Welcome to NBlog, the NoticeBored blog

Bright and shiny information security things that catch my beady eye

Monday, May 21, 2012

Code talkers

The death of a Navajo Indian veteran reminds us of the role played by the Navajo "code talkers" in WWII.  Their obscure language, coupled with the use of codes, provided sufficiently secure communications on the battlefield.  

Regards,

Tuesday, May 08, 2012

Another email scam

An email appeared out of nowhere in my inbox today with no message content, just a very long subject line and a dodgy attachment.

The subject reads: "This mail was intended to you only because your surname seems similar to my late client. A client in our Bank died Five Years ago leaving behind Capital amount {US$17.5M}Read the attached copy and get back to me.Thanks Spencer Clayton".

It's hard to believe anyone would still fall for such a lame attempt at social engineering, but I guess there's a sucker born every minute.  

Regards,

Monday, May 07, 2012

The value of awareness

This year's UK information security breaches survey is, as always, a useful source of statistics concerning how real-world organizations are dealing with information security.  It is also, as always, a depressing read for those of us promoting good security practices, particularly (in my case) ISO27k and human factors.

So, 44% of organizations gave additional staff training after their worst breach - presumably they realized that their existing training (and awareness?) activities were lacking.  But what of the other 56%: they either thought their training (and awareness?) was OK (wishful thinking?), or it didn't even occur to them that they might need reinforcement.

26% of organizations "believe" their staff have a very good understanding of their security policy.  Bravo!  However, I can't help but wonder how many of those actually have data to support their belief.  How many of them have the metrics to know?  And what of the remaining 74% of organizations who acknowledge that their staff don't have a very good understanding of their policy: does that mean the policy is opaque, or tucked away in some intranet backwater perhaps?

That three quarters of the organizations with a poorly-understood policy had staff-related breaches implies a strong correlation, although it is not necessarily cause-and-effect.  As well as being promoted in standards such as ISO27k, most infosec professionals would agree that policy is an important security mechanism, for several reasons (e.g. it clarifies the rules for employees, confirms management's overt support for security, and is a litmus test for organizations taking security seriously).  I doubt anyone would seriously claim that having a well-written, readily-understood security policy would make security worse.

Finally, I am dismayed, though not at all surprised, to find that more than half of small businesses don't have any security awareness programme.  I suspect many small businesses don't have IT or HR or Finance specialists, in fact some don't even have experienced, qualified, professional managers as such: they make do with common sense, passion for their core business, and occasionally take advice/assistance from third party professionals such as accountants, lawyers and IT support companies, many of whom are also small businesses.  There are certainly control and governance benefits in being small - information security may not (appear to) be quite the issue that it is for larger organizations since the owner can keep a beady eye on things.  I suspect information security risks and opportunities materially differ in different sized organizations, and it is entirely possible that other considerations such as establishing and maintaining their brands, or securing adequate cash flows eclipse most information security risks although, arguably, brands and cash flows are themselves information-security-related.

Anyway, those are just four of many thought-provoking statistics in the report.  I will be poring over the numbers, gleaning whatever I can and no doubt using some of the key findings in our security awareness materials over forthcoming months.  We've just reduced our minimum annual subscription to below $3,000 in order to appeal to more small businesses: compared to the risks of not having an effective security awareness program, and the costs and difficulties of creating an awareness program in-house, we think that's a sound investment, but naturally we are biased.  What do you think?

Regards,

Wednesday, May 02, 2012

Cryptohistory

Information security took great strides forward during WWII, particularly in the field of cryptography and cryptanalysis.  With help from their allies (particularly the Poles), the boffins at Bletchley Park were able to piece together details of many of the encryption schemes used by the Axis forces and succeeded in breaking some of them, thanks in part to inventing computers to crack crypto keys.
 
Regards,

Trusting Bruce Schneier

Yesterday I was in Wellington to see Bruce Schneier speak about his latest book, Liars and Outliers.  For about an hour, he discussed the concepts covered in the book:
  • Security exists to enable us to trust each other (both individually and institutionally), where 'trust' is a complex issue
  • In addition to morals, reputation and legal controls, security gives society some control over those who behave selfishly, furthering their own personal interests rather than those of society as a whole, and thereby helps to stabilise those societies
  • Real life is far more complex than this implies - for instance, individuals belong and have allegiance to multiple overlapping "societies" e.g. family, groups of friends and colleagues, organizations, nations, cultures and professions
It will be interesting to read whether the book discusses the fragility of many human societies, for instance the looting that commonly occurs when civil disobedience leads to rioting.  Many of us are evidently prepared to break the rules of society and act in our own interest when the opportunities arise.

As usual, I will publish a review with further comments and impressions once I've actually read the book. [I trust that it will be worth reading.]

Meanwhile, thanks to Bruce for coming all the way to NZ to speak to us.

Regards,

Historical security awareness module
We sometimes mention historical incidents in the NoticeBored materials but this is the first time we have gone into any depth on the history of information security.  May’s brand new awareness module plucks interesting stories and anecdotes from the annals of history to set people thinking, drawing out the information security aspects that remain relevant today.
Our timeline stretches from pre-history to the future.  Novel security technologies and techniques developed in wartime include both offensive weapons and defensive measures.  The use of information as a weapon is a theme throughout history, hence information security is far older than any of us.

This is not a history lesson as such - we have been very selective about the issues we have covered, with the aim of finding items of interest and relevance to employees in general, management and techies.
We prepared the NoticeBored awareness materials to satisfy the following learning objectives:
  • Inform employees generally about the history of security, entertaining them and sparking their interest through a potted selection of security-relevant incidents and anecdotes spanning the millennia from evolutionary pre-history to science fiction;
  • Point out that many well-known ancient threats, attack methods and techniques are still around, while others re-emerge from time to time;
  • Prompt employees to consider the relevance of information to battles and wars, and hence the value of protecting and exploiting information in business and other contexts;
  • Identify historical controls, technologies and techniques that remain valuable in securing today’s information and other assets;
  • Act as a platform, the creative basis on which you can customize, adapt and enhance the materials to suit your own security awareness purposes without having to start from scratch.

Regards,

Thursday, April 05, 2012

Office printer hacks and security

An infosec blogger describes the fun he had using nmap to analyze typical office printers (that's an excellent Google translation of the Spanish original). 

Most printers have web configuration interfaces on the network and, thanks to having no passwords or (well known) default passwords, hackers can play pranks such as printing junk, resetting the admin password or changing the printer's IP address (e.g. deliberately conflicting with another device on the network).

All pretty juvenile really, little more than geek vandalism, but I guess printing directly to the device might conceivably be of concern if the printer is loaded with check blanks and relies on security on the print server to prevent anyone who feels like writing themselves a big fat check simply doing it.  Given that they would need access to the printer's network, knowledge of the print formatting necessary to put all those zeroes in the right place, some way of slipping past the business process controls normally associated with company checks and, of course, a safe way to cash-out, the probability is quite low, even if the financial impact could be serious.


Something else caught my beady eye though.  Tucked away in the blog is the throwaway line "In the case of Ricoh printers, which have a Document Server, we can see some documents stored (as images) on the printer itself."  Now that could be more serious.  Want to see what the boss - or head of HR - has been printing lately?  Curious to find out what has been sent or received by FAX on the office multifunction device?  Keen to read whatever has been submitted to the Secret printer in the secure corner office?  Mmmm, that could be a more significant risk.

For a more detailed look at printer hacks, see this piece by Adrian "Irongeek" Crenshaw or read this provocative 2002 paper by Ltlw0lf which reminds me that anyone with physical access to a printer and sufficient technical nous (say, a printer maintenance engineer, or a social engineer pretending to be one - perhaps turning up to fix a printer that says it needs maintenance as a result of him hacking the message on its little display panel) may be able to pull/swap its hard drive and analyze the data at his leisure.  Using a compromised network printer as a launch point for further hacks, and a fairly safe place to store purloined data, is a possibility.  Again, the risks are probably low enough to be insignificant compared to many others for most of us, but there are situations where they may be of concern.


As to what we can do to secure our network printers, the articles are rather light on practical advice.  We should physically secure the printer and implement suitable policies and procedures against social engineering attacks (accompanied by effective security awareness, naturally!).  Changing the admin password seems like A Jolly Good Idea, and of course firewall the network, if not the printer itself.  "Monitor the network like a hawk" is great advice for any organization that has a surfeit of diligent network security analysts with boundless time on their hands.  Other than that, we're largely in the hands of the printer manufacturers and their software engineers.
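One way to "monitor the network like a hawk" without a roomful of analysts is to alert only on print traffic that bypasses the print server (the very control the check-printing scenario above relies on) or that reaches a printer's web admin interface from an unexpected host. The following Python is an added example, not code from the original post or the articles it cites; the printer inventory, print-server address, admin subnet and the iptables-style firewall log lines are all constructed.

```python
# Added example (not from the original post): flag printer traffic that skips
# the print server or reaches a printer's web admin UI from an unexpected host.
import re
from collections import defaultdict

# Assumed inventory: network printers and the one approved print server.
PRINTERS = {"10.0.5.20": "finance-ricoh", "10.0.5.21": "hr-mfp"}
PRINT_SERVER = "10.0.1.10"
# Subnet prefixes from which printer administration is expected (assumed).
ADMIN_NETS = ("10.0.1.",)
# Ports worth watching: raw/JetDirect, LPD and IPP printing plus the web UI.
WATCHED_PORTS = {9100: "raw-print", 515: "lpd", 631: "ipp",
                 80: "web-admin", 443: "web-admin"}

# Matches the SRC/DST/DPT fields of an iptables-style log line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?DPT=(?P<dpt>\d+)")


def analyze(log_lines):
    """Return sorted (source, printer name, service, hit count) findings."""
    counts = defaultdict(int)
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record we understand
        src, dst, dpt = m["src"], m["dst"], int(m["dpt"])
        if dst not in PRINTERS or dpt not in WATCHED_PORTS:
            continue  # not a printer, or not a port we care about
        service = WATCHED_PORTS[dpt]
        if service == "web-admin" and src.startswith(ADMIN_NETS):
            continue  # administration from the expected subnet
        if service != "web-admin" and src == PRINT_SERVER:
            continue  # normal path: the job came through the print server
        counts[(src, PRINTERS[dst], service)] += 1
    return [(s, p, svc, n) for (s, p, svc), n in sorted(counts.items())]


# Constructed sample log: one legitimate job, a workstation printing directly
# to the finance printer twice, and the same host poking at the HR MFP's web UI.
SAMPLE_LOG = [
    "Apr  5 09:12:01 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.1.10 DST=10.0.5.20 PROTO=TCP SPT=51234 DPT=9100",
    "Apr  5 09:13:40 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.7.44 DST=10.0.5.20 PROTO=TCP SPT=40211 DPT=9100",
    "Apr  5 09:13:42 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.7.44 DST=10.0.5.20 PROTO=TCP SPT=40212 DPT=9100",
    "Apr  5 09:15:03 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.7.44 DST=10.0.5.21 PROTO=TCP SPT=40300 DPT=80",
    "Apr  5 09:16:10 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.1.5 DST=10.0.5.21 PROTO=TCP SPT=33001 DPT=443",
    "Apr  5 09:17:00 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.7.44 DST=10.0.9.9 PROTO=TCP SPT=40400 DPT=9100",
]

if __name__ == "__main__":
    for src, printer, service, hits in analyze(SAMPLE_LOG):
        print(f"{src} -> {printer} ({service}) x{hits}: bypasses print server/admin policy")
```

Feeding real firewall or NetFlow records through the same check turns the "who is printing straight to the check printer?" question into a short daily report rather than a full-time job.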


By the way, if security patching your printers seems like a good move, consider that the very same software update mechanism might itself represent a vulnerability.  Rock, meet hard place.

Regards,
Gary (Gary@isect.com)

Saturday, March 31, 2012

Know your enemy

Paraphrasing the key conclusions of Organised Crime in the Digital Age, a study into digital crimes by BAE Systems Detica and the John Grieve Centre for Policing and Community Safety:
  • Digital crimes are superseding drug crimes.
  • 80% of digital crime is conducted by organised groups rather than lone criminals.
  • Group structures vary (clustered, hierarchical etc).
  • Two thirds of organized digital criminals are over 25.
  • The median size of groups is 6 members, while one quarter are 11+.  However, even small groups can inflict significant damage.
  • A quarter of active groups are new (in operation less than 6 months).
  • Traditional criminals are increasingly using digital tools/techniques.
There are implications for governments and the police, naturally, but also perhaps for the potential targets/victims of organised e-crimes and those whose services are being used by them - particularly social media and financial services.  However, it's far from obvious (from the summary report anyway) how to respond.

Regards,
Gary (Gary@isect.com)

Friday, March 30, 2012

Office security awareness

Offices are where most knowledge workers do our thing – it’s where we hang out, creating our stuff, pushing papers, processing information.  We mostly take our space for granted but have a quick look around at your own workspace.  Is your cubicle a paragon of security?  Everything neat and tidy, all sensitive information safely locked away while not actually in use?  Or is it more like mine - a mess, a dumping ground for all manner of paperwork, computer equipment and media?  Do you eat lunch “al desko”, dropping crumbs in the keyboard?  How many times have you spilt coffee and gummed-up your mouse?  Or is it just me?

Rather than inhabiting the rat-run that is the average corporate office block, maybe you are one of the growing band of road-warriors and home workers.  Your office may be a spare room, an Internet café or airport departure lounge, or a laptop and cell phone in a car, hotel room or rent-by-the-hour serviced office space.  

Perhaps you are a nurse or a factory worker, using a shared workstation tucked away in a corner somewhere.  The location and type of office does of course affect the nature and significance of the security risks, but through the NoticeBored office security awareness materials this month we emphasize the common factors and generic security controls that apply to most.


Regards,
Gary (Gary@isect.com)

Wednesday, March 21, 2012

Business continuity example

Here's a neat illustration of the different elements or phases of business continuity management in action.

When the standby generators failed during a power cut, surgeons in a Canadian hospital completed an operation by flashlight, M*A*S*H-style.

The power grid is designed for, and in fact generally achieves extremely high levels of, resilience.  As a whole, it is a well-engineered high availability system and a massive investment for Canada.

The first standby generator is a recovery mechanism for the hospital.  It takes over when the grid fails.

The second standby generator is a further recovery mechanism.  It's not entirely clear from the article whether the second generator is run in parallel with the first, sharing the load, or a full-capacity system available as a backup if the first fails.

The flashlights located around the hospital, along with the willingness of employees to remain focused on getting the job done and do whatever it took, despite the adverse circumstances, are contingency arrangements.  They demonstrated resourcefulness in the absence of resources.

Sure, they need to look at the generator failures (reportedly they overheated, which implies either inadequate cooling or more likely overloading - a common problem in this IT-enabled age) but the contingency arrangements saved the day.  The article doesn't specifically mention UPSs which are another resilience option to maintain critical electrical supplies such as life support systems, along with battery-powered emergency lighting, but I suspect that's just the journalist's oversight.  The UPSs would need to be generator-backed in any case to cope with extended grid failures, so the genny failures would have been a problem anyway.

Regards,
Gary (Gary@isect.com)