Welcome to the SecAware blog

I spy with my beady eye ...

28 Oct 2010

Security awareness versus social engineering

The thumbnail above shows the first of a series of 6 posters in November's NoticeBored security awareness module on social engineering.  It's a particularly important topic for us because security awareness is by far the most important control against social engineering.  Alert employees who appreciate the threat and know what to do if they feel they are being targeted stand a much better chance of resisting attacks than those who remain blissfully unaware throughout.

As always, the NoticeBored newsletter sets the scene for the topic and outlines the risks associated with exploiting people rather than technologies. 

The social engineering capture-the-flag competition at this year's DefCon hacker conference was a real eye-opener for many: we couldn't help but notice a number of prominent organizations hastily sending out warning notices to their employees ahead of the CTF competition, even though the rules of the game were strictly limited to keep the event ethical and educational.  What's more, not all the competitors were experienced social engineers - many were beginners - yet ALL of the targets were successfully compromised.  If management feels so worried about a mere game, how come they seem to be ignoring the real-world social engineering attacks from accomplished and determined social engineers who don't care about rules?  How bizarre!

If social engineering is of concern to your organization, please get in touch whether you would like to purchase just this awareness module, or perhaps take out a full subscription to the monthly NoticeBored service.  We'd love to help you deliver a best-in-class security awareness program.


The decade ahead

I wrote the following piece in response to a request for input by David Lacey on his blog.  David and other luminaries in ISSA-UK had a meeting to discuss what they feel are the biggest security challenges we'll face in the decade ahead.  An ISSA White Paper is planned at the end of this year, so it would be good for the wider infosec community to collaborate on this.

I composed the following as a reply to David's blog but for some reason the ComputerWeekly site refuses to accept it.  Perhaps it's too long or goes against their editorial principles, who knows?   Anyway, here's what I wrote ...

FWIW my main concern for the decade ahead is the increasing power and resourcing of the black hat community - not so much the lone home hackers and hacker clubs (who are formidable but rather fragmented and from what I've seen relatively benign, well-meaning even in some cases) but the true criminal community that increasingly uses hacking and social engineering to harvest the real gold out there: the major corporates with lax security, negligible security monitoring and mostly not a clue that they might even be in the gunsights.  There's a positive feedback loop at play: as the black hats successfully exploit small targets and get away with it, so they build up their resources (knowledge and cash) to invest in attacking bigger targets with more advanced weaponry.  They can afford the R&D.  We can't.

At the same time, the white hat community has basically stalled.  So long as you and others continue to press the line that legal/regulatory compliance is the most effective way to make corporates become more secure, we're on a hiding to nothing as far as I'm concerned.  Compliance achieves the least amount required, and that under sufferance.  It's hardly destined to show senior management The Light, namely that strong security makes good business sense, enables them to do more stuff safely, protects their most important and valuable corporate assets, and gives them a substantial commercial advantage over their insecure peers who are 'accidents waiting to happen'.  Security-for-compliance is just a nasty, inconvenient and distracting annonyance, a cost of doing business.  It's a bit like 'tidying the place up because the auditors are coming' as if a tidy office will distract them from seeing the fundamental flaws all around them. 

The black hats love compliance, so long as that means they can safely assume their targets will have made the least possible effort to meet the bare minimum standards to the letter, while largely ignoring all the supporting things (such as the human factors - security awareness, competence, training, qualifications, procedures and all the other good stuff in your book!) that are actually required to become secure.  If those are not mandated, they evidently don't matter so they aren't being done.  That's the dark underbelly of compliance.

As an ardent fan of ISO27k, I'm dismayed, not to say horrified at the general lack of uptake of the ISMS approach.  With just a few thousand organizations certified to ISO/IEC 27001 so far, and a few tens or hundreds of thousands more using the standards without being formally certified, this is barely scratching the surface of the millions of organizations Out There and all those accidents-in-waiting.  Most managements will spend as little as they possibly can for PCI-DSS or privacy/data protection compliance, but won't take the next bold step of consolidating all those point solutions into a coherent information security management system, and working to fill the gaps.  One of these days, they will run out of fingers to plug the holes in the dam.

Oh well, I guess you can lead a horse to water ...


21 Oct 2010

Complex passwords - easy peasy

Thanks to someone on CISSPforum, here's a gift idea for busy, well-connected friends on your holiday list - a password directory:
"There are user IDs and passwords to remember everywhere you turn. There are codes and passwords for a variety of Web sites, bank accounts, frequent traveler programs and voicemail systems. It's tough to keep track of them all! Our Password Directory can help. It's alphabetically organized to log the user name, password or a password hint for any number of applications. It's a thoughtful gift for the busy, well-connected friends on your holiday list."  
Unbelievable!  Well, actually it's entirely credible.  Worryingly, there probably is a market for products like this, at least among the clueless buying for the security unaware.

