Welcome to the SecAware blog

I spy with my beady eye ...

29 Feb 2008

Targeted malware

A helpful if rather technical explanation of targeted malware attacks takes a look at some remote control Trojans. These open the victim's machine to powerful local commands submitted by a remote hacker over a control channel. Clever stuff. The piece is a little light on the infection part of such attacks and the mechanisms used to target specific organizations or individuals, although it does outline some of the potential controls against this kind of attack and provides references for further reading.

27 Feb 2008

Unannounced DCP testing a no-no

If you are tempted to spring an emergency drill or contingency test on the organization without properly pre-announcing it, be prepared for the emotional fallout from those who are duped into believing the incident is real ... especially if your scenario involves a gunpoint hostage seige ...

25 Feb 2008

Malware awareness module released

We have updated and reissued the NoticeBored security awareness module on malware, one of our 'core modules' covering a topic that features heavily in all security awareness programs.

As part of the research to update the module, I've been reading lately about 'virtual malware' or, more accurately, rootkits that target not just the operating system kernel but the underlying hypervisor software used on virtualization systems. To those without a technical background, this may seem like angels dancing on a pinhead but to us nerdy geeky types, virtualization is cool and virtual malware is uber cool.

By coincidence, an article on The Register discusses a vulnerability in VMware, one of the virtualization systems. This could be Big News for anyone using VMware in a production environment, such as many ISPs for example. Various technical security bloggers are deep in discussion.

23 Feb 2008

Plan B includes not being able to get to work

A former director of FEMA, the US Federal Emergency Management Agency, promotes the value of planning for employees being unable to get to the office in an emergency.

"Everyone will tell you: I have a risk manager, a safety manager, we have contingency plans in place for their business. What plans do they have in place for the workforce? Because if those people cant get to work, those other plans dont do them any good. One of the things that federal government does and state government does is they really try to drive home this concept of being prepared at home. I think businesses should do the same thing, regardless of the size. The better prepared employees are in the neighborhood they live in, the more likely they are to get back to work quicker, the more likely they are to be more loyal to you because youve helped them be more prepared in the neighborhood where they live."

22 Feb 2008

Does your DCP cover frozen hydrazine tanks crash-landing?

A US spy satellite "the size of a bus" (the SI unit of satellite size) that went out of control shortly after being launched a year ago, has been blasted by a US missile over the Pacific Ocean. They aimed (literally) to blow the satellite to smithereens (the SI unit of satellite size following missile impact), ostensibly to prevent the frozen hydrazine fuel tank smashing to Earth and giving someone a nasty surprise. Any secret weaponry allegedly on board would also, presumably, have been destroyed.

What if the missile had missed its target or they had not been able to fire the missile for fear of creating an international security incident amid fears of the Star Wars initiative? And what if the spy satellite had landed, intact, on your data center? What if the missile landed on your data center? What if ...?

Now I don't expect your contingency plans to mention falling spy satellites, frozen hydrazine or missiles explicitly, but that's really not the point. The point is that your plans perhaps ought to mention and should definitely cover commonplace and credible disaster scenarios, but should also cover the more extreme, outlandish and incredible incidents too, the nature of which is presently unknown and, in fact, unknowable. That is the essence of true contingency planning: "We don't know exactly what might happen but we are as ready as we can ever be to cope with any disaster that comes our way."

The US military's contingency plan for the spy satellite going out of control presumably reads:
- Have large missiles available in strategic locations worldwide
- Launch large missile at satellite
- Handle PR nightmare as well as can be expected given circumstances
- Reassure Chinese and Russians that WW3 is not declared
- Fire designers and builders of out of control spy satellite

For you and me, a specific contingency plan to cover the spy satellite scenario might read something like:
- See flaming ball of fire approaching at 22,000 mph
- Take cover under large immovable object, quickly
- Hear flaming ball of fire explode, releasing no-longer-frozen hydrazine gas
- Hold breath
- Crawl out from under large hot immovable object
- Staunch bleeding, dampen fires
- Seek fresh air
- Call insurer to make incredible claim

A more general plan might read:
- Have large immovable object or similar, under which to take cover
- Have first aid kit with all essentials
- Have disaster survival kit with all essentials
- Have insurance policy
- Watch for news of imminent disasters, Google "hydrazine" and refine/enact plan accordingly

17 Feb 2008

Don't forget to lock the office ...

... especialy if you are a banker.

A 5 year old boy who discovered that his local bank branch was closed but unlocked was awarded a paltry £10 (US$20) by HSBC, one of the world's largest banks that makes obscenely large annual profits, for letting them know. HSBC say the electronic door lock system failed. I presume bank staff neglected to check the lock, in other words the bank's security procedures also failed.

12 Feb 2008

Do your contingency plans cover mice and snakes?

Physical security incidents are one class of incident that virtually all contingency plans cover, but are your plans broad enough to cater for the full range of potential physical security incidents? Here are some classic photographs of actual incidents that might make you re-think your approach:
- Mice nesting inside a system, using a handy computer manual as nesting material
- A snake living inside a nice warm system box
- Lightning/storm damage to electronics
- Inept maintenance and repairs
- Equipment overheating

There are more photos of this nature at the Microwave Mortuary if you need something to spice up your awareness program.

