Welcome to the SecAware blog

I spy with my beady eye ...

31 Dec 2015

Information risk and security tools

We've just completed and delivered a brand new NoticeBored awareness module for January 2016 concerning the tools supporting information risk and security:

Scope of the awareness module

There are literally thousands of tools in the information risk and security space. One of the more technical awareness papers in the module discusses some 68 types of tool - that's not merely 68 actual products but 68 categories with numerous tools in each. We could have kept going but 12 pages was more than enough for a 'briefing'!
In scoping, researching and preparing to write the module, we faced up to the possibility that the awareness materials might inadvertently spark an interest in the dark side among our customers' workforces. Many of the sexiest tools in the toolbox could be classed as dual-use weapons technology, valuable for good and evil purposes. In fact, many of them owe their very existence to the crucible of creativity and passion that is hacking. Our response was to be open about the concern, and suggest a means of keeping the lid on it through a policy to control security tools - a governance tool that is.
'Tools' is the 58th topic in our bulging awareness portfolio. It is gradually becoming harder year-by-year to find new angles on information risk and security but we're certainly not done yet! We routinely scan the crystal-ball-gazers' pontifications at this time of year, looking for hints on what might be galloping over the horizon towards us. Looking back at the year just gone, we picked up on information risk, the Internet of Things and cybersecurity for the first time, as well as updating the content on another nine awareness modules. Keeping up with constant developments in the field is what keeps me going, stops me getting bored stiff.
What about you? What excites or indeed scares you about working in this field? What do you see in the way of emerging threats, new challenges and novel approaches as we nudge over into 2016? What's keeping you awake at nights?

Happy new year!
Gary (Gary@isect.com)

24 Dec 2015

Air Canada phone scam takes off

If someone from Air Canada calls you about a flight booking, there's a good chance it's a social engineer trying to steal your credit card number and/or other valuable info.

I guess the scammers in this case might be calling people totally at random on the off-chance that some of them have recently booked flights on Air Canada, but given the specificity of the scam, it's more likely they are working their way through a list of Canadians who routinely travel by air, or at the very least people with Canadian phone numbers. Possibly they have discovered a way to identify specifically those people who have booked with Air Canada. Maybe the info is deliberately published on a public website or service for some reason (e.g. for passenger safety or visa checking?). Maybe Air Canada's booking systems have been compromised/hacked, or those of an intermediate such as a travel agent, booking agency, flight scheduling company, airport, loyalty card scheme, or ISP or .... well that's the point really: there are lots of people, organizations, systems, networks and services involved in the process, all of which need to be well secured. All it takes is one teeny leak to bring the entire dam crashing down.

By the way, the same concern applies to other airlines besides Air Canada, and to many other kinds of booking systems/processes (hotel bookings, car hire etc.). In fact the fundamental security issue is much broader: virtually any situation in which someone hands over or submits online their credit card number or other info could be used by social engineers as a pretext to call or email or text them "to check a few things" or "audit the records" or "correct an error" or "re-run a failed transaction" or "run a quality check" or "do a quick customer survey" or "offer a free entry in our prize draw" or whatever. The door is wide open for creative social engineers, and don't they know it.

What makes this worse is that many organizations routinely contact their customers for legitimate reasons in ways that are practically identical to competent social engineering attacks. The savvy ones are concerned to identify the customer on the other end, typically asking personal questions ... which is of course an excellent pretext used by social engineers. Few organizations, even the good ones, consider the customer's security/privacy perspective. 

If someone claiming to represent, say, my bank or insurance company calls or emails me about something, how am I meant to determine that they are genuine? 

If I have done something recently through the bank, and if they refer to that specifically up front in the call or emails, I'm more likely to assume it is a genuine contact ... but as the Air Canada scam demonstrates, that's a rotten control. The same issue applies to phishing emails which just happen to come from a company that I've been dealing with around the same time. By sheer coincidence, there's a higher than normal probability of me swallowing the bait.

Some organizations have thought this through and have the capability for mutual authentication. A pretty good technique is to offer a 'secure messaging' facility through their websites, so on receiving an ordinary phone call or email from them, customers can authenticate the website (e.g. by navigating to it from their own bookmark rather than a link in the message, then checking its URL and TLS certificate), login (i.e. identify and authenticate themselves), then access the secure messaging function to interact and deal with issues online. But social engineers can exploit that rigmarole (e.g. classic phishing emails with URLs to fake websites that capture the credentials from people who don't check the true destination), and it delays and complicates the process.

Another technique is for the organization to hold and prove ownership of a unique password for each customer, in much the same way that customers present their unique passwords at login ... but this is also vulnerable to social engineers who first make one or more calls to the organization to capture that password, then call the customer and 'authenticate' with the captured password. A static secret that is disclosed on demand can simply be captured and replayed later: an example of a TOCTOU attack that exploits the time delay between Time Of Check (when the password is disclosed) and Time Of Use (when it is presented to the customer). Mutual authentication needs to be simultaneously performed in both directions, or at least in the course of a single interaction, with the proof bound to that interaction so that it cannot be reused.
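The following is an added illustration of the two paragraphs above, not code from the original post or from any organization it mentions. It models the static shared-password scheme and the capture-then-replay attack against it, then a challenge-response version in which each side proves knowledge of the shared secret against a fresh nonce within the same interaction, so a response captured earlier no longer works. The customer ID, the secret, the role labels and the function names are all assumptions for the purpose of the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a per-customer secret held by both the
# organization and the customer (hypothetical ID and value).
CUSTOMER_SECRETS = {"cust-1001": b"correct horse battery staple"}


def static_password_scheme():
    """Model the 'static shared password' approach from the post.

    The organization reads its copy of the password back to anyone who asks
    for it (a weak help-desk policy), and the customer accepts any caller who
    can present it. Returns True if the attacker is accepted by the customer.
    """
    def org_helpdesk_reads_back(customer_id):
        # Time Of Check: the secret is disclosed to whoever calls.
        return CUSTOMER_SECRETS[customer_id]

    def customer_accepts_caller(customer_id, presented):
        return hmac.compare_digest(presented, CUSTOMER_SECRETS[customer_id])

    # Call 1: attacker phones the organization and captures the password.
    captured = org_helpdesk_reads_back("cust-1001")
    # Call 2, any time later: attacker phones the customer and replays it
    # (Time Of Use). Nothing ties the proof to this particular call.
    return customer_accepts_caller("cust-1001", captured)


def prove(secret, role, nonce):
    """Challenge response: HMAC over role || nonce.

    Including the role label means a response computed by the organization
    cannot be reflected back to it as if it came from the customer.
    """
    return hmac.new(secret, role + b"|" + nonce, hashlib.sha256).digest()


def mutual_auth(customer_id, org_responder, customer_responder):
    """One interaction in which both parties are challenged.

    The customer challenges the caller first, so the caller must prove who
    they are before the customer discloses anything. Returns a tuple
    (org_authenticated, customer_authenticated).
    """
    secret = CUSTOMER_SECRETS[customer_id]

    customer_nonce = secrets.token_bytes(16)          # fresh per call
    org_ok = hmac.compare_digest(
        org_responder(customer_nonce), prove(secret, b"org", customer_nonce))
    if not org_ok:
        return False, False                           # hang up

    org_nonce = secrets.token_bytes(16)
    customer_ok = hmac.compare_digest(
        customer_responder(org_nonce), prove(secret, b"customer", org_nonce))
    return org_ok, customer_ok


def genuine_call():
    """Both parties hold the secret and answer their challenges correctly."""
    secret = CUSTOMER_SECRETS["cust-1001"]
    return mutual_auth("cust-1001",
                       lambda n: prove(secret, b"org", n),
                       lambda n: prove(secret, b"customer", n))


def replayed_call():
    """Attacker replays an organization response captured on an earlier call.

    The captured value answered an old nonce; the customer issues a new one,
    so the check fails and the customer is never asked to prove anything.
    """
    secret = CUSTOMER_SECRETS["cust-1001"]
    old_nonce = secrets.token_bytes(16)
    captured_response = prove(secret, b"org", old_nonce)
    return mutual_auth("cust-1001",
                       lambda n: captured_response,
                       lambda n: prove(secret, b"customer", n))


if __name__ == "__main__":
    print("static password, replayed:", static_password_scheme())   # True
    print("challenge-response, genuine:", genuine_call())            # (True, True)
    print("challenge-response, replayed:", replayed_call())          # (False, False)
```

Two caveats a practitioner would add. First, binding the proof to a per-call nonce defeats capture-and-replay but not a real-time relay, in which the attacker is on the phone to both the organization and the customer at once and forwards each challenge to the party that can answer it; that is why the post's advice to move the interaction to a channel the customer initiates (calling back a known number, logging in to the website) still matters. Second, the scheme assumes the organization never reads its copy of the secret out loud, which is exactly the help-desk habit the static-password model exploits.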

What worries me more is that a substantial proportion of people have absolutely no understanding of, or interest in, this issue. Many of us these days are broadly aware of identity theft in general terms, having experienced it first- or second-hand but I seriously doubt that many appreciate just how creative, cunning and ruthless the social engineers have become, nor how easy it is to create and execute novel scams such as the Air Canada thing. The black hats have the upper hand, leaving us on the back foot. There's only so much we can do in the way of security awareness, even if we utilize social engineering techniques ourselves.


16 Dec 2015

The Realistic CISO

In information security, pessimism goes with the job. It's one of the hazards of our profession. It's pretty much expected of us in fact. As a general rule, we infosec types obsess about downsides - things going wrong; attacks, accidents and other incidents occurring; noncompliance; 'bad luck'. We are openly cynical or dismissive about claims or implications of perfection in our security tools. We sincerely doubt all bases are ever covered. We see little gaps and worry about dark, gaping holes in our defenses. We generally anticipate bad news, honestly believing that our adversaries carry most of the cards (including all the aces!). We long for better security metrics, while delivering a mish-mash of half-baked, partially irrelevant and largely distracting information to management in a failed attempt to compensate for our pessimistic outlook: we feel the need to be able to say "See, I told you so" when bad stuff [inevitably] happens.

The realistic CISO is, first of all, sufficiently self-aware to appreciate his/her inherent pessimism, hopefully well enough to accept that it might be a barrier to success in business and in the profession. We occasionally see little glimpses of light, for instance when we acknowledge that the flip side of risk is opportunity, and that there may be legitimate reasons for management accepting information risks that we personally find uncomfortable ... but then we drop the blinds by insisting that risk owners formally accept the risks, absolving us of all blame if bad stuff eventuates (and, by the way, forgoing a large part of the credit if things turn out OK after all).

Second, the realistic CISO anticipates that although a gazillion things could go wrong, things generally do work out OK, on the whole. The realistic CISO knows that good enough security is not only usually good enough, but way cheaper than striving for perfection (which, of course, is unattainable anyway). It's a pragmatic approach with a valuable bonus: good enough security is generally quicker and easier to implement than perfection, so while it may not achieve the maximum possible level of loss reduction, the benefits start to accumulate earlier and over a longer period while the implementation costs may be substantially lower. Good enough security may in fact be the optimal solution. Gosh, imagine that! Despite the oft-repeated mantra that the black hats only need to find and exploit the gaps with the implication that white hats need to close every gap, the realistic CISO focuses on closing the gaps that really matter, using multiple layers of control to deter, restrict and frustrate attackers and contain the damage within acceptable bounds, rather than forlornly trying to prevent all incidents.

Third, the realistic CISO is sensible enough to juggle competing priorities - not just preventive controls but early incident detection and sound incident management, a strong capability for business continuity (resilience and recovery and true contingency planning), systematic learning and continuous improvement, plus most importantly of all strategic alignment with business priorities. The realistic CISO appreciates that the infosec profession has high ideals with expectations that don't always match the organization's. The realistic CISO knows that the business has numerous objectives, goals and anti-goals, has disparate stakeholders with some conflicting expectations and requirements, and exists in a dynamic context. The realistic CISO is not merely plugged-in to senior management's social network but an integral part of it, helping to formulate strategy and drive the business forward as much as being driven by it. That takes personal integrity, persuasive skills and aptitudes way beyond the sphere of cybersecurity.

Fourth, the realistic CISO isn't aghast to discover that colleagues may be willing to push things to or beyond the limit, perhaps exceeding the boundaries of ethical and legal behavior in the interests of taking advantage and exploiting opportunities.  

In summary, the realistic CISO is a mature, upbeat, self-aware pragmatist with a strong urge to look into and beyond the looming storm clouds to spot not just bolts of lightning but silver linings. I'm hinting at expunging the final vestiges of The No Department - you know, the security function whose immediate, default reaction to virtually every request or enquiry is a resounding "No!". 

"Instead of saying no to new technologies, ideas and capabilities in the name of security, try to find a way to say yes. Individuals within the organization often assume that the position of the risk and security professional or program is to restrict the use of new technologies, ideas and capabilities. A more effective approach is to embrace technological changes while at the same time educating the individuals who want to use new technologies about the appropriate information risk and security considerations, concerns and requirements that need to be accommodated as part of their use. This will empower individuals to be able to make informed decisions about the use of these resources and, at the same time, ensure they are aware of their risk and security obligations."
John P. Pironti 

Whereas getting to "Yes!" as a stock response may be a step too far, the CISO who tends towards "Yes but ..." or "Yes provided ..." may turn out to be a boon to the organization rather than a barrier, which in turn will unlock some of those relationship benefits I've just mentioned, earning the respect and trust of senior management colleagues.