University of Birmingham CISO: "I have severe doubts about the security of Facebook, and LinkedIn is going the same way"

The University of Birmingham faces security challenges from the local to the international level

Security has been seen as a business blocker for many years, throwing problems in the way of perfectly sensible solutions on spurious grounds like risk exposure, data corruption and identity theft.

David Deighton, CISO at the University of Birmingham, is making an effort to turn his team into the department of 'Yes, but'. Speaking at Computing's Enterprise Security and Risk Management Live event, he told attendees that he wants security to be thought of as 'Yes, you can do that', or 'Yes, you can do it this way if you take these precautions'.

Security is particularly important for Deighton's team, which protects information including high-value IP (a prime target for nation-state attackers); sensitive research; personal data; and live academic papers (targeted mostly by student hackers).

As well as securing this critical information, being known for strong security helps the University to secure funding and win business.

The vulnerabilities that Deighton faces every day will be familiar to many security teams, not just those in academia. He has major concerns around hyper-connectivity, mostly down to the Internet of Things: "Everything is connected to everything else, often in unforeseen ways. There is the risk of emerging interactions that nobody has thought of."

He also referred to "anti-security", or security controls that actually increase risk: placing more value on password complexity than on length (the University currently enforces eight-character passwords but is considering increasing the minimum to 12); overuse of encryption, which can hide attacks ("Encrypting everything is completely misguided, because you're also encrypting the spam and the malware"); and the much-beloved security through obscurity.

False assumptions about security are just as dangerous. It is common these days to see third-party sites using an API to hook into sites like Facebook or Twitter, offering visitors the chance to use their social media login details instead of creating a new account.

"I have severe doubts about the security of Facebook, and any data that's in there," said Deighton. "Not just Facebook - other social networks. I think that LinkedIn is going the same way."

Two-factor authentication (2FA) is often held up as a prime example of good security practices, but even it is not totally safe. "Recently there have been some issues around the use of SMS messaging for two-factor authentication… It's better than nothing, but it does have some vulnerabilities." When the University uses 2FA, it generates and sends codes through Google Authenticator.

To tackle these issues, the University has established a new data management scheme, balancing investment in data as an asset against risk and targeting areas where the risk is greatest. Deighton named these as:

It will probably be no surprise that the University considers people to be both a major risk and an area for improvement, but Deighton's work to change the perception of security continues here. He is trying to foster an atmosphere where people are not afraid to report problems to the security team for fear that it will "come down on them like a ton of bricks"; they must, however, be aware of risks and consequences.