<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Stuart King&apos;s Security and Risk Management Blog</title>
      <link>http://www.computerweekly.com/blogs/stuart_king/</link>
      <description>Dealing with the operational challenges of information security and risk management</description>
      <language>en</language>
      <copyright>Copyright 2008</copyright>
      <lastBuildDate>Fri, 10 Oct 2008 07:45:00 +0000</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

      
      <item>
         <title>EDS again</title>
         <description><![CDATA[Today EDS stands for Even more Data Stolen, or maybe Encrypt Data, Stupid!<br /><br />See <a href="http://news.bbc.co.uk/1/hi/uk/7662604.stm">http://news.bbc.co.uk/1/hi/uk/7662604.stm</a> <br /><i><br /></i><p class="first">
<i><b>An investigation is under way into the disappearance of a computer
hard drive containing the personal details of about 100,000 of the
Armed Forces. </b></i>
</p><p><i>
The information was being held by EDS, which is the Ministry of Defence's main IT contractor.
</i></p><p><i>
The MoD said the portable hard drive went missing on Wednesday during a priority audit carried out by EDS....It is understood the drive was not encrypted.
</i><br /></p><p>As Oscar Wilde might have said: "<span class="huge"><b><i>To lose one unencrypted disk may be regarded as a misfortune; to lose two looks like carelessness</i></b>", or something like that.</span>
</p><br /> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/10/eds-again.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/10/eds-again.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Misc</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Fri, 10 Oct 2008 07:45:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Application security - don&apos;t forget third party components</title>
         <description><![CDATA[Developers: bless 'em. They do love to download and use stuff from everywhere and anywhere in the name of functionality, time saving, or just to show how clever they are. How much control and oversight does your security group have on the integration of untested and untrusted third party components within in-house developed application code? <br /><br />This week I've seen first hand evidence of what can happen when third party controls are implemented without oversight: a massive memory leak that has brought an entire system to a grinding halt. Ironically, the first thing the organisation in question discovered was that the issue with the particular component is documented and well known even on the vendor's own website.<br /><br />There's some good guidance from OWASP on the subject here: <a href="https://www.owasp.org/index.php/Research_and_assess_security_posture_of_technology_solutions">https://www.owasp.org/index.php/Research_and_assess_security_posture_of_technology_solutions</a>.<br /><br />Some years ago, whilst working as a developer, I installed a component I'd downloaded into the system that I was working on. About three minutes after receiving my code, the QA manager threw it back to me: Where's this in the technical specs? What does it do? Who reviewed it? It's not in the test plan! Two minutes later, I had my tail firmly between my legs after being bollocked by the development manager and was re-writing my code minus the component. We learnt fast back in those days. I'm not sure I can remember the last time I saw a developer write a tech spec! Hell, so far as I know, has not yet frozen over. <br /><br /><br /> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/10/application-security-components.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/10/application-security-components.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Web product security</category>
        
        
         <pubDate>Thu, 09 Oct 2008 18:00:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Open University course on forensics</title>
         <description><![CDATA[Only a couple of weeks to go until I commence a new course through the Open University entitled Computer Forensics and Investigations. You can read more about what this course offers online here <a href="http://www3.open.ac.uk/employment/associate-lecturers/courses/M889.shtm">http://www3.open.ac.uk/employment/associate-lecturers/courses/M889.shtm</a>.<br /><br />While the course will not make me an expert on the subject, it should be a good primer for further work, and give me some extra capability within my own organisation. <br /><br />The Open University is an excellent way to gain new qualifications and I'd recommend it to anyone who can muster up the commitment to study in their own personal time.<br /><br /><br /> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/10/open-university-course-of-fore.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/10/open-university-course-of-fore.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Certification</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Misc</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Thu, 09 Oct 2008 11:45:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Strategy and the business</title>
