Identity

I’ve just watched Prime Minister Rudd address the Australian Parliment (ironically, via the BBC) where I was pleasently suprised to hear, quite early in his speech [Link Available Soon], that the Government will direct its departments to provide assistance to people re-establish their legal identity. Things like passports, birth certificates, marriage certificates and so on are difficult enough to get hold of, but even worse when all of your “identity sources” are destroyed in disasters such as these fires or the floods ravaging Northern Queensland. Being able to provide a positive and trusted identity “token” (drivers license, passport, etc) about yourself is nowadays a virtual prerequisite to living a normal life in todays society. If you have none – how do you identify yourself? PM Rudd paused from reading his speech to convey, in his personal tone, this difficulty to the rest of Parliament. This is the first time I have ever heard a senior politician even understand this difficulty, simplistic as it may sound. Maybe its because he saw The Chasers’ Julian Morrow demonstrate how easy it is at a recent Identity Fraud conference in Sydney.

However – this got me thinking, as of course I work in the Information Security and Identity spaces. What provisions will the Commonwealth put into place to stop those evil people take advatage of this tragedy to assume the identities of victims? How do you prove your identity when your primary sources have been destroyed? There is an excellent case study of an affluent lady in NSW [Citation Needed] who has lost her home (including title deeds), car, digital identities, bank accounts, and so forth after having her identity stolen by a criminal gang whilst she was abroad. (The suspected Russian-based gang proceeded to sell everything she owned, obtained passports and birth certificates in her name,  bankrupted her and racked up massive debts in her name, and she is still fighting to this day to clear her credit record years later – which nobody seems to know how to do, due to the lack of legaslative process in Australia).  And all from stealing mail from her mailbox. Australians – put an unbreakable lock on your mailbox or get a PO Box, is all I can say.

Although its not proof of identity, people born in England and Wales can order as many copies of their birth certificates as they like (well – to be accurate – certified copies of an entry in the register of births and deaths) over the internet. A very useful service. Indeed, I’ve ordered quite a few copies of my own, based on only knowing basic information about my parents and where I was born. What is a scary thought is that this can then be used to apply for an identity elsewhere, for example my Australian Citizenship, my passports in multiple countries and even my French Carte de Sejour (itself a de facto Identity card).  I don’t know what processes there are in place to stop you, or anyone else, doing that with such a copy. I bet you that the various governments around the world don’t check the validity of every birth certificate copy they are presented with.

Whilst digital identity is a complex area, we must also not forget the issues around dealing with the offline world. Identity theft and fraud is a growing crime, not just done by neer-do-wells, but also in a profitable manner by the organised gangs. And they’ve been doing it for years. All we can do as individuals is to protect our own identity as best we can. Something I will blog about in the near future.

Australian National Disaster Support

Many Australians, including myself, have dug deep and already donated well over $15m in less than 24 hours of the appeal fund being set up by the Red Cross and the Victorian Government. Fires also continue to burn in not only Victoria, but also South Australia and New South Wales. With over 173 confirmed dead in the fires, the toll continuing to rise and many more injured, losing loved ones, pets, their homes and/or their businesses. Once the immediate situation has passed it will take a long time for those affected to recover, both physically and psycologically. I urge anybody reading this blog to please donate to this very good cause. As always, Australians, all donations over $2 are tax deductable (they email you a tax receipt) and for those abroad, the relative weakness of the Aussie Dollar at the moment means your donation will go much futher. Thankyou for your support.

Although an interesting debate, I’m not going to go into a rant about this today. What has caught my eye though as an article in todays Australian IT highlighting that a survey reveals that the majority of Australian Organisations are confident in the security of their IT systems, have rarely had that tested and can withstand all types of attacks.

Although I would like to see the details of the survey, this statement scares me. The article describes how:

[...] organisations have reached a level of comfort with security, as most internal security projects have been completed.

“We hear from the security vendors that the end of the world is coming, but businesses just don’t believe it,” Hydrasight analyst Michael Warrilow says.

It’s not surprising that organisations feel that way, as they have invested a lot to improve network security, he says.

As Information Security practitioners this proves to me that we have still failed to get our message across to Businesses Leaders. Even though the IT Industry has spent (and earnt) millions of dollars in implementing nertwork security products, all they do is protect computer networks and boxes. And only then if they are implemented and configured properly. And don’t have any users.

Australian organisations seem to have been consistently told by Software Vendors and IT Consultants that implementing some software or hardware will automagically make you secure. But what this view of the world fails to address is that whilst our technology my be OK, Information Security also needs to encompass securing information in People, Management, Processes and Strategy. Its far more difficult do this – and its not something you can “implement”.

Organisations need to address Information Security proactively, to make it a living, breathing part of their culture, instead of effectively wasting money on “tools” or “products” that do this for you.  Bob Blakely of the Burton Group makes a strong, well-reasoned argument of how the current buzzword of “Governence, Risk and Compliance” products are marketed and sold by the IT vendors (such as here, here, here and here).  He correctly states that buying this stuff will not give you Governence, Risk or Compliance that their salesmen will implicitly promise. At best, all these tools will give you are some pretty pictures of summarised data that an Operations person will find useful when preparing a presentation to his bosses. Information Governence, Risk Management and Compliance Management are all business processes that need to be owned and driven by the Business, but organisations tend to only do so when forced by an external entity (e.g. through Legislation or Commercial Obligations).

Of course, this stuff is hard. It will take time. But the first step, I feel, is for organisations to take the ownership of Information away from the ownership of Technology. Information is a business asset that can be stored and managed using various technologies; but needs to have its own management lifecycle and risk management processes.

Lets face it … fundamentally, if I wanted to get some sort of information out of a company, would it be easier for me to hack through its IT network or web based applications; or would I just pretend to be a consultant and become employed by them and grab it from the inside. Or even better walk into their offices pretending to be a courier, or contractor, or salesman and flirt excessively with the stressed office manager or receptionist. Kevin Mitnick proved that its easier to “hack” the process or the people – but still organisations put all of their eggs into one basket by securing the technology.

As the article correctly states:

“Organisations might think they’ve solved the problem but the threats are increasing and they’re going beyond technology to target people,” he says.

“Complacency is the enemy in this situation.”

I