Welcome to the SecAware blog

I spy with my beady eye ...

31 Mar 2011

SaaS is great - says Google-sponsored survey

Call me a cynic ("You're a cynic, Gary!") but are we really meant to swallow whole a research report on the use of SaaS, plus perceptions about the security aspects, that has been sponsored by Google?

As with so many of these vendor-sponsored "surveys", we're presented with a potted selection of data (basically a handful of bar charts), some analysis and discussion, next to no information about the research methods - in short, not much to go on.   There is none of the modelling, hypothetical predictions, experimental evidence and rigorous scientific analysis that a genuine research report would be expected to contain, so the end result is basically just a marketing exercise.

That said, I'm intrigued to see that the very first bar chart in the report clearly identifies the widespread belief that security and privacy are worse with SaaS than with traditional in-house IT approaches:

The survey report is free and short, so by all means take a look and make up your own mind about its value.

Personally, I'm happy to use SaaS (including Google apps) for some specific, limited situations where the utility of SaaS outweighs the security concerns, but I steer well clear of it for a whole load of other applications.  We have already seen a number of serious security incidents reported with cloud computing and I don't expect them to stop coming any time soon.   There's a very obvious difference of scale between security incidents affecting global SaaS apps and those affecting an organization's internal IT systems, so the major SaaS vendors have to clear a high bar for their customers to remain secure.  In reality, the SaaS vendors are just as reliant as the rest of us on their technologies and their people, so incidents are inevitable.

Gary (Gary@isect.com)

Cloud computing security awareness materials

Download this poster image for free
Cloud computing has emerged and grown steadily over the past few years.  While at first the cynics among us treated the announcements and advertisements as blatant marketing hype, many have quietly started using cloud applications such as Google Docs, Google Earth, online storage, webmail and so on, some without even appreciating that they are using cloud computing.  Meanwhile, Google, Amazon and many other suppliers have been building up their portfolios of cloud services and signing up customers.

Cloud computing involves the provision of Internet-based information processing services.  It gives ‘access from anywhere’ and service elasticity or flexibility - worthwhile business benefits and, in part, security benefits too.  However, it’s not all roses.  The security issues associated with cloud computing and the virtualization and network technologies that underpin it are significant, and not necessarily entirely obvious due to the fact that cloud computing is still novel and still developing.

To find out more about the new awareness module, please visit the NoticeBored site.  To subscribe to the NoticeBored service, please email me for details. 

Gary (Gary@isect.com)

16 Mar 2011

New SME infosec standard

A new draft information security standard for Small to Medium-Sized Enterprises has been released for comment by my friends in ISSA-UK.

The standard, called "ISSA 5173", is short - just 4 pages plus 6 pages of preamble (!).  It promotes a structured, risk-based approach to managing information security, not altogether unlike ISO27k.  It offers high-level advice rather than listing lots of specific controls: the management system it promotes is essentially about 'figuring out security requirements and putting them in place', with those information security requirements deriving from some understanding of the risks facing the SME, plus its compliance obligations.

I will be fascinated to see how this develops over the next few months and, time permitting, I'll contribute my ideas too.  I encourage you to at least download and read the draft but by all means join the ensuing discussion on the ISO27k Forum and through your local ISSA chapter.

Gary (Gary@isect.com)

11 Mar 2011

ISO27k success story from Malta

Thanks to a small team from the Information Security Department, the Malta IT Agency has successfully implemented ISO27k and been certified compliant with ISO/IEC 27001.

Getting MITA's widespread engagement with the project was a challenge, helped by overt support from above:
"Getting resources on board and having information security recognised as a priority for teams who work to deliver a service was the main challenge encountered by the project team throughout the process.  A key to successfully retaining the certificate is the ongoing support received from senior management, both at a department level and at a CEO/board level.

ISO27001 brought staff closer to security than ever before. MITA clients and suppliers see certification against such a professional standard as a proof of employing good security practices."
Well done MITA!

Gary (Gary@isect.com)
Join the ISO27k Forum

8 Mar 2011

Insider virus hits Whac-A-Mole

A long-term contract programmer working for the company that produces the Whac-A-Mole arcade game is accused of planting viruses in the code, perhaps as revenge against plans to end his contract, perhaps as a cunning plan to steal his client's business.

Reading between the lines, it seems likely that the programmer was in a position of trust, established over the past 30 years.  If the company had any controls against viruses being included in its code, they evidently failed to detect the infection and/or notify management - perhaps the programmer could disable or bypass the controls?  More likely they had no such controls at all.  Inspecting source code for malware is neither a trivial nor a cheap exercise, although there are several potential benefits from this control aside from malware detection e.g. identification of redundant code, potential buffer overflows, undefined variables, bugs, design flaws and general code quality improvement. 
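As an added illustration of the kind of control the paragraph above is talking about (this is example code written for this post, not anything the Whac-A-Mole company or its contractor used, and the file names and layout are constructed for the demo): a baseline manifest of source-file hashes is taken when the code is reviewed and signed off, and a later check reports any file that has been added, removed or modified since, so that an unreviewed change has to be explained to someone other than the person who made it.

```python
"""Source-tree integrity baseline: a detective control against unreviewed
code changes. Added example for this post; paths and the manifest format
are assumptions for the demo, not a real project's layout."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare(baseline, current):
    """Differences between the signed-off baseline and the tree as it is now."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a reviewed tree, then two unreviewed changes."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "src")
        os.makedirs(src)
        with open(os.path.join(src, "game.c"), "w") as f:
            f.write("int score(void) { return 0; }\n")
        # Baseline taken at code review / sign-off and stored out of the
        # developer's reach (a signed copy held by someone else).
        baseline = build_manifest(root)
        # Later: an existing file is edited and a new file appears, neither
        # of which went through review.
        with open(os.path.join(src, "game.c"), "a") as f:
            f.write("/* edit that nobody reviewed */\n")
        with open(os.path.join(src, "extra.c"), "w") as f:
            f.write("int unused(void) { return 1; }\n")
        report = compare(baseline, build_manifest(root))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}: {p}")
        return report


if __name__ == "__main__":
    demo()
```

The point the post makes about a trusted insider disabling or bypassing controls applies directly here: if the same programmer can both change the code and update the baseline, the check proves nothing, so the manifest has to be produced and kept by someone else (or signed with a key the programmer does not hold), and the report has to go to management rather than back to the developer.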

The financial impacts on the company in this case appear to be of the order of $100,000.  If the incident had affected the average financial, government or military institution, the impact could have been disastrous.

Gary (Gary@isect.com)

6 Mar 2011

Mac Trojan

A new Mac Trojan has been discovered in the wild.  Sophos' analysts believe it is a beta test.
"Its functions include:
  • Placing text files on the desktop
  • Sending a restart, shutdown or sleep command
  • Running arbitrary shell commands
  • Placing a full screen window with a message that only allows you to click reboot
  • Sending URLs to the client to open a website
  • Popping up a fake "Administrator Password" window to phish the target"
While almost all malware attacks Windows systems, owners of Apple Macs, iPads, iPhones, UNIX and Linux systems, smartphones and even Siemens Industrial Control Systems should not be too smug.

Sophos' excellent Naked Security blog is also reporting a rash of malware affecting social applications on Facebook.  In other words, it's possible to pick up malware even if the technology exists only in the cloud (something we'll be covering in more depth in April's awareness module).

Gary (Gary@isect.com)

Dust: a physical security risk

If you have ever worked in an IT operations or PC support role, you will probably recognize these filthy PCs - dust-encrusted fans, cases and circuit boards.  If not, have you ever looked inside your own PCs and servers?  Are they running slowly, perhaps making strange noises or smells?  Perhaps it's time to get the lid off and give them a good clean out before something truly awful evolves in there.

The physical threats - accumulated dust, hair and miscellaneous critters - are pretty obvious.  Most would qualify as biohazards.  The vulnerabilities mostly relate to the need to pass lots of cooling air across the heat sinks keeping the CPU and other hot components from meltdown.  Some might say the lack of preventive maintenance and regular cleaning are vulnerabilities too, though personally I'd call those control failures.  The impacts include overheating, fires, short circuits, that sort of thing, leading to unreliability and failure of the equipment and consequential interruption to the business processes that depend upon them.

IT systems located in places where the dust is conductive are particularly at risk: examples are metalwork and engineering workshops, buildings near the sea and coal-fired power stations (coal dust is mostly carbon). 

ISO/IEC 27002:2005 only mentions 'dust' once.  Section 9.2.1 offers a not-very-helpful suggestion to 'consider controls to protect equipment', saying 'Controls should be adopted to minimize the risk of potential physical threats, e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism'.  It doesn't actually say what those controls might be.

Regular preventive maintenance and cleaning of IT equipment is important, particularly where the risks are significant (e.g. business-critical systems in dusty places), along with additional controls such as dust filters, stocks of spare parts and our old friend, regular offsite backups and business continuity plans.

Hopefully the updated ISO/IEC 27002 will be more explicit on this kind of issue.  I included the following control in a proposed rewrite of the physical security section: "cleaning and other measures to reduce the build up of dust, waste, stores etc. that may occlude air filters, cause electrical short-circuits, reduce the reliability of electronic equipment and may cause safety issues".  Who knows whether my suggestion will be accepted, or what the final version will look like, but I hope it will end up being a tad less vague than the current 'controls should be adopted'!

Gary (Gary@isect.com)