I'm puzzled as to the evident lack of general interest in or uptake of secure 'password vault' programs which neatly solve the most awkward and annoying aspects of the password issue.   Not only do password vaults store passwords securely (the best using strong encryption such as AES, and insisting on a good user password to generate the encryption key needed to unlock the vault) and recall them automatically when the user returns to a password-protected web page, they also offer to generate ridiculously long, complex passwords for those enlightened websites that don't hamstring the user with stupid rules such as 8 characters maximum.  Speaking personally, there's NO WAY I could remember my current crop of ~150 strong passwords without a vault.  To be honest, I'd struggle to recall even a handful, forcing me to either use short/weak passwords, or to re-use a few passwords on multiple sites, both of which significantly weaken the value of passwords as authentication mechanisms. 

It's not as if there's any shortage of password vault programs Out There ... but before you choose one, just remember that you are entrusting it with the keys to your virtual identity, so be extremely careful to check out the supplier's trustworthiness and product's security. 

And if that's too hard for you, perhaps that Password Directory is just up your street.


13 Oct 2010

Should Compliance be part of Information Security?

The first recommendation in Verizon's latest report on PCI compliance reads:
Don’t drive a wedge between compliance and security.  Whatever your stance on the “compliance vs. security” debate, hopefully we can all agree that intentionally keeping them apart doesn’t make sense from either a compliance or a security perspective.  Why force a false dichotomy between two concepts that should, in theory, be in alignment?  After all, they both have the goal of protecting data.  Sure, maybe you’ll need to do some things for compliance that you wouldn’t do for security (based on risk assessment or tolerance) or vice versa, but it’s hardly an either-or situation across the board.  The overall direction of managing compliance should be in line with the security strategy.  Is your compliance management team the same as your security management team?  If not, is there a concerted effort to collaborate when and where possible or do both sides govern their own private islands with no trade routes between them?  If the latter situation is truer of your organization, perhaps you should ask why and whether it’s best for it to remain that way.
I guess one reason why an organization might want to keep [security] compliance and [information] security totally separate is essentially the same argument that separates Audit from the operational business: independence helps the function see things for what they truly are.  In this structure, the compliance function is therefore operating like audit, assessing compliance and, presumably, persuading information security, IT or other functions to do whatever needs to be done to achieve compliance, rather than doing those things itself.  It's not much of a stretch, then, to make this kind of compliance function a part of audit.

Another legitimate reason for separating the two is that compliance issues are far broader in scope than merely [information] security.  Organizations are for instance obliged to comply with health and safety, tax and human resources legislation, plus all manner of commercial/contractual obligations and industry regulations that fall well outside the sphere of information security, as well as those that span the boundary or fall entirely within it.

Anyway, that said, I agree with the thrust of Verizon's recommendation that close collaboration between compliance and security functions, if not full integration, is important.  I would add that close collaboration is equally important with numerous other functions, such as IT, physical/site security, risk management, HR and in fact "the business", meaning the organization's profit centers.  It's hard to imagine how they could work productively otherwise.  In fact, this whole issue might be merely a blinkered view of the formal stovepiped organization chart, whereas in reality the informal network of colleagues, peers, influencers and decision makers implies working relationships between a wide variety of people having some level of professional interest in information security, and myriad other things.  Contrary to the org chart's satic, flat appearance, organizations are in reality fluid, multidimensional systems. 

Regards, Gary

PS  Being picky, I might challenge Verizon's assertion that protecting data is a goal of compliance.  It seems to me that compliance aims to ensure that the organization fulfills its obligations, which is essentially a matter of risk management (do the projected benefits of compliance outweigh the projected costs of noncompliance?).  To what extent that includes data protection depends on the obligations, not on the compliance function's mission statement.

Snooping on students costs school district $610k

Wired.com is reporting that the Lower Merion school district found guilty of invading its students' privacy by spying on them through webcameras installed in the school-issued MacBook laptops, has to pay $610,000 to settle lawsuits brought by two students. 

The school district claims not to have been deliberately spying on students in a non-specific way (a 'dragnet' operation).  However, the fact that a secret photo was used by the school as evidence to discipline a student indicates that, at the very least, it was deliberately and consciously using the software to snoop on the student concerned. 

Snooping facilities of this nature are normally intended to obtain evidence and so help recover stolen computers.  This begs questions about whether such evidence might open the door to privacy complaints by those accused of stealing or using stolen computers.

Furthermore, this case potentially has implications for other situations in which an organization, or indeed an individual, provides someone with IT gizmos and facilities such as email, phones, PCs, PDAs etc. that enable them to snoop on users.  Targeted, covert observation may be permitted for certain law enforcement and other evidentiary purposes (e.g. to prove theft or fraud or some other serious crime) but dragnetting is probably illegal (IANAL!  This is not legal advice!  Ask a real lawyer about that!).