June 2008 Archives

Poynter Report


The Poynter Report into the HMRC incident and subsequent investigation is an excellent insight and a great case-study in Information Security management.

Surprising (at least to me) was the fact that the organisation had neither a Chief Risk Officer nor a CISO. Both have subsequently been recommended in the report.

The report contains a pragmatic and common sense list of 45 recommendations. It's just unfortunate that it took such a serious incident to make it happen. I'll be looking more closely at one or two of those recommendations for my own organisation's benefit....

Web based email and a prediction for the future


I've been following an interesting Q&A thread on LinkedIn where the question is asked "Should business messages be allowed to flow through personal/webmail services?"

What's interesting to note is the difference in opinion between the more technical network security analyst types and those more business orientated individuals.

Security & Systems Engineer: This should not be allowed. Security is tough enough without introducing additional systems that are not under your control

Sr Systems Architect: Business messages should not be allowed to flow through personal services, just as employees should not be doing work on the home computers.

Network and Data Security Architect: Absolutely not. It's unprofessional.

Information Security Specialist: This is a business decision not one for IS engineers

Principal Consultant: while many security researchers and practitioners would be quick to shoot down the suggestion of personal webmail, that's oversimplifying the situation

Chief Information Security Officer: The business owns the data, so they measure the risk and define the acceptable use for that information

This comes back to the point I made a few days ago about not allowing the IT department to set policies. Decisions such as this must come from the business and I wholly agree with the response quoted above from the CISO. If the business decides that it needs to use webmail services for whatever reason then it's up to us to ensure that the risks in doing so are adequately mitigated, communicated, agreed etc. Of course, I might want to recommend a different service from the one being proposed and I would hope that my views on risk would be taken into account (and don't forget to review the terms and conditions too - you want to make sure that you still own your own documentation!).

In this particular question of webmail, there is a much bigger picture to take into account too. "In the cloud" services (PaaS, SaaS) such as Google Apps, web-based email, SFDC and so on will, in my opinion, one day very soon be just as normal in the workplace as Microsoft Word and Exchange-based email are today. We need to adjust our thinking accordingly.

Virgin Media Security Incident


News that Virgin Media is conducting an internal inquiry into why 3,000 customers' bank details were burned to a CD which was then lost passed with little of the fuss usually associated with such incidents. It's been reported on the BreachBlog and a few other sources such as VNU. Maybe it's the relatively small quantity of lost data compared with other recent incidents, or maybe the mainstream press is just starting to get bored with this type of news.

The article on The Register goes on to mention that while the financial cost to customers will be zero, and negligible for Virgin Media, the embarrassment should be massive. Well, they have said that they are very sorry. Does that count?

Social networking pros and cons


The social networking security debate continues. Not just a debate, but a heated debate. I like those the best!

Since I work for an organisation that is actively promoting the benefits of social networking as a legitimate business tool (and building its own community sites such as www.infosecurityadvisor.com) I understand the potential benefits. Being "Lord of Corporate Paranoia" (as I have been affectionately referred to today) I also appreciate the potential security risks.

Can we have our cake and eat it? To some degree, yes, but it very much depends on your organisation, and more granular than that, who within the organisation wants to be using social networking and the messages that are being communicated to them.

The international drinks manufacturer, Diageo, takes a more cautious approach. It will allow some departments to access social networking sites, if they have a business reason for doing so. But it is also aware that social networking has the potential to damage the company's reputation if it is misused by staff at work.

That makes perfect sense to me.

NHS Password Sharing and Business Requirements


I was reading with interest Tony Collins' blog on password sharing in the NHS. In my view the problem is that the system being used was not designed to take into account the way that the customers need to access information. If somebody had bothered to observe and ask about the way that doctors work on the wards then the system would have taken their requirements into account. I'm making a rash and unqualified assumption here, but I've seen plenty of examples where new systems are planned by over-enthusiastic CIOs intent on making their mark but then fail because they forgot to account for the simple fact that nobody actually asked for it!

Recently I was chatting with the IT manager from a branch office of a large organisation. His company has recently implemented a new regional network. Employees within the office are in some disarray because prior to the new network being implemented they were using MSN Messenger for video conferencing with clients. With the new network it's banned under the security policy. Now, I'm not going to get into an argument about what the security risks may or may not be. In fact, it's irrelevant. The reason being that usage of this application was a business requirement and somebody should have taken that requirement into account. The fact that they didn't means a work-around has to be found. It's work-arounds that cause the security issues - and that's precisely what has happened with the NHS system.


IT snooping - what is your team looking at?


A recent survey from Cyber-Ark Software reveals the following information

Whilst you sit there innocently working away, little do you realize that a third of your IT colleagues have been snooping around the network, looking at highly confidential information, such as salary details, M & A plans, people's personal emails, board meeting minutes and other personal information.

...One third of the survey sampled admitted to using their privileged rights to access information that is confidential or sensitive by using the administrative passwords as a means of peeking at information that they are not privy to.

I don't think these results will surprise anyone. In fact, only last month a case of an employee caught in the act snooping on somebody else's email passed by my desk, and I'm sure there are many more that go by unnoticed. Another article here goes into more specifics on employee snooping within an American healthcare business:

Snooping into celebrity health records by workers at UCLA Medical Center sheds light on a largely hidden ailment facing employers: their own people peeking at confidential data.

And then there was the well publicized case about American State Department workers snooping on passport applications.

There are a whole range of controls to suggest but I reckon it's more down to company culture. Having a standard of ethics that all employees have to read is a good start. More fundamentally promoting a decent and open work environment where employees feel valued, get paid a decent wage, and are treated with respect is the best control of all. 

Curiosity however, is human nature. If we want to protect private data from the possibility of access by a snooping IT administrator then we need to also have a decent set of process and technical controls, including auditing. The message needs to be loud and clear that IT staff snooping and accessing resources they have no reason to be viewing will not be tolerated.
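To show what "auditing" of privileged access can look like in practice, here is an added example of my own (not code from the original post, the Cyber-Ark survey, or any product). It scans access-log lines in a constructed `key=value` format and flags reads by administrative accounts of resources classed as sensitive (HR data, board papers, other people's mailboxes) that are not tied to a change or support ticket. The log format, the resource classification and the ticket convention are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log (not real data): one access event per line.
SAMPLE_LOG = """\
2008-06-12T09:14:02 user=jsmith role=admin action=read resource=mailbox:ceo ticket=-
2008-06-12T09:15:10 user=jsmith role=admin action=read resource=mailbox:jsmith ticket=-
2008-06-12T10:02:44 user=rlee role=admin action=read resource=hr:salaries ticket=CHG-1042
2008-06-12T10:30:00 user=amara role=user action=read resource=hr:salaries ticket=-
2008-06-12T11:45:12 user=rlee role=admin action=read resource=board:minutes ticket=-
"""

# Assumed classification: resource prefixes that count as confidential.
SENSITIVE_PREFIXES = ("hr:", "board:", "mailbox:")


@dataclass
class Event:
    ts: str
    user: str
    role: str
    action: str
    resource: str
    ticket: str


def parse_line(line: str) -> Event:
    """Parse '<timestamp> key=value key=value ...' into an Event."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts, kv["user"], kv["role"], kv["action"], kv["resource"], kv["ticket"])


def is_sensitive(resource: str) -> bool:
    return resource.startswith(SENSITIVE_PREFIXES)


def is_own_mailbox(ev: Event) -> bool:
    """An admin reading their own mailbox is normal use, not snooping."""
    return ev.resource == f"mailbox:{ev.user}"


def suspicious_admin_reads(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, resource) for privileged reads of sensitive
    data that carry no ticket reference, i.e. no recorded business reason."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.role != "admin" or ev.action != "read":
            continue
        if not is_sensitive(ev.resource) or is_own_mailbox(ev):
            continue
        if ev.ticket != "-":
            continue  # access was authorised through a ticket
        alerts.append((ev.ts, ev.user, ev.resource))
    return alerts


if __name__ == "__main__":
    for ts, user, resource in suspicious_admin_reads(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user} read {resource} without a ticket")
```

The point of the ticket check is that it turns "we log everything" into something reviewable: the reviewer only has to look at the handful of events where an administrator touched confidential data with no recorded reason, rather than at every log line. The user reading HR data with an ordinary account is deliberately not flagged here; that is an access-control failure for a different control to catch.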

Internet coffee machine hacked


Given all the world's problems: famine, disease, war and so on, thank goodness somebody has come up with the answer to it all. Yes, finally, a coffee machine that can be connected to the Internet. Phew, and there I was thinking that we were all goners.

Of course, life's not quite so easy because no sooner have we plugged the damned thing in than somebody comes along and hacks it. So, while an espresso might be just what you need, chances are you'll be lumbered with a tall latte and bang goes another war in the Middle East.

I won't be buying a Jura F90. I'm happy enough with my low tech kettle. Call me old fashioned.

AV industry sucks


So says the CEO of Trend Micro, Eva Chen, in this new interview where she describes how a cloud-client architecture is the solution to stop malware.

It's good to finally see one of the large anti-malware vendors sticking its neck out and trying to address the problem at source.  Chen says "For me for the last three years I've been feeling that the anti-virus industry sucks. If you have 5.5 million new viruses out there how can you claim this industry is doing the right job?"

Read the full story here.

Broad principles and guaranteed security


I've been looking at the security and risk associated with the development of a new web platform. On asking the lead developer to show me some basic documentation (an architecture diagram and functional spec) I received the following reply in my email:

We operate on the broad principle that we're executing in a secure environment that is provided by the hardware of the infrastructure apart from the exposed servers in the front tier

Sounds like another case of "security bullshit" to me. To cap it all, the person in question goes on to say....

We certainly cannot be compromised by a SQL injection attack as all of our SQL queries are fully parameterized...This is guaranteed by the technologies we use.

I may as well go home then. It sounds to me like there's nothing whatsoever to be concerned about. In fact, I don't know why I even bothered to ask.....

Somebody is about to be brought down to earth. Any developer who believes the above quotes ought to be banned from using a computer and made to sit Clockwork Orange style with their eyelids held open and subjected to all the PowerPoint from the last 5 AppSec conferences. What worries me is that somebody might really believe that it doesn't matter how the code looks because the infrastructure will protect them.

You don't. Do you?
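As an added example (my own code, not from the original post or the developer quoted above), here is what "all of our SQL queries are fully parameterised" does and does not buy you, using Python's sqlite3 module against a constructed three-row table. Binding a value with `?` keeps the input out of the SQL text, so the parameterised lookup is not injectable; but identifiers (a column to sort by, a table name) cannot be bound at all, and a parameter in `ORDER BY` silently becomes a constant string, so that part of the query still needs an allow-list. The table, the data and the function names are assumptions made for the example.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data (not from the original post).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "carol", "admin"), (2, "alice", "user"), (3, "bob", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """String concatenation: the caller's input becomes part of the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Bound parameter: the input is only ever treated as a value, never as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers cannot be parameterised, so the only safe option is an allow-list.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> List[str]:
    """Sort by a caller-chosen column, accepting only known column names."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [r[0] for r in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


def list_users_sorted_naive(conn: sqlite3.Connection, column: str) -> List[str]:
    """What happens if you try to bind the column name anyway: 'ORDER BY ?'
    sorts by a constant string, so every row has the same key and the result
    is not actually sorted by the requested column."""
    return [r[0] for r in conn.execute("SELECT name FROM users ORDER BY ?", (column,))]


if __name__ == "__main__":
    db = make_db()
    print(find_user_param(db, "bob"))          # [(3, 'bob')]
    print(list_users_sorted(db, "name"))       # ['alice', 'bob', 'carol']
    print(list_users_sorted_naive(db, "name")) # order is not by name
```

The tautology input in the test below is the textbook demonstration that the concatenated version returns every row; the parameterised version returns nothing for the same input because it is looking for a user literally called that. Parameterisation is necessary, but "guaranteed by the technologies we use" still leaves the identifier problem, stored procedures that build SQL internally, and everything that is not SQL injection at all.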

Security scare insight


An excellent and insightful blog from one Peter Cochrane who describes what happened when he mislaid a couple of hard drives containing more than 100GB of information. Read it here:

..security measures have to be continually reviewed in the context of a back-drop of accelerating technology, deviousness and social complexity that increasingly puts us all at risk.

Well worth your while to read through the whole article.

Website Security, Application Firewalls, and Auditing at a Glance


A good article here on "at a glance" website auditing.

Take a look at any Website. Just by looking at the URL bar, I can glean several things right off the bat. If the site does a redirection to another page, it might show a file extension like ".aspx" or ".php." In my experience, a .aspx extension generally implies that there are fewer cross-site request forgeries, fewer cross-site scripting vulnerabilities, and fewer login problems than a .asp classic site. And the HTTP headers help to tell what type of machine the Web server is.

It's not perfect science but it's a good place to start.

Reading that piece led me to another article somewhat related to one I wrote a few weeks ago that led to accusations of madness being levelled against me. In my blog "We can't write secure code" (May 16th) I claimed that "systems are simply too complicated with too many lines of code for anyone to expect that they can be released without containing bugs and security holes". In Developer's Dilemma, this theme is taken further:

We are at an interesting tipping point. On one hand, we are training our development teams to work faster, and usually with less quality, in an effort to quickly iterate on our code. Yet such haste pretty much eliminates the effort to analyze and fine-tune the code to reduce security issues.

It's another argument in favour of Web Application Firewalls. We can't develop faster and be more secure at the same time, so we need to put the security at a layer in front of the code. In fact, even OWASP agree. See this PowerPoint presentation from AppSec 2006 where Ivan Ristic states that web application firewalls are "an important building block in every HTTP network."

At this very moment I'm reviewing a report I've been given relating to the security of a website. All the usual suspects are present: SQL Injection, Cross site scripting, error messages, and so on. It's a production product, taking in and reporting live data. Fix the bugs or a WAF? We can't take the site down and can only afford to do one or the other. I know where I'll be saying we should be spending the money.

Arrested for blogging


64 bloggers have been arrested in various parts of the world since 2003. A new report reveals that the majority of incidents took place in the Middle East and Asia with some in North America and Western Europe.

In China and Egypt arrests were for things such as taking part in a protest against constitutional amendments or for writing about human rights. Here in the UK a blogger was arrested for incitement of racial hatred, while in the USA one blogger was arrested for videotaping a burning police car and another for terrorism.

Never before has it been so easy to publish thoughts and opinions, and I suppose consequently more individuals will be publishing words considered to be offensive or constituting a crime. 

I hope there will continue to be brave individuals speaking out for human rights just as much as I hope that our own government will continue to come down hard on prejudice and racial hatred. I think the balance is right in this country.

Read the BBC story on the subject here.

McKinnon: my two cents worth


I can't make up my mind about Gary McKinnon. On the one hand he's portrayed by the US authorities as a serious threat to national security, on the other he sells himself as a curious but benign hacker seeking information about UFOs.

Now we hear that he broke into more than 73,000 US government computers, including those of the US Army, Navy and Nasa, and deleted critical data.

The indictment claims that McKinnon caused a network in the Washington D.C. area to shutdown, resulting in the total loss of Internet access and e-mail service to approximately 2000 users for three days. The estimated loss to the various military organizations, NASA and the private businesses is approximately $900,000.

The fact that the American systems were apparently so easy for a hacker to penetrate and damage doesn't seem to have been raised as an issue but that's not so important as the fact that there is no reason why the authorities should believe his stories about searching for evidence of anti-gravity propulsion systems and extraterrestrial technology (among other things he claims to have seen pictures of alien spacecraft on a Nasa system as cited here). So far as they are concerned, an unauthorised individual hacked and damaged a military system. In the mind of the average paranoid Yank, he may just as well have set about burning the Stars and Stripes on the steps of the Supreme Court.

I was reading an interview that McKinnon gave to Jon Ronson of The Guardian back in 2005. I think that Ronson sums up very nicely when he states: he is indeed a complete idiot.

Let the courts decide. We've got more interesting and important things to be concerned about. 

Data Breach Investigations - Watch your partners


At the start of this year I wrote a blog entitled "What CIOs should be doing about security in 2008" listing the top key security topics for CIOs to be thinking about this year.

Number two on my list was Security of third parties and partners. This advice is validated by a report  (PDF download) just released from Verizon which finds that 39% of data breaches (out of a study of more than 500) over the past four years involved business partners.

A difficult question to consider is what to do when such an incident occurs. Do you simply drop the partner and find a new one? That's not going to be easy if there are a lot of business processes and systems tied up in the relationship, not considering all the other political and contractual aspects likely to be present.

I don't think there's a simple answer. Probably best in the first instance to discuss the situation with the partner. If they are willing to be open and honest about the nature of the incident and the subsequent actions they've taken to fix vulnerabilities then that's a good start and at least indicates their acknowledgement that they take what's happened seriously.

Consider also your own processes. How far did you go in ascertaining the partner's security prior to forming the relationship? I frequently find that we are simply not very good at asking partners the right questions - in fact, the process falls over from the start because the information security team is probably not even consulted before the contract is signed.

We need to stop being coy about asking probing questions about the systems and processes our partners use. I ask almost the same set of questions that I use to ascertain the risk status of one of my own company's business units.

Unfortunately the Verizon report is rather fuzzy when it comes to making any recommendations on this subject but that's not to be critical of the work that went into creating it. The facts and figures speak for themselves. 

The role of HR in Information Security


This turns out to be a more controversial subject than I had thought. My opinion is that the HR department is an essential ally for ensuring that information security policies are correctly presented, documented, communicated and enforced. Conversely I've encountered HR professionals who think nothing of the sort and in fact, have little or no idea about why it's something they even need to know about.

It's by no means a new subject. A couple of years ago Computer Weekly discussed it here and the point was made that "HR directors do not understand the potential risk [to security] that is presented by new technologies. There is a lack of education in the HR world about IT". A survey discussed in Personnel Today, the journal for HR professionals, back in 2004 stated that despite "91 per cent of respondents saying that IT security was very important, only 28 per cent cited the need to better educate and train their staff on IT security as a top initiative." More recently, that same journal has been strongly advocating the role of HR in being key to preventing data breaches:

"..policies should be published and made accessible to all employees in terms they can understand, and if companies are serious about protecting their data, employees, even directors, should face serious disciplinary action if they are found to be contravening these policies....And as an HR director, if you aren't getting any direction from the board, you should be bashing down the door demanding something be done."

There's an interesting opinion piece here in Computer World (by Jon Espenschied) entitled "Four good reasons for security to talk to HR". I particularly like the point made that "the role of the ISO or IT manager is to document events, not judge them. " The final reference for this blog is the results of a National Computing Centre survey (.pdf file) which concludes that "organisations are not aligning HR with security governance."

For my own part, I'm taking steps to ensure that I have an HR person contributing to my security committee. That way, I get buy-in to new employee-focused policies and that all-important non-technical view.

Cabinet Office Terror Files - Inquiry Results Here


The latest incident relating to the "terror files" being left on a train shows that in spite of, or despite, all the best technical controls, security awareness messages and everything else we do to preserve confidentiality, there will always be some muppet who thinks the rules don't apply to him.

There's little we can really do about it except acknowledge the risk. The results of my thirty second inquiry into the incident are that the fault is, in my opinion, completely with the individual concerned. He had authority to take documents out of the office and he blew it. No doubt the cabinet office will spend slightly more time and money on a lengthy inquiry which I predict will conclude that "processes failed and additional measures will be taken in the future to prevent a repeat occurrence."

There's no reason why anybody really needs to be sitting on public transport reading confidential documents either in paper form or on a computer screen. In fact one of my very first article submissions to Computer Weekly back in 2002 was on this very subject (read "What the hacker saw" here). I still enjoy sneaking a glance at what others are looking at on their computer screens on the train. If it's private then look at it in a private place!

Is your IT manager a security dictator?

There are a couple of things that I take exception to. Number one is the IT department thinking that it can determine company policy, number two is communication of policies that simply don't exist.

An example would be something along the lines of an IT manager dictating that nobody in the company will use Instant Messaging because it poses a security risk. Was any consideration given to either what the business needs are, or to the risks that are being mitigated through having the policy?

It is possible that various departments need (or want - it's not for the IT Manager to decide) to use instant messaging for communicating with clients. What should happen in all cases is that if there is a requirement within the business to utilize a particular service or solution then it must be the job of the IT department to provision it in a way that's cost effective, secure, taking relevant risk into account, or make a very good case for why it can't be done and propose alternatives.

Secondly, we have the case of the "you can't do that because it's company policy" scenario when the policy has been neither documented nor justified on the basis of risk. If the policy is not documented then it doesn't exist. Stating that something is policy implies there are consequences for non-compliance: disconnection, loss of privileges, disciplinary action etc. If any policy is to be enforced then it must be written down and it must be based on there being a good reason for having it.

One of the challenges in managing security is to ensure that we don't end up with a tail wagging the dog scenario. The business should be leading with its requirements for services and facilities that help it make a profit. The security team and the IT department should be working together to make sure that those requirements can be met securely. At the end of the day my salary is paid for by the good people in the company who generate the profits - I see my job being to help them make more not to be getting in the way!

Insect security


I've read some rubbish in my time, and probably even been responsible for writing some, however does this qualify as the biggest load of security bullshit of all? I find the most surprising security wisdom in the insect world..It's common to find insect countermeasures that are non-obvious, but nonetheless effective...When two-spotted spider mites attack them, the plants emit a chemical distress signal....Yes, the plants have evolved to call in air strikes against their attackers.

And the pseud guilty of this pompous and pretentious claptrap is....none other than the highly respected but clearly mad Bruce Schneier! Read the complete interview - if you can bear to - in CSO Online here. "...thinking rationally and making intelligent trade-offs. That's what separates us from the rest of the animals. We can override our fear, our fight-or-flight mentality. We can reason. We can think."

Yes, quite. Steady now.

Hairdressing and security reports


That's just about the end of my gallivanting around South-East Asia. In fact, as I write this blog I'm sitting in a hotel room in damp and chilly Sydney, Australia recovering from attending the Hair Expo Gala Night! Hair Expo is one of my organisation's more glamorous events and the gala was billed as being "the place to be seen." While I admittedly don't get too excited about hairdressing, one has to admit that it certainly attracts a more glamorous crowd than Infosec - especially as last night's event had Tim Hartley, a hairdressing phenomenon and one of the most influential stylists of his generation, as the guest star.

By the time you read this I'll be well into my journey home, stopping off in Singapore on the way. It will then just be left for me to write up a report for my management on the observations and recommendations from my business unit visits. This is no easy task: one has to be careful not to overstate risk and, conversely, not ignore it. We need to keep the focus on what's important to the business: money!

I expect that some of my report will prove to be contentious. I'm not averse to sticking my neck out and management expect an honest appraisal. I'd much prefer to bring a difficult subject out into the open for discussion than leave potential risk simmering in an unattended pot.

Is Data Loss Prevention Really Possible?


A friend and I were debating whether it is really possible to prevent data leakage. Personally I think it's impossible to know an organisation's rate of data leakage.

One of the problems is that the easier it is to copy data, the harder it is to control. I recall that back in my military days we had a process to manually log all signals classified as restricted or secret that came off the teleprinter, record each and every copy that was made, and identify to whom those copies had been distributed. Each recipient down the line would have been required to do the same. Even with such tight controls in place, the documents would still get mislaid and go missing. And goodness only knows how many copies were really being made and, of those copies, how many were being logged.

In the corporate world data is completely out of control. I don't think we can stop data leakage, and the only way that we can have influence on the likelihood of it occurring is through a couple of fundamental controls, namely

1. Reduce and limit access to data

2. Control the "copyability" of data

That's all fine if the data is stored within systems that provide suitable controls but it's actually more likely to be in spreadsheets or other office document formats, on XML data streams, sitting in an email, in the fax machine, or on a forgotten print-out that went to the wrong printer on the wrong floor. It's also sitting on systems that we don't own belonging to the third parties we entrust to store our data. What do we know about the processes they have in place? We really have lost the game and the increasing number of data leakage incidents prove it. I'm sure that most, if not all, of the organisations we see being reported as having suffered a data leakage have processes in place that are supposed to prevent them from happening.

One of the errors we make is that we place emphasis on deliberate and malicious data theft while the reality is that most of it is accidental. And all we generally do to prevent accidental data leakage is stick up a few posters now and again that have inane captions on them such as "think before you click." Click what?

Investment in technical controls (to monitor and prevent data being copied and printed) together with an eye-catching and relevant security awareness program are, I think, the most effective ways to mitigate risks associated with data leakage. There are also process based controls that need to be managed such as ensuring that the right levels of access are being granted to the right people, and of course, using encryption for data when it's on mobile devices.

All that said, we also need to plan for when the incident happens. Let's assume the worst and ensure that when it happens we're ready for it and have the right people putting out the right messages.

HSBC in the news yet again


Two more data breach incidents affecting HSBC. "Personal information" in Canada, and "credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers" in the UK. Full details here.

Are smartphones a 'bigger security risk' than laptops?


According to this article on NetworkWorld "smartphones are seen as more of a security risk than laptops and mobile storage devices." Apparently some 94% of senior IT staff fear PDAs present a security risk, just above the 88% who highlighted mobile storage devices as a worry.

The problem with the research is that it was conducted with IT staff. In my experience the IT department is the worst of all to rely on for determining what the biggest risks to the business are. And more often than not they are also the department likely to be the most flippant in their attitude to risk.

You're probably more likely to lose your smartphone by accidentally flushing it down the lavatory than having it stolen by an opportunist intent on stealing any data that's on it (see David Lacey's blog on that very subject here). However let's not lose track of the point that smartphones are yet another extension of our perimeter and need to be managed as such with a decent set of policies and security awareness messages to those carrying them around. In fact my opinion is that they only pose a security risk if companies ignore fundamental rules.

I do not rate the security risk as being greater than for laptops. In fact, if truth be told, in my role as a risk manager, they do not yet feature on my list of business concerns. But I'm open minded on the matter. Perhaps the IT department can give me their view?

President Bush clarifies FACTA


Known as "that Moron in the White House" by my American father-in-law, President Bush yesterday signed into law a couple of things that you might have missed.

H.R. 2356, which encourages the display of the flag of the United States on Father's Day;

S.J.Res. 17, which encourages the United States to initiate international discussions with other Arctic nations to negotiate an agreement for managing migratory and transboundary fish stocks in the Arctic Ocean.

H.R. 4008, the "Credit and Debit Card Receipt Clarification Act of 2007," which specifies that certain entities that printed an expiration date on certain credit and debit card receipts were not in willful noncompliance with the Fair Credit Reporting Act;

Were you aware of that last one? It relates to FACTA - the Fair Credit Reporting Act - which, amongst other things states:

Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.

Any American consumer who purchases goods or services from an American based company has a right to take legal action if the receipt from a credit card transaction shows either more than the last 5 digits of the credit card number or the card expiry date. And there are quite significant fines at stake as well. According to this document, Costco, California Pizza Kitchen, FedEx Kinko's, IKEA, Wendy's, TGI Friday's, T.J. Maxx, and Radisson Hotels (among others) are all defending against FACTA class action lawsuits.

According to the receipts I'm presently carrying around with me Starbucks and Sheraton Hotels should be very wary too! It's unfortunately all too true and if you're doing business in America then you need to be aware of this legislation and check whether or not your business is compliant. 
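Since the point is "check whether or not your business is compliant", here is an added example of my own (not code from the original post or any of the companies named) that does the two things the quoted statutory text calls for: it renders the card number on a receipt with no more than the last 5 digits and no expiry date, and it scans receipt text for the three ways of getting it wrong (a full card number, more than 5 trailing digits, or a printed expiry date). The receipt text, the card number (a well-known test number, not a real card) and the function names are assumptions made for the example; the expiry check is a keyword-based heuristic, not a legal test.

```python
import re
from typing import List


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs
    (order numbers, phone numbers) on a receipt."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep: int = 5) -> str:
    """Render a card number as the quoted rule allows: at most the last `keep` digits."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep) + digits[-keep:]


def receipt_lines(merchant: str, pan: str, amount: float) -> List[str]:
    """Card section of a receipt: truncated number, amount, and no expiry date at all."""
    return [merchant, f"Card: {truncate_pan(pan)}", f"Total: {amount:.2f}"]


# Heuristics for scanning printed receipt text (assumptions, not statute).
FULL_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")          # 13-19 digits, spaces/dashes allowed
OVER_TRUNCATED = re.compile(r"[*xX#]{2,}[ -]?((?:\d[ -]?){6,})")    # mask followed by 6+ digits
EXPIRY = re.compile(r"\bexp\w*\.?\s*:?\s*(?:0[1-9]|1[0-2])\s*/\s*\d{2,4}", re.IGNORECASE)


def find_receipt_issues(text: str) -> List[str]:
    """Return a list of problems found in receipt text; empty means nothing was flagged."""
    issues = []
    for m in FULL_PAN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):  # skip long numbers that are not card numbers
            issues.append(f"full card number printed: {m.group(0).strip()}")
    for m in OVER_TRUNCATED.finditer(text):
        shown = re.sub(r"\D", "", m.group(1))
        if len(shown) > 5:
            issues.append(f"{len(shown)} trailing digits shown (limit is 5)")
    if EXPIRY.search(text):
        issues.append("expiry date printed")
    return issues


# Constructed receipts for the demonstration.
BAD_RECEIPT = "Constructed Coffee Co\nCard: 5555 5555 5555 4444  Exp: 09/10\nTotal: 12.50"
GOOD_RECEIPT = "\n".join(receipt_lines("Constructed Coffee Co", "5555 5555 5555 4444", 12.50))

if __name__ == "__main__":
    print(find_receipt_issues(BAD_RECEIPT))   # two issues
    print(find_receipt_issues(GOOD_RECEIPT))  # []
```

The Luhn filter keeps the scanner from shouting about every 13-digit order reference, and the expiry check deliberately looks for an "Exp" label rather than any `MM/YY`-shaped string, because transaction dates on the same receipt would otherwise be flagged. Both are trade-offs: a receipt that prints the expiry date without a label will slip past, so a sample of real receipts should still be read by a human.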

One night in Bangkok


[Photo: CIMG2469.JPG, the traffic queue outside the office block]

The latest installment in my grand tour of South East Asia is from Bangkok where I've been spending time with a part of the business that organises some very successful exhibitions within Thailand and Vietnam.

The photograph is of the traffic queue outside the office block. I was able to bypass the traffic by making use of a river taxi and then connecting to the excellent (and, thankfully, air conditioned) Bangkok Skytrain.

A recurring theme of this trip is my being introduced as the "IT Security Director." I've been quick to allay any expectations that I'm only interested in IT related aspects of security and that my role and interests cover the full scope of information security. This has ensured that I've also had an audience with those responsible for HR, marketing, project management, and finance.

Without going into specifics, the biggest risks encountered during this trip to date have been where control of data is outside of company networks. However, that isn't by any means something unique to this part of the world. In fact, I've been very pleased with the effort that has gone into security in most of the locations I've been to. What I have encountered that is different to what is often found in the UK is a pride in getting the job done properly regardless of how menial or unimportant it might seem to be.

Next stop is my favorite place in the world: Hong Kong. See you there!