         <description><![CDATA[Today it's time for my annual information security strategy review. Some of the activities discussed the last time around are now considered to be business as usual - that's a big tick in the right box so far as I am concerned, <span id="ArticleBody">especially as those activities include things that were considered almost new initiatives last year when I first came into this role: network vulnerability testing, patch management and PCI compliance amongst other things.<br /><br />That means I'm much more available now to focus on making information security more transparent. I'm disturbed by recent reports in the press which state that IT security fears are seen as stifling innovation within organisations (see story <a href="http://www.computerweekly.com/Articles/2008/10/03/232546/it-security-fears-are-stifling-business-innovation-at-80-of-firms-worldwide-says.htm">here</a>). This does not need to be the case, and I personally want to be much more engaged within the business, looking for solutions rather than creating problems.<br /><br />An old sage in the industry once commented to me that you shouldn't expect to be popular if you're working in security. I think he actually enjoyed being awkward and saying "no." I have a different approach: I think it's much more important to build relationships and find out what you can do to help projects succeed. Superior products need superior security!<br /><br /><br /><br /><br /></span> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/10/strategy-and-business.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/10/strategy-and-business.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Tue, 07 Oct 2008 09:00:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Incident response - practice makes ready</title>
         <description><![CDATA[It might surprise you to learn that I had no interest in security, computers or IT until I was well into my twenties. In fact I wanted to be a pilot in the RAF but failed the application process and joined the forces out of sheer stubbornness anyway. My first posting after training as an assistant air traffic controller was to a fighter base - RAF Wattisham - in Suffolk. I learnt a fair bit about risk during my time there. Rule number one was to never assume anything. Fast jets move...er...fast! Take your eyes off them for a moment while they're flying around the airfield and you'll quickly lose track of what's going on. <br /><br />Safety processes were critical and drummed in through continual training. In the event of an incident the requirement was to be able to respond instantly and instinctively. These days, incident response at work is rather less likely to be dealing with potentially fatal consequences; however, I still maintain that it's important to have IR processes regularly reviewed and practised. It's the same reason they always tell you to read the flight safety card on an aeroplane. Having just read the card means that you will respond faster in an emergency, because you'll have mentally planned the actions you need to take.<br /><br />So too with incident response plans at work. If you don't review and practise them then no-one will know what to do, or who to call. Of course, I'm preaching to the choir here because you all regularly review your IR procedures. Don't you? Actually, when was the last time that you did?<br /><br />My advice is not to make the plan too specific to any expected incident, keep it short and simple, and focus first on resolution and cause rather than the actual event trigger. My document focuses on incident identification and communications. 
Handling an incident and, more importantly, recovering from it, requires a clearly defined and strict chain of command.<br /><br />My RAF days are a long way behind me, but I meet a lot of people in the security business who are also ex-forces. Only last week I was introduced to another ex-forces person in the industry as being an ex-officer. I quickly corrected the guilty party. I enlisted and worked for my living!<br /><br /><br /> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/10/incident-response.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/10/incident-response.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Mon, 06 Oct 2008 09:30:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Virgin Media data breach highlights the powers of the ICO</title>
         <description><![CDATA[The news that Virgin Media have experienced a data breach is not so interesting as the consequences (see full story <a href="http://www.itpro.co.uk/606699/ico-raps-virgin-media-for-data-breach">here</a>).<br /><br />On reporting the loss of a CD containing 3000 unencrypted customer records, the company has been ordered by the <a href="http://www.ico.gov.uk/">Information Commissioner's Office</a> (ICO) to encrypt all portable media that store or transmit personal data. Note that this instruction also extends to third parties processing data on their behalf.<br /><br />The incident highlights the power and willingness of the ICO to impose sanctions, and also the fact that organisations are now obligated to report any data breaches that involve more than a thousand records.<br /><br />Some of you might not be aware that their powers were recently strengthened following changes to the Criminal Justice and Immigration Act. You can read more about this at <a href="http://www.out-law.com/page-9110">http://www.out-law.com/page-9110</a>. If anyone is left in any doubt about how much power and authority the ICO is now wielding, then simply <a href="http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx">review</a> the organisations recently served with enforcement notices. The list includes government departments, large organisations, and small institutions alike: HMRC, Marks &amp; Spencer, Carphone Warehouse, FCO, and so on. As Virgin Media have just found, it is not difficult to end up on that list.<br /><br /><br /> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/10/virgin-media-ico.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/10/virgin-media-ico.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Compliance</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Fri, 03 Oct 2008 08:00:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Is IT Security dead?</title>
