch for the related vulnerability in Acrobat won't be available until June 29, but has published some interim workarounds, including deleting the authplay.dll (Windows), AuthPlayLib.bundle (Mac OS X) or libauthplay.so.0.0.0 (Linux) file, or disabling JavaScript within Acrobat.

The patch can be downloaded from the Adobe site.

Friday, Jun 11 2010

Preparing for my CISM exam tomorrow

I have been studying for several weeks to take my ISACA Certified Information Security Manager (CISM) exam on Saturday morning, at 7:30 AM, I might add!

I have really enjoyed this course.  I was expecting to have ISACA's COBIT framework rammed down my throat, but the course material took a surprisingly agnostic and pragmatic view of security programme frameworks.  The main complaint from CISSPs is that the Certified Information Systems Security Professional exam is a mile wide and an inch thick.  The CISM, on the other hand, is totally focused on the area of strategic management of security within the organisation, especially on the governance side of things.

I wish all of the security professionals swotting hard for the exam tomorrow all the best, good luck!