Welcome to NBlog, the NoticeBored blog

Bright and shiny information security things that catch my beady eye

Jun 29, 2012

Security and privacy compliance awareness

July's security awareness module on compliance and enforcement



Especially if you work in a heavily-regulated industry, you may not be the least bit surprised to discover that our latest awareness module on security compliance is weighty. Admittedly the high-res poster graphics account for much of its 100Mb but the annotated seminar presentations, briefing papers, mind maps and so forth ended up bigger than normal, even without going into detail on specific compliance requirements or resorting to the convoluted and archaic language heretofore favored by the legal profession.

So what makes compliance such a bulky awareness topic?

Part of the reason is of course that compliance obligations are many and varied. As a taster of the content in the module, here are 10 types of information security and privacy-related laws and regulations, taken from a list of 20 in one of the general employee awareness papers:

  1. IT and corporate governance - directors’ responsibilities to society and owners 
  2. Integrity, availability, accurate and complete reporting of financial data (mainly) 
  3. Copyright, patents, trademarks and designs, laying down Intellectual Property Rights (IPR) 
  4. Reporting and notification of those affected by information security incidents/breaches 
  5. Disclosure of information by public bodies or in the public interest (Freedom Of Information) 
  6. Information security and privacy standards recommending good practices 
  7. Distance selling and tax laws (e.g. running businesses on eBay) 
  8. Restrictions on the import/export and use of strong cryptography (e.g. in France and Israel) 
  9. Contracts, agreements and warranties (e.g. the validity of electronic signatures) 
  10. Internet Service Providers, IP addresses, domain names (industry regulations). 

Since our customers are doing business all over the globe, we touched on the complexities of having to comply with laws and regs in the international context, again without going into specifics. Issues such as jurisdiction and the differing rules of evidence make this a significant challenge but there is an important rider to all our awareness content: we are not dispensing legal advice! We've done our level best to keep it generic, readable and most of all interesting and engaging.

We deliberately interpreted our scope widely, going beyond security/privacy laws and regs to discuss compliance with corporate security policies for instance. This gave us an opportunity to raise the ethical and cultural aspects of compliance - again, just a light touch to prompt managers and staff to think things through for themselves, perhaps reminding them of previous awareness materials on those topics. [One of the advantages of our monthly cycle is that we don't have to go into depth on everything right now: we can refer back to stuff we've raised before, and we will pick up various loose ends in future months, giving continuity and consistency over the course of the awareness campaign that more conventional approaches lack.] 

Security/privacy clauses in commercial contracts get a mention too, and with good reason: they are often quietly slipped in there by the legal and procurement people only to be forgotten ... until a security or privacy incident blows up and all of a sudden they pop out of the woodwork. One of the case studies picks up on exactly that issue, hopefully prompting the class to think about what perhaps ought to be done in the way of security compliance during the life of the contract, as part of routine relationship management.

It was tempting to bleat on about penalties and enforcement actions but aside from the odd mention (oh, and that poster image!) we consciously chose not to flog that particular horse. Enforcement is such a downer that we preferred instead to focus on the advantages of voluntary compliance, particularly the value of adopting good practice security standards and frameworks such as ISO27k and COBIT - a far more positive and upbeat awareness message, don't you think?

Regards,

PS  Do get in touch if your awareness program needs a bit of a boost on compliance, or 39 other information security and privacy topics ...  

Jun 15, 2012

Rogue insiders

The kind of insider incidents pulled by Nick Leeson at Barings Bank and Jerome Kerviel at Societe Generale demonstrate how much risk is associated with those in such powerful positions.  Both guys successfully bypassed sophisticated controls designed to limit their ability to take risky trading positions without proper authority, eventually causing eye-watering losses that nearly tipped over the global financial system's house of cards.  

Big risk-related questions remain about this type of massive internal threat: 

  • How many more rogue traders are still out there, doing much the same thing today?  
  • Is it even sensible, let alone possible, to draw the line between legitimate and illegitimate activities?  Given that, how can the really dangerous rogues (*) be distinguished from star performers?
  • How many people in other such powerful positions are rogues (*) working for themselves rather than their employers, ethically dubious if not outright fraudsters? 
  • Which controls can truly be relied upon?
  • Where are the control gaps and vulnerabilities and which controls are needed?

I certainly don't have all the answers but I do know that multi-level security awareness is part of the solution. The corporate snitchline, for instance, is a powerful control that only works if a number of conditions are met, most importantly that people are aware that they have responsibilities to themselves, their employer and to society to report suspicious and inappropriate activities.

Regards,

* "Rogue" is not the right word really.  It glamorizes fraud.  It has connotations of the cheeky chappy, the wide-boy, someone who is a bit of a trickster but is lovable and has a heart of gold.  In reality, their hearts aren't gold but their safety deposit boxes probably contain some.

Jun 11, 2012

NZ Cybersecurity Awareness week - woo hoo

The following sentence is quoted directly from the top of the first awareness leaflet I downloaded from the new website associated with a public information security awareness campaign, running in New Zealand this week:
"NetSafe has heard from hundreds of people who have has their account broken into because their passwords where weak - meaning they where easily acccessed by hackers." [sic]
Aside from the evident lack of competent proofreading, other concerns regarding the free security advice they are offering hardly inspire confidence in the campaign.  For example, the same leaflet continues:
"PASSWORDS SHOULD BE:
STRONG:
Made up of a mix of 15 letters, characters and symbols. 
An example would be: Th1sI5a5tr0ngP@ssw0rd!"
Maybe the leaflet's author is not aware that:
  • Th1sI5a5tr0ngP@ssw0rd! is not 15 characters but 22 (it should have advised "at least 15 characters", or simply said "the longer the better").
  • Rather than "letters, characters and symbols" the author presumably meant "letters, numbers and punctuation".
  • Pass phrases in most modern systems can include spaces, so normal sentences, with conventional capitalization and punctuation, are OK.  The short phrase "This is a strong password!", for instance, is 28 characters including the quotes, making it stronger than the convoluted example, and much easier to recall and type accurately.  [The convenient password tester at Rumkin.com tells us the leaflet's example password has 112 bits of entropy, whereas mine has 132 bits, and still has 122 bits even without the quotes.  I rest my case m'lud.]
  • Complete lines from favourite songs, poems, books, quotations or sayings make long, memorable passphrases, and better still suggest an obvious family of distinct passwords for different sites or when changing passwords (I won't lay into the dubious, outdated advice later in the same leaflet to change passwords every 90 days, at least not right now). 
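To make the length-versus-complexity point concrete, here is an added Python example (not from the post, nor from NetSafe or Rumkin.com) that computes a naive alphabet-based entropy estimate for the leaflet's password and the passphrase. It assumes a uniform draw from the character classes present, so it does not reproduce Rumkin's figures, and its "leaflet rule" check assumes the "at least 15 characters" reading suggested above.

```python
"""Naive charset-based password strength estimate (added example, not the
Rumkin.com algorithm quoted in the post). Assumes each character is drawn
uniformly from the union of the character classes that appear in the password."""
import math
import string

# Character classes; space is counted among the 33 printable symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

def classes_present(pw: str) -> set:
    """Names of the character classes that occur at least once in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def charset_size(pw: str) -> int:
    """Alphabet size an attacker must assume, given the classes that appear."""
    return sum(len(CLASSES[name]) for name in classes_present(pw))

def naive_entropy_bits(pw: str) -> float:
    """log2(alphabet ** length): an upper bound that ignores dictionary structure."""
    return len(pw) * math.log2(charset_size(pw))

def meets_leaflet_rule(pw: str) -> bool:
    """The rule the leaflet seems to intend (assumed reading): at least 15
    characters, with letters, digits and symbols all present."""
    present = classes_present(pw)
    return (len(pw) >= 15 and {"digit", "symbol"} <= present
            and bool(present & {"lower", "upper"}))

def compare(candidates):
    """Rank (label, password) pairs by naive entropy, strongest first."""
    rows = [{"label": label, "length": len(pw), "alphabet": charset_size(pw),
             "bits": round(naive_entropy_bits(pw), 1)} for label, pw in candidates]
    return sorted(rows, key=lambda r: r["bits"], reverse=True)

# The leaflet's example and the post's passphrase, with and without quotes.
LEAFLET = "Th1sI5a5tr0ngP@ssw0rd!"
PHRASE_QUOTED = '"This is a strong password!"'
PHRASE = "This is a strong password!"

if __name__ == "__main__":
    for r in compare([("leaflet", LEAFLET), ("phrase+quotes", PHRASE_QUOTED),
                      ("phrase", PHRASE)]):
        print(f"{r['label']:>14}  len={r['length']:2}  alphabet={r['alphabet']:3}"
              f"  ~{r['bits']} bits  leaflet rule: {meets_leaflet_rule(r['label'])}")
```

Even under this crude measure the plain passphrase outscores the leaflet's example with or without the quotes, and it fails the leaflet's own "mix of numbers and symbols" rule only because that rule rewards the wrong thing.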

In summary, the leaflet is badly written, somewhat inaccurate and misleading, and doesn't bode well for the rest of the campaign.

Arguing that it is "better than nothing" is lame because they are missing a golden opportunity to give helpful information security advice to naive Kiwis, and no doubt spending my tax dollars to do it.

Regards,

PS  Aside from ourselves (we weren't invited), notably absent from the list of corporate sponsors are the banks, and I can't say I blame them, despite their obvious reliance on customers to avoid phishing, malware and other nasties, most of which ultimately cost the banks $$$.  Westpac's plain-speaking information security advice to its customers, for instance, would knock spots off the stuff in this campaign.

PPS  Please stop using "cyber" as a prefix.  It reminds me of the terrifying cybermen from the iconic BBC series Doctor Who that I used to watch from behind the settee as a kid some 30-odd years ago.  Security should be friendly, positive and welcoming, not scary and outdated.  Computer security, IT security, network security, Internet security or information security are perfectly adequate and understandable terms without the connotations.

PPPS  Many other countries have run public security/privacy awareness campaigns, a few quite successfully over several years.  I wonder if it even occurred to NetSafe to find out about them and apply the lessons from abroad, or was it "not invented here"?  


PPPPS (June 18)  A classic spot-it-a-mile-off 419 scam story that led to a Christchurch man losing about $20k in advance fees for a nonexistent $600k prize from Ghana is yet another reminder of the importance of security awareness for Kiwis.  Who knows: maybe the penny finally dropped for him when he saw the NetSafe campaign?

Jun 9, 2012

The California State Office of Information Security and Privacy Protection publishes a fair range of awareness materials of interest to State agencies and others.  Their 4-page Hostile Takeover paper gives a decent outline of multiple controls against insider threats, including the need to cater for such incidents in incident response procedures.  Good point!

As with other forms of contingency planning, there are two common ways of preparing incident response procedures:

  1. Create a detailed manual explaining how to respond to a range of types of incident.  This is costly and tedious for the documentation team, since such detailed manuals are usually voluminous and complex to maintain.  Keeping the manual updated, and ensuring that responders are adequately trained and aware of the latest procedures is an ongoing requirement.  On the other hand, it is easier for responders to grab a manual, look up the type of incident, and follow the instructions - rather like a pilot might consult his flight manual to deal with unusual situations when flying.  
  2. Create a simpler generic incident response process and multi-skilled team that can deal with practically anything that occurs.  Train the team, emphasizing flexibility and thinking-on-your-feet.  There is less documentation to prepare, agree and maintain, but a lot more depends on the skills and capabilities of the particular responders, hence responses to similar incidents are more likely to vary.  

Approach 1 can run into trouble if the particular incident that unfolds is not covered by one of the scenarios in the manual, or (just as bad) is covered by several, e.g. an insider attack involving malware and fraud might be covered by three response plans.  Approach 2 can lead to confusion and errors in the process, particularly if different people are working on the same incident simultaneously, but separately.

A third way involves a combination, i.e. a less-detailed manual covering a suite of common scenarios, with the responders being trained and skilled to cope with more complex situations on the fly. 

If your organization takes a different approach, I'd be fascinated to hear about it, and to find out how it works in practice.  Please comment on this posting, or email me.

Regards,

Jun 8, 2012

Employer = Insidious insider?

A recent privacy case in New Zealand raises ethical and legal concerns in relation to whether an employer can legitimately snoop on its employees using keyloggers etc. on corporate IT equipment.  Although I have absolutely no knowledge of this case other than that one newspaper report (which may be accurate but is certainly not complete), and I am definitely not a lawyer, forgive me if I consider the privacy, ethics and insider threat aspects that this kind of situation raises in more general terms.

From the employer's perspective, the IT equipment and network are its property, and of course it is likely that employees are using it during normal work hours when they are expected to be working for the employer.  The employer would probably claim ownership of the information on its systems and network, hence using a keylogger to grab a password on an office PC and then rifling through the employee's emails could be deemed legitimate, particularly in a situation in which the employee is being investigated for some reason (i.e. the snooping was justified and legal because there was already probable cause to suspect serious wrongdoing, particularly some illegal act).  The employer can potentially access the emails on its systems even without the employees' passwords, although the most direct way of gaining access (changing a user's password) would probably tip off the employee that they were being investigated.   

From the employees' perspective, the content of emails, web sessions and phone calls at work inevitably include private matters that are of no direct concern to the employer.  We all have a reasonable expectation of privacy, even while physically at work during working hours - in exactly the same way that society agrees that it is inappropriate to site CCTV surveillance in toilets, even if there are genuine security concerns.  In such situations, privacy trumps security.  We retain the right to control intimate knowledge of ourselves, forcing others to respect our dignity. 

Ethically, most reasonable people would agree that practices such as keylogging, secretive CCTV or telephone monitoring and bugging are distinctly dubious, rather devious if not wholly unacceptable, since they pry into areas that are considered private and personal.  Information is unlikely to be admissible in court unless it has been properly and fairly obtained, for instance under a court order permitting surveillance as a result of prior evidence of illegality.  Without controls of this nature, society would be firmly in the oppressive realm of 1984 and Big Brother.  

The employer evidently argued that its policies allowed it to snoop in this manner since employees had been informed that their use of the IT facilities was being monitored.  Statements to this effect are commonplace, often repeated in several places such as employment contracts, employment manuals or codes of conduct, security policies, system banner notices, and related security awareness and training materials.  The Privacy Commissioner argued that keylogging was not specifically mentioned and went beyond the implied access right in the corporate policy.  Furthermore, the employer had rifled through old emails, going beyond what it needed to check for the particular situation at hand.   

Take-away lessons from the case include: 
  • The importance of having explicit policies and making sure employees are fully aware of them (the courts may reject or react badly to information obtained in ways that would generally be considered sneaky, underhand or otherwise unethical);
  • The need to make sure that employees investigating possible wrongdoing also respect the policies and laws of the land, for example gathering evidence in a legitimate, forensically sound manner, knowing when to stop probing, and respecting the privacy of people whose information they obtain;
  • Be careful - be very careful about what you say, type or do at work, and don't be surprised if your information is captured, reviewed and used against you, outside the original context.

The final bullet could be considered an insider threat for employees: most of us trust our employers as much as they trust us, but we all know that trust is a fragile control.

Regards,

Jun 7, 2012

Army insider threat awareness

Insider threats have always been of concern to the military, so it's no surprise to read a simple awareness piece from Fort Bragg advising soldiers to look out for warning signs such as colleagues "Expressing hatred or intolerance of American society or culture" or "Associating with or expressing loyalty or support for terrorists".

Gary (Gary@isect.com)

419 throwback

I plucked the following random 419 email from my spam box today because it is so obviously a scam:

From: Willis, Joanna
Sent: Wednesday, June 06, 2012 10:09 AM
Subject: "Please see to the receipt of this mail"
We have approved a cash sum of $500,000.00 USD as our personal donation to you this year 2012.Contact us via email for more details.(violetallenXX@yahoo.com)
Goodluck,
Allen and Violet Large
Please you have to delete this message if you ar not willing to carry out
this projet

Without even delving into the email header, there are self-evident clues to its scamminess:

  • Lousy grammar and spelling mistakes;
  • Unsolicited email offer from someone I don't know;
  • Sent to unknown recipients;
  • Clueless subject line;
  • Ridiculous proposition involving an outrageously large sum of cash;
  • Yahoo! email address within the message; 
  • Unilateral demand that I delete the message if I don't want to get involved in "this projet" (which is possibly a clue that the sender was a native French speaker from West Africa, and is certainly a hint that the project probably involves me sending them various fees and duties to get my hands on the promised loot, which of course doesn't exist - a classic Advance Fee Fraud or 419-scam).
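As an added illustration of how several of these clues can be turned into a simple detection rule (example code, not from the post), the following Python scores a raw message against the indicators listed above. The sender address, recipient header, address book and misspelling list are constructed for the example, since the post shows only the sender's display name.

```python
"""Rule-based scoring of a raw email against the 419 clues listed in the post
(added example). Lists below are constructed placeholders, not a real filter."""
import re
from email import message_from_string
from email.utils import parseaddr

FREE_WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com"}
SCAM_MISSPELLINGS = {"goodluck", "projet", " ar ", "recieve"}   # constructed
KNOWN_CONTACTS = {"colleague@example.com"}    # placeholder address book
LARGE_SUM_USD = 100_000                       # "outrageously large sum"

MONEY_RE = re.compile(r"\$\s?([\d,]+)(?:\.\d{2})?")
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")

def _body_text(msg) -> str:
    """Payload of a single-part message, or of its first text/plain part."""
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return parts[0].get_payload() if parts else ""

def score_419(raw: str) -> dict:
    """Return the indicators that fired, their count, and a verdict."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    low = body.lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    hits = []
    if sender not in KNOWN_CONTACTS:                  # unsolicited, unknown sender
        hits.append("unknown_sender")
    to = msg.get("To", "")
    if not to.strip() or "undisclosed" in to.lower():  # sent to unknown recipients
        hits.append("hidden_recipients")
    amounts = [int(m.replace(",", "")) for m in MONEY_RE.findall(body)
               if m.replace(",", "").isdigit()]
    if any(a >= LARGE_SUM_USD for a in amounts):      # ridiculous sum of cash
        hits.append("large_sum")
    for domain in ADDR_RE.findall(body):              # free webmail reply address
        if domain.lower() in FREE_WEBMAIL_DOMAINS and domain.lower() != sender_domain:
            hits.append("free_webmail_reply_address")
            break
    if re.search(r"delete this (message|mail|email)", low):  # unilateral delete demand
        hits.append("delete_demand")
    if any(w in low for w in SCAM_MISSPELLINGS):      # lousy spelling and grammar
        hits.append("spelling_errors")
    verdict = "likely 419" if len(hits) >= 3 else "no strong signal"
    return {"indicators": hits, "score": len(hits), "verdict": verdict}

# The post's email, re-wrapped as a raw message; From/To/Date are constructed.
SAMPLE_419 = """\
From: "Willis, Joanna" <joanna.willis@example.com>
To: undisclosed-recipients:;
Date: Wed, 06 Jun 2012 10:09:00 +0000
Subject: "Please see to the receipt of this mail"

We have approved a cash sum of $500,000.00 USD as our personal donation to you this year 2012.Contact us via email for more details.(violetallenXX@yahoo.com)
Goodluck,
Allen and Violet Large
Please you have to delete this message if you ar not willing to carry out
this projet
"""

SAMPLE_BENIGN = """\
From: colleague@example.com
To: me@example.com
Subject: Lunch on Friday?

Are you free for lunch on Friday at 12:30? Let me know.
"""
```

Running `score_419(SAMPLE_419)` fires six of the indicators, while the benign note fires none; the two clues that still need a human are the clueless subject line and general grammar quality.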

I'm amazed that such crude scams are still doing the rounds after all these years, among others that are significantly more advanced - but then it probably only needs to ensnare one unfortunate, naive and/or greedy victim to earn its keep.  I've seen for myself the poor living conditions in various parts of West Africa and imagine that if it were me living there, I'd do almost anything to escape the abject poverty.  Scamming a few tens, hundreds or thousands of dollars out of 'rich foreigners' is probably regarded as an entrepreneurial enterprise, if not an income stream for the region.

Looking on the bright side, the sender (if not the actual originator) is sufficiently literate to type a version of English on a computer with email and Internet access.  Quite likely, the sender is running a business, selling his "419 generation" service to numerous unfortunate, naive and/or greedy scammers, hence the reason that we see the same old scams coming back around so often.

Regards,

Jun 2, 2012

Cyberwar Trojans - updated again

Are you surprised by the news that the US, in conjunction with Israel, was indeed responsible for attacking Iran's nuclear program using the Stuxnet worm/Trojan?  Reports on Stuxnet and Duqu have previously pointed the finger at the US and Israel as the likely culprits due to the obvious political connotations, so confirmation from the White House is hardly a shock on that score.

What is surprising is that this was officially disclosed, right now.

Possibly the US government had reached the point that its position, its continued denials and silence on this matter, was simply untenable.  Perhaps the impending release of a book about the Stuxnet affair meant that incriminating evidence was about to hit the streets, so releasing it (via the NY Times no less!) was a way for the White House to retain some control over the 'official' version of events.

Or perhaps this is all propaganda - the Stuxnet reports, the book, the official denials and pronouncements, the lot.  Are we being fed the not-exactly-subtle line that the US has a proven, offensive, cyberwar capability, so foreign powers should be quaking in their cyberboots? 

Doubtless a huge amount of work is going on behind the scenes in the US and elsewhere to bolster cyber defenses for Critical National Infrastructures, but realistically what has been achieved so far?  I wonder if confirming Stuxnet may in fact be a calculated move to prompt those responsible for CNI security to up their game substantially.  The specter of retaliatory cyberattacks by Iran or some hostile foreign power should focus the minds of those in charge of CNI security on improving defenses, with the added benefit that they would also be guarding against cyberattacks from other quarters (terrorists, criminals and hacktivists, for example).  And those attacks, frankly, are every bit as credible and likely as all-out cyberwar.

Still one of the most fascinating aspects of the Stuxnet attack was that it involved jumping an air-gap to penetrate the Iranians' internal ICS/SCADA network, which was (supposedly) totally isolated from the big bad Interweb.  Air-gapping networks is an obvious defense mechanism.  According to public reports, Stuxnet jumped over by dint of an infected USB stick with which someone naively bridged the gap.  

An outstanding keynote presentation by Mark Fabro at AusCERT on the forensic analysis of an ICS/SCADA malware infection suggests another possibility - namely that the ICS/SCADA systems may have been pre-infected before they were even delivered and installed.  The air-gap between the Internet and internal networks, even coupled with rigorous controls over anything that might cross the gap, is moot if the internal network is already compromised.  Suddenly, the fuzzy background chatter about possible backdoors in compilers, CPUs and cryptosystems that we've heard for years comes into sharp focus: states with the resources to be designing and producing such high-tech stuff patently have the wherewithal to insert secret backdoors, giving them the power of control over anyone using their trusted kit.  Is this the ultimate Trojan horse, the most insidious of insider threats?

Regards,
Gary (Gary@isect.com)


PS  Given that the recently-discovered Flame malware, dubbed "the most sophisticated cyber weapon yet unleashed", appears to be stealing 'technical information from the Middle East', it doesn't take a rocket surgeon to figure out a possible link to Stuxnet and hence the US Government - though that's mere conjecture of course.  As Kaspersky's blogger put it:
"Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it."
Perhaps the disclosure of Flame was the reason behind those revelations in the NY Times?


PPS (June 9th)  Seems disclosure of the US government's role in Stuxnet is being used for political gain, or at least for media exposure.