         <description><![CDATA[If the Gartner IT Security Summit is the best the industry has to offer, then IT Security is dead. I've come away from it not merely disappointed, but frustrated. Frustrated that I've been sitting through presentations from speakers reciting the same old woe: lots of malware - we know; financially motivated hackers - no shit, Sherlock; changing risk environment - yawn. It's like watching a weather forecast telling you what the weather has been doing. It rained today. Really? And there was me wondering what that cold, wet, miserable stuff falling out of the sky was. <br /><br />And the answer to all these ills? Buy software! Buy hardware! Buy some more over-priced, under-specced rubbish that you'll never fully implement, never be able to properly integrate into your network because you'll not bother to send your techies on the training course, and you'll forget all about it after three months because nobody knows what it's really doing.<br /><br />Look in the newspapers: today <a href="http://www.computerweekly.com/Articles/2008/09/30/232510/mi6-digital-terror-camera-sold-on-ebay.htm">we read about a camera</a> sold on eBay containing images taken by MI6; yesterday <a href="http://news.bbc.co.uk/1/hi/technology/7635622.stm">we read about somebody</a> who purchased a VPN device from eBay, switched it on and was automatically connected to a local government network. We've had secret documents left on trains, stolen laptops, lost disks, lost memory sticks and so on. What IT security device is going to solve these problems? Answer: none. So why do we keep on putting up with listening to this junk about IT being the solution?<br /><br />Some people get it. For example, <a href="http://i-wareness.com/theiwarenessco_com/kzscripts/default.asp?">Martin Smith</a> and <a href="http://www.computerweekly.com/blogs/david_lacey/">David Lacey</a> have been pushing out the message for years that awareness and training are the foundations of good security. 
And it's cheap. Much cheaper than buying over-hyped and over-priced Data Loss Prevention software, for instance. But I'll bet you'll have an easier time getting the DLP spend past the budget committee. <br /><br />I won't deny that we need to have decent technology, but don't kid yourself that it solves problems. Putting up an umbrella does not stop the rain. And here's the real crux of the matter. Seminars such as this Gartner summit are talking to the wrong people. Telling IT Security people that they need to have better security is like showing porn to a sex addict.<br /><br />There needs to be a business security summit, with not a single techie in the room, where presenters who can do more than draw graphs on PowerPoint and read bullet points off their slides present to an audience of real business influencers and get the right messages across. I'm up for presenting at that one, but who could get the marketing right to draw in the right people? <br /><br /><br />&nbsp;<br /> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/10/itsecurityisdead.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/10/itsecurityisdead.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Wed, 01 Oct 2008 08:00:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Chips and custard</title>
         <description><![CDATA[Two things that definitely do not go together are chips and custard. Unless you're pregnant. Or from Belgium, where I suppose it's not too far removed from smothering your frites with mayo. An old friend of mine actually has a phobia of mayonnaise. I'm not making it up. Put a jar of Hellmann's finest in his fridge and he'll skip all meals until it's gone. <br /><br />This was my rather inappropriate line of thought during the opening keynote at the annual Gartner IT Security Summit today. Twenty minutes after the speaker began his rant about why everything we do is wrong and why everything he has researched is right, I gave up trying to pay attention completely. Thirty minutes later, while I was contemplating what sort of reaction removing my eyes from their sockets, standing up and shouting "look at me" would have in the crowded theatre, he finished and I headed for the coffee.<br /><br />No-one reading this blog will be even remotely interested in anything the presenter, Neil MacDonald, had to say during his pontification on adaptive security infrastructures. <br /><br />One question that came to mind during Martin Smith's excellent presentation on security awareness was this: if security awareness is so effective at reducing risk, what technical controls can I throw out and save money on once I have my successful awareness programme in place? Hmmm....We were treated to a good demonstration of how Unilever have made use of Second Life for spreading the awareness message within their organisation. Got me thinking...<br /><br /> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/09/chips-and-custard.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/09/chips-and-custard.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Network security</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Mon, 29 Sep 2008 18:00:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Breaking websites without touching the application</title>
