Welcome to the SecAware blog

I spy with my beady eye ...

31 Jan 2011

Free awareness poster on IPR

Organizations like us - practically all organizations in fact - create, own, share and exploit a vast wealth of valuable information known as intellectual property (IP).  IP generally deserves and often requires proactive protection against threats such as plagiarism and piracy, even if it is deliberately published or disclosed: IPR is more than simply a confidentiality or secrecy issue.  IPR infringements cause both direct and indirect impacts on the rightful IP owners, including loss of income, brand devaluation and competitive disadvantage.  These are serious commercial issues.

If awareness of the risks associated with disclosing IP is an important first step on the way to securing it, finding out how to bring the risks under control and enforce your IPR is step two.

IPR-related laws such as copyright, trademark and patent law are the most obvious type of IPR control, but other rights are established by agreements and contracts.   Enforcement action under IPR and contract law can carry civil and, for some infringements, criminal penalties including substantial fines, costs and damages.  These too are serious commercial issues, with the added threat of jail time for IPR infringers bringing a sharp personal edge to the issue.

On top of all that, there are significant ethical aspects to IPR.  Piracy and plagiarism, even on a personal scale, deprive creative artists of their rightful reward for the intellectual effort involved in creating IP, and in so doing discourage them from producing more.  However, piracy and plagiarism are quite widespread in practice, implying perhaps that society does not fully support IPR.

Creative IPR awareness materials for three distinct audiences

February’s NoticeBored security awareness module contains security awareness materials on IPR for the following three audiences:
  1. In the general employees’ stream, our primary focus is on encouraging staff to respect third parties’ IPR, for example avoiding piracy by complying with the terms of license agreements covering software and information content such as MP3s, JPGs, videos and text downloaded from the Web.  Informed and aware staff also have a valuable role to play in identifying and reporting possible infringements of the organization’s IPR by third parties.
  2. The awareness materials encourage managers to ensure both that the organization and its employees comply with their obligations to third parties under IPR law, and that third parties respect the organization’s own IPR.  These are the two sides of the compliance coin.  It is considered good practice in IPR circles to institute both defensive and offensive controls where appropriate to manage risks on both sides.
  3. For IT professionals, the materials mostly stick to the topic of software licensing (which is of course personally relevant to software developers and other creative technologists) and technical IPR controls such as Digital Rights Management (DRM).
The three streams are intended to stimulate thought within, and discussion between, the three audience groups.  In this way, the awareness program extends beyond the presentations, briefings, posters and other materials supplied, taking in formal and informal communications around IPR in the business context.

Gary (Gary@isect.com)

PS  The poster graphic thumbnailed above is available this month for free download as a read-only PDF.  If you need to customize the graphic, you'll need to contact us for the US$195 JPG version.

23 Jan 2011

The most challenging parts of ISO27k

What are the most challenging aspects of ISO/IEC 27002 implementation and ISO/IEC 27001 compliance?   The following typical issues are summarised from a paper published in the ISSA Journal by Bil Bragg, a senior consultant from Dionach Ltd., who drew up the list by examining the gap analyses conducted for 20 client organisations. 

The first two concern mandatory requirements for ISO/IEC 27001 certification:
4.2  Establishing and managing the ISMS: few organizations had formally stated the scope of their ISMS or documented their risk assessment method and risk acceptance criteria in accordance with the standard.

6.0  Internal ISMS audits: only one organization had an internal ISMS audit program, and none had undertaken a management review of the ISMS.
The information security controls succinctly listed in Annex A of ISO/IEC 27001 and explained in more detail in ISO/IEC 27002 are not strictly mandatory for certification but are widely implemented and generally accepted as good security practices.
A.6.1  Internal organization: few organizations (especially SMEs) had an information security committee or forum, or had nominated a manager for the ISMS.

A.6.2  External parties: identification and treatment of risks relating to suppliers (including IT outsourcers) and customers was sporadic or missing.

A.7.1  Responsibility for assets: few organizations maintained inventories of intangible information assets.

A.9.1  Secure areas: while physical security gaps varied, they should have been identified through the ISMS risk assessment.

A.10.7  Media handling: most lacked formal security policies and/or procedures for handling and disposing of media such as USB flash memory sticks.

A.10.8  Exchange of information: many organizations have neither an information exchange policy nor agreements with customers and suppliers on transferring confidential information securely (e.g. emailing confidential information).

A.10.10  Monitoring: few system clocks were time-synchronised, other than on MS Windows systems.  Consistent, accurate time matters when correlating event logs across systems during an investigation, and on security systems such as CCTV.

A.11.1  Business requirement for access control: few organizations had systematically documented user and system admin roles for their business applications.

A.11.2  User access management: few organizations regularly and systematically reviewed access rights across all IT systems.

A.11.3  User responsibilities: very weak or default passwords were common on subsidiary and older systems, including network devices, databases and physical access control systems.  Compliance with clear desk and clear screen policies was very weak in practice.

A.11.7  Mobile computing and teleworking: few organizations had formal policies and procedures for mobile computing and teleworking.

A.12.3  Cryptographic controls: there was seldom a consistent approach to managing encryption methods and keys. 

A.12.5.5  Outsourced software development: contracts did not stipulate intellectual property rights, escrow, quality and security requirements nor a right to audit the supplier.

A.12.6  Technical vulnerability management: configuration management and security patching processes often neglected utility software such as Acrobat Reader.

A.13.1  Reporting information security events and weaknesses: many organizations lacked formal procedures for reporting security events, and mechanisms to quantify and monitor incidents.  [Cumulative security incident costs are an important strategic metric that helps management justify continued investment in the ISMS, while the detailed cost breakdown focuses attention on aspects requiring improvement.]

A.14.1  Information security aspects of business continuity management: business continuity plans were often either absent or outdated, while continuity exercises were irregular and unrealistic (e.g. limited scope).

A.15.1  Compliance: no organizations had identified all the information security-relevant laws and regulations, and established mechanisms to stay up-to-date on changes.
Many thanks to Bil for permission to share this list.  Bil’s original article in ISSA Journal, available online to ISSA members, is well worth reading for additional details and guidance on this.

Without neglecting the other requirements, it's worth double-checking that your ISMS implementation project plans do in fact allocate sufficient resources and time to tackle all the issues identified here.

Kind regards,
Gary (Gary@isect.com)

PS  I have added this to the ISO27k FAQ

20 Jan 2011

Digital redaction

Receiving the first working draft of new international standard ISO/IEC 27038 on digital redaction this morning prompted me to think about the risk associated with redaction, more specifically the information security risks associated with the redaction of electronic documents and other digital data files (e.g. digital still photos and video images; spreadsheets and numeric/statistical data sets and databases).

Two cups of tea and a bit of head scratching later, here's my 'top 10' list of information security risks associated with redaction:
  1. Failing to identify correctly all the sensitive data that must be redacted.
  2. Failing to delete all the sensitive data e.g. overlaying or modifying rather than actually deleting the sensitive data using methods that can be completely or partially reversed; accidentally leaving one or more copies of the sensitive data completely unredacted; partially deleting the sensitive data leaving data remnants or cached copies, or sufficient information to ‘undelete’ the data; or neglecting to redact sensitive metadata (e.g. in document properties or reviewer comments, or alternate data streams).
  3. Excessive redaction, removing more than the specific sensitive items that were supposed to be redacted.
  4. Inappropriately altering the meaning of the remaining data as a result of contextual issues (e.g. deleting specific data records may invalidate statistical analysis of the remainder), or by causing collateral damage to the file structure (such as file integrity issues and inappropriate formatting changes) during the redaction process.
  5. Leaving sufficient data in the file to enable recipients to infer sensitive information, perhaps in conjunction with other available information sources (e.g. replacing people’s names with anonymous labels in a redacted file but separately disclosing the relationship between labels and names; disclosing anonymous statistical data on known small populations).
  6. Accidentally disclosing unredacted versions of the file, whether at the same time and through the same disclosure mechanism or separately.
  7. Deliberate disclosure or ‘leakage’ of unredacted versions of the file without permission or inappropriately (e.g. to Wikileaks!).
  8. Accidentally or deliberately disclosing the redacted information by some means other than by releasing the digital data (e.g. by releasing the redaction instructions, or being overheard discussing sensitive matters).
  9. Placing excessive reliance on redaction, believing it to keep sensitive data totally confidential under all circumstances whereas technical and process failures are possible and incidents sometimes occur in practice, or conversely placing zero reliance on redaction, believing it to be totally incapable of protecting sensitive information (governance and assurance risks).
  10. Confidentiality failures that are incidental to the redaction process (such as sending the original file, redaction instructions or redacted file to the wrong email address, or these being intercepted by a third party en route to the right person).
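Risk 2 is the one that bites most often in practice, so here is an added example (my own illustration, not part of the original post or of ISO/IEC 27038) showing why 'drawing a black box' over text is not redaction, why the document metadata is a separate leak channel, and how to check a file after redaction.  It builds a tiny PDF in memory from constructed sample data (the patient name, SSN and author are made up) using only the Python standard library; the PDF structure is deliberately minimal but valid.

```python
"""Added example (not part of the original post): why painting a black box
over text is not redaction, and a post-release check for the bytes that were
supposed to be gone. Builds a tiny PDF in memory with constructed data and
uses only the Python standard library."""
import re
import zlib

# Constructed sample data, not from any real record.
SENSITIVE = [b"Alice Example", b"123-45-6789"]
RECORD = b"Patient: Alice Example  SSN: 123-45-6789  Result: negative"


def build_pdf(content: bytes, author: bytes, compress: bool = True) -> bytes:
    """Wrap a page-content stream and an /Info dictionary in a one-page PDF."""
    filt = b""
    if compress:
        content = zlib.compress(content)  # FlateDecode, as real producers do
        filt = b" /Filter /FlateDecode"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d%s >>\nstream\n" % (len(content), filt)
        + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        # Document metadata: a leak channel that box-drawing tools never touch.
        b"<< /Author (" + author + b") /Producer (redaction demo) >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Info 6 0 R >>\n"
            b"startxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at))
    return bytes(out)


def draw_text(text: bytes) -> bytes:
    """Page content that shows `text` near the top of the page."""
    return b"BT /F1 12 Tf 72 720 Td (" + text + b") Tj ET"


def overlay_redaction(text: bytes) -> bytes:
    """What a 'draw a black rectangle' tool produces: the text operator stays
    in the file and a filled box is painted over it. Looks redacted; is not."""
    return draw_text(text) + b"\n0 g 70 715 400 16 re f"


def true_redaction(text: bytes, terms) -> bytes:
    """Remove the sensitive bytes from the content before the file is written."""
    for term in terms:
        text = text.replace(term, b"[REDACTED]")
    return draw_text(text)


def find_leaks(pdf: bytes, terms) -> list:
    """Look for each term in the raw file and inside every stream after
    inflating FlateDecode data, which a plain grep cannot see. A hit proves the
    redaction failed; an empty list is necessary but not sufficient (strings
    split across TJ arrays, hex strings and custom font encodings all defeat
    a byte scan)."""
    views = [pdf]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            views.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed; the raw view already covers it
    return sorted({t for t in terms for v in views if t in v})


if __name__ == "__main__":
    leaky = build_pdf(overlay_redaction(RECORD), author=b"Alice Example")
    clean = build_pdf(true_redaction(RECORD, SENSITIVE), author=b"")
    print("plain grep sees the SSN:", b"123-45-6789" in leaky)  # False
    print("box-overlay file leaks: ", find_leaks(leaky, SENSITIVE))
    print("true redaction leaks:   ", find_leaks(clean, SENSITIVE))
```

Two things worth noticing.  First, a grep of the 'redacted' file for the SSN comes back empty because the page content is Flate-compressed, which is exactly how a cursory check signs off a file that still contains everything.  Second, the author name survives in the /Info dictionary even after the page itself is clean, which is the metadata case in risk 2.  Treat the scan as a sanity check only: it catches the gross failures, not a file whose strings are split, hex-encoded or drawn with a custom font, so it does not justify the over-reliance in risk 9.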
While I press ahead with other things, I'd be interested to know what digital redaction risks you think I've either missed or misstated.  I'd also love to hear from you about redaction incidents, particularly those involving digital files but even those old-skool hardcopy redaction failures can be quite illuminating.

Gary (Gary@isect.com)

PS By all means Reply on this blog if you have something to say, or better still join the discussion on the ISO27k Forum or CISSPforum.

15 Jan 2011

Golly, another stolen laptop and no backups

The victims of another all-too-common physical security incident involving the theft of a laptop are devastated by the loss - not so much the physical value of the MacBook taken from the back seat of a car (doh!) but the far more valuable scientific research data on prostate cancer that it held. 

There were no backups. 

The victims' offer of a $1,000 bounty for the return of the laptop is presumably based on the assumed value of the stolen hardware to the thief.  If what they claim about the data is true, it's a small fraction of the true value, but still a substantial sum to them (being poor research scientists) and to some crack-head opportunist.

I urge all of you reading this to stop whatever you're doing for a moment and consider what will happen when your IT systems are stolen, go up in flames, get flooded out, are dropped on the concrete floor, get hit by static or struck by lightning, fail spectacularly in a strangely beautiful shower of sparks, are run over by a Chieftain tank manned by an irate neighbor high on booze, or get eaten by little green men from the Tharduriz galaxy over here on a secret fact-finding mission and just feeling a little bit peckish.

Imagine for one horrible second that it's true.  It's happened.  The bits n bytes are even now being consumed by alien digestive juices.  OK, what have you just lost?  Think about it.  Picture yourself as the unfortunate victim.

Now tell me you "don't have the time" to take backups or "need to buy some more CDs".

The Tharduriz scouts are right behind you.

Gary (Gary@isect.com)

PS  Make it a new year's resolution to back up your data if you like.  Worst case you'll lose a whole year's data, still terrible, tragic maybe but hopefully not completely disastrous.  Oh and by the way, do check that your backups are sound by testing your ability to restore the data - NOT over the top of the live drive (a failure in that case would be doubly tragic).
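Since 'test the restore, but not over the live data' is the bit people skip, here is an added example of doing exactly that (my own illustration, not part of the original post).  It backs a directory up to a tar archive, restores the archive into a throwaway directory, and compares SHA-256 manifests of the live and restored trees.  The research files it creates are constructed sample data; it uses only the Python standard library.

```python
"""Added example (not part of the original post): prove a backup is
restorable without touching the live data. Backs a directory up to a tar
archive, restores it into a scratch directory and compares SHA-256 manifests
of the two trees. Standard library only; sample files are constructed."""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def take_backup(live: Path, archive: Path) -> None:
    """Write everything under `live` into a gzip-compressed tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(live, arcname=".")


def verify_backup(live: Path, archive: Path) -> list:
    """Restore `archive` into a throwaway directory, never into `live`, and
    return a list of problems. An empty list means every file came back
    byte for byte identical to the live tree."""
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Python 3.12+ (and patched 3.8-3.11) can refuse path traversal.
                opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **opts)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"restore failed: {exc}"]
        want, got = manifest(live), manifest(scratch)
        for rel in sorted(set(want) | set(got)):
            if rel not in got:
                problems.append(f"missing from backup: {rel}")
            elif rel not in want:
                problems.append(f"extra file in backup: {rel}")
            elif want[rel] != got[rel]:
                problems.append(f"content differs: {rel}")
    return problems


def run_demo() -> tuple:
    """End-to-end run on constructed files; returns three verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "research")
        (live / "data").mkdir(parents=True)
        (live / "data" / "cohort.csv").write_text("sample,psa\n1,4.2\n")  # constructed
        (live / "notes.txt").write_text("draft findings\n")                # constructed
        archive = Path(tmp, "research.tgz")
        take_backup(live, archive)
        fresh = verify_backup(live, archive)                 # expect no problems
        (live / "notes.txt").write_text("draft findings, revised\n")
        stale = verify_backup(live, archive)                 # live data has moved on
        archive.write_bytes(b"not an archive any more")      # simulate a damaged backup
        damaged = verify_backup(live, archive)
    return fresh, stale, damaged


if __name__ == "__main__":
    for label, result in zip(("fresh", "stale", "damaged"), run_demo()):
        print(f"{label}: {result or 'restore matches live data'}")
```

The second and third results are the point: a verification that only says "tar exited 0" would have passed the damaged archive, and a backup that was fine last week silently drifts from the live data unless the comparison is repeated after each run.  The scratch directory is deleted afterwards, so nothing here can clobber the original.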

Casino heist

The robbery of a Vegas casino reminds us not to over-rely on high-tech security controls (such as automatic face recognition systems) if that means neglecting basic physical security.

It's also a puzzle that the casinos still use chips.  I wonder why they haven't migrated to electronic cash systems, using smartcards?  A well-engineered and properly-implemented smartcard system would avoid the need to have cash or chips in the casino.

Ah, hang on, I see the problem: 'well-engineered and properly-implemented' is a stretch even for the banks.

Gary (Gary@isect.com)

Fraud detection successful

Here's something we don't often see: a fraudster caught by strong anti-fraud controls.

He was an IT worker for a British supermarket chain who misused his privileged systems access to set up false accounts to receive stolen loyalty card points worth over £8k. 

Interestingly, he didn't try collecting on the cards until a few years later, and then just a few trial purchases.  Fraudsters commonly test out their scams tentatively at first, building their confidence before pressing ahead with The Big One once they know the tests have succeeded.   Only in this case, he was caught early.

For obvious reasons, we're not told much about the anti-fraud controls in the news story so what follows is pure conjecture.  Due to the delay between setting up, filling and then using the cards, it looks to me as if the purchases might have triggered some additional fraud checks, perhaps because of an unusual type or value of purchases; otherwise, they may have detected the fraud initially but had to wait for him to start using the cards before acting on it.

Presuming that the fraudster was intelligent enough not to have registered the cards in his own name with his home address etc., they still had the problem of linking the fraudulent purchases back to him.  Perhaps they were able to identify him at the point of sale - maybe he used his personal credit/debit card at the till at the same time, or perhaps he was filmed on CCTV and someone recognized him.  Discovering all his fraudulent cards would have been another challenge: I guess that would have involved painstakingly checking the logs regarding the original card setups (assuming he was unable to cover his tracks there using his privileged access), or some good ol' fashioned Police work might have caught him in possession of a number of cards.

I know of at least one fraudster who kept meticulous computerized records of his crimes, making the investigation relatively easy, although there is always the possibility that fraudsters might use strong encryption, or exploit 'plausible deniability' by retaining an insecure dummy set of records pointing to a trivial crime as a cover for the well-secured real ones.
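To make the conjecture concrete, here is an added example (my own illustration, not part of the original post and not the retailer's actual controls) of the kind of detection logic that would catch this pattern, run over a constructed loyalty-scheme event log.  The column names, the 'admin_console' channel, the one-year dormancy threshold and the staff IDs are all assumptions made for the illustration.

```python
"""Added example (not part of the original post): detection heuristics for the
pattern described above, run over a constructed loyalty-scheme event log.
Thresholds, field names and channel names are assumptions for illustration,
not the retailer's actual controls."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (no real customers, staff or transactions).
# Columns: timestamp, event type, loyalty account, who did it, channel, points.
EVENT_LOG = """\
ts,event,account,actor,channel,points
2006-03-02T09:14:00,account_created,LC-100231,emp-4471,admin_console,0
2006-03-02T09:15:10,points_adjusted,LC-100231,emp-4471,admin_console,8000
2006-03-02T09:20:00,account_created,LC-100232,emp-4471,admin_console,0
2006-03-02T09:21:00,points_adjusted,LC-100232,emp-4471,admin_console,7500
2006-03-05T18:02:00,account_created,LC-100240,customer,web,0
2006-03-06T12:30:00,points_earned,LC-100240,customer,till,45
2008-01-10T12:00:00,points_adjusted,LC-100240,emp-2210,admin_console,200
2009-06-10T12:00:00,points_earned,LC-100240,customer,till,30
2009-11-20T17:45:00,points_redeemed,LC-100231,customer,till,40
2009-11-21T17:50:00,points_redeemed,LC-100232,customer,till,35
2009-11-22T10:00:00,points_redeemed,LC-100240,customer,till,50
"""

PRIVILEGED_CHANNELS = {"admin_console"}   # assumed: staff-only account tooling
DORMANCY = timedelta(days=365)            # assumed threshold
CREDIT_EVENTS = {"points_earned", "points_adjusted"}


def parse_events(text: str) -> list:
    """Parse the CSV log into dicts with real timestamps and integer points."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["points"] = int(row["points"])
    return sorted(rows, key=lambda r: r["ts"])


def flag_accounts(events: list) -> dict:
    """Return {account: [reasons]} for accounts showing at least two of:
    created through a privileged channel; balance built only from manual
    adjustments (never from purchases); first redemption after long dormancy."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)

    flagged = {}
    for account, evs in by_account.items():
        reasons = []
        created = next((e for e in evs if e["event"] == "account_created"), None)
        if created and created["channel"] in PRIVILEGED_CHANNELS:
            reasons.append(f"created via {created['channel']} by {created['actor']}")
        earned = sum(e["points"] for e in evs if e["event"] == "points_earned")
        adjusted = sum(e["points"] for e in evs if e["event"] == "points_adjusted")
        if adjusted and not earned:
            reasons.append(f"{adjusted} points from manual adjustments, none from purchases")
        redemptions = [e["ts"] for e in evs if e["event"] == "points_redeemed"]
        if redemptions:
            prior = [e["ts"] for e in evs
                     if e["event"] in CREDIT_EVENTS and e["ts"] < redemptions[0]]
            if prior and redemptions[0] - max(prior) > DORMANCY:
                gap = (redemptions[0] - max(prior)).days
                reasons.append(f"first redemption {gap} days after last credit")
        if len(reasons) >= 2:
            flagged[account] = reasons
    return flagged


def suspects(events: list, flagged: dict) -> dict:
    """Tie flagged accounts back to whoever created them: the setup logs are
    where a privileged insider is linked to the cards, provided the logs are
    written somewhere that same insider cannot edit."""
    creators = defaultdict(list)
    for ev in events:
        if ev["event"] == "account_created" and ev["account"] in flagged:
            creators[ev["actor"]].append(ev["account"])
    return {actor: sorted(accounts) for actor, accounts in creators.items()}


if __name__ == "__main__":
    events = parse_events(EVENT_LOG)
    flagged = flag_accounts(events)
    for account, reasons in flagged.items():
        print(account, "->", "; ".join(reasons))
    print("suspect creators:", suspects(events, flagged))
```

Note the control case: LC-100240 also received a manual goodwill credit from a member of staff, but it was self-registered, earns points from real purchases and redeems within months, so it scores one signal at most and is left alone.  Requiring two of the three signals is what keeps the false-positive rate tolerable; the linking step only works if account-setup logs are retained for years and kept out of reach of the administrators they describe.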

Anyway, well done to the fraud team, auditors and Police involved in this case.  Good work!

Gary (Gary@isect.com)

7 Jan 2011

Make them concentrate harder!

A counterintuitive result emerged from experiments evaluating the best kinds of font for classroom presentations.  Fonts described as 'difficult to read' presumably made students concentrate harder.  They scored better on subsequent tests than their peers using elegant, easy-on-the-eye fonts such as Arial. 

Of course it could also be that those 'difficult to read' fonts gave a welcome boost to the banality and blandness of most presentations.  We do our level best to make the NoticeBored security awareness seminar slides more interesting and engaging to stand out from the norm.  We mostly avoid bullet points, preferring images and mind maps to put across important information such as the relationships between parts of the topic at hand, not just the words themselves.  Where appropriate we enjoy using simple visual trickery to emphasize the most important bits, but most of all we research the content to make it relevant and hence inherently engaging to our customers' audiences.

Nevertheless, customers who wish to try nasty bold italic script fonts are very welcome to edit the PowerPoint presentations we supply, but please don't blame us for any adverse comments about it on your presenter feedback forms!

Gary (Gary@isect.com)

PS  Thanks to The Last Word On Nothing blog for bringing this up.

5 Jan 2011

Physical security incident resolved using Facebook

CSO Mag is reporting that an inept thief who stole a flat-screen TV from a US service station (after paying for his fuel with his own credit card - doh!) was befriended on Facebook by staff and asked to return the stolen set.  After he refused and unfriended the staff, they passed his details, including photographs of him they had already downloaded from his Facebook page, to police who promptly arrested him.

A line from the story bears repeating: "He hid the TV under his shirt and took off".  That's a 27" flat screen TV!  I wonder if perhaps the cheeky chappie was somewhat circumferentially challenged?  Not that I can talk after the obligatory Christmas feast. 

Gary (Gary@isect.com)

I must clear this debts!

Normally I ignore the banal 419 & phishing emails that usually plop unceremoniously into my junk mailbox, but this one caught my attention for a couple of reasons.

Firstly, it's the most bizarre hook I've seen so far - a warning email from IATA that I might not be able to fly my planes across Europe.  Mmm.  Last time I checked the IsecT hangar, our enormous fleet of extremely well-appointed executive jets was mysteriously absent.  Perhaps they are all right now circling EU airspace, negotiating with the air traffic controllers for permission?

Second I couldn't help but notice the name of the sender.  That's either a terrible typo or a most unfortunate job title.

Gary (Gary@isect.com)

2 Jan 2011

Terrorist threats to physical security

A rather vacuous story in The Mirror concerning the discovery of vulnerabilities at England's Sellafield nuclear plant is a timely reminder of the extreme risks towards the right hand end of the risk-control spectrum diagram in January's NoticeBored security awareness module.  The news piece, such as it is, reports that after a military "red team" discovered issues at the plant, security is being 'urgently reviewed' to address the risk of a terrorist attack.
"The policing watchdog, in consultation with MI5, will now carry out a review to boost protection of the site, to prevent a “terrorist spectacular”."

The journalist casually mentions:
"An al-Qaeda cell caught plotting to blow up jets in 2006 also had nuclear sites on its hit-list."
I would have thought that 'nuclear sites' (presumably meaning nuclear generators as in this case) were rather low on the terrorist hit list, given the preponderance of much softer yet equally high profile critical infrastructure targets capable of causing just as much terror and publicity, plus the rather obvious deterrent effect of strong physical security at 'nuclear sites'.  But what do I know?  I'm no expert at assessing the terrorist threat.

Gary (Gary@isect.com)

PS  On October 19th 2010, eWeek Europe reported that someone left behind in a local hotel an unencrypted USB stick with information about staffing and health & safety at the plant - not especially sensitive, perhaps, but it is another physical security breach. 

Physical security issue leads to 35,000 privacy violations

InAudit reports that:
"Grupo Santander, a banking firm based in Spain, has reported to the Financial Services Authority (FSA) a system glitch with its printers that led to the distribution of 35,000 bank statements to wrong recipients, risking millions of pounds in fine for the data breach."
Whether this would be classed as a physical or IT or privacy incident is a moot point: there were elements of all three.  Arguably it might even represent the failure of integrity checking on the mainframe or printing subsystems that should perhaps have identified and blocked the duplication of 35,000 records.

Banks generally take care over physical security - after all, it has been core business for them for centuries.  However when it comes to sending confidential information to customers, they still rely heavily on the ordinary post.  New credit and debit cards, for example, are commonly sent out by post but the recipients are normally required to acknowledge receipt in order to activate the cards, and the acknowledgement process includes some authentication, albeit relatively weak.  Alternatively the banks could send new cards to the customer's nearest branch for collection, where a stronger form of authentication (perhaps an official photo ID or passport) would be possible.  However, the customer inconvenience factor evidently outweighs any reduction in card fraud due to the interception and misuse of new cards in the post.  When it comes to sending out bank statements, the argument for postal delivery is even stronger ... but in the Santander incident, the privacy disclosure could prove very costly for the bank and its customers.

There are numerous security vulnerabilities in the postal system.  Here are just a few to illustrate my point:
  • Post can be wrongly addressed or delivered to the wrong address
  • Post sometimes goes missing or gets delayed (that is, delayed even longer than it normally takes to deliver a letter given that the postal system does not run on Internet time!)
  • Post can be redirected, perhaps maliciously (although most post offices do at least make an effort to validate redirection requests)
  • Post can be stolen or tampered with by postal workers, couriers or other carriers, including 'authorized interception' by the security services or other authorities (e.g. in prisons)
  • Post can be stolen or tampered with in the sender's outbox and/or the recipient's inbox (unlocked post boxes are highly vulnerable to this)
  • Junk mail was the original spam.
Despite these issues, the relatively low cost and high convenience of postal delivery means it is as popular as ever, even taking into account the amount of messaging that now takes place electronically through SMS, email etc.

Speaking personally, I prefer to get my bank statements electronically through an encrypted network connection.  Not only is it more secure, I'm also helping to cut CO2 emissions and save the planet one electron at a time.  I hope the bank's savings on postal fees contributes to reducing their charges, and not just to increasing their profits.

Gary (Gary@isect.com)