Network security Archives

January 4, 2007

Rats in a sewer...

How many botnets reside within your network? Are you worried about the almost certain fact that they do?

I described it to a colleague today as being similar to rats in a sewer. These insidious creatures crawl around within the dark tunnels of our global network, usually remaining out of sight. We know they are there but unless we go on a hunt it's unlikely we'll actually see them. My colleague's view on the matter is as follows:

"So in infosec nuisance malware is just that, but must not be allowed to take the focus. The focus needs to be what matters, the effects on the company and its information/reputation. So this comes down to managing the risks and knowing what the critical assets are rather than trying to protect every device and scrap of information as equals. … you have as much hope of protecting everything perfectly as removing the rats from the sewers of London."

It's a view I fully agree with. Instead of chasing rats, focus on protecting assets. We have little choice but to live with the nasty stuff so be aware that it is there, mitigate risk as far as you can, and don't spend too much time trudging through the sewers because it's not very nice down there!

There's some more information on botnets here, including a link to an interview with a botnet owner - won't his parents just be so proud!

http://www.wormblog.com/2006/03/an_inside_look_.html (an excellent blog)
http://www.mckeay.net/secure/2006/02/botnet_owner_interview.html
http://www.schneier.com/blog/archives/2005/12/dutch_botnet.html


January 11, 2007

Incident definition and response

Another news story suggesting that a hacker "may have breached" information but that personal information "was not compromised." If you want to read the full story then go here. I'm not sure it's even a story worth reporting. This particular university has a large computer science department - so we have a large number of students, with access to huge computer facilities, and they get surprised when they find "unauthorized movies and games on the network." Not exactly a case worthy of Sherlock Holmes.

But it does raise the issue of what comprises an incident, how we identify and categorise an incident, and what is an appropriate response. I found this definition of an incident here:

An Information Security incident is an event which appears to be a breach of the organisation's Information Security safeguards.

Going back to America, here is the definition from the Commonwealth of Virginia website at http://www.vita.virginia.gov/security/incident/guidance.cfm:

Incident refers to an adverse event in an information system, network, and/or workstation, or the threat of the occurrence of such an event.

Taking this further, it goes on to state:

An event is any observable occurrence in a system, network, and/or workstation.
Actually, I think the guidance on this website is pretty good common sense stuff. But back to the original point: would you call in the police in the case of a server compromise where no private data has been compromised but you know that an attacker has been able to create accounts and upload files? Well I have a professional approach and a personal opinion. My personal opinion is that our law enforcement have better things to do than chase after miscreants who have found an unpatched hole into a server and use it as their own personal file store: in this case we shouldn't have opened the hole in the first place. We can argue the ethics some other time but let's fix the problem rather than create another one by mounting an expensive and time consuming investigation when we also have a business to focus on. We need to use discretion and common sense and not always blindly follow a policy.

Anyway, to finish off, here's an interesting blog on incident response for the more technically minded: http://windowsir.blogspot.com/. Lots of links to other resources and some good narrative too.

February 5, 2007

Vista views

I've been trying to sort out my opinion on how worried I think we should be over the Microsoft Vista speech recognition security hole as reported here by the BBC. On the one hand it would appear to be a "technically possible" but unlikely risk; on the other hand, after hearing so much about how secure Vista is going to be and drinking the "trustworthy computing initiative" Kool-Aid, I'm concerned that we will see a lot more reports of Vista security problems. SC Magazine reports Microsoft's Adrian Stone as saying "While we are taking the reports seriously and investigating them accordingly, I am confident in saying that there is little, if any, need to worry about the effects of this issue on your new Windows Vista installation." Well, that's all fair enough and I don't doubt Adrian's word. However, I do think that there is cause to be worried.

The reason is that despite the focus on quality of code, the embedded security within the lifecycle, the review and testing process, the whole focus on security, security and more security from Microsoft, a few days after release of their new flagship consumer product, an exploit is apparently discovered that might allow someone to delete files simply by uttering the word "delete."

More to the point though, it's not just Vista that I'm worried about because this is evidence that despite all the best efforts - and I give Microsoft a good deal of credit for their security initiatives and have mentioned before how much value I get from their associated tools such as the threat modelling software - having a goal of eradicating all security bugs is going to be nigh on impossible to achieve.

The nay-sayers will continue to try to put Vista down. Personally I'm with Ed Bott and his blog on the features that sell the software, but I hope that he hasn't spoken too soon when he says there has so far been no "devastating security breaches." However, from a risk management perspective, the jury is going to be out for a while yet. Richard Stiennon of Fortinet, who keeps a blog here, makes the comment that reportedly "you can already purchase Vista zero day exploits on the web." Now, while I'm generally suspicious of comments made by a vendor of IPS solutions about problems that would be resolved by an IPS solution, I have some measure of respect for Richard's opinion.

So, this is a rather garbled, unstructured, blog entry on a subject that will remain a topic of debate and discussion. Maybe it will have triggered one or two questions in your own mind. To close this one off I'll refer you to Mark Curphey's other blog and this amusing cartoon take on Microsoft's entry into the desktop security market...

February 9, 2007

Portable wireless hacking device

Did you see this gadget, on show at the RSA Security Conference? It's "a portable hacking device that can search for and join 802.11 (Wi-Fi) access points, scan other connections for open ports, and automatically launch code execution exploits from a built-in exploit platform." One of the scenarios created through this device is the ability "to scan every machine on every wireless network for file shares and download anything of interest to the device. Then just put it in your suit pocket and walk through your target's office space..." Read more about this here, where Immunity CEO Dave Aitel makes the important point that "There's wireless testing. Then there's pen testing. Those are very separate things. With this, we're joining those two things."

The device can clearly be used for the purpose of testing one's own environment but I was pondering on the potential threats that this device might pose. It makes for a stealthy way to attack security within an office environment and perhaps just as worrying is the threat it might pose to workers who are getting into the habit of sitting in the coffee-shop and on other public Wi-Fi networks to catch up on work.

And here's a comment I found on Slashdot

Activate one of these devices and drop it in at the post office addressed to yourself. It'll ride in postal delivery vehicles, stopping in front of each house long enough to do some serious searching until it reaches yours. Then unwrap and see what you've harvested. Only cost is the postage and packing, virtually no gas or calories from you.

Quite, we've got to watch that calorie burn!

February 12, 2007

Zero day attacks

A couple of years ago I, along with the team I worked with, assessed zero-day malware as potentially the biggest risk faced by our business. In fact I wrote up a white paper based on research I performed at the time where I stated that "there is a serious danger to the organisation from blended-threats and zero-day exploits" and went on to say that the impact of such could be "catastrophic."

The time frame over which my paper made the prediction of catastrophe has passed and we're yet to see the likes of the type of attack that we imagined at that time. We are, however, seeing zero-day vulnerabilities being exploited, such as the latest Word vulnerability as reported here on the Computer Security News Portal and the PowerPoint one discussed by Bruce Schneier here, and we also often hear stories like the one I mentioned in my blog a few days ago when I reported that "you can already purchase Vista zero day exploits on the web" (see my Feb 5 entry). This blog article is also typical of the types of report we are getting used to seeing. Such news is no longer a surprise and it no longer causes panic beyond the usual warnings and guidance.

The truth is that zero-day attacks so far have not had dire consequences for our ability to go about our business. We've yet to see the devastating malicious payload, and at the same time our defences have strengthened and our networks have become more resilient to attack. Should we still be so worried? This article on the Internet News site makes this point about the motives behind malware: "Hacking is not about getting your 15 minutes of fame anymore. Cybercrime is a multi-million dollar global business." It's a good point because we're led to believe that many of the individuals writing malware are increasingly motivated by financial gain and the "return on attack" as opposed to simply causing damage for damage's sake. It therefore follows that where zero-days are being exploited, there's a likelihood that it's happening in a relatively stealthy fashion.

However, some people are still worried. In a recent article published in Network Security Journal, Georgios Portokalidis and Herbert Bos state "new breeds of worms are expected to spread to millions of hosts in minutes, if not seconds" and that our existing systems of detection and prevention are too prone to false positives, unable to check for variance in worm signatures, and only effective against known malware as opposed to zero-day attacks. They go on to discuss a system called Sweetbait which addresses "the problem of fast worms by means of honeypots." The paper makes for interesting reading and the full citation is as follows:

SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots
Computer Networks, Volume 51, Issue 5, 11 April 2007, Pages 1256-1274
Georgios Portokalidis and Herbert Bos

February 28, 2007

Desktop AV - is Vista enough?

Do the anti-malware controls built into Windows Vista mean that we can begin to think about reducing the amount we spend on third party desktop AV products? Discuss!

I'm sitting on the fence on this issue - so far. On the one hand there are opinions of the sort being aired on The Register, as evidenced in this article by Thomas E Green who says "don't rush out to buy Vista in hopes of getting much in return security-wise"; on the other there is this mostly positive - and somewhat critical - well-written review from Joanna Rutkowska, who concludes by stating "Microsoft did a good job with securing Vista."

Did they? Have they? What do you think?


March 1, 2007

Thoughts on UTM

We've been having some discussions here about UTM (Unified Threat Management) devices. For those of you who don't know, UTM appliances are products that integrate multiple security functions onto a single hardware platform. For instance, a single device typically includes firewall, SSL VPN, anti-malware and web URL filtering. Example products include Fortinet's FortiGate and Check Point's UTM-1.

UTM devices certainly appear to offer the promise of a number of benefits. In particular in terms of cost savings, management overheads and interoperability. For example, a single management console and a single device potentially saves a lot of overhead.

Conversely there are drawbacks. The one that concerns me most is that we could end up with a single point of failure. On his blog, Kurt Seifried discusses some of the risks. He states that devices "that combine multiple functions into a single platform have a great deal of added complexity" and goes on to say that networks will "have a small number of highly critical security devices placed at network choke points and other strategic locations that are potentially vulnerable to compromise."

It's a good point and UTM devices are going to need to be extremely "robust and less prone to security failures."

Initially, it's likely to be smaller businesses that take advantage of the cost savings of having a single management device. But here's a word of caution from IT Week:

It may well be up and running, but the main question is - is it giving your business proper network security? How can you tell?

The point being made is that companies buying such solutions probably haven't got the people on their payroll specifically dedicated to network security, and so the default out-of-the-box settings define the state of the network security.

In my opinion, UTM devices should certainly be considered as one part of a strategy to consolidate infrastructure and decrease costs. The most important thing of all is to ensure that UTM is fully understood in terms of its capabilities and its potential drawbacks and risks, as well as the promised benefits.

March 8, 2007

OneCare - correction to earlier blog

I need to correct an error I made in my blog entry earlier this week where, with regard to a test performed by AV-Comparatives on MS OneCare, I stated "There is no detail as to what configurations or settings were used to perform the evaluation and neither do we get much insight into the test methodology used."

As has subsequently been pointed out to me, there is a separate document containing said methodology, available here: http://www.av-comparatives.org/seiten/ergebnisse/methodology.pdf.

March 28, 2007

Use of Skype

The subject of Skype came up again. We've taken a pretty hard line against the use of this software on the corporate network, and for good reason too in my opinion. Questions around fundamentals such as confidentiality, issues around protocols, and risks from malware have led to a policy banning its use. However, use of Skype is becoming quite common within an increasing number of businesses and inevitably the policy gets questioned when customers and vendors request to have Skype-based conversations.

I've not softened my stance against using the software within the corporate network (we offer plenty of alternative messaging and VoIP services) but have allowed it to be installed on laptops on a per-need basis so long as its use is strictly off-piste, desktop anti-malware controls are in place, and users are made aware of the relevant risks.

Of course, that still leaves the potential risk of a malware-infected laptop being plugged back into the network. One of my colleagues stated that he would not allow the machines used to be brought back onto the network even with AV. I think the risk is manageable so long as there's close supervision, but it has become an emotive subject of discussion and I know that some believe my opinion on the matter to be rather too flippant.

It comes down to business requirements. We need to be a business enabler and not a block. There is a request to make use of some banned software for a good business reason and I've prescribed, what I believe to be, suitable controls that allow that to happen whilst also ensuring that stakeholders are aware of what the risks are.

I'll be interested to find out what others are doing.

There's a couple of blogs and articles that I found interesting on the subject of Skype and general VOIP security:

From Skype: http://share.skype.com/sites/security/

A VOIP security blog: http://voipsecurityblog.typepad.com/marks_voip_security_blog/

Recently discovered Skype security glitch: http://nanocrew.net/2007/01/19/skype-security-fud/

Skype based Trojan: http://securitywatch.eweek.com/exploits_and_attacks/trojan_spreading_via_skype.html

Last word from Bruce Schneier's blog: http://www.schneier.com/blog/archives/2006/08/skype_call_trac.html

April 4, 2007

NT4 Security

The very first time I put finger to keyboard on a task to write some useful code was whilst serving in the RAF back in the early nineties. Judging by the decision made by the MOD to extend the life of the RAF's NT4 network (see article as reported in Computer Weekly here) I wouldn't be surprised if some of that code is still being used! The reason being given for this folly is that they have to wait for delivery of the new Defence Information Infrastructure before upgrading. Who'll wager me that this will turn out to be yet another late, over-budget delivery? (Tip: you might want to reconsider your wager when you realise that the principal contractor, forming part of the Atlas Consortium responsible for this £4billion project, is EDS, whose most recent turn in the limelight was their incomplete Child Benefit Agency system. Read all about that fiasco here. Another contractor, Logica, also made recent headlines through being canned by Transport for London over a failure to meet SLAs, as reported here.) In the meanwhile the RAF's infrastructure is being run on an insecure, unsupported platform.

The number of excuses for still running NT4 is diminishing but, granted, some of us have no choice through circumstances, so what should we be doing to ensure that we're doing all we can to maintain security? I would suggest, at a minimum, ensuring that effective anti-malware and firewall controls are in place and that the NT4 domain is as isolated as possible. Utilise host-based IPS and don't give users access.

Taking into account that NT4 was released in 1996 then I fall into the category of people who didn't curse Microsoft for ending support when they did: you wouldn't expect Ford to provide free servicing to a 1996 model if it broke down tomorrow and given the speed the IT world moves at then I think MS did a good job of supporting it as far as they did. So, sensible cost effective precautions need to remain in place until you get around to trading up to something better.

Rats in a sewer - Pt2.

This refers to a blog entry I posted early in January. My good friend, Bryan Fite, has posted a comment and I didn't want to let it pass unnoticed because I think he makes an important - and eloquently put - point. Bryan says:

Are the rats contained to the sewer/cellar? I contend they are in your pantry caressing your breakfast. They are on your AD Admin's desktop. How would you know? The botnets of the past were used to DoS or deploy SPAM. The new breed of rootkit is dedicated to harvesting access credentials and establishing a base of operations. OPCR (Other People's Computing Resources) are an incredible motivator for criminals. How can you protect the castle when the family jewels are in the fields?

It would be interesting to get some other thoughts on this topic - feel free to post comments!

April 9, 2007

Hacking with Metasploit

I'm no hacker, but not so long ago I was invited to participate in a "capture the flag" contest. This is where groups of bespectacled, potato-chip munching, pizza eating individuals attempt to be the first to exploit vulnerabilities on a target computer system. I was fortunate enough to be paired up with an old hand at such contests who was able to demonstrate the ease with which it was possible to hack into a seemingly secure system using readily available, free, easy to use tools, including one called Metasploit. Quite frankly, from a security management perspective I found this tool frightening in its capability. It allows you to design your own payload to fit the exploit and then simply hit a button to launch your attack. There's a new version now released that you can read about here: http://www.securityfocus.com/columnists/439. There's also a Metasploit blog here: http://blog.metasploit.com/.

While I'm obviously very aware of the need to ensure that systems are patched and networks protected, this day brought home to me the message of how easy it can be for an experienced and determined attacker to drill into a network given the slightest hint of an exploitable vulnerability. In fact, scratch that bit about the need to be experienced because even I, with a couple of useful tools on my laptop and a surfeit of strong coffee, was able to find my way into a command window on a target PC.

September 7, 2007

HSBC new two-factor authentication system

Hooray for HSBC and their new security authentication system as described here: http://www.computerweekly.com/Articles/2007/09/06/226622/hsbc-develops-new-security-authentication-system.htm. I've noted in the past the downside of giving customers tokens to keep, look after and ultimately break or lose. Using the mobile phone is a good solution: nearly all of us have one and this method can enable 2FA into multiple services from the same device without burdening people with a pocketful of tokens.

I've been looking at a similar solution from a company called SecurEnvoy. This will send one-time passcodes by SMS to a mobile phone. The passcode serves as the additional factor for network access. I was reading here that T-Mobile are already using this system. Some will criticise, some already have. Ian Yip says "I can't help feeling that there's a way to game the system" and warns about losing your phone (see here). Fair enough point, but it's early days: it does mitigate risk to some degree and it's up to you whether or not it's enough. It's the approach that I like, and so long as we acknowledge the weaknesses we can make a judgement based on our risk appetite. Those weaknesses are:

- the mobile phone is not as good a second factor as a dedicated token

- if you're caught in an area without a phone signal, or during a period of high network traffic, then the passcode might not arrive

- a one-time password is going to be more vulnerable to compromise through phishing attacks where the captured data is sought for immediate use
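To make those three weaknesses concrete, here is an added example (my own illustration, not SecurEnvoy's, HSBC's or any vendor's code) of the server side of an SMS passcode scheme. The secret, the six-digit code and the 120-second window are assumptions. Binding each code to the login session that requested it, expiring it quickly and burning it on first use deals with reuse and with stale codes read off a lost phone; the last scenario shows the real-time phishing relay from the third bullet succeeding anyway, because the server cannot tell the attacker's session from the user's.

```python
import hashlib
import hmac
import secrets

# Added example, not SecurEnvoy's, HSBC's or any vendor's code. The secret,
# the code length and the 120-second window are assumptions for illustration.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 120


class PasscodeServer:
    """Issues SMS-style one-time passcodes that are bound to one login
    session, single-use and short-lived. The passcode is what would go to
    the phone; the session id stays with the browser that started the login."""

    def __init__(self, server_secret):
        self._secret = server_secret
        self._sessions = {}  # session_id -> {"user", "issued", "used"}

    def start_login(self, user, now):
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = {"user": user, "issued": now, "used": False}
        return session_id, self._derive(user, session_id, now)

    def _derive(self, user, session_id, issued):
        # HMAC over user, session and issue time, truncated to a numeric code.
        msg = "{}|{}|{}".format(user, session_id, int(issued)).encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        number = int.from_bytes(digest[:8], "big") % (10 ** CODE_DIGITS)
        return "{:0{}d}".format(number, CODE_DIGITS)

    def verify(self, session_id, user, code, now):
        s = self._sessions.get(session_id)
        if s is None or s["user"] != user or s["used"]:
            return False
        if now - s["issued"] > CODE_TTL_SECONDS:
            return False
        expected = self._derive(user, session_id, s["issued"])
        if not hmac.compare_digest(expected, code):
            return False
        s["used"] = True  # single use: burn it on success
        return True


def scenarios():
    """Walk through the cases the weaknesses list is concerned with.
    Timestamps are constructed; t0 is an arbitrary epoch second."""
    srv = PasscodeServer(b"server-side secret (assumption)")
    t0 = 1_190_000_000.0
    results = {}

    # 1. Normal login: alice starts a session, reads the code off her phone.
    sid, code = srv.start_login("alice", t0)
    results["legit"] = srv.verify(sid, "alice", code, t0 + 30)

    # 2. The same code presented again is rejected (single use).
    results["reuse"] = srv.verify(sid, "alice", code, t0 + 31)

    # 3. A code harvested earlier (say, read from a lost phone) is presented in
    #    a session the attacker opened themselves: the session binding fails it.
    sid2, code2 = srv.start_login("alice", t0 + 60)
    attacker_sid, _ = srv.start_login("alice", t0 + 61)
    results["stale_replay"] = srv.verify(attacker_sid, "alice", code2, t0 + 62)

    # 4. A code older than the window is rejected even in its own session.
    results["expired"] = srv.verify(sid2, "alice", code2,
                                    t0 + 60 + CODE_TTL_SECONDS + 1)

    # 5. Real-time phishing relay: the attacker starts the login (so the server
    #    texts alice), alice types the code into the phishing page, and the
    #    attacker forwards it within the window. Nothing here stops this; the
    #    controls only shrink the window and prevent reuse.
    relay_sid, relayed_code = srv.start_login("alice", t0 + 200)
    results["realtime_relay"] = srv.verify(relay_sid, "alice", relayed_code, t0 + 210)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print("{:15s} accepted={}".format(name, outcome))
```

The design choice worth noting is that the code is derived from the session rather than stored, so the server keeps only a small record per login attempt and the same HMAC check serves both issue and verification; what it cannot do is distinguish a relayed code from a typed one, which is exactly why the phishing bullet stands.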

There are other vendors moving into this area including Entrust (IdentityGuard) and i-Sprint (AccessMatrix). My bet is to couple this technology with something like OpenID and we've got a decent consumer single sign-on solution. Let's see where it goes...

September 17, 2007

Skype again

There's a new book out entitled "Securing IM and P2P Applications for the Enterprise" (ISBN: 978-1-59749-017-7) where it's written: "Although Skype is well known for its voice communication, it is a very functional client for instant messaging via text and file transfers. Since it encrypts its information natively, this is a good tool to use for online communications."

I wonder how many of you agree with that statement. There's been quite some debate on Skype within my own organisation. Prior to my coming into the company, Skype was banned. Period. Don't even think to argue.

More recently Skype has become a hot topic, with some individuals perceiving benefits in using it for free and easy Internet telephony: particularly those who travel a lot and spend nights away. In addition, there are plenty of documented potential business uses for Skype. One reference (Skype Me! by Michael Gough) discusses how using it could be advantageous for a help desk:

An office in Mumbai, India, can provide the same support that someone at the corporate office in San Diego or an employee at home in Seattle receives. Company X can provide help desk Skype Me! links on the intranet homepage, and calls can be quickly routed for help tickets. The same is true for IT staff members who travel frequently from site to site. No matter where they are, as long as they have an Internet connection, these employees are able to provide reliable assistance....Technicians can take advantage of Skype's text-chat option to provide specific documentation or even case-sensitive shell commands to a user in dire straits.

Of course, this is dependent upon the Skype network being available....

The book goes on to mention that "Several companies are currently developing software and hardware solutions to augment Skype's capabilities into a fullfledged business-class telecommunication medium." I look forward to this but what of the risks?

Some individuals cite Skype's proprietary encryption as an issue. It's actually only an issue if confidential matters are being discussed. In fact, having read the paper Skype Security Evaluation by Tom Berson I'm not sure that it's an issue at all. Tom states:

Skype uses a proprietary session-establishment protocol. The cryptographic purposes of this protocol are to protect against replay, to verify peer identity, and to allow the communicating peers to agree on a secret session key. The communicating peers then use their session key to achieve confidential communication during the lifetime of the session. I analyzed this protocol, and found that it achieves its cryptographic aims. Further, I explored the strength of the protocol against a range of well-known attacks, including replay attack and man-in-the-middle attack. I determined that each of the attack scenarios is computationally infeasible.....I started as a skeptic. I thought the system would be easy to defeat. However, my confidence in the Skype grows daily. The more I find out about it, the more I like.

So, perhaps those who still argue against any corporate use can cite malware as their reason. It's true that there have been trojans targeted directly against Skype; however, with multi-layered network and desktop defences together with basic user security awareness about not clicking on links in unsolicited messages, the malware should be easily defeated.

I'm not trying to be flippant. I'm as concerned about potential risks to private data and network integrity as the next man. It's just that I think Skype, if properly managed and if it suits a business requirement, presents a low risk. This is consistent with the message I put out on this blog back in March; however, I have softened my attitude somewhat. We need to put the right price on saying "yes" and support what the business wants.

I'll leave you with this final "security flaw" that someone noted on a blog titled "Skype Security FUD": "There is another loophole in it: when you talk on it they can stand in your office and hear what you're saying. Amen!"

September 29, 2007

Importance of logs

There's an old episode of Blackadder Goes Forth where Baldrick proudly presents a bullet into which he's carved his own name. His reasoning being that if he is in possession of the bullet that has his name on, then nobody else will be able to shoot him with it.

It's that sort of logic which probably keeps those who maintain security devices such as IPS or firewalls but never keep or audit the log files in blissful ignorance of their impending doom! I'll take a recent incident I'm aware of where a production server was found to have been compromised and contained rootkits. Surprisingly for the team who immediately went to inspect the IPS device that was supposed to be affording the server some protection, the logs were empty. The reason being that the device had been plugged into the wrong port - it wasn't actually offering any protection at all.

Now this demonstrates a failing in more than just an inability to check logs. We could talk about change control and testing and the skills of those maintaining the server room, and we'll come back to all of those topics at a later date, but since the device was presumed to have been in the correct place and running for a number of months, the fact that no-one had noticed that the logs were empty before is plainly negligent.

I have recently discovered an excellent blog dedicated to log file management from Dr Anton Chuvakin, the "Security Warrior". If you have even a passing interest in the subject then I recommend you head straight over there. Anton lists his 6 mistakes of log management:

1. Not logging at all
2. Not looking at the logs
3. Storing logs for too short a time
4. Prioritizing the log records before collection
5. Ignoring the logs from applications
6. Only looking at what you know is bad
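Mistakes 2 and 6, and the empty-IPS-log incident above, have a cheap partial check: rather than looking only for known-bad entries, watch for sources that should be talking and aren't. The following is an added example in Python, not from Anton's blog or any product; the syslog-style lines, host names and one-hour silence threshold are all constructed. It parses a small batch of lines, keeps per-hour counts per device, and flags any expected source that has never logged or has gone quiet.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example; not from Anton Chuvakin's blog or any product. The log
# lines, host names and the one-hour silence threshold are all constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)

# Three devices are supposed to be feeding the collector. In the data,
# fw-edge-1 logs all morning, ips-core-1 stops after 10:47, and ips-dmz-1
# (the box on the wrong port) never says anything at all.
EXPECTED_SOURCES = ["fw-edge-1", "ips-core-1", "ips-dmz-1"]

# Constructed sample; the message formats imitate no particular product.
SAMPLE_LOG = """\
2007-09-20T09:02:11 fw-edge-1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 DPT=445
2007-09-20T09:15:30 ips-core-1 ips: sig 2003 tcp 10.0.5.4 -> 10.0.1.20:1433 blocked
2007-09-20T09:41:09 fw-edge-1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 DPT=139
2007-09-20T10:08:44 fw-edge-1 kernel: DROP IN=eth0 SRC=192.0.2.33 DST=203.0.113.10 DPT=22
2007-09-20T10:47:02 ips-core-1 ips: sig 2010 tcp 10.0.5.4 -> 10.0.1.20:445 blocked
2007-09-20T11:12:57 fw-edge-1 kernel: DROP IN=eth0 SRC=192.0.2.33 DST=203.0.113.10 DPT=3389
this line is not in syslog format and is skipped by the parser
2007-09-20T12:30:18 fw-edge-1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 DPT=445
2007-09-20T13:01:40 fw-edge-1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 DPT=445
"""

# The moment the check runs, constructed to sit just after the last line.
NOW = datetime(2007, 9, 20, 13, 5, 0)


def parse_lines(text):
    """Return (timestamp, host, program, message) tuples; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group("host"), m.group("prog"), m.group("msg")))
    return events


def hourly_counts(events):
    """host -> {'YYYY-MM-DDTHH': count}; the shape you'd chart to see a feed fading out."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, host, _, _ in events:
        counts[host][ts.strftime("%Y-%m-%dT%H")] += 1
    return {h: dict(c) for h, c in counts.items()}


def check_feeds(text, expected_hosts, now, max_silence=timedelta(hours=1)):
    """Flag expected sources that have never logged, or have gone quiet for
    longer than max_silence. Returns host -> reason."""
    last_seen = {}
    for ts, host, _, _ in parse_lines(text):
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    findings = {}
    for host in expected_hosts:
        if host not in last_seen:
            findings[host] = "never seen"
        elif now - last_seen[host] > max_silence:
            findings[host] = "silent since " + last_seen[host].isoformat()
    return findings


def report():
    """Run the dead-feed check over the constructed sample at NOW."""
    return check_feeds(SAMPLE_LOG, EXPECTED_SOURCES, NOW)


if __name__ == "__main__":
    for host, why in report().items():
        print("ALERT", host, why)
```

Run against a real collector this would have raised "never seen" for the mis-cabled IPS on its first day rather than months later; the hourly counts are there because a feed that drops from hundreds of lines an hour to one or two is just as worth a look as one that stops dead.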

A common excuse for all of the above is a lack of time, resource and skills. It's true, log analysis can be time consuming and it takes a practised eye to identify important anomalies. But let's be clear, this is far preferable to the time and expense it takes to resolve a security incident or rebuild a rooted server. Here are some reasons from Anton as to why you should bother to look at logs:

- Situational awareness: you know what is going on with your network devices and applications
- Discovery of new threats
- More value out of your network and security infrastructure - you've paid for it!
- Measuring security and performance; especially for reporting trends and metrics
- For compliance and regulations
- For incident investigation and forensics

The following lists summarise the value of logging and monitoring and why you need to be doing it.

Logging

- Audit
- Forensics
- Incident response
- Compliance

Monitoring

- Incident Detection
- Loss prevention
- Compliance

Analysis & Mining

- Deeper Insight
- Internal attacks
- Fault prediction

Now, who has a cunning plan?



October 8, 2007

Storm Worm

Malware remains a threat. The Storm Worm is one of the most threatening in recent times, and it continues to propagate. Bruce Schneier discusses it in detail here on Wired (thanks to David Lacey's blog for drawing attention to this piece).

Schneier makes some remarks that should stick in all our minds over the coming months - the choice quotes are:

- Antivirus companies are pretty much powerless to do anything about it

- Inoculating infected machines individually is simply not going to work

- we know that users can't keep themselves from clicking on enticing attachments and links

- We simply don't know how to stop Storm

- Oddly enough, Storm isn't doing much, so far, except gathering strength

- Personally, I'm worried about what Storm's creators are planning for Phase II

A gentleman named Frank Boldewin has reverse-engineered the Storm Worm and analysed how it works. The paper is hard going - especially for a very out-of-practice coder like me - but the message is clear. This is not a virus knocked together by a script kiddie in his bedroom. This is very dangerous malware that will create havoc on our networks and open up the door to more infection. And we can't detect it because it's been designed to bypass and be ignored by all of our desktop anti-malware controls (perhaps we should remember that the chaps who write malware probably test it against common controls before they unleash it). The conclusion of the report is that

it should be clear that the developers of this malware deal with a lot of nasty tricks to gain access to victims’ machines and hide from detection, even on standard protected boxes.

Ultimately, malware has come of age. This is destructive and undetectable, and put together with no small amount of skill. We need to continue meeting the threat with up-to-date controls and detection. We need to ensure we have documented incident response plans for when we discover infected machines on our networks (and don't believe that we won't) - and we need to practise running through them. We also need to continue communicating security awareness messages to our employees.

October 9, 2007

Botnets

From "Killing Botnets" by Ken Baylor and Chris Brown of McAfee.

A botnet of 1 million bots, with a conservative 128 Kbps broadband upload speed per infected bot, can wield a powerful 128 gigabits of traffic. This is enough to take most of the FORTUNE 500 companies (and several countries) offline using DDoS attacks. If several large botnets are allowed to join together, they could threaten the national infrastructure of most countries.

I'm pretty sure that the threat posed by botnets is the one that we need to be most anxious about. It's a real threat against which we are really vulnerable, and the potential event costs are off the scale. That all equates to very high risk.


October 17, 2007

IPS - to buy or not to buy

There's been some debate about whether or not to purchase an IPS device to put in front of a new online service. Some of you might be reading this and thinking "why wouldn't you?" Well, granted, if it was a military system or an online banking service then I suppose it would be a no-brainer. Here in the security suburbs, the answers are not so clear cut. Actually, neither are the questions.

It's not so much a question of "is an IPS required?" as of whether the potential loss impact warrants spending the money. We need to decide the point at which it becomes a necessity as opposed to an expensive but "nice to have" option. Here are some questions I'll be asking:

  • Is the service strategically important to the business?
  • Are there high revenue expectations?
  • What are the regulatory requirements?

We should also review the benefits of an IPS device. Fundamentally, it detects the presence of unwanted network traffic in three main categories:

1. Signatures
2. Traffic rates
3. Anomaly detection

There is also the promise of the holy grail of network defence: zero-day attack protection. I don't really believe that any IPS truly has this capability; if it did, there would be no need for signature and rule updates.

There are some downsides to IPS. The devices generate a high number of alerts, and tuning them requires skill. Resources are required to review logs and react to alerts. The devices are also expensive to buy.

What other defences are already in place? In this particular instance the network architecture includes redundancy, well configured devices, and a well designed architecture. IPS would be an additional layer of defence on a well defended network. So, it comes down to how comfortable the business feels about not having the control. There may be other factors to take into account, such as future strategic plans or issues of credibility specific to the business, that might not usually figure in the risk analysis. Clearly, this is a much more complex issue than it might first appear.

The answer must come from the business once armed with the right information.
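To make the three detection categories concrete, here is a toy Python model (an added example, not from the original post and not any vendor's engine) that runs signature, traffic-rate and anomaly checks over a constructed set of request records; the `exempt` list stands in for the tuning work the post mentions. All addresses, sizes and thresholds are made up.

```python
"""Toy model of the three IPS detection categories from the post: signatures,
traffic rates and anomaly detection, applied to constructed request records.
Added example, not from the original post and not any vendor's engine."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed records: (timestamp_s, src_ip, bytes, request_line). Made-up values.
NORMAL = [
    (0, "10.0.0.5", 600, "GET /index.html HTTP/1.1"),
    (1, "10.0.0.5", 650, "GET /about.html HTTP/1.1"),
    (2, "10.0.0.7", 700, "GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1"),
    (3, "10.0.0.9", 620, "GET /index.html HTTP/1.1"),
    (4, "10.0.0.7", 50000, "POST /upload HTTP/1.1"),
]
# 12 requests in 4 s from one host, and 11 in 4 s from a (hypothetical) health checker.
BURST = [(10 + i // 3, "10.0.0.11", 600, "GET /index.html HTTP/1.1") for i in range(12)]
HEALTH = [(20 + i // 3, "10.0.0.2", 580, "GET /healthz HTTP/1.1") for i in range(11)]
RECORDS = NORMAL + BURST + HEALTH

# Request sizes seen during a constructed "learning" period; the anomaly baseline.
BASELINE_BYTES = [580, 600, 610, 620, 640, 650, 660, 700]

# 1. Signatures: known-bad patterns, only as good as the last update.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'(%20|\s)*OR(%20|\s)*'1'='1", re.I),
    "path-traversal": re.compile(r"\.\./\.\./"),
}


def signature_alerts(records, signatures=SIGNATURES):
    """Flag any request line that matches a signature."""
    return [("signature", src, name)
            for _, src, _, req in records
            for name, pat in signatures.items() if pat.search(req)]


def rate_alerts(records, window_s=5, threshold=10, exempt=frozenset()):
    """2. Traffic rate: flag sources with >= threshold requests in one window.
    `exempt` is the tuning knob: sources known to burst legitimately."""
    buckets = Counter((src, ts // window_s)
                      for ts, src, _, _ in records if src not in exempt)
    return [("rate", src, f"{n} requests in {window_s}s")
            for (src, _), n in sorted(buckets.items()) if n >= threshold]


def anomaly_alerts(records, baseline_bytes, z_limit=3.0):
    """3. Anomaly: flag requests more than z_limit std devs above the baseline size."""
    mu, sigma = mean(baseline_bytes), pstdev(baseline_bytes)
    return [("anomaly", src, f"{nbytes} bytes, z={(nbytes - mu) / sigma:.1f}")
            for _, src, nbytes, _ in records if (nbytes - mu) / sigma > z_limit]


def run_ips(records, baseline_bytes, exempt=frozenset()):
    """Combine the three detectors, as an IPS would, into one alert list."""
    return (signature_alerts(records)
            + rate_alerts(records, exempt=exempt)
            + anomaly_alerts(records, baseline_bytes))


if __name__ == "__main__":
    for alert in run_ips(RECORDS, BASELINE_BYTES):
        print(alert)
    # Tuning: exempting the health checker removes one of the four alerts.
    print("after tuning:", len(run_ips(RECORDS, BASELINE_BYTES, exempt={"10.0.0.2"})))
```

Untuned, the sample produces four alerts, one of which is the health checker tripping the rate check; that false positive is exactly the kind of thing the post says takes skill and resources to tune away.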

Network security budgets

Great blog on budgets from Gunnar Peterson. Quote:

  • How secure am I?
  • Am I better than this time last year?
  • Am I spending the right amount of $$?
  • How do I compare to my peers?
  • What risk transfer options do I have?

Read the article here.

    November 5, 2007

    Non-company equipment on our networks

    Do we need to come up with new ways to deal with the risks associated with non-company equipment being connected to our networks? I presently operate a policy that prevents anyone plugging in their own personal laptop computer. There are a number of reasons why, mostly related to the threats of malware and other unauthorised software polluting the network. In fact, like many other organisations we have a standard, one-size-fits-all, desktop computer build. I say one-size-fits-all but in fact it's not quite that straightforward because certain groups - developers, for instance - require more flexibility. Even so, GPOs are tightly controlled with software in place to identify any desktops that fail to comply.

    However, my thoughts are now turning to the idea that perhaps there should be more flexibility in the system to allow users' own personal systems to connect. There is more demand for this than ever before, across an increasing variety of devices: laptops, PDAs, digital cameras, and other multimedia devices. However, I'm also very conscious of the need to remain in control of the network. The question is one of how to enable the business and personal resources to live side by side.

    What problem am I trying to solve? Here are a few:

  • There is no real one-size-fits-all when it comes to user requirements. As soon as the standard build is deployed, the IT department becomes inundated with requests for exceptions.
  • We have a network full of contract and temporary users as well as a growing number of remote workers.
  • Lots of our employees go away on business travel and want both personal and business connectivity whilst on the move. It's not practical to carry two laptops.
  • There are a growing number of "key knowledge workers" and senior executives who prefer to use their own PCs to the corporate standard.

    My opinion is that we should be enabling use of personal equipment and managing the risk. This means strengthening the security of our enterprise systems and the data that's on them whilst relaxing some of the constraints presently placed on users.

    I was reading an article referring to a document entitled "Zen and the art of ceding control of consumer tech to end users." The point is made that "The adoption of consumer technology in the enterprise has a huge impact on the support and customer care IT has to provide.....You can't keep up with the pace of consumer technology. You can't support it all yourself because there are too many. You can't ignore it. The only alternative is to outsource some of the responsibility to the end users." The article goes on to quote

    Instead of dictating policy or enforcing standards, IT's role is to "set guidelines and steer users in the right direction,"

    I agree. The days of IT dictating what users can and can't do should be over. Users need flexibility and enablement but we also need to maintain centralized management and control.

    It's a big challenge because our policies are so geared up to socialist - two legs good, four legs bad - style management. I'm also very mindful of the fact that if we are to open up to non-company equipment that we also need to get better at making users more personally aware and accountable for risk. From an information security management perspective it makes me very nervous because of the obvious risks but also exciting because if I can get this right then I'll have achieved something of value to the business.

    November 17, 2007

    Spam is still a threat

    We don't seem to talk about spam much anymore. Services such as Postini and products like SurfControl have more or less removed spam from the corporate Inbox. While these products are generally effective, it still amazes me what percentage of email is identified as spam: up to 90% of all inbound traffic at some periods.

    Although we are adept at controlling spam targeted at our own mail servers, the biggest risk comes from allowing corporate users access to web-based email services from within the company network. And spammers are constantly looking for new ways to get their messages opened.

    One of the newest is in the form of MP3 files posing as music clips as reported here. "The MessageLabs Intelligence Report for October reveals that spammers have sent at least 15 million emails so far in the form of MP3 music files, as they seek to expand the ways spam can be propagated."

    GFI reports on this new trend on their website here:

    MP3 spam is a natural progression from PDF and Excel spam whereby spammers are exploiting a new file format to be able to send spam. This is their latest attempt to evade anti-spam filters.

    Saying that we need to remain vigilant to the spam threat is obvious. What I would like to do is block access to personal webmail accounts from the corporate network. True, we can mitigate a fair degree of the risk using various desktop controls, but I'd rather avoid the battle than fight it. Every now and again, our security will be breached - if it hasn't already been so - through somebody downloading an attachment from their webmail account.

    Once again, we hit on education as having a large bearing on the risk. But I'd also like to come back to the subject of personal accountability and making individuals on the network responsible for their actions. I'm interested in how far other organisations go down this path.

    December 11, 2007

    Skype me!

    I've just finished writing up a short White Paper on Skype - in particular the old question of whether or not it can be installed onto company equipment, the risks, costs, and some investigation into the system architecture.

    Quite honestly, I don't consider Skype to be an insecure system (so long as you keep the client updated. See here...), but it does undoubtedly introduce some additional risk. The question is whether that risk is too great to allow a few travelers to have the client installed onto their laptops.

    There are opposing forces in action - on the one hand a number of individuals who claim that they need Skype and consider life to be unfair unless they have it. On the other hand are those who consider it to be no more than KaZaa in different trousers, and that it should be kept well clear of company equipment. I'm somewhere in the middle: put a price on saying "yes" and make sure risks are controlled. But is that just a cop-out? I'm wondering whether I shouldn't simply point my finger at desktop build policy and then remind people of that great invention: the telephone.

    This all relates to a blog I wrote a while back on the subject of the increasing consumerization of our environments. I quoted there that "consumerization creates a new burden that can potentially cripple already fragile IT organizations" but on the other hand is the point that "consumerization is already in motion, so how do corporate IT departments manage the new reality?"

    Do a few users with Skype on their laptops really increase risk to the business? Depends who it is and what they do with it. As someone has reminded me this very evening, it may not matter until some senior executive is defrauded or their company provided equipment is compromised. I'm not sure it's even an argument worth having - there are so many different solutions for communication out there now that I'm baffled why we are getting so hung up on Skype anyway.

    December 16, 2007

    Prediction for 2008 - more targeted attacks

    If I have to make one prediction for 2008, it is that I think we will see an increase in reports of targeted attacks against organisations of all sizes and types. That such attacks are already happening goes without saying because penetrating the average corporation appears to be child's play for the skilled attacker.

    To remind myself of exactly how easy it can be, I was re-watching a webcast presentation given by one Marcus Murray at this year's Tech-Ed. This is must-see viewing with some great practical examples of inserting trojans onto the network, sniffing wireless networks, and a fascinating demonstration of compromising a domain administrator account using just the stolen password hash.

    Marcus makes the observation that networks are not hacked because the operating systems are poor, but because of the way they are usually configured. This is a message I'm continually pushing out within my own organisation: you must patch (and not just the Microsoft stuff - patch everything!), you must become very fussy about change control, you must monitor IDS/IPS logs, and you must test your network from the outside.

    Even then you can still be compromised the moment somebody clicks a link in an email and inadvertently installs a trojan. The above mentioned presentation demonstrates in stark detail how to do this and also shows how the trojans are designed to ensure that desktop anti-virus controls don't get activated in the process.

    Bruce Schneier wrote two years ago about an increase in targeted attacks:

    We are seeing a decline in the "noisy" brute-force vulnerability scanning that hobbyist hackers tended to favor, and an increase in more targeted, stealthy, and sophisticated scanning.

    The predominant targets back then were financial institutions. Today, it's likely to be any organisation that values its data. One such recent example was as reported here where Oak Ridge National Laboratory experienced a sophisticated cyber attack that appeared to be "part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country."

    The reality is probably one where we should assume that sooner or later something we don't want is going to get into the network. We can reduce the risk by looking at the various control areas (e.g. Internet access, remote access, wireless networks, device management processes and so on), making sure basic tasks such as logging are being performed, and making sure the right controls are in place, such as IPS between wireless and wired networks and monitoring for rogue access points. We also need to become better at protecting data in situ with encryption and ensuring that our incident response processes are well rehearsed.

    My only other prediction for the year ahead is that it'll be business as usual and more of the same. Our CIOs and business strategists might be getting themselves all hot under the collar about web 2.0, social networking and virtual worlds, but you know and I know that we'll continue to have plenty of work to do as all the same old mistakes get remade in slightly new and unusual ways...

    December 27, 2007

    VoIP Security

    Robert Moore is a convicted hacker, currently serving two years in prison for his role in stealing and reselling VoIP services. In an interview given to Information Week, Moore describes in detail how easy it was to break into corporate systems and the methods that he used.

    One particular quote that sticks in my mind from the article is:

    Moore said it would have been easy for IT and security managers to detect him in their companies' systems ... if they'd been looking. The problem was that, generally, no one was paying attention.

    What's also interesting is the opinion of Alan Paller, director of research at the SANS Institute, who is quoted as saying that the problem is with the vendors for making it too easy for system administrators to leave default passwords enabled on devices. "It's all on the vendors. It's not about the user being careless. It's a silly thing for them to have to know to do." I don't agree. While vendors might be able to do more, short of providing systems that can jump into the rack fully configured for any network scenario, the onus has got to remain with network administrators to ensure that the implementation of new devices follows good hardening practices that include changing the default password.

    You can read the full interview with Robert Moore here.

    I also recommend the Voice over IP Security Alliance website here as well as their blog.

    February 10, 2008

    Anti-Malware Testing Standards Organization

    More than 40 security software technologists and anti-malware testers from around the world recently met in Bilbao, Spain to formalize the charter of the Anti-Malware Testing Standards Organization, or AMTSO. The formation of AMTSO has been driven by industry-wide concern about the increasing mismatch between what anti-malware technologies actually do, and the testing methodologies used to evaluate them.

    Read more about this new organisation here: http://www.amtso.org/

    March 8, 2008

    Tall stories from Chinese hackers

    There's an interesting interview with the leader of a Chinese hacker group on CNN. Xiao Chen makes a number of claims: that his group is paid by the Chinese government, that they have successfully hacked the Pentagon, and that even the highest security websites have weaknesses that can be exploited.

    I'm not going to outright dismiss Chen's claims as being typical hacker arrogance because firstly, I wouldn't be at all surprised if the Chinese government were paying hackers (in the same way that the American government is probably also doing so). What would surprise me would be hearing one of those hackers talking about it. And as he is so forthcoming in talking to CNN then why won't he "specify what was gleaned" when talking about the alleged Pentagon website hack?

    The last point about high security websites all having weaknesses is something I've long stated as being an inevitable fact associated with the increasingly complex products that we are putting online. This isn't just related to the number of lines of code either. The middleware, and third party components that we're plugging in are just as likely to contain exploitable issues as the code that we're writing ourselves. I don't need some self-acclaimed hacker to tell me that as I frequently see the evidence for myself.

    Anyone can call themselves a hacker - these days all you need is a few point and click scanning tools and a copy of Metasploit. So, I'm not going to give any credit to Xiao Chen or his group. I'm also not going to give any credit to CNN for wasting their time talking to him.

    You can read the full article here: http://edition.cnn.com/2008/TECH/03/07/china.hackers/index.html?eref=rss_latest

    March 10, 2008

    Consumer networks for business use

    If all the hype is to be believed then IT execs who ignore Web 2.0 collaboration technologies could be hurting their company's bottom line. That, apparently, is the message from IT leaders and industry analysts who are convinced that Web 2.0 technologies are the real deal. And, as it's published in CIO Magazine then it must surely be true.

    The article goes on to cite examples from the real world (the one where you have real friends and real business relationships) that demonstrate just how vital these collaboration technologies are.

    - A company - Serena Software - where some customers only talk to them via Facebook because they've "given up on e-mail because it's such a horrendous technology"

    - The same company has Facebook Fridays where "executives encourage their 900 employees in 18 countries to connect with customers, business partners and each other over the company's group portal on the popular social networking site."

    - Cisco, "where the virtual world of Linden Lab's Second Life....is quickly becoming a preferred method of interaction among the company's employees, business partners and customers"

    - Gartner, who say that "organizations can create a mash-up, a combination of multiple applications, of their CRM database and their employees' Facebook contacts to identify personal links among sales prospects."

    Before I talk about why I think all of the above is misguided advice, opens up the network and data to unacceptable risks as well as increasing personal risks to employees, there are actually some good words of wisdom in the same article. Accenture, for instance, who rather than using a public site, ... opted to build a social networking platform behind the company's firewall on Microsoft Office SharePoint Server to connect Accenture's more than 170,000 employees worldwide. This is a good approach because it's using technology specifically developed with business functionality in mind, it has strong security, and Accenture are keeping it within the boundaries of their own networks.

    As soon as you start sharing company data across a public facing, consumer network that's also being used by your children to share happy slapping videos and news about what happened down the rec on Friday night then you've lost the plot. Show me the business case and cost savings model that led you to believe that it's a good idea. I'll wager that you don't have one, but that you've leapt straight in and done it anyway because of all the industry pundits telling you to do so and threatening that you're going to get left behind if you don't.

    The example quoted above where the company uses Facebook in place of "horrendous" email is one instance where you wonder just what problem they are trying to solve and why and how swapping over to an email service provisioned by an organisation that will know all your contacts and all of their contacts, and all of the information being swapped makes it better. Are you really using Facebook's email service to swap company information? Good grief! Remind me not to use your company if I ever need the type of product you're selling. Just read back through their privacy policy and tell me that you still want to use Facebook in this way.

    I realise that not every organisation has the deep pockets necessary to invest in tools such as SharePoint and that they will want to utilise consumer technologies to some degree. Fine, but you generally get what you pay for and if you're getting something for free then don't complain when you find your business profiles being used for marketing purposes by either a) a competitor or b) somebody else pretending to be you. Oh yes, and also don't complain when the service goes down the next time that the Pakistani or some other government gets upset about some of the content.

    My personal advice is to not cheapen your brand and to seriously consider the security risks associated with using consumer networks as a corporate sharepoint for email and business relationships. Embracing new technologies is one thing but long term success is built on what comes prior to the embrace: assessing the benefits, working out the costs, determining the risks etc etc. Does that make sense?

    March 14, 2008

    Malware still the biggest threat

    It's reckoned that two million new strains of malware, or five every two minutes, will emerge onto the Internet this year. That doesn't include the 15 to 20 new Trojans released every hour. These are the figures reported by Kaspersky in an article in the latest edition of Information Week. While the numbers are shockingly high, they are not in my opinion representative of where the real threat and the greatest risk lies; so long as we co