         <description><![CDATA[<font style="font-size: 0.8em;">Just as there is more than one way to skin a cat, there are many ways to break a web application. When I speak to developers and ask them if they are producing a secure system, the answer I'll get will usually mention validation and SQL Injection and so on. Good stuff. But is it all literally secure?<br /><br />A neat trick I used to use when web security was the main focus of my job was to trawl the Internet looking for information posted by developers working on the system I was interested in. Google Groups, for instance,&nbsp; can be a great place to look for postings made by developers looking for help resolving problems and they often include code snippets (somewhere out there is a question I posted to a programming forum twelve years ago, still there for the world to see. Hopefully the application I was working on at the time isn't!). Finding snippets of code can provide you with a great insight into how the system is being developed and clues as to how to break it.</font><br /><br /><font style="font-size: 0.8em;">These days, of course, developers have their own blogs and belong to various online communities. A fact discussed in this article entitled <a href="http://www.darkreading.com/document.asp?doc_id=164643&amp;WT.svl=news1_1">"Tiger Team member attacks developers, not apps."</a> The article makes the point that with the right amount of reconnaissance, access can be gained to a web application without ever touching it. Chris Nickerson says: </font><i>"Instead of spending time going through the application
first, I figure out who the developers are," he says. "If they have
Twitter accounts, MySpace pages, personal email accounts, and phone
numbers... I start profiling them. I can guarantee I will find code
faster than those who are directly touching the code."<br /></i><font style="font-size: 0.8em;"><br />It's an excellent article that highlights the point that website security is more than just validating input so that the vulnerability scanner gives it a green light, and in fact, is more than just about writing secure code. You also need to consider the security of the code itself and treat it as an asset to be protected.</font><br /><br />]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/09/just-as-there-is-more.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/09/just-as-there-is-more.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Web product security</category>
        
        
         <pubDate>Fri, 26 Sep 2008 09:00:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Value of CISSP status</title>
         <description><![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="CISSP_logo.jpg" src="http://www.computerweekly.com/blogs/stuart_king/CISSP_logo.jpg" class="mt-image-left" style="margin: 0pt 20px 20px 0pt; float: left;" width="75" height="75" /></span>It's been a while since I updated my CISSP certification with CPE credits. In fact, I've not even thought of it, even though I've got plenty accumulated, and I was wondering why I continue to pay the annual subscription fee year after year. Am I getting any value from it?<br /><br />On saying that, I've been giving some encouragement to a techie in the office who is presently working towards his own CISSP certification. Working through the various domains seems to have sparked a deep interest in the subject for him, and I'm pretty sure that by the time he comes to sit the exam he'll have an excellent foundation of relevant knowledge.<br /><br /><a href="https://www.isc2.org/cgi-bin/content.cgi?category=1331">(ISC)²</a> say that the CISSP <b><i>provides information security professionals with not only an objective measure of competence but a globally recognized standard of achievement</i></b>. For my own part, if I'm recruiting a security analyst then I'll favour the CVs of those who have the certificate - in fact, I'd make it a requirement on the job spec. It shows me that it's not just an IT person trying his luck but somebody who has gone out of their way to get professional recognition. It doesn't guarantee they'll be brilliant at their jobs, but it's a good place to start.<br /><br />So, back to the question. Am I getting value from my own certification? Maybe not directly anymore, but it helped get my foot through the right doors when I needed to, and I recognise the work that's required to achieve it. I'm going to submit my CPEs today and bring my account up to date.<br /><br /><br /><br /> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/09/cissp-value.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/09/cissp-value.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Certification</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Thu, 25 Sep 2008 09:00:00 +0000</pubDate>
      </item>
      
      <item>
         <title>BBC Mailing List Compromised</title>
         <description><![CDATA[A point I frequently make is that it's not just the regulated and sensitive data sets that have value and require good control. Simple lists of email addresses and names also have value. No better evidence of this is required than the fact that a BBC mailing list <b><i>of people who had signed up to receive information on next month's Electric 
