Welcome to the SecAware blog

I spy with my beady eye ...

24 Oct 2006

Party party! We've passed the 3,000 mark!

I almost missed it! Earlier this month, I noted that over 2,800 organizations had been certified compliant with ISO 27001 or the equivalent national standards. Well, the number has just crept over the 3,000 mark and seems to be increasing exponentially (I really ought to graph it at some point). It's no secret that I've been an ardent fan of BS 7799 and the standards it has spawned for well over a decade, since before it even became a British Standard. I've been predicting for years that it would take off, rather like the ISO 9000 series quality assurance standards did. Well, we're still on the up-curve but all the signs are positive. I reckon, before too long, we'll start to see organizations compelling their first tier suppliers to confirm their ISO 27001 certifications as a condition of bidding for information security-relevant products and services ... and they in turn will confront the second tier ... and soon it will be a basic condition of entry into certain markets. "The military" and government departments will probably lead the way, closely followed by financial and information services companies.
More on the ISO 27000-series standards here

19 Oct 2006

Oracle admits 100 critical security flaws

Oracle, which "leads in customer relationship management" according to its home page, has released a shed-load of patches containing: 22 security fixes for Oracle Database; 6 security fixes for Oracle HTTP Server; 35 security fixes for Oracle Application Express; 14 security fixes for Oracle Application Server; 13 security fixes for Oracle E-Business Suite; 8 security fixes for Oracle PeopleSoft Enterprise PeopleTools and Enterprise Portal Solutions; 1 security fix for JD Edwards EnterpriseOne; 1 security fix for Oracle Pharmaceutical Applications; and a partridge in a pear tree. If you run Oracle software, get busy with the patching to minimize the risk of incidents. If you work for Oracle, how about some of that customer relationship management i.e. better quality software for your valued customers?
More links on incident management and bugs!

18 Oct 2006

Open Information Security Risk Management Handbook

Clement Dupuis over at cccure.org put me on to a new infosec risk management handbook from an organization I haven't come across before - a Swiss organization called the Security Officers Management and Analysis Project. The handbook is described as "high level informations" containing 14 core pages on risk management, both in general and specifically in relation to information security - in fact, it probably has more to say on information security management than risk management. It aims to describe "how to plan, implement and manage an information security risk strategy and ISMS (Information Security Management System) activities." The language is rather naive in places but this could easily be due to its being translated into English, and the meaning comes through. For example: "A security officer never should be the owner of an asset. Even if this could look like a good idea, it is not. At the end the security officer would be responsible for all the assets which he obviously can not be." It is loosely structured around ISO 17799 / ISO 27001.
The accompanying Information Security Risk Assessment Guide is still in development with a 31-page draft already available. The guide looks as if it will focus on risk management in greater depth than the handbook. At the moment, it is little more than a collection of placeholders, ideas and notes to be explained/expanded later.
Both documents are released under the GNU Free Documentation License giving recipients the freedom to create and sell derivative works provided they reference the originator, retain section headings etc. SOMAP are actively inviting readers to get involved with and contribute to the project. If their appeal succeeds, the project has the potential to clear up an area of information security management that remains poorly served by other works. Although maybe a dozen information security risk management methods are in use worldwide, they seem to be the realm of specialists rather than general practice in the field.
More risk management resources

17 Oct 2006

When POTS becomes VOIP

The transition from POTS (Plain Old Telephone System) to VOIP (Voice Over IP) is likened in an article by CSO Magazine to Swedes changing the side of the road on which they drive. It's a dramatic analogy but acts as a worthwhile counterpoint to the usual arguments about VOIP simply replicating POTS security issues. In fact, VOIP/IPtel introduces some novel risks:
- Confidentiality: unauthorized disclosure of information by snooping on calls, copying or redirecting them;
- Integrity: change management; authentication of users and security administration;
- Availability: additional complexity caused by implementing new IT/networking equipment to replace tried-and-trusted PABXs; convergence of voice and network technologies potentially creating new unanticipated technical issues;
- Financial: risks relating to the implementation project's business case;
- Operational: changing pattern of use of phone systems may open up novel working practices and business opportunities with unique security/risk implications (e.g. remote Internet teleworking potentially including offshore, wireless phones).
Analysing the risks on another axis gives a different view:
- Threats: accidental misconfiguration or operator errors causing software/system/network failures; man-in-the-middle attacks on voice calls (manipulating voice traffic in real time to change conversations);
- Vulnerabilities: new technology (compared to POTS); all the usual information or IT security vulnerabilities (e.g. bugs); all eggs in one basket;
- Impacts: simultaneous loss of network data and voice capability causing business disruption; disclosure of confidential information; regulatory or legal implications such as retention of calls.
More web and network security links

Not just the VA

SC Magazine reports that, since January 2003, all 19 agencies included in a US House Government Reform Committee summary reported at least one breach. So, it's not just the beleaguered US Department of Veterans Affairs after all.
More links on incident management

13 Oct 2006

Patch within 15 mins

Microsoft has dumped another bucket of patches on its customers. Read the Microsoft info page or, for another perspective, check out what SANS Internet Storm Center has to say. The ISC picks out three critical patches, one of which they rate "PATCH NOW" since it is being actively exploited. If you are too busy to check, test or download the patches, remember that the clock is ticking. A few days back, the BBC reported that a honeypot system running unpatched XP Home gets compromised within ~15 minutes of web connection. Get your patching processes up to scratch or face trying to explain to your stakeholders why you suffered avoidable information security incidents ...
More incident management and bugs! resources

Pre-incident forensics

Managers seem to expect forensic evidence to appear as if by magic when an employee is caught committing fraud or circulating porn on company IT equipment. The reality is that, while system, network and firewall logs usually record some information, it is unlikely to be sufficient or suitable for forensic purposes unless the logs and controls have been designed and maintained with that potential use in mind. Aristotle has an unusual network usage/content monitoring product that claims to address this kind of controls gap. It is targeted at schools and offices, for example identifying children contemplating suicide or employees stealing corporate data. It retains forensic evidence and provides the reporting tools to make use of it.
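One concrete way to "design logs with forensic use in mind" is to make the log tamper-evident, so that a record altered or removed after the fact shows up when the evidence is examined. The following is an added illustration, not code from the blog or from Aristotle's product: each record carries an HMAC over its sequence number, the previous record's tag and its own content, so the records form a chain. The sample events, field names and key are constructed for the demo. It also shows the one thing a chain alone cannot catch, silent truncation of the tail, and why the latest tag has to be copied to a separate log host periodically.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample events, roughly what a file server or proxy might record.
# The field names are illustrative assumptions, not any product's real schema.
SAMPLE_EVENTS = [
    {"ts": "2006-10-13T09:14:02Z", "user": "jsmith", "src": "10.1.2.3",
     "action": "logon", "result": "success"},
    {"ts": "2006-10-13T09:15:40Z", "user": "jsmith", "src": "10.1.2.3",
     "action": "read", "object": "//fs1/finance/q3-forecast.xls", "bytes": 482113},
    {"ts": "2006-10-13T09:16:05Z", "user": "jsmith", "src": "10.1.2.3",
     "action": "usb_write", "object": "E:/q3-forecast.xls", "bytes": 482113},
]

# Demo key only. In a real deployment the key is held on a separate log host
# that the administrators whose actions are being recorded cannot reach.
DEMO_KEY = b"constructed-demo-key-not-for-production"

GENESIS = "0" * 64  # stands in for the tag of the record before the first


def canonical(event):
    """Serialise an event deterministically so its tag is reproducible."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def record_tag(seq, prev_tag, event, key):
    """HMAC over sequence number, previous tag and event content."""
    msg = f"{seq}|{prev_tag}|".encode() + canonical(event)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(chain, event, key):
    """Append an event, binding it to every record already in the chain."""
    seq = len(chain)
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    event = deepcopy(event)  # the chain owns its copy of the event
    chain.append({"seq": seq, "prev": prev_tag, "event": event,
                  "tag": record_tag(seq, prev_tag, event, key)})
    return chain


def verify_chain(chain, key, anchor_tag=None):
    """Return (True, None) if intact, else (False, index of first bad record).

    anchor_tag is the most recent tag as copied off-box. Without it, a chain
    that has been truncated at the end still verifies, because truncation
    leaves every remaining link consistent.
    """
    prev_tag = GENESIS
    for index, rec in enumerate(chain):
        if rec["seq"] != index or rec["prev"] != prev_tag:
            return False, index  # record deleted, inserted or reordered
        expected = record_tag(rec["seq"], prev_tag, rec["event"], key)
        if not hmac.compare_digest(rec["tag"], expected):
            return False, index  # record contents altered
        prev_tag = rec["tag"]
    if anchor_tag is not None and prev_tag != anchor_tag:
        return False, len(chain)  # records removed from the tail
    return True, None


def build_demo_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, ev, DEMO_KEY)
    return chain


def demo_edit():
    """The byte count in the file-read record is rewritten after the fact."""
    chain = build_demo_chain()
    chain[1]["event"]["bytes"] = 12
    return verify_chain(chain, DEMO_KEY)


def demo_delete_middle():
    """The file-read record is removed; the gap shows at index 1."""
    chain = build_demo_chain()
    del chain[1]
    return verify_chain(chain, DEMO_KEY)


def demo_truncate():
    """The final USB-write record is dropped. Returns the verdict without and
    with the off-box anchor, showing why the anchor is needed."""
    chain = build_demo_chain()
    anchor = chain[-1]["tag"]  # copied to the log host before the tampering
    chain.pop()
    return verify_chain(chain, DEMO_KEY), verify_chain(chain, DEMO_KEY, anchor)


if __name__ == "__main__":
    print("intact:", verify_chain(build_demo_chain(), DEMO_KEY))
    print("edited:", demo_edit())
    print("deleted:", demo_delete_middle())
    print("truncated:", demo_truncate())
```

The point of the anchor is the practical one: a log that only protects itself can be cut short by whoever controls the box, so the forensic value depends as much on where the key and the latest tag live as on the hashing.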

More incident management links

11 Oct 2006

Litany of privacy breach incidents

In similar fashion to the chronology of privacy breaches maintained by the Privacy Rights Clearinghouse, a table of privacy breaches in 2006 tells several stories. For a start, it's already 19 pages long after three quarters of a year. Secondly, the breaches reflect a variety of security threats (e.g. accidental disclosure, hacks, Trojans, theft of equipment/media from offices/homes/cars or in transit), vulnerabilities (e.g. no encryption, inadequate logical or physical access controls, careless disposal of information) and impacts (e.g. public disclosure of the breaches, thefts, around 50 million victims' personal details compromised/exposed to fraud) at all sorts of organizations. Thirdly, virtually all of the incidents have had to be publicly disclosed under California State Bill 1386 (presumably a similar level of privacy incidents occur elsewhere outside the remit of SB1386). Finally, the authors of the table have identified the ISO 27001 controls that appear to have been missing or inadequate in each case (sections 7 through 11 feature prominently).
More incident management and privacy links

Xerox copy center hack

A presentation at Black Hat 2006 by Brendan O'Connor covered Vulnerabilities in Not-So Embedded Systems. Specifically, it described a hack on a Xerox multifunction device (copy-scan-print). The machine has an embedded AMD CPU running Linux and Apache with the Xerox applications layered on top. Accessing the device remotely thanks to its web and telnet interfaces, the hacker exploited vulnerabilities in parameter handling by the applications to compromise the root account. To Brendan, this was a bit of a lark. He clearly enjoyed explaining how to hack the machine and, for example, photocopy and scan a stray paper clip and set it up as a default printing template. For Xerox, however, the presentation and exploit represent a security incident that forced them to roll out urgent security fixes to their understandably irate customers. It seems unlikely to have enhanced their reputation in the market.
More security incident management and hacking links

Computer room environmental controls

Seems I'm not alone in having trouble locating good information online about computer room environmental requirements (power, air-con, physical access controls, raised floor design etc.). A fellow infosec professional searching specifically for air-con parameters published some useful links on the CISSPforum today i.e. IBM, HP and more HP, Sun and the University of Texas. I recommended a book from the Sun Blueprints series by Rob Snevely: Data Center Design and Methodology (~$62 from Amazon). I'm still looking for relevant standards.
More physical security links

10 Oct 2006

Do you want garlic bread with that?

A story about inadequate security practices by Pizza Hut has graduated to a public relations nightmare thanks to the local news media in New Zealand. The incident which sparked it involved a customer noticing that the delivery boy's delivery note included her name, address, phone number, full credit card number, credit card expiry date and cardholder's name - apart from the lack of CVV2 data, that's game, set and match for identity thieves, potentially including Pizza Hut staff, delivery boys/girls, their relatives/friends and indeed anyone who finds a carelessly discarded delivery note. A consumer advice site that broke the story was given the run-around by Pizza Hut and fobbed off with an unhelpful response from their PR agency. Pizza Hut NZ is evidently planning to change its systems not to print the full credit card number ... by March next year ... so, meanwhile, Pizza Hut NZ customers are well advised to pay in cash or find a pizza supplier that actually gives a hoot about their customers' security.
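The fix Pizza Hut NZ is promising amounts to two controls: never let the full card number reach the printed note, and check generated documents for it anyway, because the template that prints it is rarely the only one. The block below is an added illustration of both, not code from the blog or from any pizza chain's ordering system. The delivery note is a constructed sample; 4111 1111 1111 1111 is a widely published test card number rather than a real account, and the other details are made up. A Luhn check keeps the scanner from flagging order references and phone numbers that merely happen to be long runs of digits.

```python
import re

# Constructed sample delivery note. 4111 1111 1111 1111 is a widely published
# test card number, not a real account; the other details are made up.
SAMPLE_NOTE = """DELIVERY NOTE (constructed sample)
Customer: A. Customer
Address: 12 Example Street, Wellington
Phone: 04 555 0123
Order ref: 8800123456789
Card: 4111 1111 1111 1111  Exp: 03/08
Name on card: A CUSTOMER
Total: $34.90
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check digit test: true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits, as a printed receipt should."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text):
    """Return every digit run in the text that looks like a full card number."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(m.group())
    return hits


def redact(text):
    """Replace each detected card number with its masked form."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_mask, text)


def check_before_printing(text):
    """Gate for a print job: (is_clean, redacted_text)."""
    hits = find_unmasked_pans(text)
    return (not hits), redact(text)


if __name__ == "__main__":
    clean, safe = check_before_printing(SAMPLE_NOTE)
    print("clean as generated:", clean)
    print(safe)
```

Run on the sample, the scanner flags the card line and leaves the order reference alone (13 digits, but it fails the Luhn check); the redacted note keeps only the last four digits, which is all a delivery driver or a customer needs to reconcile the order.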
More resources on security incidents

The reality gap

An international survey reveals a fascinating discrepancy between what teleworkers say they do in the way of information security and what they actually do. For example, about a quarter admit to personal use of company laptops yet around half say they shop online (OK, some might be shopping with the corporate credit card, but probably not all of them). There are significant implications for those of us who use questionnaires and interviews to assess the level of security awareness. Essentially, the survey warns us against believing everything we are told and to beware the gap between perception and reality.

More links on teleworking security and security awareness

6 Oct 2006

European CERTs

If you ever need advice or professional assistance to deal with serious information security incidents involving European organizations, ENISA maintains a useful inventory of European CERTs (Computer Emergency Response Teams). Navigate through the online map, print it out as a poster for your office or download the inventory as a PDF for the files. [Thanks to our Spanish security friends at www.iso27000.es for the pointer to this information.]
More incident management resources

Laptop security is a top priority

ZDnet reported "The Sans Institute says the greatest concern for businesses should be the security of their laptops, as more companies replace desktops with notebooks. The mix of sensitive data being taken out of the organisation and a lack of encryption, coupled with incidences of human error that can see such devices lost or stolen, means companies should make this issue a top priority. The Sans report also said the theft of other mobile devices, such as PDAs and smart phones, will increase because of the value of the data they may contain." I would of course agree that loss or theft of data on laptops is important ... along with the introduction of malware on portable devices, the lack of backups and the use of portable (and especially wireless) devices to remove information illicitly from corporate networks. But, sure, loss or theft of data on laptops is an issue.

More portable IT security and wireless networking links