Welcome to the SecAware blog

I spy with my beady eye ...

31 Dec 2007

EPO incident

If like me you've been wondering over the Christmas break "Just how many computer specialists does it take to reset an Emergency Power Off [EPO] button?", here's your answer from the latest RISKS mailing list digest:
"A Sacramento County computer technician has pleaded guilty to trying to shut down California's power grid by pushing a button marked "Emergency Power Off," authorities said. Lonnie Charles Denison, 33, of South Natomas, admitted Friday in U.S. District Court in Sacramento that he went into a room at the Independent System Operator's data center in Folsom (Sacramento County) on April 15, broke a glass cover and pushed the button, prosecutors said. Denison, a contract employee at the data center, was upset with his employer, authorities said.

The ISO oversees electricity purchases and distribution. Denison prevented the data center from communicating to the electricity market for about two hours, leaving the electrical power grid vulnerable to shortages, Matthew St. Amant, a California Highway Patrol officer assigned to an FBI task force, wrote in an affidavit. No blackout occurred because the incident - which cost $14,000 for 20 computer specialists to repair - happened on a Sunday, investigators said. Denison was identified by surveillance-tape footage and his security-access code, the affidavit said. He pleaded guilty to attempted damage of an energy facility, a felony. He is to be sentenced Feb. 29 by U.S. District Judge Garland Burrell."

If you don't already subscribe to RISKS, it's highly recommended.

30 Dec 2007

Top information security risks for 2008

We have completed and published our collaborative white paper listing the top information security threats, vulnerabilities and impacts, along with some risk scenarios and controls, as we head towards the new year.

My sincere thanks are due to all who participated in the project, contributing directly to the shared document on Google Docs or commenting on it through the fora. I suspect there are still several points of disagreement but I hope we are all reasonably happy with the end result. I have certainly enjoyed the process and value the discussion.

Awareness module

Offices are the “information factories” where most of an organization’s intellectual property gets created and processed, and a lot of information assets are stored. They are the knowledge workers’ natural habitat. Some of us practically nest in our cubicles.

Numerous information security risks affect offices, including IT/computer security and telephony risks from viruses, power glitches, IT/network capacity and reliability issues, physical security risks such as thefts, fires and floods, and process-related risks e.g. if untrustworthy visitors are not properly authenticated on arrival or are allowed to wander freely around the offices.

Despite us having covered office security issues in many other NoticeBored modules, almost all of the materials have been written from scratch for this one, bringing them all together in a context that most employees will relate to.

Read more about January’s NoticeBored security awareness module and get in touch if we can interest you in a subscription to NoticeBored, the modular security awareness service. Happy new year!

27 Dec 2007

CISSP course in Dubai

If you or someone you know in the Middle East is thinking of taking the CISSP exam, Clement Dupuis will be leading a boot camp-style intensive CISSP training course in Dubai on 11-15 February 2008. Clement has stacks of experience at CISSP training and will be using Shon Harris' course materials recently updated to reflect the latest CBK. The course is being offered in conjunction with the Open Information Systems Security Group.

For those who don't know Clement, he is the inspiration and driving force behind CCcure.org, recommended reading for all CISSP candidates and indeed for those seeking other information security qualifications or who simply want to keep their knowledge and skills up-to-date.

22 Dec 2007

A Christmas present for ordinary computer users

Peter Gregory has blogged a list of free security software that is sure to appeal to "ordinary" (as in non-geek) computer users.

The only significant omission that occurs to me is online software security patching. Peter blogged just a week ago about a free and urgent security patch for Skype, perhaps not a good example as he chastises Skype for not publicising the patch. Microsoft Update is probably better.

Personally, I use Secunia's PSI (Personal Software Inspector) to track and stay current with security patches for most of the software on my home system, not just the Microsoft stuff. It does a good job for me but may be too geeky for ordinary mortals. What do you think? Is there a more user friendly option you'd recommend?

19 Dec 2007

UK insurance firm fined for pretexting incidents

The UK's Financial Services Authority has fined insurer Norwich Union £1.26m as a result of inadequate protection of customers' personal data:

"The City watchdog says Norwich Union's life assurance unit did not have effective systems and controls in place to protect customers' confidential information and manage financial crime risks. These failings resulted in a number of actual and attempted frauds against policyholders. Slack call centre security allowed fraudsters to use publicly available information - including names and dates of birth - to impersonate customers and obtain sensitive customer data, says the FSA. In some cases criminals were able to ask for confidential customer records, such as addresses and bank account details, to be altered. The fraudsters then used the information gleaned to request the surrender of 74 customers' policies totalling £3.3 million in 2006. The FSA says its investigation found that Norwich Union Life failed to properly assess the risks posed by financial crime and as a result, its customers were more likely to fall victim to identity theft."

The official FSA report makes interesting reading, disclosing for instance that fraudsters were using information obtained legitimately from public records held at Companies House to respond to authentication questions.

The company has since smartened up its act with better policies, procedures and (hopefully) compliance activities but I doubt that even it would claim to be immune to social engineering risks. Pretexting is a relatively cheap and easy form of attack and the juicy personal data in such databases is clearly luring fraudsters.

18 Dec 2007

Infosec risks top ten

Fellow infosec pros,

Tim Bass recently posted a stimulating entry to his blog proposing a top ten list of information security threats - not "risks" but threats specifically. This struck me as an interesting idea and an opportunity to add some depth to the rather banal top ten IT security risks lists that appear every new year. So, shamelessly extending a good idea, I've set up a shared document on Google Documents and now invite you to participate in a collaborative project to draw up a more meaningful list of current infosec risks, starting with separate lists of threats, vulnerabilities and impacts, then working on the risks, and finally the controls and conclusion.

If you would like to get involved, please check the shared document as it stands today and then email me (Gary@isect.com) to add you to the list of users with update access to the shared doc. Google Docs is cool but if you can't be bothered to update the doc yourself, just email me with your comments and I'll have a go. I'm particularly interested in emerging trends, as perceived by qualified information security professionals rather than journalists and marketers. What are you working on today and what do you expect to be doing in the year ahead?

I'm planning to publish the finished item on the Web under a Creative Commons license on or before Jan 1st 2008, acknowledging all contributors. Please don't ask me if you can earn CPEs for this though!

Kind regards,

UPDATE Dec 19th: the lists of threats, vulnerabilities and impacts are nearing completion so it's time to make a start on pulling things together as "risks". See the shared paper as it stands today and by all means have your say - pop a comment below if you like.

12 Dec 2007

Why HTML email is BAD

[Screenshot: the CitiBusiness phishing email]

The screenshot above is an email spotted today in my spam box. It's a conventional phishing email with a classic call-to-action and a link whose URL takes victims to the phishing site rather than CitiBusiness.
What caught my eye, though, was the hex encoded gibberish at the bottom. I can't be bothered to convert it all to readable characters and probably don't have the skills necessary to analyze it and figure out exactly what it's doing, but the few unencoded words (api, update, end, exe, create, engine, close, define, revision, tmp, hex, URAW, rev., create, root:, LHY, serv, 22MP., source:, Y1TM, cvs, revision, 60T, 376T:) do rather give the game away: it looks like some sort of attempt to get victims' email software to execute code. My bet is that it exploits a bug in the way HTML emails are handled. Needless to say, my machine is configured to read emails as plaintext. I can live without the fancy text formatting, and malware, thank you very much.
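For readers who would rather decode such a blob than eyeball it, here is a small triage script. It is an added example, not part of the original post and not the actual blob from the email: the SAMPLE_BLOB below is constructed for illustration, and the WATCHLIST is simply the words the post picked out by eye. It peels off the three encodings most often seen in HTML mail (HTML character references, URL percent-escapes and runs of bare hex), then does what strings(1) does and reports which watchlist words appear. An odd-length hex run (a truncated blob) is handled rather than rejected.

```python
import html
import re
from urllib.parse import unquote

# Constructed stand-in for the blob at the bottom of the phishing email.
# The real message is not reproduced; these fragments were made up for the example.
SAMPLE_BLOB = (
    "Dear CitiBusiness customer, please update your details at "
    "&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;example.invalid/login "   # "http://"
    "api update end 6578652e63726561746500 engine close "                # "exe.create\0"
    "%2f%74%6d%70%2f%72%65%76 hex root: serv"                            # "/tmp/rev"
)

# Words the post noticed in the clear; a watchlist for triage, not a malware signature.
WATCHLIST = ("api", "update", "exe", "create", "engine", "tmp", "root:", "cvs", "revision")

# A run of 8+ hex digits not glued to other letters/digits.
BARE_HEX = re.compile(r"(?<![0-9A-Za-z])[0-9A-Fa-f]{8,}(?![0-9A-Za-z])")


def decode_bare_hex(text: str) -> str:
    """Replace runs of bare hex digits with the bytes they encode.

    An odd-length run is decoded up to its last complete byte and the stray
    nibble is kept verbatim, so a truncated blob still yields readable text.
    Bytes are mapped through latin-1 so decoding can never fail.
    """
    def repl(m):
        run, tail = m.group(0), ""
        if len(run) % 2:
            run, tail = run[:-1], run[-1]
        return bytes.fromhex(run).decode("latin-1") + tail
    return BARE_HEX.sub(repl, text)


def decode_all(text: str) -> str:
    """Peel off the encodings outermost first: HTML references, then
    percent-escapes, then bare hex."""
    text = html.unescape(text)
    text = unquote(text)
    return decode_bare_hex(text)


def printable_strings(text: str, min_len: int = 4) -> list:
    """Like strings(1): runs of printable ASCII at least min_len long."""
    return re.findall(r"[\x20-\x7e]{%d,}" % min_len, text)


def watchlist_hits(text: str) -> list:
    """Watchlist words present as whole tokens (so 'exe' matches in 'exe.create')."""
    hits = set()
    for tok in WATCHLIST:
        if re.search(r"(?<![A-Za-z0-9])" + re.escape(tok) + r"(?![A-Za-z0-9])", text):
            hits.add(tok)
    return sorted(hits)


def analyse(blob: str) -> dict:
    decoded = decode_all(blob)
    return {
        "decoded": decoded,
        "strings": printable_strings(decoded),
        "hits": watchlist_hits(decoded),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_BLOB)
    for s in report["strings"]:
        print(repr(s))
    print("watchlist hits:", ", ".join(report["hits"]))
```

Run it over the text of a suspicious message (saved from a client that shows raw source, never by rendering the HTML) and read the decoded strings before deciding whether the mail needs a proper malware analyst. The watchlist only tells you where to look; a clean result proves nothing.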

Carelessness threatens privacy

Three stories from the BBC today demonstrate, as if demonstration were necessary, that carelessness with IT storage media can easily expose the personal data of thousands of individuals to the potential of identity theft:

1. The Driver and Vehicle Agency in Northern Ireland lost 2 disks containing details of 6,000 people en route to its headquarters in Swansea.

2. Leeds Building Society mislaid personal details of 1,000 employees while moving the HR department from one floor to another.

3. A Merseyside health care trust "accidentally" sent out personal details on thousands of staff to four medical organisations bidding to supply the trust.

If the data involved had been printed out, I suspect those involved would have taken more care with the filing cabinets or boxes of paper but CD-ROMs or DVDs seem so insignificant.

Security policies, procedures and guidelines, coupled with effective security awareness activities and staff training, are obvious controls for such situations, along with encryption of anything confidential and care over the encryption keys.

11 Dec 2007

Social engineering bots pass Turing test

"Robot chatters are just one type of social-engineering attack that uses trickery rather than a software flaw to access victim's valuable information. Such attacks have been on the rise and are predicted to continue to grow."

If you frequent chat and dating sites, especially Russian ones it seems, beware robots posing as fellow frequenters that chat with you, flirt with you even, and extract personal information. From the news report, it sounds like this bot passes the Turing test.

Security awareness a commonplace concern

A survey of information security concerns at 455 US SMBs (small to medium sized businesses with 5 to 1,000 employees) is mostly same old same old but one statistic caught my eye (see graph above). Three-quarters of those surveyed believe that security awareness would help to improve the level of security in their company. Most SMBs are not that bothered about their security budget or how many security people they have.
"Employees are not the only people who need to be ‘educated’. One in four IT executives want senior management to have a better understanding of security issues as this could have a bearing on the overall level of network security and, possibly, the range of security measures that could be implemented."

Why is it, I wonder, that security awareness is in such high demand? It's great for our business, of course, but still I'm curious as to the attraction. Is it that security awareness is just too difficult for most people? Or is it just this month's fad (I sincerely hope not!)?

With NoticeBored Classic starting at just US$2300 for organizations with less than 500 employees, security awareness is surely within reach of even the smallest SMBs.

PCI DSS audit accreditation

An Australian security consultancy's blog entry on their failure to win PCI DSS audit assignments ably demonstrates a severe conflict of interest in this market. They have been losing out to competitors who promise to complete the audits much quicker and (implicitly at least) to certify the client compliant. The commercial pressure is clear: the process of applying and qualifying to become a PCI DSS auditor is expensive in both time and $$$$. If auditors who intend to audit clients properly against the standard consistently lose bids to those who (allegedly) will do a superficial audit and pass the client almost regardless of the findings, then they will eventually face a tough choice. Uphold their principles or compromise them just to recoup their costs and stay in the business.

The same pressures occur with other certifications and are generally handled by a rigorous accreditation process whereby certification auditors are carefully assessed to determine their suitability and rigour. I wonder whether PCI DSS has this? Are PCI DSS auditors re-assessed from time to time? Does the PCI consortium check the quality of their assessments, for example by independently re-auditing certified PCI compliant merchants to confirm whether they are truly compliant? If not, I doubt that the PCI DSS scheme warrants the confidence level it currently enjoys.

Email scams increasingly sophisticated

Two news stories illustrate the increasing sophistication of email security threats.

The New York Times describes the exploitation of someone's Web-based email account to send pleading messages to all their contacts, asking for money. The emails, of course, appear to come from the legitimate owner of the email address and are therefore more likely to be trusted implicitly by at least some of the recipients. This is far from the first time we've heard about hackers taking over webmail systems, eBay IDs and the like. How they achieve the take-over is not usually clear but there are several methods including brute-force guessing of the password, fooling the lame "I've forgotten my password" authentication checks, Trojan keyloggers and more.

Meanwhile, the Wall Street Journal reports on successful spear-phishing attacks against executive managers. The scammers send emails that use the person's name and other identifying information (perhaps gathered from social networking sites or elsewhere on the Web) to fool them into following dubious links. Their PCs are then infected with malware, typically keylogging Trojans according to the article. Thereafter, everything the exec types in (bank details, passwords, secret documents, whatever) is also available to the scammer. Nasty.

Both stories demonstrate the effectiveness of social engineering methods. We humans naturally trust our friends and acquaintances. Scammers who somehow succeed in appearing to be our friends and acquaintances are taking advantage of that trust.

UPDATE Dec 11th: The "I'm stuck in Nigeria - please send money" email scams evidently work just as well in India too.

Microsoft advice on social engineering controls

A useful guide from Microsoft explains a range of controls to reduce the threat of social engineering attacks. It's a 37-page Word document. Here's an extract from the overview:
"To attack your organization, social engineering hackers exploit the credulity, laziness, good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against a socially engineered attack, because the targets may not realize that they have been duped, or may prefer not to admit it to other people. The goals of a social engineering hacker—someone who tries to gain unauthorized access to your computer systems—are similar to those of any other hacker: they want your company’s money, information, or IT resources."

This document is part of Microsoft's Midsize Business Security Guidance collection.

10 Dec 2007

Social engineers steal $4m IT equipment

Brazen robbers conned their way into a shared data centre in London by posing as Policemen with a convincing story:
"The bogus police gained entry to the data centre by claiming that they were investigating claims that there were people on the roof of the building. Five data staff are thought to have been tied up, although none were seriously hurt."

This was clearly a social engineering incident.

7 Dec 2007

No Tech Hacking

No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (~US$39 from Amazon, when in stock) looks like an interesting new book by Johnny Long, famous for his earlier book Google Hacking, and Kevin Mitnick, famous for the hacking exploits that landed him in jail and his earlier books The Art of Deception and The Art of Intrusion.

According to an interview in CSO Magazine, Johnny describes himself as a Christian hacker with plans to get the hacker community involved in charitable work. His writing reveals that he surely understands the Dark Side but, on the other hand, he does indeed openly promote the classical hacker ethic. Still, I'm quite sure Johnny would be the first to agree that social engineering and other hacker techniques could be classified as "dual use".

Kevin Mitnick clearly has Dark Side experience on his CV but, like Johnny, has achieved a lot without getting too deep into the technology.

I haven't read the book yet but it's on my Christmas wishlist (hint hint Santa).

Social engineer exploits Dutch employer

CSO Magazine reports on a security consultant cum botnet operator, PayPal account hijacker and fraudster. He infiltrated a Dutch company, exploiting the trust placed in him to install malware on thousands of machines. It's a salutary lesson in the need for pre- and para-employment vetting of employees in such sensitive positions.

Breach disclosure net widens

California Senate Bill 1386 (SB1386) was the first US law to require organizations to disclose to Californian citizens details of privacy breaches affecting their financial data, an idea since extended to around 40 US states.

SB1386 opened the flood gates when privacy breaches affecting millions of data subjects were disclosed. Prior to SB1386, even huge privacy incidents were successfully hushed up or downplayed by embarrassed (borderline unethical) organizations' spin doctors. SB1386 woke up an ignorant or complacent public.

The Californian law is now being extended to include privacy breaches involving medical and health insurance information under AB1298:
" AB 1298 adds two new breach-triggering data categories to the law of “health insurance information” defined as a health insurance policy or subscriber number(s), any information in an individual’s application and claims history, including any appeals records; and “medical information” including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional."

6 Dec 2007

Info for SysAdmins/Infosec Managers on WPAD

A new Microsoft Advisory gives further details of the WPAD (Web Proxy Auto-Discovery) vulnerability recently disclosed at Kiwicon, New Zealand's first hacker conference.

The vulnerability relates to the way that Windows systems set to autoconfigure their web proxy settings go looking for the configuration file. If they don't find one on the local network, they go up the DNS tree and, under some circumstances, end up looking for a host called wpad.co.nz or wpad.co.uk or whatever. If some enterprising haxor has registered one of these domains, they have the ability to create and offer malicious proxy configuration files, and can subsequently control the way vulnerable machines access the Web.
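To see why the DNS walk ends up at wpad.co.uk, here is an added illustration of the devolution described above and of the check that ought to bound it. This is not Microsoft's code nor the advisory's workaround, just a model of the behaviour the post describes. Assumptions: the client prepends "wpad" to its DNS suffix and strips one leading label at a time; the walk stops before a bare top-level label; and the organisation's own registered domain (example.co.uk here) is known, which is what a sane client would use to stop devolving. All names are made up.

```python
# Added illustration of WPAD DNS devolution; not Microsoft's code and not the
# advisory's workaround. DNS suffixes and the organisation domain are made up.


def wpad_candidates(dns_suffix: str) -> list:
    """Names a naively devolving client would try, most specific first.

    Behaviour as described in the post: prepend 'wpad' to the client's DNS
    suffix, then strip one leading label at a time. Assumption: the walk
    stops before a bare top-level label, so 'wpad.uk' is never produced.
    """
    labels = [l for l in dns_suffix.lower().strip(".").split(".") if l]
    return ["wpad." + ".".join(labels[i:]) for i in range(len(labels) - 1)]


def within(name: str, org_domain: str) -> bool:
    """True if the candidate's parent domain is org_domain or a subdomain of it.

    The leading dot in the suffix test matters: 'notexample.co.uk' must not
    count as part of 'example.co.uk'.
    """
    parent = name.split(".", 1)[1]          # drop the leading 'wpad'
    org = org_domain.lower().strip(".")
    return parent == org or parent.endswith("." + org)


def classify(dns_suffix: str, org_domain: str) -> list:
    """Tag each candidate as in-house or OUTSIDE the organisation's control.

    Any OUTSIDE name is one that somebody else can register and serve a
    malicious proxy configuration from.
    """
    return [(n, "in-house" if within(n, org_domain) else "OUTSIDE")
            for n in wpad_candidates(dns_suffix)]


def bounded_candidates(dns_suffix: str, org_domain: str) -> list:
    """What a client should query instead: devolution that never leaves the
    organisation's own domain. An empty list means 'no auto-detected proxy',
    which is the right answer on a foreign network (hotel, conference Wi-Fi)."""
    return [n for n, tag in classify(dns_suffix, org_domain) if tag == "in-house"]


if __name__ == "__main__":
    org = "example.co.uk"
    for suffix in ("sales.example.co.uk", "example.co.uk", "guest.hotel.example"):
        print(f"DNS suffix {suffix!r}, organisation {org!r}:")
        for name, tag in classify(suffix, org):
            print(f"  {name:30} {tag}")
        print("  bounded client would try:", bounded_candidates(suffix, org) or "nothing")
```

Running it shows that a workstation in sales.example.co.uk walks through wpad.sales.example.co.uk and wpad.example.co.uk (both yours) and then wpad.co.uk (not yours), which is exactly the name an outsider can register. The same model explains why a laptop on somebody else's network should get no auto-detected proxy at all rather than whatever that network's DNS tree offers.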

Microsoft offers workarounds pending a proper fix of the wpad logic. Turning off wpad is one solution, though I'm not sure whether this can be configured for all machines in a domain using Group Policy, so it may require each machine to be configured. Similarly, there's a registry hack that needs to be applied on every machine. Another fix is to create a wpad server and offer a legitimate proxy config file ... but make sure it is a high-availability machine since a denial-of-service attack on it would presumably reopen Pandora's box.

Good luck!

4 Dec 2007

Social engineers infiltrate Shell

In a story about the Chinese attacking Western companies to obtain commercial advantage, The Times briefly mentions an alleged social engineering compromise of Royal Dutch Shell in Houston, Texas, by a 'special interest group' of Chinese nationals. The brief story sounds remarkably similar to case studies in Ira Winkler's books, in which Chinese officials coerce Chinese nationals working abroad into providing insider information on targeted organizations.

Is this all just smoke and mirrors or a genuine threat? Despite being 'professionally paranoid', I normally dismiss claims about Chinese hackers and spies, specifically, as mere xenophobic propaganda by the US and its allies, especially when specific details of the alleged attacks are conveniently omitted. The Times refers to a letter from MI5 to 300 UK businesses warning them about the Chinese threat, and outlines an alleged Chinese Trojan attack on Rolls Royce. There are many other allegations flying around about the Chinese ... just as there were allegations about WMD in Iraq and Reds Under Beds. I'm not privy to the inside track on these stories, but I bet the CIA and US/allies' secret services, diplomats and mercenaries are every bit as active in China and other "foreign places".

3 Dec 2007

Social engineering awareness module released

Security awareness - the key to counter social engineering attacks
Instead of trying to break into computer networks and systems which are protected by technical security control measures, social engineers prefer to compromise the people that configure, use and manage them. They cheat and lie their way past those who are naïve and/or unaware of the threat. Generally speaking, people are easier to deceive than computers so social engineering remains a threat for all organizations, even those that have excellent technical security controls.

Almost anyone may be a social engineer. A social engineer is a person who is able to persuade someone else to part with information or something else of value. Parents can probably appreciate the social engineering skills of their children, even before they are able to speak!

In a work context, social engineers may be after sensitive company information: marketing strategies, details of our latest deals, pre-patent information, merger and acquisition plans etc. Such information may be extremely valuable to, say, a competitor. The social engineers may also need other pieces of information, such as login details for the network and a database server, in order to get to their ultimate goal.

Social engineers may also be interested in information about employees. Private investigators, for example, investigating suspected marital infidelity, may try to find out what time an employee normally leaves for home and where he is planning to go on his next business trip. Journalists might go fishing for information to corroborate a news story. Fraudsters and identity thieves would be interested in Social Security Numbers, bank account and credit card numbers, dates of birth etc.

Social engineers depend on being able to fool people into believing they have a legitimate right to information. The deception often works best if they look just like us: they dress like us, talk like us, behave like us. Which social engineer do you think would be more successful at ‘tailgating’ (following an employee into a building): someone who appears to be just another regular employee or someone wearing a stripy top and black face mask and carrying a bag marked SWAG? What about someone dressed as a maintenance engineer or policeman: would you refuse to let them pass? The deception is even easier on the telephone or email, since there are no visual clues to a person’s identity.

December’s NoticeBored security awareness module identifies numerous social engineering risks and controls, and is lightly sprinkled with real world examples of incidents reported in the general news media. Making employees alert to the possibility of social engineering is the first step towards resisting attack.

[Please see December’s NoticeBored newsletter for more background and an analysis of the social engineering threat.]

21 Nov 2007

One in two Brits at risk of identity theft, admits HM Government

After two CD-ROMs containing personal data on 25 million Brits from Her Majesty's Revenue and Customs office failed to arrive at the National Audit Office, questions were asked in Parliament. Yes, AFTER the event.

Both the BBC and the Grauniad report on the "gasps of astonishment" from MPs when told of the incident. Given the British tendency for understatement, this is about as close as you'll get to a public expression of outrage.

The officials who posted the CD-ROMs evidently did not "follow procedures". If the data hadn't been going to the auditors, there is a very good chance we would never have heard about this incident ... but I can't help asking whether the NAO would have created a stink if the CDs had simply turned up in the ordinary post, instead of being sent by a secure courier. I'd be willing to bet that all sorts of juicy stuff turns up in their mail and email every day, but I can't recall seeing them jumping up and down about the risk.

Whether Chancellor Alistair Darling swings for this is presumably in Her Majesty's hands. I believe the death sentence is still on the cards for treason in the UK. Now that's what I call accountability.

20 Nov 2007

Password video

Watchfire's latest awareness video offers advice on choosing a strong password, in the style of a 1950s public service announcement (but with modern day video effects: look out for the steaming hot coffee and more).
Watch as hapless Bud makes every password mistake in the book! Shudder as he blunders through one near calamity after another. Chuckle at the painful familiarity of his plight. Will Bud ever succeed in his quest to LOG IN?

Short videos like this are good to break up security awareness/training presentations.

19 Nov 2007

Singapore sling

Here's a sad tale of woe. A good friend of mine in Singapore is suddenly facing redundancy through absolutely no fault of her own. Her employer is simply cutting costs, slashing the workforce it seems without considering their employees' net value (i.e. business benefits created less salary and other expenses). What makes this really sad is that the organization in question is a bank that really ought to have a better idea of basic economics.

So, if anyone out there in Blogoland knows of Singapore-based/regional openings for a highly qualified and experienced IT auditor cum information security manager cum IT governance expert, and understands that value equation, do please get in touch with me (email Gary@isect.com). My friend has a CISSP (with the ISSMP concentration), CISM, CISA and 2 decades in the field with globally-renowned financial services companies. She is also one of the most gracious, friendly and genuinely committed individuals I know. It's hard to think of a better definition of "asset".

ISSA eSymposium on PCI compliance

ISSA has a “PCI Compliance” webcast on December 6th 2007. Speakers will present "live and online" giving you the opportunity to interact in real-time from the convenience of your desk. Register for this free event.

9 Nov 2007

Attention fellow CISSPs, SSCPs and CAPs - a call to action

Voting for the ISC2 Board elections will start in just a few days (Nov 16th). If you have the slightest interest in ISC2, your qualifications and your future career in information security, this is important.

The ISC2 bylaws allow the sitting Board to nominate a bunch of candidates for the election without reference to the membership. Naturally, they tend to put themselves forward for re-election and/or propose their colleagues who, generally speaking, are similar to themselves in background and outlook. In practice, this means the Board is very conservative and favours the status quo. I personally have no issue with stability and continuity unless it prevents ISC2 from responding appropriately to changes in the environment. There comes a point when stability becomes inertia that stifles all innovation and creativity.

If you are entirely happy with the way ISC2 is run right now, if you feel you are getting the best possible value from your membership dollars, and if you see no need to change the way ISC2 is operated and managed, then go back to sleep: you need do nothing at all. Like a giant supertanker, ISC2 will continue indefinitely in the same direction without you doing anything.

However, if you want ISC2 to change for the better, then you have to do something about it, now.

In addition to the Board-nominated candidates, members can stand for election provided they gain sufficient support from the membership (meaning at least 1% must sign their petitions to stand). For obvious reasons, the sitting Board doesn't exactly go out of its way to help independent candidates contact the membership or canvass for the necessary level of support and votes. Electioneering is explicitly banned on CISSPforum, for example, and there have even been accusations of bias in the way candidate profiles/manifestos are presented on the ISC2 website. Nevertheless, a few valiant membership-supported candidates (precisely three out of the 12 on offer) have made it onto the slate and they need our votes to make a difference to ISC2.

Turnout for the ISC2 elections is traditionally extremely poor (though it's hard even to squeeze this little piece of information from ISC2 management). What this means is that your vote counts more than ever.

I'm not going to recommend any particular candidates at this point (maybe later!) but encourage you to do the following:

1. Sign-in to the ISC2 website. Please note: without informing the membership, ISC2 management has recently implemented some significant changes to the website including a new login process - you should be able to login with your original password but using "the primary email address on file with ISC2" instead of your member/certificate number. Several members have had difficulties with this process (e.g. forgetting which email address they originally nominated), requiring support calls to ISC2 that can take days or weeks to resolve. DO THIS NOW to avoid delays that might prevent you from voting when the poll opens.

2. Once logged-in, visit the page listing the 12 candidates and read their submissions. Think very carefully about what they are proposing to do for ISC2 and the certifications in the future. Look for clues as to whether they merely support the status quo (same old same old) or want to do something new and worthwhile for the members. If you agree with the general thrust of what they are proposing, make a note of the candidates' names.

3. If you are interested enough to want to discuss the elections, interact with the candidates and clarify what they really stand for, join the discussion at cissp elections, a mailing list established specifically for that purpose (simply email a polite request to cissp-elections-subscribe@yahoogroups.com). Perhaps you might like to explore issues such as:
- Why the current management recently changed the rules for CPEs, requiring a minimum number of CPEs in every year instead of during a 3 year period.
- Whether the candidates are happy with the way ISC2 communicates important changes (such as the above) with members, if not actually involving them in the decision-making process;
- Relaxing the tight control over CISSP training courses and confidentiality of the CBK, which limits the opportunities for other/non-ISC2 training providers and for exams in other locations;
- How come volunteers for ISC2 duties, such as exam proctoring and the speakers' bureau, never seem to get anywhere?
- Membership meetings - ways for CISSPs and others to meet face-to-face in Real Life;
- Other things that concern you about ISC2, the profession and your career.

ISC2 belongs to its members. Its future is in our hands. Don't let this chance to make things better just slip by without raising a finger.

8 Nov 2007

Who's responsible for security awareness?

A blogger bemoaning the effect of inadequate awareness and training on mobile computing and wireless networking security asks who should be responsible for it. Why do so few organizations run comprehensive security awareness and training? The blogger seems to think the CIO, or possibly HR, should be responsible but I'm not sure about either of those suggestions. Most CIOs naturally focus on IT - as in technical - security, if indeed they take any interest in security. Relatively few HR people I've worked with have had much interest in IT, let alone information security.

No, it seems to me the blogger has created a false dichotomy, offering a choice of two inappropriate owners. The more appropriate home for security awareness is surely the Information Security Manager, especially if management are open-minded enough to ensure that the ISM role has influence right across the enterprise, rather than being buried out of sight in the depths of IT. The ISM should be working hand-in-hand with IT, HR, Legal, Risk, Compliance, R&D, Ops ... in fact I can't think of anyone the ISM can safely ignore (is there any department that doesn't rely on information?).

To have any real effect on the organization's security stance and culture, the ISM needs the full support of executive management. My reasoning goes like this:
- Security awareness is part of information security.
- Information security is part of IT governance.
- IT governance is part of corporate governance.
- Corporate governance applies across the whole organization, and is a matter for senior management collectively.
- Ultimately the CEO and the Board are accountable for information security. They have the power to prioritize it, allocate sufficient funding, mandate security policies, standards etc. The CIO is much too far down the food-chain to have teeth.

7 Nov 2007

New PCI security standard

The Payment Cards Industry (PCI) Security Standards Council (SSC) is adopting Visa's Payment Application Best Practices (PABP) standard as the Payment Application Data Security Standard (PA-DSS). It is due to be finalized and released early in 2008. Anyone wishing to access and contribute to the draft standard must join the PCI SSC (i.e. this is not an open standard).

PA-DSS will presumably be implemented by mandating it on those developing commercial credit card applications (not those developed and used internally) and checking their compliance through a network of Qualified Security Assessors (QSAs), accredited by PCI SSC.

It will complement the existing PCI Data Security Standard (PCI DSS).

6 Nov 2007

Chicago data center robbed, again

A Chicago shared data center (a "co-location facility") has been broken into and robbed for the fourth time in two years, despite claiming physical security measures that would put some data centres to shame.

Masked robbers allegedly broke in through a wall using a power saw (although this is disputed by customers who visited the site), tasered and hit the center manager, and made off with a haul of servers worth at least $20k (presumably that's just the hardware cost: the data content could be worth rather more, and CI Host customers whose websites are down are fast losing their own customers). The following physical security controls are mentioned in the Register piece and on CI Host's website, although the existence of some is doubted by slashdotters:
- Multiple layers of 24x7 security cameras with 360-degree perimeter and roof surveillance and Facilities 24 hour DVR systems with 14 day video storage (foiled by masks and by allegedly stealing the CCTV equipment)
- Proximity card readers plus biometric access controls and key pads, with double-locking mantraps at data center entrance (bypassed by using a convenient hole in the wall instead of the doors)
- Reinforced walls (vulnerable to a power saw, so "reinforced" seems a bit of artistic license)
- On-site personnel 24x7 (perhaps only one person? It's not entirely clear whether he was already there or responded to an alarm. There's no mention of security guards or alarms being sounded, as far as I've read so far)
- Non-customers enter equipment area by escort only (presumably not the robbers!)
- All cabinets, cages, and suites have locking mechanisms (a.k.a. "locks") and security upgrades are available (padlocks? Cages? Bullet-proof Kevlar vests?)
- Physical audit trails on all entry points (visitor logs?)
- Anti-pass back and tail gating systems (passback is permitted through holes in the wall)
- 24x7 intruder, smoke, heat and fire alarms monitored by police and fire departments for instant reaction (for large values of "instant")
- No signage, nondescript building (the building's street address - 900 North Franklin, 3rd Floor, Chicago, IL 60610 - and photo is provided on CI Host's website, and of course the robberies make the news. Hardly what one would call discreet!).

Banks know a thing or two about physical security, yet bank robberies do still occur. Robbers naturally avoid the strongest controls but exploit the weakest, which often includes the employees. Bank employees are not, as a rule, expected to fight to the death to defend their employer's and customers' assets. Automated security controls such as time-locked vaults and silent intruder/hold-up alarms are designed to at least delay if not foil the robbers while the cavalry trot along. On top of that, many of the security controls in a bank are designed to protect the employees. Maybe CI Host should consider taking advice from local bank security people ... or moving out of Chicago?

3 Nov 2007

IT audit checklist on privacy/data protection

A new checklist from the IT Compliance Institute on privacy and data protection suggests some 270 items to check, and offers advice and tips on the associated controls. It also gives hints on what the auditors do/don't expect to see, good for getting your house in order before they call.

National paranoia index

Unisys is using market survey techniques to assess public perceptions of the state of security in various nations. I'm not entirely clear quite what the survey tells us (other than the general state of paranoia in the countries surveyed), or what use it is (apart from the pharmaceuticals companies selling brain-calming drugs), but no doubt selected numbers will magically appear in assorted PowerPoint slide decks in due course supporting all sorts of hypotheses.

New US infosec laws

SecurityCatalyst blogs on two new US information security laws. Minnesota's Plastic Card Security Act adds a legal mandate to PCI DSS. The Identity Theft Enforcement and Restitution Act gives victims of identity theft compensation rights. I'm hunting for more information on both of these and will provide an update if I have anything to add to SecurityCatalyst's post.

31 Oct 2007

A virtuous circle for information security management

A blog describing Intel's 'defense in depth' approach to information security has a neat description of the 4 main phases:
(1) Prediction (essentially risk assessment);
(2) Prevention i.e. classic preventive security controls;
(3) Detection and monitoring for threats that evade, disable or bypass preventive controls; and
(4) Response and recovery - corrective controls, a last resort.

Add a pinch of continuous improvement to learn from every event, and there you have it. Sure beats ISO/IEC 27001's somewhat simplistic plan-do-check-act model!

[By the way, Intel, the 'defense in depth' concept also applies within any of those phases, e.g. using multiple information sources to broaden and deepen the analysis of security vulnerabilities in phase 1, or combining real-time alerting with near-time log analysis in phase 3.]

Creatures of the Net

Spooks everywhere will enjoy the University of Arizona's novel take on Hallowe'en. Four ghostly hours of security awareness on a ghoulish theme.

Now that's an idea ...

Which is the real First Niagra?

A trademark spat between two financial services companies reveals a deeper issue.

First Niagara Insurance Brokers use the domain FirstNiagra dotcom. First Niagara Financial Group, previously known as Lockport Savings Bank, changed its name in 2000 and tried to purchase FirstNiagra dotcom from the present owners, who refused. They then registered First-Niagra dotcom as their address for emails.

Customers of First Niagara Financial Group sometimes forget to include the crucial hyphen when emailing them, so their emails end up at First Niagara Insurance Brokers. Some emails contain sensitive information because (shock! horror!) customers sometimes send Social Security Numbers etc. in plaintext emails.

With clear evidence that customers are being confused by the similar domain names, the trademark infringement issue shouldn't be too taxing on the judge, but this case may perhaps open Pandora's box on similar cases.

30 Oct 2007

ITCi Journal

The IT Compliance Institute's journal should be on your reading list if compliance is on your radar screen. The Fall 2007 issue has good articles on ISO/IEC 27001 & 27002 vs. NIST's SP 800 series, symmetric encryption key management and eDiscovery.

The piece 'Holding auditors accountable for data security' is not about making internal auditors accountable for the organization's information security, but rather about the obligations on external auditors to secure privileged information they obtain during the course of audits. For a while it seemed de rigueur for big name auditors to lose laptops containing confidential client information, but I can't recall any similar breaches since about 18 months ago. Did the audit firms clean up their act, or are these stories no longer newsworthy? Being of a cynical nature, I suspect the latter. Anyway, the article advises great caution when handing highly sensitive business records to the auditors, for example requiring that they are reviewed on-site and not taken away. I can almost feel the wave of horror passing across any auditors in the audience! If the organization has a strong information security policy, perhaps in response to its compliance obligations under SOX and PCI DSS, management should indeed be extremely cautious about handing information to any third party. On the flip side, though, the auditors need to be able to do their jobs and won't appreciate (further) constraints, although I guess they may just 'add it to the bill'. It is not unreasonable to insist that security compliance, confidentiality and liability aspects are incorporated in suitable clauses in the audit contract, for example by insisting that the auditors should be ISO/IEC 27001 certified. In fact, why not have your CEO formally express the importance of information security to the audit team before they start work? That's one way to make an impression ...

Standards are for everyone else, not BSI

When I tried to notify BSI-Global (formerly the British Standards Institute) about a possible phishing email using them as a lure this morning, their automated mailing system sent me the following curt response:

"This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.


So much for standards. RFC 2142 has only been out there for ten years. Perhaps BSI is above the standards that apply to us lesser mortals?

Resistance is useless

You know you want to. Visit the NoticeBored website to find out about the new security compliance module. We have stripped down and completely rebuilt the 'laws, regulations and standards' awareness module last delivered 3 years ago, and soon realized what business people mean when they complain about the compliance load. When you look into it, there's a huge pressure to comply with externally-mandated laws, regulations and standards, plus the rules organizations make up for themselves: the strategies, policies and contractual terms.

Being a security awareness service, we focus on the information security rules of course but I believe there are possibly one or two non-information-security laws, regs and standards out there too ...

27 Oct 2007

Iron Mountain security failures continue

Iron Mountain Inc. is back in the headlines again - this time a customer's storage media went missing from an Iron Mountain truck when the driver "did not follow established company procedures when loading the container onto his vehicle".

The backup device belonging to the Louisiana Office of Student Financial Assistance (LOFSA) contained thousands of names, birth dates and Social Security numbers. It was unencrypted - evidently LOFSA is "working on a plan to encrypt all backup data stored off site". It was also "in the process of developing our disaster and recovery plan, but [the loss] occurred before we could get it in place and establish it as a standard plan".

23 Oct 2007

Yet another redaction failure

... this time it reveals the face of a man accused of sexually abusing boys in Vietnam and Cambodia. Photos of the man were redacted using a swirly filter effect that police somehow reversed. The resulting image is clearer than most CCTV snaps we see on TV crime watch programs.

Presumably the same kind of techniques would work on similarly redacted digital photos of vehicle license plates, associates of criminals and so forth. Provided there is sufficient original data in the redacted image, and provided the manipulation can be reversed without too much data loss, it's feasible.

Stories about un-redacting documents by cutting-and-pasting the original words from 'beneath' black boxes crudely added to PDFs etc. are simply passé.

The take-home lesson for today is this: if something needs to be redacted, do it properly by removing, not just manipulating or covering, the original data. There's a lot to be said for the 'print out -> obliterate with marker pen -> scan -> load' method.

UPDATE: a man has been arrested in Bangkok following release of the unredacted photo.

20 Oct 2007

Automated field gun kills 9

This tragic story speaks for itself. After the operators cleared a jam in a Swiss/German Oerlikon 35mm MK5 anti-aircraft twin-barrelled gun during a live-firing military exercise, the gun turned to the left and fired a rapid burst of ½kg cannon shells directly at adjacent guns in the line, killing 9 soldiers and injuring 14. At the time, the gun was supposedly on 'manual', locked on to a target 1.5 to 2km away. On 'manual', it should not have turned at all.

According to news reports, "Defence pundit Helmoed-Römer Heitman told the Weekend Argus that if 'the cause lay in computer error, the reason for the tragedy might never be found.'" If 'computer error' equates to bug, then I can only assume the software must be horrendously complex and opaque to be so resistant to analysis ... which it probably is if it combines target acquisition/identification, range finding, gun control, oh and safety.

The South African Department of Defence is under pressure to conduct an inquiry.

Don't the procurers of such automated weaponry specify mechanical safety interlocks capable of physically preventing the turret from turning beyond set azimuth (and perhaps elevation) limits?

19 Oct 2007

Tips for physically securing your IT equipment

A page from the University of Bristol's new security awareness site, aimed at students, offers some worthwhile advice on avoiding physical damage or loss to your IT equipment, things like:
- Don't cover the PC or monitor with anything (fire risk)
- Don't drink near the system (water damage risk)
- Don't be in a rush (a common explanation for why laptops etc. get left on public transport is that the owner was in a hurry ... I suspect asking students to get out of bed 5 minutes earlier is a bit of a tall order).

The rest of the site is straightforward enough - basic advice on antivirus, firewalls, patching, backups and so on. Not a bad start.

Who owns what you throw away?

An interesting angle on the dumpster-diving craze comes from Singapore. A judge has previously ruled that confidential information discovered in the trash cannot be used against someone, but the issue is to go to appeal.

It seems to me the burden is and should be on the person discarding information to take care to make it unreadable, for example by cross-cut shredding and burning. It seems fair to me that it's their fault if they fail to take sufficient physical security measures to protect the information.

Top ten employee security gaps

The IT Compliance Institute's top ten list of 'employee security gaps' makes sense, expanding on five key areas (training, policies and procedures, disaster recovery and business continuity planning, audits and risk analysis) that seem to be common to most organizations.

My favourite, of course, is number ten:

Train, train, and train some more

If there’s a common thread the experts all agree on in addressing each of these issues, it’s the importance of education and training. Poor training and unaware employees lie at the root of many if not most employee security breaches. All three of the interviewed security experts emphasized one point: Use real-life examples from today’s headlines to shake employees out of security complacency and to help make your points. Unfortunately, there’s no lack of those stories into the foreseeable future.

Global Security Challenge grand final

The Global Security Challenge grand final conference takes place in London on November 8th.

Global Security Challenge is an annual business plan competition to find the most promising security technology startups in the world. The winners of three semi-finals (!) in Europe, Asia and the U.S. stand to win a $500,000 grant in prize money and mentoring.

Keynote speakers and judges include:
- Sir Richard Dearlove, former Chief of the UK's Secret Intelligence Service (MI6)
- Ken Minihan, former Director of the U.S. National Security Agency (NSA)
- Alastair MacWillson, Managing Partner, Accenture
- Jeff David, Deputy Director, TSWG, US Department of Defense
- Stephen Bonner, Global Director, Barclays

One-click becomes none-click

Amazon's 1997 patent on the 'one click' system has been successfully challenged by a New Zealander who has studied commercial law and lists 'American patents' as a hobby. Peter Calveley of Auckland discovered a prior claim. In 2005, Peter filed a challenge with the US Patent Office that has now overturned Amazon's patent. Amazon say they will appeal the decision.

17 Oct 2007

New ISF standard released!

The Information Security Forum's Standard of Good Practice for Information Security has been updated and re-released just a few days ago. I have long admired the ISF standard for two key reasons:

1. It is well written, clearly laid out and eminently usable. As a user, I really like pragmatic standards!

2. It is free. If the ISO/IEC 27000 standards were free, I'm sure they would be even more popular and widely used than they are and the world would be a safer place. For organizations or individuals who are unwilling or unable to afford ISO27k, the ISF standard makes a good second choice ... along with the NIST SP 800 standards and a raft of others.

The 2007 version is a weighty 372 pages but is fluff-free. Each of the controls is simply and directly stated with very little in the way of explanation, context, justification or implementation guidance. That's great for those of us with sufficient experience to fill in the gaps for ourselves but could be a bit ambitious for those new to information security management.

I'm sure I'll be referring to the standard in our security awareness materials, though not as much as ISO27k.

12 Oct 2007

Award winning awareness program

On reading that the University of Notre Dame's security awareness program won an Award of Excellence from the Special Interest Group on University and College Computing Services (SIGUCCS), I took a look at their website. I can't access the university-only security awareness materials, of course, but the public materials and the site's design demonstrate its winning ways: striking graphics and easy navigation, clearly-written guidelines and policies, a decent range of security topics, an FAQ and more.

Well done University of Notre Dame. Nice work.

Tips for your next black bag run

Rebecca Herold lists some 18 common security breaches to look out for when undertaking an office physical security review out of hours (also known as a black bag run when the reviewer/auditor collects up and quarantines sensitive/valuable materials left on desks).

We'll be looking at office information security specifically in January's NoticeBored Classic awareness module but Rebecca's list is an excellent starting point. It's hard to think of other breaches.

10 Oct 2007

Secure disk erasure how-to

Anyone who sells a used hard drive, or a system containing one, should follow the step-by-step guide to using DBAN (Darik's Boot And Nuke), a great free program to securely erase everything, BEFORE packaging and sending the goods to an anonymous eBay or car boot sale buyer.

DBAN does a good job but overwriting the entire disk surface several times with random data is not a quick five-minute-or-less job - it may literally take hours to do thoroughly. Don't leave it to the last minute and don't cut it short if there is anything vaguely incriminating on the disk.

Oh and don't try this on any disk drive whose contents you actually still might need (doh!).

Creativity unleashed

Anyone who has been in a medium or large company for more than a few months has no doubt been subjected to the tyranny of "team building" and "vision sharing" sessions in which ideas for unlocking employees' inner strengths are shared with the 'team' by some eager HR person or on-something training consultant. These can be great fun if the facilitator is full of life and the 'team' is in the mood for it. They can also be painfully lame.

Well, here's a shortcut - a wiki on creative thinking techniques. Explore the ideas in the safety and comfort of your very own private cubicle, with no need to disclose your innermost fears in public, play ridiculous rigged games, sing 'team' songs, raft whitewater rapids, rappel down a precipitous cliff in your underpants and generally make a blithering idiot of yourself in front of the office belle (or beau).

Physical security podcasts

Podcasts at SecurityInfoWatch cover topics such as voice recognition biometrics, CCTV camera technologies, terrorist threats and more. They are mostly interviews with representatives of companies selling associated products and services (i.e. advertorials or infomercials) but still the information content may be just what you need.

9 Oct 2007

Attn: beneficairy!

Another vaguely amusing 419 email arrived in my bulging inbox last night. I won't bore you with all the details about the large unclaimed inheritance awaiting my instructions as a "beneficairy", but the following paragraph made me smile:
"You may have also been directed to visit different cities and countries with the instruction that your fund would be released at such payment post or that your fund could be delivered to you at your residence. All these are cooked up Stories from impostors who wish to extort money from you while they do not have any knowledge of the true position of your fund transfer."

So, impostors are cooking up Stories, eh? Would you believe it!

7 Oct 2007

Top secret NSA data lost on thumb drive

It's not A Good Idea to lose a USB memory stick containing top secret data from the NSA, even if you are a foreign citizen working at The Hague in Holland.

Similarly, it's not A Good Idea to shred your top secret papers with a plain cut shredder and hand the shreddings to an untrustworthy Taiwanese courier.

Security camera security

If your CCTV security camera system uses IP transport to cut costs, don't forget to factor the cost of network and device security into the mix. It has long been known that many IP-enabled CCTV cameras are pumping live video onto the Web with no encryption or access control. It now appears that exploiting security vulnerabilities in the camera controllers may allow hackers (or bank robbers) to manipulate the video stream, for example replacing it with a 'blank scene' while they crack the vault.

Boeing sacks whistleblower

A press report about Boeing firing an IT auditor for blowing the whistle on alleged mishandling of SOX compliance work by Boeing's IT Department is troubling on a number of levels:

1. If the allegations are true, Boeing may have internal control problems affecting its governance, financial accounting systems and/or reporting.

2. Nothing else matters as much as the truth of point 1.

Instead of firing the auditor, Boeing management should face up to the charge and clarify their position. Control problems that are acknowledged can be fixed. Sweeping things under the carpet, shooting the messenger of bad tidings and intimidating his (former) colleagues is hardly 'facing up'.

Auditors are professionally obliged to act in the best interests of their employers or clients. On rare occasions, this includes blowing the whistle on malpractice or incompetence. If employers/clients can simply dismiss whistleblowers, it is a very brave (and self-confident) auditor who has the nerve to speak out and risk losing his/her job ... so the question comes down to whether we believe in the professional integrity and ethics of the auditor or that of the employer/client. An honest disclosure of the facts of the alleged control issue will surely resolve this one way or the other?

Password protected =/= Hacker proof?

Gosh: another stolen laptop contains personal data. But it's OK, we're told, because the laptop is "password protected".

"Password protected" could mean a BIOS boot password, a hard drive access password, a Windows/UNIX user login password, or a data encryption key. Using hacker or forensics techniques, all but the latter control can be broken, and even encryption can often be brute-forced given enough time and a weak pass phrase. If the laptop's data or entire hard drive had been strongly encrypted, we'd presumably have been told so and the people whose personal data are on the stolen laptop could sleep easier.

Call me paranoid but "password protected" sounds very much like "insecure" to me.

At least the Gap company 'fessed up that their stolen laptop was unencrypted.

UPDATE Dec 9th 2007: after a laptop was stolen from a Citizens' Advice Bureau employee's car, the CAB confirmed that it was protected with "a high level of encryption". Presumably 'high level' means strong encryption using a current encryption algorithm (such as AES) with a long key length (at least 128 bits, ideally 256 or more) and a strong password/passphrase policy, ruthlessly enforced (long non-dictionary phrases). Anyway, if it were my personal data on the laptop, the fact that the PR people specifically state that the laptop was encrypted would give me a lot more confidence than the usual mention of "password protection".

This is doubly important if you are, say, a government that regularly loses hundreds of laptops and desktops per year.

Data recovery from 'erased' CD-RWs

Picking up on a technique used to retrieve MP3s from an 'erased' CD-RW disk, a forensic investigator has succeeded in retrieving incriminating data from 'erased' CD-RWs, sufficient to secure the defendant's prosecution in a child abuse case.

The news article barely outlines the method: it appears to involve writing a new file to the 'erased' CD-RW but interrupting the write process. I presume the first part of the write creates the 'lead-in' file system synchronization and identification data. If interrupted soon after, the PC can presumably be fooled into reading the rest of the disk.

Presumably, also, if 'erasing' a CD-RW only involves wiping the disk sync and ID part leaving all the data intact just waiting to be overwritten by the next write operation (rather like deleting the directory on a hard drive), then surely it ought to be possible to manufacture forensic CD/DVD software or drives that sync directly to the data tracks to make their bitwise copies, all without having to overwrite the lead-in part of the (evidential) disk? Indeed, a very quick Google query reveals that one can buy data recovery software for damaged CDs. I wonder if the 'clever officer' in the news story tried such an approach?

Anyway, the take-home message is not to discard even 'erased' CD-RWs that might contain valuable or sensitive data. Shredding/grinding/physical disintegration and burning remains the safest option.

5 Oct 2007

Nigerian scammers head for the slammer

A major police operation has blown open a Nigerian 419 scam ring and seized thousands of fake cheques, passports and other collateral worth ~US$16m.

"The month-long investigation into the fraud uncovered more than 4,500 forged and fraudulent documents. UK officials are working with agencies in the US, Holland, Spain and Canada to tackle "mass marketing fraud". A handful of people have been arrested in the UK with almost 70 more held overseas."

As usual, the scammers have been exploiting naive victims using social engineering techniques, sometimes using dating websites (where people seem naturally more vulnerable to being spun a lie).

6th October update: Reuters reports:
"An international crackdown on Internet financial scams this year has yielded more than $2.1 billion in seized fake checks and 77 arrests in the Netherlands, Nigeria and Canada, U.S. and other authorities said on Wednesday."

The seized assets appear to have swollen from $16m to $2.1bn in a few days, an alarming rate of inflation.

4 Oct 2007

Information Asset Protection guideline

ASIS International has released a guideline on protecting information assets.

"This guideline is organized into three primary sections. The first section offers a general framework and some guiding principles for developing an effective Information Assets Protection (IAP) policy within any organizational setting. The second section proposes recommended practices that may be applied in the implementation of a high-quality IAP program. The third section consists of two appendices that provide useful tools for any size organization. Appendix A consists of a Sample Policy on IAP. Appendix B is a Quick Reference Guide, a sample flow chart for assessing information protection needs that can be modified and customized to meet an organization’s needs."

The guideline recommends categorizing, classifying and valuing (or rather "valuating"!) the organization's information, such as:
● Proprietary information - customer lists, marketing plans, pricing strategies, test results etc.
● Trade secrets
● Patent information
● Copyright information
● Physical products - prototypes, models, molds, dyes and manufacturing equipment etc.
● Trademarks and service marks
● Privacy information - personal data, evaluations, credit info etc.
● Regulated information - health information, financial data, government classified etc.

It recommends technical/logical, procedural/manual and physical security controls, although technical controls such as firewalls are merely noted and not explained. Information security awareness and training however merits a specific mention in section 12.7:

"Almost invariably, security awareness and training is one of the most cost effective measures that can be employed to protect corporate and organizational information assets. This is largely due to the fact that protecting information, generally more so than any other asset, is best achieved through routine business practices that permeate every element of an organization. Therefore, where each individual entrusted with sensitive information takes prudent measures and personal responsibility for protecting those assets, a robust security environment should occur naturally."

The sample organizational policy on information asset protection in Appendix A is a decent model for a high level/overarching information security policy such as that recommended by ISO/IEC 27002 section 5.

Physical & information security convergence

A security page at the ISACA website links to three resources on convergence between physical and information security:

1. A survey by Deloitte & Touche addresses the value of security as part of enterprise risk management and the benefit of a converged view of security in managing enterprise risk. Security executives provided insight into the general state of security convergence, integration of converged security as part of ERM, the role of risk councils and the benefit that a strategy for converged risk management plays in breaking down communications barriers.

2. Convergent Security Risks in Physical Security Systems and IT Infrastructures describes how enterprises are facing the risks that arise when physical and IT security risks collide.

3. Convergence of Enterprise Security Organizations is a Booz-Allen-Hamilton study examining how enterprises are addressing the converged issues surrounding their security.

Podcast on security awareness

I was interviewed for a podcast by Scott Pinzon at Watchfire. Hear how to make security awareness programs more effective by engaging managers, IT professionals and general employees, linking security in home life with security at work, and combining communications methods.

Suspected chemical attack on London

Since this month's awareness topic is physical security, I guess a story about a suspected chemical attack in London is not too far off-topic.

The subtext is that London remains on high alert for terrorist attacks.

2 Oct 2007

Economic spies charged

Two US citizens have been charged with economic espionage, theft of trade secrets and conspiracy to steal microchip designs from Netlogics Microsystems, their employer, and Taiwan Semiconductor Manufacturing Corporation, to sell to the Chinese army. If convicted, they could be sentenced to 15 years in prison.

Physical security awareness module

Lock up your assets
October's NoticeBored security awareness module covers the physical aspects of information security e.g.:
- Physical access controls such as fences, walls, doors, locks, security cables etc.
- CCTV, security guards, staff passes, visitor procedures, intruder alarms
- Environmental controls and supplies for the computer equipment e.g. UPS, air-conditioning, fire/smoke & flood alarms.

Since first writing and delivering this module in 2004, we've added a stack of new materials, so the whole module now contains over 80MB of rich content.

Do let us know if there are any physical security links to add to our links collection.

26 Sept 2007

Credit card numbers posted on eBay forum

Someone appears to have posted a load of personal data including credit card numbers on an eBay discussion forum, paradoxically one on trust and safety. Around 1,200 eBay users' details may have been compromised.

Why anyone would do this remains a mystery. Is it just some sort of publicity stunt, or a hacker's brag?

eBay shut down the forum and pulled the pages about an hour after being informed of the incident. There's more about the incident on an eBay blog.

"eBay spokesperson Nichola Sharpe said Tuesday afternoon that posts made on the Trust & Safety board early this morning contained name and contact information for 1,200 eBay members and called the person posting the information a "malicious fraudster." She said the incident was not the result of a security breach from eBay and could have been obtained as part of an account takeover."

It's possible that a merchant's account may have been compromised, I guess.

25 Sept 2007

Putting a mole in the camp for awareness purposes

Fellow blogger Jason Bevis set me thinking today with a paper suggesting that one might deliberately seed a 'mole' in a software development project team whose job is secretly to exploit his colleagues using social engineering techniques. The idea, then, is that the results of his/her underhand activities would provide enlightening and motivational fodder for security awareness/training sessions.

You'll see from the discussion on the paper that I'm dubious about the possibility of even being allowed to do this as a deliberate ploy, although I agree that 'catching people in the act' can provide good case study-type materials. I've suggested that similar information can be obtained openly using typical penetration testing, audits, management reviews etc., without the need for cloak-and-dagger stuff that can so easily backfire ... but what do you think? Would you try something along these lines?

23 Sept 2007

Windows security spec with free audit tool

The US Government's plans to use standardized Windows desktop environments have advantages for non-US Government entities also. The Federal Desktop Core Configuration (FDCC) specifies reasonable Windows XP and Vista security settings, and application software vendors are encouraged to make sure their products work on a standard spec PC. Tools such as Secutor Prime (free for non-commercial use) will audit a PC against the FDCC and report discrepancies, with enough detail for a competent sysadmin to resolve them. It's not quite point-n-click one-button-security for the masses but is useful for those who want to improve the security of their own Windows systems. Companies that roll out standardized Windows desktops would be well advised to check their standard builds against the FDCC too.

I won't go into the downside of encouraging a PC monoculture at this point but leave that for your homework, and Google.

21 Sept 2007

SCO loses the will

An extended intellectual property/copyright dispute between SCO Group (Santa Cruz Organization) and Novell over Unix and UnixWare has resulted in SCO's defeat in court. It has now filed for Chapter 11 bankruptcy protection from its creditors, partly due to losing the copyright case but also it appears because of its failure to adapt to the open systems form of software licensing. Linux companies generally provide their operating systems software for free (or near enough), making their money from support services. SCO stuck with the older model, charging heavily for the software itself, and has paid the price in the long run.

19 Sept 2007

Spam experiment on video

Will a can of spam blend? Find out here.

PS No matter how much you want to, don't try this at home.

18 Sept 2007

CSI's 12th Annual Computer Crime and Security Survey

One of many graphs in the survey report
The latest Computer Crime and Security Survey from America's CSI (Computer Security Institute - not the TV show) is a handy source of statistics to consider and perhaps spice up your security awareness materials. The survey is well respected, being vendor independent, having just under 500 responses and being consistently designed from year to year.

Key findings:
- Since last year, the estimated average loss has nearly doubled to $350k per organization per annum
- Nearly 1 in 5 respondents who suffered security incidents said they’d suffered a "targeted attack" i.e. a malware attack aimed exclusively at them or similar organizations
- Financial fraud caused the greatest financial losses
- Insider abuse was the most prevalent security problem
- Just under half of respondents said they had suffered security incidents, similar to but slightly less than the past 2 years
- 29% of organizations report security incidents to law enforcement

Being a security awareness specialist, the following caught my beady eye:
"Almost half—48 percent—spend less than 1 percent of their security dollars on awareness programs. While this may be the case simply because some forms of awareness training (such as putting reminders on corporate intranet sites) aren’t expensive, one is tempted to conclude that while the industry talks a good game about teaching users how to be good stewards of company network resources, they don’t yet put real dollars behind the proposition."

~Half spend less than 1% of their security budgets on awareness! Golly! Given that security budgets are around 10% of IT budgets, there must be a lot of managers out there that are so frugal on security awareness that they 'squeak when they walk'. Our very own security awareness products typically cost about the same as a single cup of coffee per employee per annum, barely enough to merit a budget line item. Cost is surely not the issue: many organizations evidently don't appreciate the potential business benefits of a well-run security awareness program. Perhaps they think employees will just 'be secure' without any guidance? Flying pigs optional. Security incidents averaging $350k p.a. are (at least partly) the inevitable result of such wishful thinking.

419ers' conference

Such a shame: I missed the opportunity to attend a conference for Nigerian 419 scammers in Nigeria back in 2003. The 3rd Annual Nigerian Email Conference was held at the Abuja Sheraton, famed for its amenities.

eCriminals teaming up for more chaos

Symantec has disclosed some data supporting the widely-held belief that electronic crime is on the up, with eCriminals teaming up to leverage their skills and information.

"More worryingly, said Mr Beer, were signs that different sections of the underground economy were starting to collaborate to improve their chances of catching people out. Hi-tech criminals with information culled from job sites, online games or social networking sites were teaming up with phishing gangs and spammers, said Mr Beer. The end result was well-crafted e-mail campaigns that gained a gloss of credibility by combining several different bits of data."

Narrowly targeted phishing emails ("spear phishing") use information that the victims believe 'must be legitimate' to fool them into opening infected attachments, visiting phishing/infected websites etc.

Email users must:

1) Avoid opening executable email attachments that turn up unexpectedly, even those that appear to come from a legitimate source such as someone they know (if they intend to open executable attachments, users should first phone the sender to confirm what was sent);

2) Avoid following URLs provided in emails, and watch out for URLs ;

3) Make sure their antivirus software is maintained constantly up-to-date;

4) Not fiddle with the security configuration of antivirus, personal firewall, email, browser and other software;

5) Take regular off-line backups of all important data, making sure that the data are correctly stored and can in fact be retrieved if (when!) needed;

6) Run anti-phishing utilities such as phisher site warning add-ons for browsers;

7) Most of all, remain alert to email security threats. Be EXTREMELY wary of providing any personal data (names, addresses, passwords, PIN codes, credit card numbers etc.) to a website or form provided by email. Corporate email users should report suspicious events to their IT Help/Service Desk or information security function the sooner the better - it may not be too late to prevent further damage.

ISMS documentation checklist

If you are planning or just starting out on your ISO/IEC 27002 implementation project, this may be just what you need. The ISMS Documentation Checklist is simply a list of the documents typically required by and/or created by an Information Security Management System. Your project plans should include researching, drafting, reviewing, approving, publishing and promoting your own suite of ISMS documents, so it helps to know what is typically expected.

The list was created by a team of ISMS users on the ISO27k implementers' forum, a mailing list run at ISO27001security.com.

Phase 2 of this collaborative project involves collecting and publishing examples of each of the documents in the checklist. If you would like to get involved in the project, please contact me (Gary@isect.com) to join the fun. We anticipate publishing example documents gradually between now and the end of the year.

17 Sept 2007

Viagra spam from Pfizer computers

A story in Wired shows that even major corporates are vulnerable to hackers and spammers. At least 138 Pfizer computers have been blacklisted for distributing spam for drugs such as Viagra, a Pfizer product, and Cialis, a competitor's product. The computers have presumably been taken over as 'bots' or 'zombies', remotely controlled by the hackers and used to distribute spam. It is entirely possible that the compromised machines have access to Pfizer's valuable proprietary information. Previous stories about Pfizer employees using peer-to-peer software, for example, indicate the kinds of information security weaknesses that could have led to the infections but, not surprisingly, Pfizer is not saying much about it.

14 Sept 2007

McLaren fined $100m

The McLaren-Ferrari industrial espionage incident is drawing to a close with McLaren being fined $100m by the FIA and losing all their points in the constructors' championship. McLaren's drivers who top the drivers' championship have been spared the whip, thanks in part to their cooperation with the FIA's investigation.

4 Sept 2007

Privacy in the 21st Century

This week is the third annual Global Security Week. This year's topic is Privacy in the 21st Century. For information on GSW events, free awareness materials to download and links to further privacy resources, visit the GSW website.

There's also a GSW blog: I've just posted the following item to the GSW blog and there are contributions from supporters of GSW.

Does your organization have a policy on promptly informing those affected by privacy incidents and, where necessary, disclosing breaches to the proper authorities? If not, a privacy incident at John Hopkins Hospital might make you think again:
"A desktop computer containing the personal information of 5,783 patients was stolen from Johns Hopkins Hospital in mid-July, and the hospital waited more than five weeks to inform the patients or their families of the theft. The computer, taken from an "administrative work area" in a building on Johns Hopkins' main campus the night of July 15, contained patients' names, Social Security numbers, birth dates, medical histories and other personal information, according to Hopkins officials. Another computer and a projector were also stolen."

Another suggestion is to make sure your organization's contingency plans cover privacy and security incidents, giving management a blueprint to help them deal with a crisis in the most efficient and professional manner possible under the circumstances.

1 Sept 2007

STBO on email security

A report into email vulnerabilities, 'sponsored' by a handful of email security companies, is available for free until 21st September, although one has to register and is supposed to provide one's email address plus other personal information to obtain it. To save you the bother and the risk that entails, here are the report's three stunning conclusions:

"Develop comprehensive email security strategies that address both inbound and outbound vulnerabilities; Actively monitor, assess and address email vulnerabilities on an ongoing basis – new threats appear daily; Include email vulnerability assessment in an overall threat analysis, looking at threats across email and the Web as well as across desktops, laptops, servers and networks."

The report demonstrates a circular/specious argument by pointing out the differences between what "best in class" organizations are doing versus the rest. If one takes the trouble to wade through the report to find out how "best in class" organizations are identified, one finds (surprise surprise) that they are those who demonstrate the very practices that are called out. This is like me lining up a bunch of people against a wall by height, then making a big song-and-dance about the fact that the people towards one end of the bunch are 'height advantaged' or 'height challenged' (depending on which end I'm talking about) compared to the rest.

Of course the report is replete with plenty of impressive-looking statistics and graphs which are no doubt being quoted as fact ... by those email security companies who 'sponsored' the study.

Good thing it's free.

[STBO = Statin The Bleedin Obvious]

Email encryption

A short piece at Enterprise IT Planet looks briefly at the technical architecture options for email encryption e.g. endpoint-to-endpoint vs. endpoint-to-email-gateway. Thanks to input from the company behind PGP, the article only mentions PGP but similar principles and concerns apply to other email encryption protocols.

29 Aug 2007

Beware free l(a)unches

Skimming through my inbox and spam box today, I've seen a few phisher emails like the following example:

Phisher example

The emails vary slightly in the names of the "beta software" (e.g. Investment Developer, Cooking Helper, Home Reno Planner etc.) and of course the senders and subject lines vary.

They all seem to point to an executable file at a numeric IP address, which is most likely another Trojan dropper.

This looks to me like another generation of the STORM worm.
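As an added example (not code from the blog or from any product it mentions), here is a Python triage routine that applies the two patterns discussed on this page to an incoming message: the "Email users must" rules from the eCriminals post above (executable attachments, links embedded in email) and the phisher emails described in this post (a link to an executable file at a numeric IP address). It also flags HTML anchors whose visible text names a different host from the real href, a common spear-phishing trick. The message it analyses is constructed for the demo and the indicator lists are illustrative, not a complete signature set.

```python
"""Triage an e-mail for the phishing indicators discussed on this page.

Added example, not from the original post. Flags: executable attachments,
links whose host is a bare IP address, links that lead straight to an
executable file, and HTML anchors whose visible text names a different host
from the href. Sample message is constructed; indicator lists are illustrative.
"""
import ipaddress
import os
import re
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment / download extensions that execute when opened (illustrative list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Matches link text that looks like a host or URL, e.g. "www.example.test/login".
DISPLAY_HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#]\S*)?$")


def host_is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def displayed_host(text: str):
    """Host named by the visible anchor text, or None if the text is not URL-like."""
    m = DISPLAY_HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_url(url: str) -> list:
    """Findings for a single URL: bare-IP host and/or direct link to an executable."""
    findings, parsed = [], urlparse(url)
    if host_is_bare_ip(parsed.hostname or ""):
        findings.append(f"link to bare IP address: {url}")
    if os.path.splitext(parsed.path.lower())[1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"link to executable file: {url}")
    return findings


def triage_message(raw: str) -> list:
    """Walk every MIME part of a raw RFC 822 message and return a list of findings."""
    findings = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if filename:  # attachment: judge it by extension only
            if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS:
                findings.append(f"executable attachment: {filename}")
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        urls = set(URL_RE.findall(body))
        if ctype == "text/html":
            collector = _AnchorCollector()
            collector.feed(body)
            for href, text in collector.anchors:
                urls.add(href)
                shown, real = displayed_host(text), (urlparse(href).hostname or "").lower()
                if shown and real and shown != real:
                    findings.append(f"link text shows {shown} but points to {real}")
        for url in sorted(urls):
            findings.extend(check_url(url))
    return findings


def build_sample_message() -> str:
    """Constructed phishing-style message for the demo (not a real capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "beta-team@example.test", "you@example.test"
    msg["Subject"] = "Try our new Home Reno Planner beta"
    msg.set_content("Download the beta here: http://203.0.113.7/planner_beta.exe\n")
    msg.add_alternative('<p>Or log in at <a href="http://203.0.113.7/login.php">'
                        'http://www.example-bank.test/login</a></p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="HomeRenoPlanner.exe")
    return msg.as_string()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

On the constructed message the routine reports five findings: the plain-text link is both a bare-IP host and a direct .exe download, the HTML anchor is a bare-IP host whose displayed text names a different host, and the attachment is an executable. In a mail gateway or help-desk triage script the findings list is what you would log or attach to the ticket; the extension and URL heuristics are deliberately simple and are a starting point for tuning, not a substitute for the antivirus and anti-phishing tools the post recommends.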

Full disclosure on Wall Street Journal

I've been watching the brouhaha over the article in WSJ for most of a month now, with some bemusement. Essentially, 95% of the 'informed opinion' in the infosec blogosphere has been along the following lines:
- The WSJ is irresponsible to have published this piece;
- The journalist is even more irresponsible to have penned it;
- It is outrageous!! Something Must Be Done!! Prepare the noose!!

What I haven't seen anyone cover in depth as yet is the concern that information security controls on the corporate desktop are so pathetic that an editorial piece in WSJ can blow them wide open. Que? Aren't the bloggers completely missing the point?

I've never bought the argument of 'security by obscurity' which they seem to be arguing for. We in the infosec profession should be redoubling our efforts to design and apply sound desktop security controls, not bleating at the journalist who says "The King has no clothes". As to those 'infosec pros' who are baying for her blood, shame on you. Shooting the messenger won't alter the fact that desktop security stinks.

Isn't this just the same argument as with full disclosure of security vulnerabilities? Most of the profession are outraged that someone would even consider posting an exploit in a public forum, let alone doing so without giving the relevant party time to analyse it, create and test a fix, and then wait N months for everyone to implement the patch. Hackers, meanwhile, argue very convincingly that if they do not at least disclose exploits "responsibly", they will never be fixed because vendors are far too busy adding new bells and whistles. They say that crackers, the criminal underground and 'terrists' will eventually discover the self-same vulnerabilities and exploit them for criminal purposes and the world as we know it will come to a sticky end. Both points of view have merit but the real issue is that FAR TOO MUCH SOFTWARE HAS BLATANT BUGS THAT CREATE SECURITY VULNERABILITIES BECAUSE SECURITY IS NOT A DEVELOPMENT OR SALES IMPERATIVE. In that context, the full/responsible disclosure argument is simply irrelevant bickering.

I'm looking forward to the WSJ's forthcoming editorials blowing open web security, multifactor authentication, database security and all those other oxymorons so beloved of the 'infosec profession'.

Go ahead, shoot me if you like.

25 Aug 2007

Awareness and training surveys in EU and US

Two survey reports into information security awareness and training practices offer insights into the state of the art.

The first report from the European Network and Information Security Agency ENISA is Information security awareness initiatives: current practice and the measurement of success.

Although the survey and case studies are European in origin, I'm sure the general discussion and ideas on the thorny issue of measuring information security awareness programs, and in fact measuring information security as a whole, are broadly applicable. Three-quarters of the Europeans surveyed said they have to do security awareness as a compliance requirement. I didn’t realize it was such a high proportion.

References in the report to the lack of consensus and evolving good practices indicate the variety of awareness and metrics techniques in use. I was interested to see markedly different opinions on the value of CBT (Computer Based Training) or posters, for example, and ambiguity throughout the report about "training" vs "awareness" (NIST SP800-50 speaks to the difference, as does the NASCIO report noted below). I heartily agree with the implication that security awareness should be a rolling year-long event, continually updated to reflect current issues, rather than a sporadic/once-a-year training course (the dreaded 'sheep dip'!) or, even worse, the once-a-career induction course, no matter how effective classroom-based training may be.

The awareness topic list on page 5 of the report seems 'about right' to me although there are many other topics perhaps worth covering (e.g. software development, database security, privacy ...) if you are creative about it, which also helps keep the program fresh and interesting. All in all, it's 20 pages well worth reading.

The second report from NASCIO (an organization representing chief information officers, information technology executives and managers from US state governments) is IT Security Awareness and Training: Changing the Culture of State Government. The authors promote security awareness as a preventive control that can help to avert major crises caused by serious information security incidents.
"Since a holistic approach to security revolves around people, cultural change is needed to truly ensure that employees and contractors understand their IT security responsibilities and take them seriously."
The report promotes the value of continuous, long-term, broad-based security awareness activities in addition to more narrowly focused and spasmodic training activities.
"Continuous and ongoing awareness and training activities for state employees (and contractors) could help prevent a major state crisis ... Cultural change to the fabric of the state government workforce is needed to make IT security and the ethical use of state IT resources as ubiquitous as technology. Since that cultural change involves changing the way that state employees perceive IT security, consistency and patience are necessary ingredients. Isolated presentations or training sessions, while a good start, will not lead to the creation of a long-term culture of IT security. After all, state employees, like everyone else, have many plates to juggle and may not retain the entirety of the awareness and training content to which they have been exposed, especially upon the passage of months or years. Hence, regularized and constant reminders in many forms are needed to enact this cultural shift ... Consistency is a key factor. One isolated presentation does not make for adequate awareness. Presentations on a more frequent basis can help to keep IT security at the forefront of government officials' agendas so that executive and legislative support does not wane over the long term."
Absolutely! This is probably the key reason that old-fashioned "security awareness" programs (usually consisting of sporadic and uncoordinated security training sessions in fact) do not achieve the instant results that are anticipated. People who naively expect security awareness to turn things around within a few weeks or months are missing the point: genuine cultural change takes continuous gentle pressure in the right direction over years not weeks.
"Innovative approaches may serve to spark IT security awareness in the minds of many state employees. By starting with a marketing campaign of sorts for IT security, a state can start to build a culture of IT security vigilance."
Again, I agree wholeheartedly. With the marketer's hat on, NoticeBored's security awareness posters (for example) are effectively 'advertising' information security as a whole, with a touch of humor and a little information on the monthly awareness topics for good measure. A distinctive logo on all the materials helps bind them into a whole, while the underlying messages in all the materials reinforce the fundamental core values in information security such as: confidentiality, integrity and availability; risk and control; and prevention, detection and correction. This is quite clearly a branding technique. [By the way, that idea suggests to me a novel way of measuring the effectiveness of security awareness programs, namely using the same techniques that marketers use to assess the effectiveness of advertising programs. Surveys might for example assess the recall of key program images, sayings and messages by representatives of the target audiences, and measure the retention of information security concepts compared to 'competing' awareness initiatives such as health-and-safety or legal compliance.]

As you read the report, do check out the sidebars with numerous examples of security awareness activities from several states. Many of them have a public outreach element, with security awareness activities targeted beyond state employees.

The NASCIO report quotes Insider Security Threats: State CIOs Take Action Now!, published earlier this year, from which the graph above is taken. The obvious increase in incidents on the graph presumably reflects better incident reporting processes (otherwise there seems to have been a severe lapse of security since 2005), but the proportion of insider vs external hacker attacks is interesting. Insiders, of course, have ready access to the information required to do their jobs and often much wider access to information due to the practical problems of trying to enforce 'need to know' outside of a military context. When insiders go bad, therefore, they can cause a lot of damage without triggering the intruder alerts that (some) hackers trip. Other insiders are often best placed to identify and report internal security incidents, provided they are aware of their responsibilities and know what to look out for - in other words, security awareness is a very important element of control against the insider threat.
The report also touches on the difficulties of getting executive support for security awareness and offers some practical tips, essentially starting with specific high-level security awareness activities targeting the very executives who should understand and fund awareness.

Go ahead: print out both reports, sit yourself down somewhere quiet with a cup of coffee, red-pen them and cogitate. There are good ideas and complementary approaches in both of them. I certainly came away with a number of interesting thoughts and quotations that will appear on the NoticeBored site and our awareness materials in due course.