Proms music festival has been hijacked by hackers and used to send spam for 
anti-impotence medication</i>. </b>See <a href="http://www.information-age.com/home/information-age-today/646696/bbc-mailing-list-hijacked-by-spammers.thtml">http://www.information-age.com/home/information-age-today/646696/bbc-mailing-list-hijacked-by-spammers.thtml</a>.<br /><br />No small amount of embarrassment for the BBC, especially with an MP throwing his weight behind the commentary and calling it a compromise of <b><i>"reputation of integrity and trust.</i></b>"<br /><br />I've just sent a message to cascade throughout my own organisation about this incident. It's good to learn from the misfortune of others. But, as they say, "there but for the grace of God go I..." ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/09/bbc-mailing-list-compromised.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/09/bbc-mailing-list-compromised.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Wed, 24 Sep 2008 14:30:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Unauthorised software on the network</title>
         <description><![CDATA[I spent a good part of a recent day discussing the reasons why I had instructed the removal of certain unauthorised software from a number of PCs on the company network. The arguments that came my way were:<br /><br />- they needed it<br />- we should be accommodating<br />- it's not posing any risk<br /><br />It's all rubbish. They didn't need it. In fact they circumvented a GPO by changing the name of the executable in order to get it working in the first place. The company already provisions suitable software, however that, apparently, was not good enough. Should we be accommodating? Sure! But we also need to remain in control of our corporate network or else there is no hope of the IT department being able to provide support or ensure that PCs remain patched up to date and free of malware.<br /><br />Which brings me onto the last argument given: that there was no risk. It's usually an uninformed one where an individual will state something along the lines of "we had it at my last company" or "I use it at home all the time." Ask them about licensing, configuration, or where to obtain security updates from for it though and you'll get a blank stare in response.<br /><br />Some of you are reading this and about to ask: why are desktops provided with local admin rights anyway? In general, they are not. A certain group of users - web developers - have local admin rights. Unauthorised software is prevented through the Windows GPO but otherwise they have full control. How much more accommodating can we be?<br /><br />The trump card in all such discussions is the risk ownership signature. If you really really want and need the software then we'll fill out a risk assessment, complete a departure from policy form and ask the CIO to sign it off. Funny how the requirement quickly changes under those circumstances.&nbsp;&nbsp; <br /><br /> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/09/unauthorised-software.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/09/unauthorised-software.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Network security</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Wed, 24 Sep 2008 09:00:00 +0000</pubDate>
      </item>
      
      <item>
         <title>There&apos;s a hole in your network and you&apos;re not the first to know...</title>
         <description><![CDATA[<font size="2" face="Verdana, Arial, Helvetica, sans-serif"><font style="font-size: 0.8em;">In the words of the great poet, David Brent (from The Office), "If you can keep your head when all around you have lost theirs, then you probably haven't understood the seriousness of the situation."<br /><br />Years ago, whilst participating in a military exercise, I got caught putting the kettle on at the precise moment we were supposedly under attack from an imaginary enemy. Little wonder my military career never went anywhere. It was a great cup of tea though.<br /><br />The lack of a visible enemy can often make it difficult to justify imposing controls. This is particularly true of network security. Just because nobody has noticed something bad happening doesn't mean that it hasn't. In a blog entitled <a href="http://chuvakin.blogspot.com/2008/09/dumb-luck-is-strategy.html">Dumb Luck IS a Strategy!</a>, Anton Chuvakin makes the excellent point that if you discover a hole on your network, it's highly likely that the same hole has already been found by somebody else, with a variety of probable unseen consequences such as a bot being deployed or a data breach.<br /><br />This view is supported by work done by various honeypot projects. For example, follow <a href="http://www.eweek.com/c/a/Linux-and-Open-Source/Honeypot-Project-Unpatched-Linux-Systems-Last-Longer-than-Windows/1/">this link</a> to read about how a vulnerable Win32 system has a life expectancy measured not in months, but merely in hours.<br /><br />Of course, we first need to know for ourselves that there's actually a hole in the network. Regular scanning is one approach, and I'm sure that Anton will agree that reviewing logs is another. Both require somebody's time and resources, and are exactly the types of task that quickly become useless unless the scan reports and logs are actually analysed by somebody who knows what to look for. 