7 Feb 2008

BCP auditing the IIA way

"During their planning cycles, many companies around the world evaluate how prepared they are to handle disasters as well as the effectiveness of their business continuity and disaster recovery plans. As part of this process, internal auditors can help organizations establish effective business continuity management (BCM) programs. To do this, auditors need to understand what is involved in developing a BCM program and the steps they should take to evaluate the effectiveness of existing programs that incorporate necessary business continuity, disaster recovery, and crisis management efforts."

I'd like for you to be able to read what the Institute of Internal Auditors, or more precisely author Mark T Edmead of Control Solutions International, advises IT auditors to look for when reviewing business continuity arrangements. Unfortunately, the IIA article has dropped off the Web in the past few days. Sorry.

Mark's advice is sound but stops well short of the audit-style Internal Controls Questionnaire provided in this month's NoticeBored security awareness module. Still, it validates and summarizes the approach detailed in our ICQ and is an interesting piece.

1 Feb 2008

A modern Doomsday

Middle-Eastern Internet services have been severely disrupted by the failure of an undersea cable linking Egypt to Italy. There are backup connections, of course, including satellite and other cable connections but their capacity is limited, hence Internet traffic in some countries in the region is experiencing delays and probably failed connections due to timeouts.

Thanks to packet switching technology and multiple routes, the Internet as a whole is highly resilient. Undersea cables can often be repaired within days or weeks. But imagine what would happen if the Internet went down, and stayed down. Not 'stayed down for a few minutes' or hours or even days, but for an extended period perhaps indefinitely.

There are various horrific scenarios that could cause this to happen e.g.:
- Widespread technology failure, disrupting the packet switching backbone;
- Deliberate action by one or more nation states in wartime, severing critical connections and/or injecting massive amounts of spurious traffic at multiple points to disrupt;
- Natural events such as solar flares/X-ray emissions from the sun, storms etc. damaging critical equipment and links;
- Cyberterrorist attacks on the Domain Name Systems or other critical elements of the Internet, perhaps combined with conventional terrorist attacks on key nodes, cables and satellite ground stations;
- Worms or other malware, in other words, software agents swamping or damaging the network;
- "Something else" - the classic contingency planning scenario. We don't know exactly what might happen. It could be something completely novel and unanticipated or a chance combination of more than one type of event, known as 'bad luck'. For true contingency planning purposes, the exact cause and nature of the incident is irrelevant: we need to be ready to cope with whatever actually happens.

With a moment's thought, the horrendous consequences of such an incident start to become clear. The developed nations are highly reliant on the Internet and would suffer economic and social consequences very quickly. Developing nations are also actively using the Internet for eCommerce and communications with the rest of the world. The Internet has penetrated even the least developed third-world countries, and disruption to first world aide programs would have consequences there too.

We're hardly on the same scale as Google, eBay and Amazon but at a local level, our own small business would suffer within days if the Internet went down. We use the Internet for marketing and promotion, sales and delivery, research and communications. There are fallback delivery mechanisms - sending CD-ROMs in the post or direct dial-up access - both of which are limited, wouldn't work very reliably and would increase our costs. We could resort to old-fashioned research methods but would miss the ready, free access to up-to-date information security news from around the globe. Our marketing and sales would suffer the most as conventional print, TV and radio advertising is far more expensive and limited in scope. That, in a nutshell, is our own risk assessment.

Larger e-enabled businesses (such as the entire financial services industry) would su=ffer immediate problems, others might hardly notice at first, at least until their suppliers, partners and/or customers started to fail. Government departments and utilities would suffer quite quckly, causing knock-on effects as the national infrastructures started to unravel. If petrol companies and airlines were disrupted, well we'd have to get used to walking or cycling to work, if indeed work existed. Civil disruption could have serious consequences for personal safety and security.

We're just a few paragraphs into this very brief overview but the 'worst case scenario' is shaping up badly. This is starting to sound like one of those science fiction doomsday stories.

On the upside, TV, radio and print media would be severely disrupted too so we might not get to hear too much about the civil disruption outside our barricaded front doors. Some of us will retreat to our caves.

What kind of contingency plans would or could you make for "the Internet is down"? Some of the more obvious things might be to retain or stockpile ordinary modems (assuming that the telephone networks are running ... but, oh dear, they are using VOIP and, no doubt, sharing a lot of the Internet technologies and links) and generally retain (or rather rebuild) the ability for non-electronic commerce and communications.

More resourceful organizations might build their own private networks to run in parallel with the Internet - such as the financial services, military and other special purpose networks. These are expensive but the greater concern is to ensure they are adequately isolated from the Internet in fact. Supposedly private bank ATM networks have been known to crash due to Internet worms so finding and closing those worm-holes must be a priority. That's definitely something we can do today.

What else would you suggest in the way of contingency measures? Any ideas you'd like to share? Just post a comment ... while your Internet connection is still running, please.