Recently in Security Threats Category

The Electronic Pearl Harbour gets a step closer


As I expected we keep finding more and more security vulnerabilities in devices that shouldn't have them: essential control systems that govern the safety of critical infrastructure. The latest batch have been found by my IOActive colleagues in satellite communication (SATCOM) systems.

IOActive analyzed and reverse-engineered publicly available firmware updates for technologies manufactured by Harris, Hughes, Cobham, Thuraya, JRC, and Iridium. They discovered multiple high-risk vulnerabilities in all of the SATCOM device firmware studied. These vulnerabilities might enable a malicious hacker to intercept, manipulate, block, and in some cases take control of the physical device. The vulnerabilities included hardcoded credentials, undocumented protocols, insecure protocols, and backdoors.

As I've suggested before, we might find that Die Hard 4 was rather understated. 


Another elephant in the Cloud


Experienced professionals don't need Machiavelli to point out that introducing change is difficult, not just from a technical perspective but also from a political or legal one. Outsourcing and off-shoring are especially challenging. Cloud computing is the latest frontier for the ambitious pioneer. And it offers plenty of scope for real or imaginary show-stoppers.

The latest scare is state-sponsored espionage. POLITICO, a US political journal, reports that the Obama administration is engaging in diplomatic talks around the world to put to rest fears in foreign capitals about government authorities gaining access to data held by service providers under the PATRIOT Act.

Some potential customers will be deterred by this risk. Others will be happy to accept government assurances. And many will dismiss the thought as merely a spot of fear, uncertainty and doubt put about by jealous rivals. But how paranoid should we be about the threat of government eavesdropping? The answer is that it's impossible to eliminate the risk.

If you're really concerned about such foreign espionage, you should also be picky about the sourcing of your technology, your employees and the contractors you use. For absolute safety, you might consider avoiding email altogether and perhaps disconnecting your systems from the Internet.

In practice it's easier to ignore the elephant in the room. That approach enables you to take advantage of huge savings from offshore technology, staff and services. Sometimes too much knowledge can be a hindrance to progress.


Countering APT attacks


Leaked emails from the hacking of HBGary, a top US security investigator, provide further insight into the techniques and targets associated with advanced persistent threat (APT) attacks (a euphemism for sophisticated espionage attacks).

An article in Bloomberg claims that some of DuPont's computers were implanted with spyware during a business trip to China, where the PCs were stored in a hotel safe. The response to this threat should be to install self-encrypting drives on laptops, which are more resistant to 'evil maid' attacks. Other types of attack, such as phishing attacks, require a comprehensive package of security measures, including executive education, specialist exercises/tests and continuous network monitoring.

The important point to grasp is that these measures are above and beyond the requirements of ISO 27001, so if you have trade secrets or highly profitable products, then you will need to raise your game above traditional 'best industry practice' levels to resist these attacks. These are persistent attacks, which are coming your way, and they won't stop.

Space Weather: The Next Y2K


A few weeks ago the press carried stories of a future "Global Katrina" costing the world economy $2,000 billion, caused by intense solar storms that are due in a year or two. Hardly anyone batted an eyelid. The press buried it in their inside pages. Yet this is a serious problem, researched and reported by respectable scientists.

Perhaps the memory of the Y2K and Swine Flu scares makes us suspicious of doom-laden warnings. If so, then we will have an uphill struggle convincing managers that this is a real phenomenon that requires a fair bit of preparation.

This problem is caused by "space weather", which can affect communications and electricity supplies. Solar storms are forecast to reach a peak in a year or two, the likes of which we haven't seen for a long, long time, well before the Internet, GPS, mobile phones and modern power grids. They weren't around back in 1859 when the last really big solar storm hit, but it did take out telegraph services.

Lloyd's have recently published a 360 Risk Insight report on the subject. It's essential reading for anyone working in security, business continuity or risk management.

