February 2009 Archives

McKinnon step closer to extradition

British computer hacker Gary McKinnon has lost the latest round of his battle against extradition to the US.

See http://news.bbc.co.uk/1/hi/uk/7912538.stm

More here: http://community.zdnet.co.uk/blog/0,1000000567,10012233o-2000331828b,00.htm

This now pointless and irrelevant case drags on.

Rats coming out of the sewer

More than two years ago I mentioned on this blog the fact that large networks are likely hosting a variety of nasty things we will probably never become aware of. This is more than just speculation and there's some good supporting evidence in this latest story about another breach of a credit card payment processor which apparently only came to light when, as quoted below:

In most of the latest high-profile breaches, the threat was found only after the forensics team came into the picture. "Existing network security mechanisms remained clueless,"

However, search hard enough on any network and I'll bet you could find some speculative evidence of unauthorised access or malware that really amount to very little of interest. Is there sometimes an over analysis of forensic results when it comes to IT systems? I've seen plenty of vulnerability test reports that over-egg benign issues into something far more serious than they really are.

I'll be interested to see where this story goes.

Joined-up security can save you money

A blog from Colin Beveridge caught my eye and touched a nerve. Colin says:

We need a holistic approach to information security that properly encompasses the social/ cultural aspects, rather than the prevailing exclusive emphasis on security technology.

It's a pipe dream and will remain as such for as long as information security continues to be treated as a separate function of the business, struggling to fight its way out of the IT budget bag.

Colin is dead right, of course: a "joined-up approach" is needed. If only more would listen and take note. In these cash-strapped times a holistic approach to security could save a fortune, as well as making the business more secure.

When cloud computing goes wrong

I'm a fan of cloud computing based applications and services; in fact I use them a lot to organise a whole raft of things I do and need to get done. But at the same time I really do understand that confidentiality is a misnomer and that there's no guarantee of integrity and/or availability. The control I put in place is a strict backup plan to mirror data locally and to a 3rd party online storage facility.

There's no doubt that this does add a performance penalty and additional cost in terms of time and money, but this is what I'm prepared to tolerate as a trade-off for knowing my data is suitably protected. Alas, not everyone is in as good a position as myself...

In late January the social bookmarking service Ma.gnolia.com suffered a catastrophic technical failure that rendered all its users' data irrecoverable. The service did have a data backup facility but it hadn't been set up properly in the first place and hadn't been subsequently tested to ensure it worked as expected.

In the fallout it transpires that the Ma.gnolia.com service was actually being run by a one-man band operating on a shoestring budget with the minimum amount of hardware and software (in this case two Mac OS X servers and four Mac Minis).

All I can really say about this is caveat emptor..... and make sure you have a tested business continuity plan when working in the cloud.

A lesson in low tech for the CIA

A story in today's Times newspaper about the supposed secret use by the CIA of an airbase in Pakistan has an interesting information security angle, in particular because it appears that supporting information for the story comes directly from the Pentagon, which apparently posted details about fuel deliveries to the base on their Defence Energy Support Center website.

One of the best penetration testers I know barely needs to touch any so-called hacking tools to get all the information that he needs to launch his attacks. Most organisations that he deals with have so much information available online, sitting behind public IP addresses, that he's usually achieved most of his objectives simply by using Google, a notebook of lined paper and pencil, and some very strong coffee.

Low-tech research provides the fastest route through high-tech security controls. The Pentagon probably have details of their drone operations under the tightest security within the most secure systems. However, given a journalist's ability to snuffle a story out of the slenderest thread of information, posting information about fuel deliveries to a remote Pakistani airbase on a public website would be like a red rag to a bull.

Public Sector vs Private Sector. Who does security better? Part 4

You're hilarious! A Ford Anglia? Actually, I'm a Morris Minor Series II enthusiast. What more could you want than a British Classic through-and-through that has been exported internationally and become an icon - just like myself ;-)

While I stay on the subject of cars I'd like to ask the following question: how many times have you had to reboot your modern, computer-processor-dependent German motor? Your car might be faster, more aerodynamic, safer at high speed and great with the ladies, but it is symptomatic of the highly integrated technologies at the very heart of our society which are stoking up the biggest vulnerability: over-dependency on new and tightly coupled networks and technologies that are difficult to fully understand and can often react in unknown ways.

Let's get this back on track......

First of all, let's admit that the full scale of private and public sector breaches isn't adequately recorded. No one can say with any degree of certainty how bad, or good, the size of the issue really is. Reporting of data breaches in the private sector has always been downplayed by nervous boards of directors scared (and quite rightly so) of the fallout from their customers and shareholders. With so much at stake, it's much better to sweep it under the carpet and hope that no one notices. I'm not saying that the public sector is any better, but it is important to appreciate that without accurate and reliable breach statistics both our arguments are on shaky ground. The answer of course is a mandatory and legally enforced breach reporting requirement, and maybe this is something we should save for a future online debate.

Second, human error happens everywhere, for example Google's recent blacklisting of the entire Internet. Accidents happen even to the very best, and even with the most thoughtful security controls there will always be residual risk that can't be mitigated away or dealt with. The issue here is whether someone has willingly and knowingly not followed instructions, leading to the data loss or breach. In such a situation there's no excuse, and people who regularly decide not to follow corporate policy really are plonkers. Protecting information assets really is a team sport and we're all in this together.

As for there not being baseline security standards, this is simply not true. BS7799 (now known as ISO/IEC 27001) came into being in 1995 and most recently the Security Policy Framework has been openly published on the Internet. Both are based around solid and mature management processes which are supported by the policy, people, physical and technical aspects of information security. Will these help the public sector better manage information risk? You bet ya! Will they completely remove the possibility of a data breach? No, but then again nothing will. Is the public sector working hard to continually and constantly improve? Absolutely. Is this a big job? Probably the biggest! At least the public sector recognises that there are no silver bullets... anyone who says otherwise is selling something.

And don't forget the public sector probably faces the most sophisticated of all cyber attacks, as reported here and here.

Public Sector vs Private Sector. Who does security better? Part 3

Let's stick to the facts. The public sector has more data breaches. In the six months up to April 2008 there were 62 serious incidents in the public sector against 28 in the private sector (as reported here), and as commented, the private sector incidents are most often the result of sophisticated attacks while the public sector data breaches are almost always the result of a cock-up.

I dislike using the alleged youth of information security as an excuse. Take the following quote: "Despite a growing awareness of computer vulnerability, the current status of computer security in most installations, when compared to the current level of technical sophistication, can most charitably be described as primitive." This actually comes from the very first issue of Computers & Security Journal, published back in 1982. The same article (entitled "Computer Security, A Current Assessment" by Samantha Fordyce), with its references to insider threats and the changing nature of computer vulnerabilities, could easily have been taken to have been written more recently. So, if understanding of the issues was in its infancy 27 years ago, the continued lack of understanding certainly cannot be attributed to the excuse of an industry in its infancy here in the 21st century.

We can also refer to some more recent literature. The Coleman Report, for instance, an independent view of public sector information security published in the middle of last year, stated that the government is "trying to address (information security) challenges", however "adequate mechanisms were not yet in place to support them in achieving this." Much more disconcerting is the fact that the same report states that the government had still not signed off on a set of baseline security standards.

For all the "security theatre" of the private sector, the potential consequences of poor information security keep us on our toes. For my own part, a lack of foresight would be no excuse for poor hindsight in the eyes of the company board if the business were to suffer a serious incident. Information security is a process rather than a project: ongoing, continually evolving, but still with eyes firmly focused on the fundamentals of protecting electronic data that have been around now for the best part of half a century.

Until the public sector can get its head around this approach, it will forever be treating security as another project task that can be completed by setting a deadline, slinging the latest version of ITIL at another set of hapless civil servants, and another bucketload of cash at external consultants.

If security were cars, I'm in something modern, German, with lots of safety features designed in as standard, and good brakes so I can go faster. Duncan, you're in an old Ford Anglia, it's got wobbly wheels, a rusty exhaust, and you'd better hope you don't have any steep hills to go down.

Public Sector vs Private Sector. Who does security better?

You've thrown down the gauntlet and I accept the challenge....

But let's put the problem into context first. Both private and public sector have had equally disastrous data breaches of late, from RBS Worldpay late last year to this month's second hit on Monster.com. From whichever stance either of us takes, both private and public have the growing embarrassment of large scale, technology facilitated (but often people and process faulted), and hugely costly information security breaches. My humble opinion has always been that private and public sector are both in this together and as equally challenged as each other in all the same people, process and technological areas.

The difference becomes clearer when we look at levels of capability maturity in the supporting infrastructure and capacity and I believe that the public sector is head and shoulders above and beyond anything the private sector is doing, or has done in this regard. From the early foresight and initial sponsorship of the development of BS7799 - Information Security Management System to the on-going work of CESG, the National Technical Authority for Information Assurance, the public sector has a long history of investment in, and understanding of, the needs and requirements of robust information security solutions in the widest sense.

Let's face it, information security, and information risk management in particular, is a young, emerging, and by its very nature evolving discipline that has only just started to be better understood and appreciated as we all come to terms with being an information and information infrastructure dependent economy. What better place to be than an environment with a history of coming to terms with these problems and putting in place real solutions, rather than the 'security theatre' that is often seen in the private sector?

Over to you Stuart for your retort.....

Twits on Twitter

Only one word really for US politician Peter Hoekstra, who on a secret visit to Baghdad announced his arrival on Twitter. That word is Plonker. See http://www.computerweekly.com/Articles/2009/02/10/234715/twittering-us-politician-endangers-lives-in-baghdad.htm.

Public Sector vs Private Sector. Who does security better?

Mods against Rockers, Tom and Jerry, Batman versus The Joker....

My partner in blogging and I have one more to add to that list. Duncan is standing up for the public sector, I'm on the side of the private sector.

Public Sector versus Private Sector Information Security. Which is better?

The debate begins here and I'm going to kick it off by stating as a sure fact that the private sector is the superior when it comes to protecting data and implementing decent information security.

The public sector is too steeped in bureaucracy to be flexible, and staffed by too many incumbents encumbered by their historical, organisational and cultural biases which hamper new ways of working in case it upsets their hard-won status-quo. This means that emerging risks and trends are more likely to be ignored until something bad happens. As it did, numerous times within numerous public sector departments ranging from HMRC to the Royal Navy.

Conversely, in the private sector, initiative is encouraged and flexibility to adapt is essential. New risks are quickly assessed and managed. To remain competitive, we get fast access to the latest technologies. Security is bread and butter stuff. If we get it wrong there's the potential to go out of business.

Duncan, over to you. You can argue the opposite but frankly, no-one is going to take your side...


NCC Survey - Protecting Corporate Reputation and Brand

I've been reading with interest the results of the National Computing Centre survey of 98 UK-based organisations entitled Protecting Corporate Reputation and Brand. You can download it here.

Some of the key findings are:

- Most senior managers will readily circumvent corporate policies designed to protect reputation and brand

- Barely half of those surveyed perceive loss of reputation as a high risk

- More than two thirds of companies do not have a formal risk assessment process

More than anything else, the survey highlights the fact that most companies are failing to deliver a set of policies that enable people to actually do their jobs without security getting in the way. It's a challenge, but it can be done if you have a decent process for assessing risk and defining appropriate policy rather than jumping onto the "no you can't do that" bandwagon. The consequences of getting it wrong are that people will go out of their way to circumvent policy which, as we all know, can lead to much greater problems.

Apparently this survey is "catalyst to a national debate on the nature of risk." That'll keep a few old boys busy for a couple of years. In the meantime, I'll carry on promoting a flexible, risk based approach to policy making.

Fraud through the roof?

Seems like David Lacey's first security forecast of 2009 (Fraud hits the roof) is already becoming clearly evident. The FT recently reported that UK corporate losses against publicly reported fraud hit £1.19bn, an increase of 14 per cent year-on-year. Given that we've only just started our economic ice age it is highly probable that this is just the tip of a much larger iceberg.

Given that an insider has the greatest opportunity and knowledge of business processes (and their associated weaknesses) it goes without saying that they are often the prime suspects. And given what they might have at stake, either hiding their existing misdeeds or enhancing their own future financial interests, you can bet their motivation is high. But as economic conditions become tougher, and more organisations are stretched to their financial limits, large scale fraudulent techniques will undoubtedly be exposed, unraveled and pass into the bright light of day.

But I get the funny feeling that I won't be surprised to hear that the next major white collar fraud will have involved lax security controls. Back in 1994 the UK Audit Commission clearly identified that failure to implement and maintain basic internal IT security controls was a primary enabler in computer misuse and abuse, and that this corporate disregard for internal security controls gave rise to opportunity formation for the motivated insider threat.

So David, sportsman's bet about the level of corporate fraud losses in six months' time?


I had the privilege last week to hear an excellent presentation given by Bob Burls on the subject of Botnets. Bob presents an eye opening view over the power and complexity behind the botnet networks, and the damage they can do.

The manner in which botnets have evolved, making them both resilient and persistent, is worrying enough. The ease with which they can be created and controlled is terrifying. User-friendly interfaces provide point-and-click functionality to create and launch new attacks, with the ability to propagate across the world in seconds.

What really stood out though was the satisfaction that comes from digging into the networks, tracing those controlling them and bringing them to justice. Great work if you ask me, and I reckon that anybody thinking of getting into the botnet game should think twice knowing that the likes of Detective Constable Burls are after them.

Soft leaders and hard managers

Last Tuesday evening I went along to one of the regular Computer Weekly 500 Club meetings where Bruno Laquet, CIO of Corus, was giving an interesting talk on the theme of "influencing across the organisation." From the resulting Q&A session, it was clear that many senior IT leaders have some difficulty with this but I wonder whether this is sometimes a deliberate ploy by those who employ them. In other words, corporate management don't want an IT leader with too many bright ideas, just somebody who can keep their critical systems operational and a safe pair of hands. I think a good subject for debate would be "The entrepreneurial CIO - who needs them?"

With that thought still fresh, I got into a discussion a couple of days later about a certain banking group that has recently made their CISO redundant. They've instead opted to rely on an international network of security project managers. Obviously it's an appalling idea. Without co-ordination and control the atrophy will quickly set in. But I couldn't help feeling when I heard the story that maybe there's more to it: perhaps the CISO in question had poor influencing skills and was undervalued. Or maybe he was a git.

Either way, CIO or CISO, the "soft" skills are probably just as important as, if not more important than, the technical skills. Technical skills to build credibility as a manager. People, influencing and entrepreneurial skills to be a leader.

The Dreaded Flux?

A lot of my time this week has been taken up by the Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit group that oversees the Internet's addressing system. I've been reviewing and commenting on an initial report from their Fast Flux Hosting Working Group. It's a comprehensive piece of work that has had considerable input from a wide range of stakeholders.

If you keep up to date in this particular space you'll already know that fast flux hosting is a technique used to increase the resiliency and availability of botnets which are used for criminal phishing operations. As international law enforcement have stepped up their efforts to take down these operations, the criminal fraternity have replied with fast flux peer-to-peer technology to remove single points of failure and dynamically change the Internet location of command-and-control servers. It really is more difficult to hit a fast moving target!
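The defender's side of this is spotting the traits that make a fast-moving target move: very low TTLs, a large and constantly changing set of addresses, spread across many networks. The following Python is an added example (not code from the original post or from the ICANN working group's report) that scores a series of DNS lookups for a domain on those traits; the DNS data and the thresholds are constructed for illustration, and /24 prefixes stand in for the ASN lookup a real tool would do.

```python
"""Fast-flux hosting heuristic over a sequence of DNS A-record lookups.

Added example, not the original post's code. Fast-flux networks rotate
the addresses behind a domain rapidly so that no single host is a point
of failure. Legitimate CDNs share some of these traits (the dual-use
problem), so the result is a review verdict, not a block decision.
All lookups below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed thresholds (assumptions, tune against real traffic).
MAX_FLUX_TTL = 300    # seconds; flux networks keep TTLs very short
MIN_PREFIXES = 5      # distinct /24s seen; proxy for network diversity
MIN_CHURN = 0.5       # fraction of consecutive lookups whose answers differ
MIN_IPS = 3           # distinct addresses before we call it a rotation


@dataclass(frozen=True)
class Lookup:
    """One A-record query result: the TTL served and the addresses returned."""
    ttl: int
    answers: Tuple[str, ...]


def prefix(ip: str, bits: int = 24) -> str:
    """Network prefix of an IPv4 address, e.g. 100.64.1.10 -> 100.64.1.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def flux_metrics(lookups: List[Lookup]) -> Dict[str, float]:
    """Summarise how many addresses/networks a domain used and how fast they change."""
    ips = {ip for lk in lookups for ip in lk.answers}
    prefixes = {prefix(ip) for ip in ips}
    pairs = list(zip(lookups, lookups[1:]))
    changes = sum(1 for a, b in pairs if set(a.answers) != set(b.answers))
    churn = changes / len(pairs) if pairs else 0.0
    return {"ips": len(ips), "prefixes": len(prefixes),
            "min_ttl": min(lk.ttl for lk in lookups), "churn": churn}


def classify(lookups: List[Lookup]) -> str:
    """Verdict for a domain's lookup history; a review aid, not a blocklist."""
    m = flux_metrics(lookups)
    if m["min_ttl"] <= MAX_FLUX_TTL and m["prefixes"] >= MIN_PREFIXES and m["churn"] >= MIN_CHURN:
        return "fast-flux candidate"
    if m["min_ttl"] <= MAX_FLUX_TTL and m["ips"] >= MIN_IPS:
        return "low-TTL rotation (CDN-like, review)"
    return "stable"


# Constructed lookup histories (addresses from shared/documentation ranges).
SAMPLE_LOOKUPS: Dict[str, List[Lookup]] = {
    "flux.example": [  # short TTL, answers rotate across many networks
        Lookup(60, ("100.64.1.10", "100.70.2.20", "100.80.3.30")),
        Lookup(60, ("100.70.2.20", "100.90.4.40", "100.100.5.50")),
        Lookup(60, ("100.90.4.40", "100.110.6.60", "100.120.7.70")),
        Lookup(60, ("100.110.6.60", "100.65.8.80", "100.75.9.90")),
        Lookup(60, ("100.75.9.90", "100.85.10.100", "100.95.11.110")),
    ],
    "cdn.example": [  # short TTL, rotation confined to one /24 (CDN-like)
        Lookup(30, ("198.51.100.1", "198.51.100.2")),
        Lookup(30, ("198.51.100.3", "198.51.100.4")),
        Lookup(30, ("198.51.100.1", "198.51.100.3")),
        Lookup(30, ("198.51.100.2", "198.51.100.4")),
    ],
    "static.example": [Lookup(86400, ("192.0.2.10",))] * 3,  # long TTL, one host
}

if __name__ == "__main__":
    for domain, history in SAMPLE_LOOKUPS.items():
        print(f"{domain:16} {flux_metrics(history)} -> {classify(history)}")
```

A real deployment would feed this from passive DNS logs rather than live queries, and swap the /24 proxy for ASN data before trusting the network-diversity signal.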

Personally, I've always found this interplay between the good and the bad, and the associated 'arms race' fascinating. The constant evolution and exploitation of technology to push criminal sophistication is not only entrepreneurial and innovative, but also ripe for further scholarly study, probably from a criminology perspective.

For the here and now, all this is creating a big headache for the Internet community at large. By itself fast flux hosting is not a bad thing. On the contrary, several premier Internet service providers use the technique to deliver highly resilient and reliable legitimate services to retail and wholesale users. And it is this dual use that is at the heart of defining the problem. There are no clear answers or solutions from ICANN, and I didn't expect there to be for this problem.

What it does highlight is the need for joined-up, cooperative and quick action by the international law enforcement community, and maybe more importantly the need for burden sharing between international law enforcement and ISPs, whichever jurisdiction they are in. I've commented before that we can no longer prevent electronic attack, so the backstop is detection, response and repair. I've also commented before that I believe the Internet is experiencing de-globalisation, but obviously with cyber-crime this just isn't the case.

This issue hasn't been lost on the great and the good. The World Economic Forum have summarised that the

"Cybercriminal has become a full-time (if secret) job title for some, including people with both brains and a top-flight education. Governments are finally beginning to grapple with the problem; however, they are nowhere near being able to come to grips with it. One idea is to establish a national or international authority that puts infected or infectious ISPs (internet service providers) through a quarantine process or sequesters them."
Radical thinking from the Davos crowd!