<br /><br />Once again, we see the problem is people, not technology.<br /></font></font>]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/09/dumb-luck.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/09/dumb-luck.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Network security</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Mon, 22 Sep 2008 09:30:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Hypothetical situation: security incident or not?</title>
         <description><![CDATA[A friend and I were imagining the following hypothetical situation: somebody performs a change to a network service (let's presume it's business critical) which is subsequently out of action for an extended period of time as a result. Documented change control processes were not followed. Is this a security incident?<br /><br />My answer: yes it is. It's non-malicious, but in effect it's a denial-of-service incident that could impact on the company's ability to function. So, there is an operational cost impact. In addition, the fact that the proper change process wasn't followed means that numerous different bits of corporate compliance are likely to be called into question. We could also call into question business continuity processes and wonder how many other unauthorised changes have occurred prior to the event.<br /><br />An opposing view is that it's a management - and disciplinary - issue not requiring the input of the security team. <br /><br />Which side of the fence are you on? Anyone?<br /> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/09/hypothetical-situation.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/09/hypothetical-situation.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Fri, 19 Sep 2008 14:30:00 +0000</pubDate>
      </item>
      
      <item>
         <title>Information security is not recession proof</title>
         <description><![CDATA[I keep getting told how lucky I am to be doing a job perceived to be "recession proof." Personally I don't think this is the case. If the company were to go down then I doubt there would be much room in the lifeboat for security awareness programmes and risk models. Don't take anything for granted these days. <br /><br />Especially don't take it for granted that when somebody says they have lost their laptop computer they really have lost it. I heard some anecdotal evidence yesterday that a number probably end up "re-assigned"...i.e. son/daughter about to go to college. They get the old work laptop and daddy goes to the office and gets a new one. In these hard economic times there's likely to be a lot more of that sort of thing going on. <br /><br />In fact, internal fraud and corruption are both expected to rise. Petty theft is one thing, but data theft is quite another. During the same event yesterday some of the motives behind internal data theft were presented. One particular quote from a convicted fraudster stuck in my mind: "...working in a cold room, paid minimum wage, customers phoning in with their credit card details. I realised I could make more from that information than from my salary." <br /><br />There remains a serious threat from company insiders. See <a href="http://www.computerweekly.com/blogs/stuart_king/2008/08/insider-threat-and-technology.html">my blog</a> from the beginning of August, where I discuss this in more detail.<br /><br /> ]]></description>
         <link>http://www.computerweekly.com/blogs/stuart_king/2008/09/recession-fraud.html</link>
         <guid>http://www.computerweekly.com/blogs/stuart_king/2008/09/recession-fraud.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Security Management</category>
        
        
         <pubDate>Thu, 18 Sep 2008 06:00:00 +0000</pubDate>
      </item>
      
   </channel>
</rss>
