Recently in Network security Category

Security, scale and functionality - Part 3: Functionality

I love system functionality, it's a great thing. It brings a rich and dynamic user experience or empowerment through seamless processes to get things done. Whether it be business functionality or technical functionality, we now have more system functionality at our fingertips than we've ever had.

In the 1980s BT offered a dial-in bulletin board type service known as Prestel. It was a simple service based on Viewdata technology with a private electronic mail capability and was my first experience of being in an online networked environment. Prestel hosted the UK's first home online banking service (Homelink). It was a basic service to say the least. You could view your account balance and pay specific utility bills but that was about it. At the time it was revolutionary, but today limiting your service to these features would be archaic.

Let's jump back to today, when Internet banking is the norm and the range of banking functionality is enormous (I can wire money anywhere in the world from anywhere in the world without delay or interruption and at minimal cost). It starts to become obvious that retail banks, for a number of reasons, have dismantled their internal processes and controls, brought them out of the back office and put them right into every living room, coffee shop and street corner (a scale issue).

There's no doubt that there are real rewards with giving you access to all this extra functionality and I'm a real fan of Internet banking myself. However, the problem comes when/if your account becomes compromised. Back in 1984 I really wasn't bothered as Homelink really wouldn't let you do that much therefore the damage was limited and the impact minimal. In today's environment all bets are off and your account easily plundered or your Visa charged before you know what's hit you.

And therein lies the rub. The more functionality we provide in information systems the more opportunity we create for nefarious or malicious activity to flourish. Add in the scale dimension and the problems start to be compounded even further. When I started this thread I argued that you could only ever have two elements from scale, functionality, and security and I still believe this to be true.

If this is the case how can we approach the security element in order to bring this vital element into the picture? If we can't provide the right amount of security into highly scaled, functionally rich systems then how can the general public trust and embrace them? People will readily adopt new systems when they see a clear reward for changing their behaviour but will not go past the point where the risk outweighs the attached rewards.

My last post in this series will look at what we really mean, and can expect of security in this environment and what we as information security professionals and our Boards of Directors need to clearly understand about these realities.

(Postscript: Thinking about my first adventures with Prestel has brought back loads of memories. For those of us in the UK this cutting edge service significantly changed the IT security legal landscape. After Prince Philip's Prestel e-mail account was compromised the Computer Misuse Act 1990 was introduced and I guess things have gone downhill ever since ;-)

Laptop with personal data stolen

Another third party vendor failing to implement decent security around sensitive data.

You've got to check out your vendors! The vendor might be at fault, but it's your data, and your liability.

BBC, BotNets and legal hacking

On Monday I remarked on the BBC Click botnet investigation. I slightly regret my post because, in fact, I think they did a great job in bringing to life the potency of botnets. Legalities aside, let's focus on the fact that it only took 60 PCs to cause a denial of service situation. That's very disturbing and we all need to sit up and consider the consequences of that.

I was chatting with the CISO of an investment bank earlier today. He was wondering whether or not we should have in place a legal framework that would allow "researchers" a better way to test system security without fear of being accused under the Computer Misuse Act. It's dangerous territory but I take his point. If somebody discovered a gaping hole in my own organisation's network security then I'd be grateful for the information. Many of the third parties I legitimately employ to do discovery work do little more than run Nessus and then post a report, so the hacker's view would be invaluable. But where do you draw the line between "hacking" and "research", and what assurance can be gained from an unsolicited security report?

Google Docs accidentally shared

From SC Magazine

Users of the Google Docs application have had their information inadvertently shared.


A flaw has been identified in the system, which meant that some documents were marked down as collaborative items that allowed third parties who are also signed up to the system to access and amend them.

I've been dealing with requests within the business from people wanting to use Google Docs. Personally, I think it's secure enough for general day-to-day work. I wrote up and issued a quick bullet point list of sensible security guidelines relating to using the service, and we have a few people now using it to their benefit.

I'm much more concerned about the number of file shares within the corporate network that get set up without thought given to their contents or to whom access should be authorised. I find those all the time.
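As an added example (not part of the original post), here is the kind of check that finds those shares: a Python script that parses the text format printed by the Windows `icacls` command when run against share roots, and flags entries where broad groups such as Everyone, Authenticated Users, Users or Domain Users hold write-capable rights. The share paths, group names and ACL lines in the sample are constructed for the example, not taken from any real network.

```python
"""Flag file-share ACLs that grant write access to broad groups.

Added example: it parses the text format produced by Windows `icacls`
(path, then one ACE per line, continuation lines indented under the
first ACE) and reports principals such as Everyone, Authenticated Users,
Users and Domain Users that hold write-capable rights.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Principals that, in practice, mean "anyone who can reach the share".
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users", "domain users"}

# icacls simple rights that include writing, and the specific-right codes
# that write data, add files or change the ACL/owner.
WRITE_SIMPLE = {"F", "M", "W"}
WRITE_SPECIFIC = {"WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^()]*\))+)$")
PAREN_RE = re.compile(r"\(([^()]*)\)")


@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    rights: str


def is_broad(principal: str) -> bool:
    """True for Everyone, NT AUTHORITY\\Authenticated Users, BUILTIN\\Users, DOMAIN\\Domain Users."""
    name = principal.strip().split("\\")[-1].lower()
    return name in BROAD_PRINCIPALS


def grants_write(rights: str) -> bool:
    """True if any parenthesised rights group contains a write-capable code."""
    for group in PAREN_RE.findall(rights):
        if any(code.strip() in WRITE_SIMPLE | WRITE_SPECIFIC for code in group.split(",")):
            return True
    return False


def parse_icacls(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (path, principal, rights) for every ACE in icacls output.

    icacls prints the path once, followed by the first ACE on the same line;
    further ACEs are indented to line up under it, so the indent of the
    second line tells us where the path ends on the first.
    """
    block: List[str] = []
    for line in text.splitlines() + [""]:
        if line.strip() and not line.startswith("Successfully processed"):
            block.append(line.rstrip())
            continue
        if not block:
            continue
        first = block[0]
        if len(block) > 1:
            col = len(block[1]) - len(block[1].lstrip(" "))
        else:
            # Single ACE: split at the first space. A path containing spaces is
            # ambiguous in this format, so such entries should be checked by hand.
            col = first.find(" ") + 1
        path = first[:col].rstrip()
        for ace in [first[col:]] + block[1:]:
            m = ACE_RE.match(ace.strip())
            if m:
                yield path, m.group("principal"), m.group("rights")
        block = []


def audit(text: str) -> List[Finding]:
    """Return the ACEs where a broad principal can write."""
    return [Finding(p, pr, r) for p, pr, r in parse_icacls(text)
            if is_broad(pr) and grants_write(r)]


# Constructed sample in icacls output format (not a real capture).
SAMPLE = """\
C:\\Shares\\Finance BUILTIN\\Administrators:(OI)(CI)(F)
                  Everyone:(OI)(CI)(F)
                  NT AUTHORITY\\SYSTEM:(OI)(CI)(F)

C:\\Shares\\HR CORP\\HR-Staff:(OI)(CI)(M)
             NT AUTHORITY\\Authenticated Users:(OI)(CI)(RX)
             BUILTIN\\Administrators:(OI)(CI)(F)

C:\\Shares\\Drop CORP\\Domain Users:(OI)(CI)(RX,WD,AD)

Successfully processed 3 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.path}: {f.principal} has {f.rights}")
```

Run `icacls` against each share root (or feed it a saved capture) and pipe the text into `audit`; read-only access for Authenticated Users, as on the HR share in the sample, is deliberately not flagged, because the question the post raises is who can write to, and therefore fill, a share nobody is looking after.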

Rats coming out of the sewer

More than two years ago I mentioned on this blog the fact that large networks are likely hosting a variety of nasty things we will probably never become aware of. This is more than just speculation and there's some good supporting evidence in this latest story about another breach of a credit card payment processor which apparently only came to light when, as quoted below:

In most of the latest high-profile breaches, the threat was found only after the forensics team came into the picture. "Existing network security mechanisms remained clueless,"

However, search hard enough on any network and I'll bet you could find some speculative evidence of unauthorised access or malware that really amount to very little of interest. Is there sometimes an over analysis of forensic results when it comes to IT systems? I've seen plenty of vulnerability test reports that over-egg benign issues into something far more serious than they really are.

I'll be interested to see where this story goes.


I had the privilege last week to hear an excellent presentation given by Bob Burls on the subject of Botnets. Bob presents an eye opening view over the power and complexity behind the botnet networks, and the damage they can do.

The manner in which botnets have evolved, making them both resilient and persistent, is worrying enough. The ease with which they can be created and controlled is terrifying. User-friendly interfaces provide point-and-click functionality to create and launch new attacks, with the ability to propagate across the world in seconds.

What really stood out though was the satisfaction that comes from digging into the networks, tracing those controlling them and bringing them to justice. Great work if you ask me, and I reckon that anybody thinking of getting into the botnet game should think twice knowing that the likes of Detective Constable Burls are after them.

Web access policy and dictators

There are a few things that annoy me: impoliteness, petty bureaucracy, Chris Moyles, BT customer "service", the price of cinema popcorn, the smell of fast food on public transport, drivers who can't stay in lane when they go round a roundabout (Hey, Mrs Blue Audi driver on the A316. See those white lines on the road? Yes, they indicate a concept known as "lanes"), amongst others.

I also get annoyed by little dictators in IT departments who think it's within their remit to decide what the Internet usage policies should be within an organisation. Come off your high horse folks. Let the HR and company management team decide what is and what isn't permitted and acceptable employee behaviour.

The policy at my organisation is simple: anything identified by WebSense as being a potential security threat (i.e. contains malware or malicious content such as hacking tools) is blocked. Everything else is open or closed depending on whether the HR director agreed to allow it, based on a combination of common decency, local laws, and common sense. Requests to open up access to specific sites - that might have been miscategorised or sit within blocked categories - go to either a security manager if they fall under a security category, or an HR manager for approval. It's not a perfect process but it beats having the IT manager deciding based on whether or not he thinks an individual should have access.

There is an ever growing grey area as more consumer sites become adopted for business use. These come to me for assessment and there are a set of "good enough" control measures in place based on the risk profile of the work being done. Never say no, put a price on yes!

Risk assessment and the Nu M8 Child Tracker

A few weeks ago I allowed my 7 year old daughter to walk the last 400 yards from the bottom of the road to the school gate by herself. Off she trotted, full of her own independence, and away she went. About half an hour later the school headmistress called me: "did you know that your daughter arrived at school by herself today?" You'd have thought some crime had been committed, or that I'd been negligent in my care. The expectation is that all children will be accompanied to the school and into the grounds by a parent. When I broached this subject at a friend's party recently and expressed my view that most of the kids at the school are more than capable of walking the half a mile or so without needing to cling to a parent like a monkey with velcro arms, one mother of two particularly obnoxious offspring stated "well I'd be too worried to let mine go by themselves." So, it's no surprise that products such as the Nu M8 digital watch with child tracker are now on the market.

I really don't see why anyone would want to buy one. If my kids are outside playing then I can usually hear them and if I can't hear them my general attitude is "phew, some peace and quiet at last." Either I'm unaware and ignorant of the fact that kids are being regularly picked off the streets, or perhaps I'm just old fashioned enough to remember that kids like to explore and enjoy some carefree freedom rather than being shackled to the house under constant supervision just in case they graze a knee and need hospital treatment.

Statistically, children are at more risk inside their own homes than out of it, from everything ranging from domestic violence to electric shocks. However, the hype that the press has put on the apparently ever increasing risk of child abduction (59 cases in 2002/2003 - see here) means that people do a quick risk assessment in their head where the formula used is something like risk = number of Daily Mail articles multiplied by mentions on GMTV. If result is a number greater than number of fingers on one hand then action equals throw protective blanket around child.

It's this same principle that causes people to panic about getting on an aeroplane at the same time as they happily swerve from lane to lane at 90mph on the motorway. It's also the reason why businesses have failed in the past to deal adequately with information security: hire an IT guy, call him the security dude, give him a firewall and a know-it-all attitude, and Bob's your uncle: tick the box, we're protected. It's no different from buying a Nu M8 - you get the same soft, warm, squidgy feeling of security without having done anything to address the real risks. The system will break down the first time the child goes to cross a road and gets run over because these days nobody teaches them the Green Cross Code anymore.

For information security, we do the brain surgery but, as somebody recently said, end up dying from the common cold. Example: a nicely developed and well coded online CRM system that I recently saw. No obvious hacks, hosted on a decent infrastructure with firewall, IPS, and anti-malware. Even a good hacker would struggle to get in through the code and steal the data. Except that everyone with access to the system was, for ease of use and administration purposes, using the same, very simple, username and password combination.
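Shared credentials of the kind described above leave a signature in the application's own authentication log: one account authenticating from far more places than a single person would. This added example (not the author's, and the login record format and values are invented for it) flags accounts seen from more than a handful of distinct source addresses within a sliding 24-hour window, which is the check a security manager could run against a system like that CRM before anyone has to argue about policy.

```python
"""Spot a credential that is being shared: one account, many source addresses.

Added example: detection logic run over constructed application login
records (format and values invented for the example). An account that
authenticates successfully from more distinct addresses than a single
person plausibly uses within the window is reported.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed record format: "<ISO timestamp> login user=<u> src=<ip> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_logins(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, user, source) for each successful login; skip failures and noise."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("result") == "ok":
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("src")


def shared_accounts(lines: Iterable[str], window: timedelta = timedelta(hours=24),
                    max_sources: int = 3) -> Dict[str, List[str]]:
    """Return {user: sorted sources} for accounts used from more than
    `max_sources` distinct addresses inside any sliding window of length `window`.
    """
    per_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, src in sorted(parse_logins(lines)):
        per_user[user].append((ts, src))

    flagged: Dict[str, List[str]] = {}
    for user, events in per_user.items():
        best: set = set()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until it spans at most `window`.
            while ts - events[start][0] > window:
                start += 1
            sources = {src for _, src in events[start:end + 1]}
            if len(sources) > len(best):
                best = sources
        if len(best) > max_sources:
            flagged[user] = sorted(best)
    return flagged


# Constructed login records (not a real capture).
SAMPLE_LOG = """\
2009-03-10T08:02:11 login user=crm_admin src=10.1.4.21 result=ok
2009-03-10T08:15:40 login user=crm_admin src=10.1.4.37 result=ok
2009-03-10T09:01:05 login user=alice src=10.1.7.12 result=ok
2009-03-10T09:30:19 login user=crm_admin src=192.168.20.8 result=ok
2009-03-10T11:44:52 login user=crm_admin src=10.1.4.99 result=ok
2009-03-10T13:10:00 login user=bob src=10.1.7.30 result=fail
2009-03-10T13:10:31 login user=bob src=10.1.7.30 result=ok
2009-03-10T16:22:08 login user=alice src=172.16.3.5 result=ok
2009-03-11T07:58:44 login user=crm_admin src=10.1.4.21 result=ok
""".splitlines()

if __name__ == "__main__":
    for user, sources in shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: {len(sources)} distinct sources in 24h -> {sources}")
```

The threshold is deliberately a parameter: an account used from an office desktop, a laptop and a VPN address is normal, while one used from a dozen addresses in a day is the shared login the post describes. Failed attempts are excluded so that guessing noise against an account does not inflate its source count.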

Anyway, must go and make up the kids' school packed lunches for the day: remember, nothing with nuts just in case there's somebody with an allergy in the school, no sweets in case they get fat, but the crappy fake chemical cheese snacks that come in a plastic pot with some sticks of wood included for dipping are fine...

Malware hits London hospitals

It's interesting to speculate how three separate hospital computer systems have managed to simultaneously fall victim to malware. Given that the rest of us have not fallen victim to anything new today, and that other hospitals appear to still be functioning, it looks like a highly targeted attack. The Register reports that it might be a case of the Mytob worm; however, I'm dubious: Mytob is nuisance malware rather than disruptive, its signature is well known, and I doubt it would result in the networks of three hospitals being so thoroughly disrupted. If it were a new variant evading the anti-malware protection, then we'd all be seeing it.

Rambling on about risk assessment

I was reading with interest a two-part blog posting from Chris Hayes on his Risktical Ramblings site. It's a detailed and thorough run through of a risk assessment process. I actually think it's very instructive, and those of you who want to learn about how many information security professionals approach assessing risk should read through it. That's not supposed to be complimentary. Sorry.

The problem is that it's completely impractical. I'll take a recent, and fairly typical situation as an example. I was taking issue with the manner in which remote access was being provisioned for a third party vendor to connect to a system hosted by one of our European business units. To cut a long story short, it was not only a breach of policy but highly insecure. I wanted the access to be disconnected, the business unit director wanted my risk assessment. And he didn't want to wait for it.

To quote Chris Hayes, spending time on working out the expected effectiveness of controls, over a given timeframe, as measured against a baseline level of force was not going to pacify an angry Italian fearful that my decision was going to cost him money. He wanted my explanation of the risk and more importantly, what I was going to offer as a solution to keep his business functioning.

Information security risk assessment does not require detailed and scientific analysis. This is not rocket science, it's business. If you have a problem then you need to be able to explain the reasons why in a language that even somebody in the marketing department can understand. Risk models have their place, it's useful to understand the components that create risk but most of what I read that's aimed at the information security market is less than useless for working with on a daily basis.

When I need to document a risk assessment I use a very simple form: list the threats, state the level of vulnerability, list the associated operational costs and potential revenue hits. High, medium, or low risk? Describe the controls and options. Write up who needs to do what, and how much of their time it's going to take. Job done.