Expect a fair bit of disruption to critical services. When will it happen? We don't know for sure. That's what makes it different from Y2K. But there are similarities. We need to examine our supply chains and identify critical services that might be affected and develop appropriate contingency plans.

Yes, it's another Y2K job, though it has yet to appear on the risk registers and heat maps of most enterprises. But watch out for the coming bandwagon. I'm already booked to speak at a conference on the subject later this month.

A poem for Christmas (2)


This year, Imperva have also penned a Christmas poem with a security flavour...

'Twas the CISO Before Christmas

'Twas the night before Christmas, when all through the Net

Every hacker was stirring, engaging in cyber threat.

SQL statements were injected with care,

In hopes that credit card numbers soon would appear.

Security auditors were nestled all snug in their beds,

While visions of audit logs danced in their heads.

And the CISO in his 'kerchief, and I in my cap,

Had just settled our brains for a cross site scripting attack.

When out from the cubicles there arose an Insider,

I sprang from the computer to see what was the matter.

Away to the database I flew like a flash,

Tore open the log files worried about lost corporate cash.

The dim office lights shined on a new iPad

Giving access to sensitive data, turning a good employee bad.

Then, before my eyes, data began to disappear,

Instantly killing holiday cheer.

With access to a file server--a breach!

I knew in a moment no trip to the beach.

The Insider downloading files faster than a bunch of geeks,

We'd be front page New York Times and featured on Wikileaks.

"Now Auditor! Now, CISO! Now, DBA and Network Security Team!

Get on, fast! It's a Christmas Data theft. I wanted to scream!

To the database! To the IT room at the end of the hall!

Now audit away! Audit away! Audit away all!"

As dry leaves that before the wild hurricane fly,

When they meet with an obstacle, mount to the sky.

So up to the house-top the sensitive files flew,

In an iPad full of files heading to Julian Assange--we're so screwed.

And then I heard something, I thought it was a goof

Prancing and pawing, perhaps it came from the roof?

But no, as I drew in my head, and was turning around,

Down the hall the CISO came with a bound.

Dressed for cyber defense, from head to foot,

His clothes were all sweaty, but he stayed put.

A bundle of security tricks he had flung on his back,

He looked like a soldier, ready to counter attack.

His eyes-how they twinkled! His pocket protector, how merry!

His cheeks were like roses, his nose like a cherry!

His droll little mouth was drawn up like a bow,

His face showed he had that data security mojo.

A cell phone he held tight in his fist,

Ready to call the CEO who was going to be pissed.

He had a chubby face and a little round belly,

That shook at every cross site request forgery!

He was stout and plump, a right jolly old security pro,

And I trembled when I saw him, feeling like Homer, "Doh"!

A wink of his eye and a twist of his head,

I realized I had nothing to dread.

He spoke not a word, but went straight to his work,

He pulled a plug and blocked access to the network.

And laying his finger aside of his nose,

Way way way up the corporate ladder he rose!

He sprang to his office, to his team gave a whistle,

And away he flew down the hall like a missile.

But I heard him exclaim, before he turned out the light,

"Merry Christmas to all, and to all a secure-night!"


By Rob Rachwald, Director of Security Strategy at Imperva

It's the instrumentation, stupid


I prefer to avoid clichés, but this snowclone heading seems to best capture the missing dimension in the current debate on cyber defence. Judging by the latest tome from Chatham House, we can expect years of academic posturing on the principles, strategy and ethics of cyber war, while no one seems much interested in addressing the underlying problem of badly designed instrumentation.

This week I saw Barnaby Jack of IOActive in London demonstrating how to hack an ATM. It follows a recent (unrelated) report by a US analyst speculating that a recent spate of ATM failures might have been the result of malware infection. At the same time Symantec published an analysis indicating that the Stuxnet worm appears to have been designed to sabotage uranium enrichment equipment. On top of that we've had claims that China hijacked a huge amount of Internet traffic earlier this year.

