Welcome to the SecAware blog

I spy with my beady eye ...

31 Jul 2007

New awareness module on protecting trade secrets

August module
Continuing the flow of innovative security awareness materials, we have released another completely new NoticeBored Classic module about protecting trade secrets. This module complements and extends May’s module on insider threats and June’s on privacy and data protection. Organizations need to protect valuable information assets including sensitive commercial or proprietary information such as descriptions of their unique business processes and ingredients, customer lists, product and corporate development plans, financial models and results. The module looks at practices ranging from competitive intelligence at one end of the ethics/legality scale to industrial espionage and information warfare at the other, covering all points in between. It’s important to realize that competitors may not share our moral values and respect for the law, so do pay attention: forewarned is forearmed!

19 Jul 2007

ID theft leads to prison ...

... for the victim, not the perpetrator in this case.

A BBC man on holiday in Slovenia spent 2 nights in prison there as a consequence of an identity theft incident stemming from the theft of his passport years earlier. He was accused of having defrauded a German company of €450k.

Identity theft is clearly more than a financial crime. Is it any wonder that people feel personally violated when someone assumes their identity?

Lurid job ads

"Hackers stole information from the U.S. Department of Transportation and several U.S. companies by seducing employees with fake job-listings on advertisements and e-mail, a computer security firm said."

The Reuters correspondent explains that victims were lured to a site with [fake] job advertisements and (presumably) phishing emails, only to have their systems infected with malware. The malware apparently evaded detection by the standard antivirus tools. Nasty.

I've long said that narrowly-targeted/custom malware is a particular threat if it slips under the antivirus silver bullet. Imagine the power of being able to select your target organization and inject your data extraction device and suck out your fill of an organization's lifeblood, with little chance of detection or prosecution. Imagine now that you are a Foreign Power or Criminal Mastermind with the money to buy such malware or the resources to recruit and train your own black squadron of evil hackers ...

Sleep well. Don't have nightmares. Leave that to us professional paranoiacs.

IT Security: The Data Theft Time Bomb

The 10th annual Global Information Security survey conducted by Accenture for Information Week compared responses from ~3,000 companies in the US and China.

'Spreading security awareness' is the fifth biggest security challenge identified by respondents. Amazing! [To stage left: "Get their addresses someone, I need to send them a leaflet"].

In commenting on the data, the report's authors go well beyond simply re-stating the statistics. Their analysis warns complacent information security managers to pay more attention, keep up with current threats and prepare for tomorrow's.

"It seems as though security pros are missing the point, choosing to focus on the security threats with which they're most familiar as opposed to emerging threats designed to cash in on the value of customer data and intellectual property. A careful reading of our survey's results, however, indicates that organizations are waking up to just how vulnerable their customer information and intellectual property are to data thieves."


"Some security pros may be blissfully ignorant. Botnets, which can take control of IT resources remotely and can be used to launch attacks or steal information, debut as a concern in this year's survey, though only 10% of U.S. respondents and 13% of Chinese respondents rank them as a top three problem. This may be because companies are often unaware that they've been infiltrated by botnets, which is exactly what bot herders are counting on."

If you need more gen than the article provides, the report itself costs $499 or just under $12.80 per page.

"The most inept 419er" competition entry

Here's the latest entry in our previously unpublicised competition to find the world's most inept 419 scammer, direct from our inbox:

[Name of lure here]

Good day dear clients,
We are sorry to inform that the fraudulents with the accounts of our bank have recently increased. That is why our bank changes the security system, which will provide maximum security to our clients if the accounts are used by frauds. You will receive a special program to your e-mail this week, as well as the instruction how to use it. With its help you will have an opportunity to make payments. Without this program no one will be able to transfer money from your account. If you lose the program, you will have to pay $4,99 and we will send you the copy of it. To confirm the registration of this anti-fraud program visit this web-site and complete the necessary forms: [Displayed URL here] [Different actual URL here]

Bank Administration

We haven't decided on the prize yet. What would you suggest?
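The giveaway in that message is the link whose displayed text is one URL while the actual link target is another. As an added example (not part of the original post), here is a small Python checker that parses an HTML message and flags anchors whose visible text looks like a URL but whose href points at a different host; the sample message and hosts below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

def host_of(text):
    """Return the lower-cased host of a URL-ish string, or None."""
    text = text.strip()
    if not re.match(r"https?://", text, re.IGNORECASE):
        text = "http://" + text          # bare www.example.com style
    host = urlparse(text).hostname
    return host.lower() if host else None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (shown_host, actual_host) pairs where the anchor text is a
    URL whose host differs from the host the href really points at."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        match = URL_RE.search(text)
        if not match:
            continue                      # plain "click here" text: no claim
        shown, actual = host_of(match.group(0)), host_of(href)
        if shown and actual and shown != actual:
            findings.append((shown, actual))
    return findings

# Constructed sample: displayed bank URL, href to an unrelated address.
SAMPLE = ('<p>visit this web-site: '
          '<a href="http://198.51.100.7/anti-fraud/login.php">'
          'https://www.examplebank.com/antifraud</a></p>')

if __name__ == "__main__":
    print(find_mismatched_links(SAMPLE))
```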

17 Jul 2007

State of the art security metrics

Dan Geer has been extremely generous in posting Measuring security, a presentation/training course (350 slides with readable speaker notes!) on the application of mathematics to information security. It neatly exploits ideas from statistics and other fields of study in the context of information security, revealing a wealth of creative ideas - so much so that I spent most of my afternoon reading it cover-to-cover and thinking about the practical applications.

Dan's summary slide hardly does it justice but might be just enough to intrigue you into downloading the presentation if "security metrics" is your thing too:

• The field is a mess, but progress can be made in any direction
• State of the art is the inequality and the ordinal scale, but those suffice for much decision making
• Consistency beats clever, and trend accuracy beats point precision

Dan refers more than once to the discuss@securitymetrics.org mailing list: guess I'll have to join up if that is a guide to the level of discussion!

13 Jul 2007

Boeing insider charged

A remarkable insider threat story involves allegations that an auditor at Boeing systematically trawled the network for sensitive data, copied it to a USB memory stick, took it off-site and disclosed it to newspaper reporters.

"A disgruntled Boeing employee was charged Tuesday with 16 counts of computer trespass for allegedly stealing more than 320,000 company files over the course of more than two years and leaking them to The Seattle Times. Gerald Lee Eastman, who was a quality assurance inspector at Boeing at the time of the thefts, is slated to be arraigned on July 17, according to a spokesman for the King County Prosecuting Attorney's Office. He faces up to 57 months in prison if convicted on all counts ... Eastman used what prosecutors called his "unfettered access to Boeing systems" to download large amounts of data from information stores he had no legitimate reason for accessing, according to the criminal complaint."

The article claims that the man was aggrieved at Boeing:

"The complaint noted that Eastman told detectives he was disgruntled with Boeing because he had brought several issues related to parts inspections to the attention of both the company and the FAA. He said none of his concerns had been addressed to his satisfaction. The report contends he said he collected data to back up his claims that there were problems with the inspection process."

If that's true, passing proprietary information to the news media seems a rather unconventional way for an auditor to 'blow the whistle'.

12 Jul 2007

Metrics to improve infosec and risk management

A thoughtful and well-written paper by David Lacey is strong on linking infosec/risk management metrics to organizational objectives, and on using them to improve security practices. David references a paper from the 1930s stating that for every significant safety incident there are around 20 minor incidents and 300 near-misses - an interesting analogy that reminds me of the "days since a lost time accident" boards outside many British factories in the latter half of the 20th Century. I can just imagine a "Days since a major security incident" counter on the corporate intranet, with a click-through to supporting details on the nature of the last incident and a count of minor incidents, or perhaps even a "security events seismograph" showing the incidence and gravity of incidents. Implicit in this kind of approach, of course, is that someone needs to know about all the incidents and ideally the near misses, meaning that internal reporting must be mandatory. The same principle applies in the public context, hence the reason that many US states already mandate disclosure of privacy incidents, and the UK's Information Commissioner is considering a similar approach.

A few of the infosec metrics suggested in David's paper could be accused of falling into the trap of being easy to count or measure but providing limited value to management, whereas most are more worthwhile. I'm constantly on the lookout for 'elegant' metrics - things that are not too difficult to count, measure or calculate and that have been shown to indicate genuinely useful facets of the efficiency or effectiveness of the organization's information security management system. One of my favourites is the proportion of all system changes processed by IT as emergency changes: this has been shown to correlate closely with the department's process maturity and, I believe, closely reflects the stability and security of the systems.

I like David's suggestions to track compliance exceptions for various categories of control. That ties in neatly with the concept of accountability, namely that anyone who requests a policy exception has to accept personal accountability for the associated risks, quite a burden for any manager. Measuring and reporting exceptions thus provides a mechanism to remind those people carrying the burdens until the exceptions are cleared (either by upgrading the controls or, potentially at least, downgrading the policy requirements) or until incidents occur and they are 'called to account' (aka walked off site).
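As an added example (not from David Lacey's paper or this post), here are two of the metrics discussed above computed from constructed records: the proportion of IT changes processed as emergency changes, reported per month so the trend rather than a single point is visible, and open policy exceptions aged per accountable owner. The record layouts, owner names and the 90-day review period are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed change log: (change id, date raised, change type).
CHANGES = [
    ("C1", date(2007, 5, 3), "standard"), ("C2", date(2007, 5, 9), "emergency"),
    ("C3", date(2007, 5, 21), "standard"), ("C4", date(2007, 5, 28), "standard"),
    ("C5", date(2007, 6, 2), "emergency"), ("C6", date(2007, 6, 11), "emergency"),
    ("C7", date(2007, 6, 19), "standard"), ("C8", date(2007, 6, 30), "emergency"),
]

# Constructed exception register: (control category, accountable owner,
# date granted, date cleared or None while still open).
EXCEPTIONS = [
    ("access control", "Finance Director", date(2007, 1, 15), None),
    ("encryption", "Sales Director", date(2007, 5, 20), None),
    ("patching", "IT Director", date(2006, 11, 1), date(2007, 3, 1)),
    ("access control", "Finance Director", date(2007, 4, 2), None),
]

AS_OF = date(2007, 7, 12)   # reporting date for the ageing report

def emergency_change_ratio(changes):
    """Map 'YYYY-MM' -> fraction of that month's changes that were
    emergency changes; a rising series is the signal to watch."""
    total, emergency = defaultdict(int), defaultdict(int)
    for _, when, kind in changes:
        month = when.strftime("%Y-%m")
        total[month] += 1
        if kind == "emergency":
            emergency[month] += 1
    return {m: round(emergency[m] / total[m], 2) for m in sorted(total)}

def open_exception_ages(register, today, review_days=90):
    """Per owner: (control category, age in days, overdue flag) for each
    exception not yet cleared; overdue once older than review_days."""
    report = defaultdict(list)
    for category, owner, granted, cleared in register:
        if cleared is None:
            age = (today - granted).days
            report[owner].append((category, age, age > review_days))
    return dict(report)

if __name__ == "__main__":
    print(emergency_change_ratio(CHANGES))
    for owner, items in open_exception_ages(EXCEPTIONS, AS_OF).items():
        print(owner, items)
```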

[For those who don't recognize the name, David Lacey is a visionary, one of the founding fathers of BS 7799 (now the ISO/IEC 27000 family). The first version of 7799 was largely based on the internal security policy manual generously contributed by David's employer at that time - the Royal Dutch/Shell Group.]

Logo competition for Global Security Week 2007

Graphic artists, including skilled amateurs and students, are encouraged to design a logo for this year's Global Security Week. The theme of this year's event is "Privacy in the 21st Century". As always, the event itself takes place in the week leading up to September 11th but entries for the logo competition must be submitted by July 20th.

The competition rules are here.

The prize includes a $100 Amazon voucher plus global recognition for the designer of the winning artwork.

If graphic art is not your area of expertise, maybe you can help by supplying written awareness materials on the privacy theme? Every year a range of generic awareness materials are offered through the site to encourage and support those planning local, national and international security events during Global Security Week.

The business case to protect PII

I'm impressed by a Ponemon Institute study into the business costs incurred through US data breaches involving disclosure of Personally Identifiable Information (PII). Ponemon investigated around 80 reported breaches, analyzing costs that are often hard to quantify such as customer defections. The results are fascinating: an average breach costs over $4m or ~$180 per record lost. Customer defections (and presumably a reduction in the number of new customers) are the main impact.

Incident costs within IT are negligible - the costs fall primarily on the rest of the business. In extremis, it could be said that IT doesn't care about privacy breaches. Therefore, the onus is very firmly on the rest of the business, not IT, to cost-benefit justify investment in better privacy controls. If the budget is forthcoming, I'm sure IT will happily evaluate, select and implement better privacy controls: if not, they won't. It's that easy.

This clearly demonstrates the distinction between IT security, a function sitting within IT and working on behalf of IT to secure the IT infrastructure and services, and information security, a function with responsibilities across the entire organization to protect information assets, not just technology.

Best of all, the Ponemon report provides useful data to build the business case for control improvements. Let's say we anticipate one notifiable serious data breach involving PII every 5 years, at $40m per incident that makes an average cost of $8m per year. So, controls costing up to $8m per year are justified. $8m would buy a lot - it's probably more than enough to implement whole disk encryption for laptops, for example. It's WAY more than enough to implement a security awareness program focusing on protection of PII.

10 Jul 2007

Guide to critical power

A 66-page guide to critical power from BITS, although intended for US-based financial institutions, is broadly applicable. It outlines the electric grid system and points out that much of the critical infrastructure is exposed to adverse weather and even terrorist attacks. It goes on to provide a 225-question checklist but without model answers (though it's not exactly hard to figure them out).

On page 15, the guide points out a hidden drawback in over-engineering power systems:
"For modern critical facilities, the benchmark availability is in the range of 99.999% (“five nines”) to 99.9999% (“six nines”). To achieve six nines availability, the engineered systems will have to incorporate designs that include system+system [2(N+1)] redundancy. It is worth noting that engineered systems in a critical facility are often over-designed to include too much redundancy. That is, systems become more complex than they need to be, which leads to decreased reliability."
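The arithmetic behind those "nines" makes the guide's point concrete. As an added example (not from the BITS guide), the Python below computes the availability of an N+1 string and of a 2(N+1) design, then shows how an extra element the more complex design depends on in series (here a transfer switch that single-corded loads hang off) can pull the result back below the simpler design. All component figures are constructed assumptions.

```python
import math
from math import comb

def k_of_n(n, k, a):
    """Availability of a system needing at least k of n identical,
    independent units, each available with probability a (binomial)."""
    return sum(comb(n, i) * a**i * (1 - a)**(n - i) for i in range(k, n + 1))

def series(*parts):
    """All parts must be up: availabilities multiply."""
    total = 1.0
    for p in parts:
        total *= p
    return total

def parallel(*parts):
    """Any one part up is enough: unavailabilities multiply."""
    unavail = 1.0
    for p in parts:
        unavail *= (1 - p)
    return 1 - unavail

def nines(a):
    """Availability expressed as a count of nines, e.g. 0.99999 -> 5.0."""
    return round(-math.log10(1 - a), 2)

# Constructed per-unit figures (assumptions, not from the guide).
UPS_MODULE = 0.999          # one UPS module
DIST_PATH = 0.99995         # switchgear and cabling of one distribution path

def n_plus_1():
    """One string: two of three UPS modules needed, feeding one path."""
    return series(k_of_n(3, 2, UPS_MODULE), DIST_PATH)

def two_n_plus_1(switch_availability):
    """System+system: two independent N+1 strings, joined at a transfer
    switch that the load depends on, so the switch is in series."""
    return series(parallel(n_plus_1(), n_plus_1()), switch_availability)

if __name__ == "__main__":
    print("N+1 string            :", nines(n_plus_1()), "nines")
    print("2(N+1), 4-nines switch:", nines(two_n_plus_1(0.9999)), "nines")
    print("2(N+1), 6-nines switch:", nines(two_n_plus_1(0.999999)), "nines")
```

With these figures the single N+1 string reaches about 4.3 nines, the 2(N+1) design behind a four-nines transfer switch drops to about 4.0, and only a six-nines switch lets the doubled design approach the six-nines benchmark.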

5 Jul 2007

Information security year in review - 2007

Over several years, Professor Mich Kabay of Norwich University has built a sizeable database of annotated abstracts of relevance to his information security students. From the database, Mich extracts an annual dump - the latest one is here. It's essentially a massive reading list but the annotations allow users to search for relevant material using keywords. I'm sure I'll be using it frequently when researching new or updated NoticeBored security awareness modules.

3 Jul 2007

User authentication module released

Authentication of users is one of our core security awareness modules, updated and re-released annually. Last year, the module focused on identity theft. This time around, we concentrate on multifactor authentication using security tokens and biometrics. We still provide basic advice on choosing good passwords and keeping them secret, naturally, but we think it's time for management and IT, in particular, to look seriously at upgrading the old username/password systems.

Failure to authenticate and thus distinguish genuine from bogus users can potentially cause devastating impacts on business critical systems, especially for privileged users and those with access to key transactions. On most systems today, the only real barrier to hackers, industrial spies, malicious insiders and fraudsters with access to the login prompt is the time and effort it takes them to guess the correct combinations of username and password: with automated password crackers, that control is barely even a speedbump on the information superhighway.

Cryptographic smart cards, digital certificates, synchronized pseudo-random password generators, fingerprint readers, iris scanners and so forth are certainly not perfect at authenticating users but, like the only house on the street with a burglar alarm, there's a reasonable hope that most hackers will move along to easier targets. If your organization isn't already using multifactor authentication, you're putting yourself in the firing line.

2 Jul 2007

ID theft study in Chicago

A study on nearly 29,000 identity theft reports filed with the Chicago Police Department from 2000 to 2006 revealed (among other things) that:
- Women, African-Americans and adults between the ages of 20 – 44 have an increased risk of ID theft.
- Most victims only discovered the fact after being notified by credit card companies. Less than 10% discovered the theft on a credit report. Almost 20% first learned of the theft when they were served with legal process or received a collection notice.
- Where the cause/source of the ID theft was known, the victim’s identity was stolen by a friend, relative or person otherwise known to the victim in 60% of cases, through burglary or robbery (~17%) and stolen mail (less than 5%).
- Despite ID theft’s reputation as a “high tech” crime, in less than 5% of the cases was a computer or the Internet involved.
- Where the ID theft victim knew the perpetrator, they were most often a member of the victim’s family (33% of cases) or a boyfriend/girlfriend (~13%).
- Credit card fraud was the most common crime (over 25% of cases), acquisition of mobile phones or services the next most common.