These vulnerabilities suggest that Die Hard 4.0 might be more real than we imagine, perhaps even understated in terms of the worst-case damage. The modern world is heavily dependent on process control and supervisory systems. Yet for decades we have been building critical infrastructure with insufficient concern for security. Legacy designs and code appear to be littered with vulnerabilities and far-from-best practices. We've even had one report of a hard-coded password in a SCADA chip.

Isn't it time that Government mandated stricter standards, better architecture, training, code review and testing of systems supporting critical national infrastructure?

Countering cyber attacks


It's good to read that the UK Government is finally waking up to the fact that cyber attacks are a serious threat to the nation. In fact it's always been so. Why? Because we don't build secure platforms and application systems. And we expect users not to create breaches.

The answers are simple, but unlikely to be implemented. First, we must mandate that all important systems are designed from the outset to be resistant to attacks. And, second, we must take account of human error and build appropriate compensating controls into systems.

The safety field discovered these truths many decades ago, and acted on them. Unfortunately, the security community prefers to keep its head in the sand.

Waking up to the emerging cyber security threat landscape


My blog has been very quiet lately as I've been on vacation. I seem to have come back to a changed world, one which has woken up to the reality that industrial process supervisory systems are actually vulnerable to attack by sophisticated malware, such as the Stuxnet worm. It's a new scare to the average citizen, but one that should come as no surprise to any security professional.

I've been concerned about this issue for twenty years, having worked in the oil and gas industry and seen, at first hand, the way that SCADA systems are designed and operated. In the early days, the biggest problem was that the engineers who built them had absolutely no security experience and liked to dial in over unauthenticated links to maintain them.

Even after many of them had been well and truly hacked, by relatively benign hackers, the security solution space was dogged by the fact that their use tended to fall outside the scope of the IT Security function. The primary business concern was safety and reliability, rather than security and sabotage (a mindset that focuses on cock-up more than conspiracy). And these systems were felt to be reasonably well protected, as they used specialised operating systems and private infrastructure. Complacency was further fuelled by an absence of major incidents.

This situation is a typical consequence of our flawed approach to risk management. New technologies don't come equipped with appropriate security countermeasures. Risk assessments are backward-looking, and standards don't emerge until long after associated problems have surfaced. We also apply security to the wrong end of the system development cycle, starting with operational fixes that have an immediate impact, rather than focusing on the root causes of inappropriate security requirements and design principles.

Quick fixes are not good enough to deter a targeted, sophisticated threat from a well-funded, hostile intelligence service. Today's SCADA systems were not designed to withstand zero day attacks from knowledgeable agencies with the capability to exploit the wide range of human weaknesses present in everyday operations. Mitigating such risks demands a step change in the security standards for building and operating systems supporting critical national infrastructure.

In particular, we need to focus on the early stages of the systems design cycle and incorporate plenty of additional defence-in-depth to take account of future increases in the security risk environment. Realising this will be a challenge in the current economic environment, but there is no prudent alternative. We must bite this bullet to get to grips with the new threat environment.

Trends in threats


The latest Kaspersky Labs analysis of Information Security Threats in the Second Quarter of 2010 is essential reading. It's by far the best of the vendor research summaries of malware trends.

This edition has an interesting piece on the ZeuS Trojan, as well as some interesting observations on the growing threat to non-Windows platforms. Most interesting, however, are the remarks about the low level of attacks on Australian machines, which is attributed to the fact that ISPs down under refrain from providing Internet access to computers without antivirus protection or a firewall installed. It's a lesson for the rest of the world.

The Art of Cyberwar


The latest edition of the Economist has a major feature on cyberwar, complete with a sensational image of an explosion in a civilian area, as well as a fascinating tale of a logic bomb. Unfortunately, perhaps seduced by this imagery, it misses the bigger picture of information warfare, which, as I've said before, is more the art of illusion than the science of sabotage. There's certainly plenty of fear, uncertainty and doubt in this feature, however, as well as a good dose of spin.
