More and more people are working from home, and since an article I wrote for the Financial Times a few years back, increasing numbers of them have asked me what can be done to make their home environment a little more secure without breaking the bank.
After some of the discussion on IT Security Stack Exchange, and especially this question, I thought it would be worthwhile popping the link up here, as it is likely to generate a fair amount of traffic, whether it be opinion, fact or discussion.
Go have a look.
Monday, December 20, 2010
Friday, December 17, 2010
Being Prepared
With this winter in Scotland already a repeat of the freezing conditions of last year we are still astonished at how many people leave themselves at risk by being entirely unprepared. Not only does this cause them problems, but it also causes some impact to those who are prepared. So here are a few notes on how to minimise the impact from adverse weather and foolhardy unprepared individuals on the roads.
Obviously the simplest solution is don't go outdoors - get stocks of food and drink in and batten down the hatches. Cosy, but not always a workable solution, so let's have a look at what you can do if you do need to go somewhere.
Practice:
Okay, so I'm a petrolhead, and so I take any opportunity to go out on a racetrack, but knowing how to handle ice is within anyone's grasp. While the Andros Trophy could be a little excessive, having at least one skid pan session under your belt will get you through a lot of ice. You'll learn how to use the right amount of torque - unlike the many people we have seen over the last couple of weeks trying to drive under full power, wheels spinning and sliding - resulting in some interestingly stuck vehicles! The driving test in Finland requires a test on a slippery course - is it any wonder they do so well in the World Rally Championship?
Planning the route:
Look at an OS map to understand the hills. Last winter I had a very tense hour driving the last couple of miles to Drumoak in Aberdeenshire as I didn't prepare my route (but trusted a Tom Tom... mistake!) - I ended up descending a very steep slope using the ditch on the right hand side of the road as a runner to stop the car sliding off the left hand side of the road, which had no barrier other than some trees further down the slope. Learnt that lesson now, but wouldn't ever want to go through it again.
Avoid motorways - you would think they would be fine as the inclines are minimal, and they are wide, but unfortunately they are not sheltered, and when conditions deteriorate it is all too easy to be caught out, or get stuck behind someone else who does. When the inevitable crashes happen, you can't get off a motorway easily, and being stationary in heavy snow can lead to being stuck there for many hours.
Mechanical:
Defrost/de-ice your car every day. Not only will this help you avoid having to call out the AA/RAC/equivalent for your country, but you will avoid the doors freezing solid and ice buildup inside (which can easily damage wiring). In addition you'll find it much easier to keep all your windows and lights clear of snow and ice - this doesn't seem to be understood by many road users. Personally we like to be able to see everything around us, and ensure they can see us - we don't want to be anywhere near another car with the windows all frosted up and just a small patch on the windscreen for them to peer out of! Minimising risk here is a good thing (tm).
At the start of winter you really want to ensure the car is properly serviced. Fresh tyres, new wiper blades, engine oil, antifreeze levels correct. Then take every opportunity to fill up the petrol tank - just in case you need to run the engine for warmth while stuck for days! In the more remote areas you should consider snow tyres, snow socks or even chains - they can make all the difference.
Supplies:
Everyone should have a blanket, sleeping bag or slanket in their car anyway. They are so cheap or even free at garages that you might as well. Not just an essential to keep you warm if you do have to overnight in the car, but they are really useful to give you grip if you are really stuck - tucking a blanket or rug under the tyres can give a lot of traction.
Gloves and Hat - yep, simple, but if you are trying to dig yourself out and the temperature is down below minus 15 you want to conserve heat! Possibly a Cthulhu Balaclava is the best solution.
YakTrax Ice Grips - get yourself a set of these essential accessories.
Snow shovel - if you can find one! The telescopic ones can easily be stored in the boot.
Drinks - would be really nice to have a flask of hot coffee or soup, but realistically you can keep juice or cans in the car really easily. You can dehydrate very quickly when stationary and running the engine to keep the car warm. Keep some bottled water as well, and ideally some coffee powder (see below)
Food - cereal bars or chocolate are easy to store in a car for long periods of time.
The important bit - Geek essentials:
An inverter - ideally reasonably high wattage, so you can charge your laptop.
Torch - ultrabright LED torch, or for extra bling, one of these 10 Million Candlepower torches.
High gain antenna (at least 9dB) and 802.11 card if necessary. How are you going to update your blog, check out your Stack Exchange posts and twitter feed, follow the Met Office updates detailing the cold and ice coming your way, or keep yourself entertained with iPlayer if you can't connect?
Immersion heater - either a 12v car version, or a 240v one to run off the inverter - so you can make coffee.
USB Handwarmers - keep your typing speed up. Or your strafe speed in Brink!
eBook Reader - whichever flavour floats your boat.
In car mp3 player - you don't want to run out of tunes before help arrives! Ideally at least a half a terabyte of music will avoid any risk of boredom.
Best wishes for the festive season - see you in 2011
Wednesday, December 08, 2010
Business Continuity - Personal
I don't know if you noticed, but Scotland is suffering a bit of a cold snap - to such an extent that many normal activities are halted. Normally we would expect a temperature of around 6 degrees Centigrade at this time of year. It has been below freezing for 9 days now, with a low of minus 12 today, and so far we have had around 3 1/2 feet of snow fall, so transport has been very difficult, shops have had no stock, power supplies have suffered and in general it has been tough on people.
Luckily I didn't take the M8 on Monday, otherwise I could have been one of those stuck there for nearly 48 hours.
I'm rambling - what I'm getting at is being prepared makes the difference between what was for me a time to catch up on playing with the kids, enjoying some snow activities, keeping cosy indoors and working from home on pieces of work which I could bring forwards (such as documentation, marketing planning etc) as I had sensible stocks of food in, warm clothing and a network set up to allow me to connect remotely to the servers I need.
Some people I know had no tinned food, and no transport so had to walk to the shops, which were already sold out of essentials, through thigh high snow!
I mean, I am definitely not a pessimist in this (I know individuals with enough stocks to cope with the Fimbulwinter if need be) but there are some planning concepts which shouldn't just be in the realm of business continuity, but should be accepted as essential in everyday life.
For example - looking at the slight outliers from business as usual we can plan for extreme weather putting a hold on transport, power supply failures, food supply failures etc., and it doesn't take much resource.
Similarly, for a business to plan for continuity, an initial analysis to identify those slight outliers which could occur with reasonable likelihood can be very quick and simple for a small business. Large scale organisations almost always do this, but there is no reason why small businesses shouldn't do something in a similar vein.
Oh, and of course owning Subarus is planning of a different nature - getting the basics right makes life much simpler!
Wednesday, November 17, 2010
Security in Scotland
A topic very dear to me is the development of the Information Security profession, specifically in Scotland, and I thought it would be worthwhile posting some information on initiatives in Scotland that help with this aim, as well as discussing areas where stronger involvement from the wider industry would be welcomed. We have selected a few of the key organisations and events, but if you feel another is key, please let us know and we'll update this post.
The Institute of Information Security Professionals, of which Rory Alsop is the Scottish chair, is providing support and guidance to universities and companies across the UK through the Graduate Development Scheme, Academic Partnerships, the Accredited Training Scheme and the IISP Skills Framework. The IISP's mission is to be the authoritative body for information security professionals, with the principal objective to advance the professionalism of the industry as a whole. Whilst the existing IISP membership in Scotland is strong I would encourage individuals and companies to visit the website or speak to representatives to understand what they can get out of membership (at all levels from student through to full membership) and more importantly for the industry what they can offer in return from their own experience or skills. The IISP always welcomes speakers who have a story to tell in the information security space, so please get in touch if you would like to present at one of our quarterly events.
Similarly, ISACA aims to define the roles of information systems governance, security, audit and assurance professionals. Through close links with local industry, ISACA Scotland provides guidance, benchmarks and effective tools for organisations in Scotland. The majority of members in Scotland have the CISA certification so here there is a very strong focus on audit and control, but we are seeing increasing numbers in security management, governance of enterprise IT and risk and information systems control. Like the IISP, ISACA Scotland would welcome guest presenters or new members - the global knowledge base and information flow are extensive and the opportunities for networking are invaluable.
The Scottish Universities, under the guidance of Professor Buchanan, have created the framework for a Centre of Excellence in Security and Cybercrime in Scotland - with strong links already forming between academia, law enforcement, industry and professional bodies such as the IISP. One goal is to provide academia with a greater awareness of real world security issues and activities through a number of avenues including volunteer work, summer placements, guest lecturers etc. From the perspective of your organisation, if you find that when hiring software developers, for example, you need to give them additional training in secure development or spend resource remediating vulnerable code, the argument for providing a small amount of resource to help develop coursework in these subjects, or to provide the odd guest lecture, is a very strong one. As an industry we can make great improvements by simply giving new entrants the benefit of at least some of our years of learning the hard way.
The e-Crime Scotland website was officially launched at the Scottish Financial Crime Group Conference on the 28th of October. Currently this has been set up with support from, and using the framework developed by the Welsh Assembly, demonstrating an excellent level of sharing of expertise and resource. This website provides a portal of information on e-crime, a reporting mechanism and is planned to develop as Scotland takes greater ownership of content.
The Scottish Financial Crime Group, under the ownership of the Scottish Business Crime Centre, has been working with law enforcement and clearing banks for the last 35 years, but more recently through the annual conferences and an active presence in many forums has been in a good position to draw on expertise from a wide range of specialist individuals and organisations to develop opportunities to disrupt the criminal element in our society. Membership of the SFCG or at the very least, attendance at the annual conference is invaluable both from a learning perspective and an opportunity to influence discussion relating to financial crime.
The National Information Security Conference is held in St. Andrews each summer and provides speakers renowned within their field, education and an excellent networking opportunity to meet like minded individuals from industry and security experts. This three day residential event attracts many security professionals who are trying to drive the industry forwards and should not be missed!
On the more technical front, the Scottish OWASP chapter, headed up by Rory McCune is a growing group of individuals from across various industries focused on improving web application security. Join the mailing list to find out about meetings, initiatives etc. The scope of interest includes everything from SCADA to online banking and from smart meters to social networking.
Monday, November 08, 2010
Key Security Risks and Practical Remediation - ISACA Event notes - October 26 2010
In my role as Vice-President of ISACA Scotland and chairman of the Scottish branch of the IISP I chaired a joint session titled "Key Security Risks and Practical Remediation." Audit Scotland hosted the session, and we had a good turnout representing the financial and government sectors as well as law firms and retail.
A quick introduction from round the table did confirm that the problems faced were common - low resource or budget, escalating security and risk requirements, ever increasing threats, targets spreading - not just large financial organisations any more, so the opportunity to outline some simple, effective activities which any organisation could carry out was highly appropriate.
For our regular readers, some or all of the following should be old news, however we still see so few organisations carrying out basic remediation activities that we would recommend reading and looking to see where you can improve the security in your environment through these simple steps. The risk areas were taken from OWASP, Verizon and WHID work to identify the most common issues.
We would stress that nothing here is a magic bullet to cure all ills, but if you can take some of the actions listed you will be improving your security baseline without incurring too high a cost:
Input Validation
Very old news, but:
The top two web application security risks (OWASP top 10 list) are Injection and Cross Site Scripting, both of which can be successfully mitigated by strong input validation
The 2010 Data Breach Report by Verizon lists the top two causes of breaches as use of Stolen Credentials and SQL Injection
Examples include Worldpay from 2008 (over $9.4 million stolen) and the Royal Navy this week - this is still an issue
This is a relatively easy area to improve on:
Popular frameworks have input validation modules – why not use them?
With modern applications, a call to an input validation module is often straightforward
Never trust the client – validate all input at server side
White listing or black listing - both are acceptable and have their own pros and cons
Also think about output encoding – providing strongly validated output will also help prevent SQL Injection and Cross Site Scripting attacks, although it typically requires more effort to accomplish.
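The three points above (server-side white-list validation, not trusting the client, and output encoding) in working form, as an added example that is not code from the original post or from any framework it mentions. The in-memory SQLite table, the user records and the username rule are constructed for the example; the deliberately unsafe lookup is kept only to show what the parameterised version prevents.

```python
import html
import re
import sqlite3

# Constructed stand-in for the application database: an in-memory SQLite table
# with two users. Nothing here is from the original post or a real system.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
_conn.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("alice", "Alice"), ("bob", "Bob <b>the builder</b>")],
)

# White list: define exactly what a username may look like and reject the rest.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")

# Black list (shown for contrast): reject a few characters that matter in SQL.
BLACKLISTED_CHARS = set("'\";")


def validate_username_whitelist(value: str) -> bool:
    """Accept only 3-20 lowercase letters, digits or underscores."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_username_blacklist(value: str) -> bool:
    """Reject values containing a blacklisted character; everything else passes,
    which is the weakness of a black list: 'alice OR 1=1' gets through."""
    return not any(c in BLACKLISTED_CHARS for c in value)


def lookup_user_unsafe(username: str) -> list:
    """The 'before' picture: untrusted input concatenated into the SQL text.
    Deliberately vulnerable so the contrast with the parameterised version is clear."""
    query = f"SELECT display_name FROM users WHERE username = '{username}'"
    return [row[0] for row in _conn.execute(query).fetchall()]


def lookup_user_safe(username: str) -> list:
    """Server-side white-list validation first, then a parameterised query, so the
    database driver never interprets the input as SQL syntax."""
    if not validate_username_whitelist(username):
        raise ValueError("invalid username")
    cur = _conn.execute("SELECT display_name FROM users WHERE username = ?", (username,))
    return [row[0] for row in cur.fetchall()]


def render_greeting(display_name: str) -> str:
    """Output encoding: a stored display name is HTML-escaped before it reaches
    the browser, so markup inside it is shown as text rather than rendered."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    probe = "x' OR '1'='1"
    print("unsafe lookup returns", len(lookup_user_unsafe(probe)), "rows for the probe")
    print("blacklist passes probe?", validate_username_blacklist(probe))
    print("whitelist passes probe?", validate_username_whitelist(probe))
    print(render_greeting(lookup_user_safe("bob")[0]))
```

The black list catches the quote-based probe but waves through a value with no quotes at all, which is the pro-and-con trade-off the post refers to; the white list plus parameterised query does not depend on guessing what bad input looks like.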
Brute Force and Dictionary attacks
More old news, but:
The 2010 WHID Report by the Web Application Security Consortium lists Brute Force attacks in the top 5
Tools to carry out brute force or dictionary attacks are simple to use, prevalent and free
Humans are still pretty bad at choosing strong passwords
Remediation should be in a number of areas:
Brute forcing shows up in logs – typically it generates a high network load and can usually be spotted by simple statistical analysis tools
Utilise exponential delays - e.g. 5 seconds after 1 failed attempt, 10 after the second, 30 after the third etc. This rapidly makes brute forcing unusable, without requiring account lockouts (which often require helpdesk resource)
Awareness training works – for a few months at a time. Combined with regular password strength audits this can have lasting effect
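The two technical remediations above (spotting brute forcing in logs with simple statistics, and the 5/10/30 second delay schedule) as one added example; this is not code from the original post. The log line format, the sample entries and the doubling-with-a-cap continuation of the delay schedule beyond the third failure are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Delay schedule from the post: 5 s after the first failure, 10 after the second,
# 30 after the third. Beyond that this example doubles the delay, capped at five
# minutes, which is an assumption of the example rather than something the post states.
DELAY_SCHEDULE = (0, 5, 10, 30)
DELAY_CAP_SECONDS = 300


def delay_for_failures(failures: int) -> int:
    """Seconds the next login attempt must wait after `failures` consecutive failures."""
    if failures < len(DELAY_SCHEDULE):
        return DELAY_SCHEDULE[failures]
    extra_steps = failures - (len(DELAY_SCHEDULE) - 1)
    return min(DELAY_SCHEDULE[-1] * 2 ** extra_steps, DELAY_CAP_SECONDS)


# Constructed authentication log format used by this example only:
#   <ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so junk lines are skipped."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def find_bruteforce_sources(lines, window=timedelta(seconds=60), threshold=10):
    """Flag source addresses with at least `threshold` failed logins inside any
    `window`-long interval. Returns {src: {"max_failures_in_window", "distinct_users"}}."""
    failures = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        if event["result"] == "FAIL":
            failures[event["src"]].append(event)

    flagged = {}
    for src, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = {
                "max_failures_in_window": peak,
                "distinct_users": len({e["user"] for e in events}),
            }
    return flagged


def _constructed_sample_log():
    """Twenty failures in under a minute from one address cycling through three
    usernames, one stray failure elsewhere, one success and one junk line."""
    base = datetime(2010, 10, 26, 9, 0, 0)
    users = ["alice", "bob", "admin"]
    lines = [
        f"{(base + timedelta(seconds=2 * i)).isoformat()} auth FAIL user={users[i % 3]} src=203.0.113.7"
        for i in range(20)
    ]
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} auth FAIL user=carol src=198.51.100.4")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} auth OK user=carol src=198.51.100.4")
    lines.append("this line is not an auth record and must be ignored")
    return lines


SAMPLE_LOG = _constructed_sample_log()

if __name__ == "__main__":
    for n in range(8):
        print(f"after {n} failures wait {delay_for_failures(n)} s")
    print(find_bruteforce_sources(SAMPLE_LOG))
```

The detector keys on source address and counts failures in a sliding window rather than locking accounts, which matches the post's point that a delay or detection approach avoids the helpdesk cost of lockouts; the distinct-user count is there because an attacker cycling through usernames from one address stands out even when no single account sees many failures.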
Prevalence of 0-day exploits
For organisations with significant assets that are targeted by organised crime (FS, Government, Pharmaceuticals etc.) there's an increasing likelihood that 0-days will be part of the attack. This throws an interesting light on defensive controls other than patching and configuration, as you can only patch for weaknesses you know about.
Use of IDS/Log monitoring becomes more important - you won’t necessarily catch the initial attack (no signature available) but you may be able to catch the attacker doing things afterwards. At the very least detective controls can help the incident response and clean up.
Defence in depth – another old mantra, but it helps. While a 0-day can get an attacker through a security device, or an application control, multiple layers require more work, or a longer time frame – during which time the issues may be patched.
Client-side Attacks
Krebs reported on the increasing wave of attacks targeting Java (not javascript) on client PCs. It's a common mistake for client patching not to touch Java (especially as some applications require specific older versions).
Microsoft and Qualys have both confirmed the scale of the issue with over 40% of all PCs being vulnerable, and over 90% of all successful exploits in the Blackhole toolkit and over 50% of those in the SEO Sploit Pack being through Java. The Crimepack and Eleonore exploit packs also show Java flaws to be the leading exploit vectors.
The simple answer is to remove Java from machines. Most do not need it!
For those that do need it, keep it up to date. Very few developers update their code with the latest revisions, which can hinder user uptake of the latest Java update, so ensure your developers are kept up to date.
As part of audit look at the budget assigned for product maintenance or ongoing development
The Cloud
Moving to ‘The Cloud’ is popular – it can save money on hardware costs, it is flexible, it can save power and is generally considered a good thing™ for business.
Unfortunately it tends to break security structures, as layers which used to be in different environments, such as DMZs, may now be on the same physical platform, and may no longer have firewalls or other access control devices present.
The volatile and dynamic nature of virtual environments can mean asset registers and licensing are difficult to manage
The tasks which used to be separated out to network, system, database and platform administrators may now be carried out by one team
Good practice includes the following steps:
Model the new architecture on existing good practice
Be aware of the requirements of a highly volatile asset register, and licensing requirements for dynamic assets
Understand segregation of duties needs between administrators
Widespread DDoS
WHID and Verizon indicate a dramatic increase in Distributed Denial of Service attacks:
Blackmail, especially of internet gambling sites is on the increase
Punishment DDoS (for example ACS Law) removing web sites from the internet in response to an action
Bot net slots available for hire at cheap rates
(update - the DDoS against Burma last week shows the traffic levels which can be generated: at 10-15 Gbps this was significantly larger than the 2007 Georgia attack at 814 Mbps)
It is very difficult to resist a Distributed Denial of Service attack – even a small bot net can overwhelm a company’s Internet connection
Concentrate instead on resilience – do you have a fully tested business continuity plan or IT disaster recovery plan which can cope?
Does your ISP have mechanisms to mitigate such an attack?
IPv4 Address Space Exhaustion
A little more off the wall:
Whilst some of the stories around at the moment are probably more scare mongering than anything else, it seems likely that 2011 is going to see a greater restriction in IPv4 addresses and subsequently a big push to IPv6.
The interesting part is that a lot of security controls are dependent on IPv4 ways of thinking and there's also a big risk that new IPv6 implementations will require different ways of implementing network security and will be buggy early on.
Review your networks to understand the security structures in the infrastructure and protocol stacks
Work with your telecommunications and network service providers to ensure you are prepared
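An added example, not code from the original post, of the "IPv4 ways of thinking" point above: a typical address allowlist written for an IPv4-only world, alongside a family-aware replacement and a small review helper for the network review step. The allowlist networks are the documentation ranges from RFC 5737 and RFC 3849, and the sample client addresses are constructed; the function names are this example's own.

```python
import ipaddress
import re

# Constructed allowlists for an administrative interface. The networks are the
# documentation ranges from RFC 5737 and RFC 3849, chosen for the example only.
ALLOWED_V4_ONLY = ["192.0.2.0/24"]
ALLOWED_DUAL_STACK = ["192.0.2.0/24", "2001:db8:1::/48"]

_DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def legacy_is_allowed(addr: str) -> bool:
    """An IPv4-era control: the caller's address must look like a dotted quad and
    fall inside the IPv4 allowlist. Any IPv6 address fails the string test, so once
    the service is reachable over IPv6 legitimate admins are locked out, and an IPv4
    admin arriving on a dual-stack socket as ::ffff:192.0.2.10 is locked out too."""
    if not _DOTTED_QUAD.match(addr):
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n) for n in ALLOWED_V4_ONLY)


def normalise(addr: str):
    """Parse either family and unwrap IPv4-mapped IPv6 addresses so one IPv4
    allowlist entry covers a client however the socket presented it."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed(addr: str, allowlist=ALLOWED_DUAL_STACK) -> bool:
    """Family-aware replacement: unparsable input is denied, and the address is
    matched against every network regardless of family (a mismatched family
    simply never matches)."""
    try:
        ip = normalise(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n) for n in allowlist)


def audit_allowlist(allowlist) -> dict:
    """Review helper: report which address families a control actually covers,
    so an IPv4-only rule set is visible before IPv6 is switched on."""
    versions = {ipaddress.ip_network(n).version for n in allowlist}
    return {"covers_ipv4": 4 in versions, "covers_ipv6": 6 in versions}


if __name__ == "__main__":
    for client in ["192.0.2.10", "::ffff:192.0.2.10", "2001:db8:1::5", "2001:db8:2::5"]:
        print(f"{client:>22}  legacy={legacy_is_allowed(client)!s:5}  new={is_allowed(client)}")
    print(audit_allowlist(ALLOWED_V4_ONLY), audit_allowlist(ALLOWED_DUAL_STACK))
```

The failure mode shown is the benign one (legitimate traffic denied); the same review should also look for controls that fail open, such as log parsers or IDS rules whose address patterns only match dotted quads and therefore never fire on IPv6 traffic at all.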
More Generally
I would remind auditors that they need to not only ensure that each security management process is in place but that it works works.
A modicum of technical assurance work (vulnerability analysis by an experienced person) will go a long way.
Work in partnership with IS specialists to:
Add value to audits and gain a more holistic picture of the current state of security
Understand new threats and risks
Always take a holistic look – what are the threats to the business, not just to IT
Improve your security testing process – we have demonstrated over 30% savings through managing security testing and assessment efficiently
Threats will continue to develop – aim for resilience!
References
OWASP Top Ten
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Verizon Data Breach Report
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
Krebs Java Security Report
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
WHID Security Report
https://files.pbworks.com/download/loBVUfSYDp/webappsec/29750234/WHIDWhitePaper_WASC.pdf
Potaroo IPv4 Address Report
http://www.potaroo.net/tools/ipv4/index.html
A quick introduction from round the table confirmed that the problems faced were common: low resource or budget, escalating security and risk requirements, ever-increasing threats, and a spreading set of targets (not just large financial organisations any more). So the opportunity to outline some simple, effective activities which any organisation could carry out was highly appropriate.
For our regular readers, some or all of the following should be old news; however, we still see so few organisations carrying out basic remediation activities that we would recommend reading on to see where you can improve the security in your environment through these simple steps. The risk areas were drawn from OWASP, Verizon and WHID work identifying the most common issues.
We would stress that nothing here is a magic bullet to cure all ills, but if you can take some of the actions listed you will be improving your security baseline without incurring too high a cost:
Input Validation
Very old news, but:
The top two web application security risks (OWASP top 10 list) are Injection and Cross Site Scripting, both of which can be successfully mitigated by strong input validation
The 2010 Data Breach Report by Verizon lists the top two causes of breaches as use of Stolen Credentials and SQL Injection
Examples include Worldpay from 2008 (over $9.4 million stolen) and the Royal Navy this week - this is still an issue
This is a relatively easy area to improve on:
Popular frameworks have input validation modules – why not use them?
With modern applications, a call to an input validation module is often straightforward
Never trust the client – validate all input at server side
White listing or black listing - both are acceptable and have their own pros and cons
Also think about output encoding – providing strongly validated output will also help prevent SQL Injection and Cross Site Scripting attacks, although it typically requires more effort to accomplish.
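As an added illustration (not code from the presentation or from any framework), the following Python shows the three points above together: a server-side whitelist check, output encoding for HTML, and a parameterised database query beside the string-splicing form it replaces. The table, user names and addresses are constructed sample data.

```python
import html
import re
import sqlite3

# Whitelist: the only characters a username may contain. Input that does not
# match is rejected outright rather than "cleaned up", so the rule is simple
# to reason about and cannot be bypassed by an encoding we forgot to strip.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def is_valid_username(value):
    """Server-side check; never rely on the client having done this."""
    return isinstance(value, str) and USERNAME_RE.match(value) is not None


def encode_for_html(value):
    """Output encoding: render user-supplied text as inert HTML text."""
    return html.escape(value, quote=True)


def make_db():
    """Constructed in-memory database with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_email_unsafe(conn, username):
    """The 'before' form: the input is spliced into the SQL text, so a value
    containing quote characters changes the structure of the query."""
    sql = "SELECT email FROM users WHERE name = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_email(conn, username):
    """The hardened form: whitelist first, then bind the value as a parameter
    so the database driver never interprets it as SQL."""
    if not is_valid_username(username):
        raise ValueError("username rejected by input validation")
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (username,))
    return sorted(row[0] for row in rows)
```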
Brute Force and Dictionary attacks
More old news, but:
The 2010 WHID Report by the Web Application Security Consortium lists Brute Force attacks in the top 5
Tools to carry out brute force or dictionary attacks are simple to use, prevalent and free
Humans are still pretty bad at choosing strong passwords
Remediation should be in a number of areas:
Brute forcing shows up in logs – typically it generates a high network load and can usually be spotted by simple statistical analysis tools
Utilise exponential delays - e.g. 5 seconds after the first failed attempt, 10 after the second, 30 after the third, etc. This rapidly makes brute forcing unusable without requiring account lockouts (which often require helpdesk resource)
Awareness training works – for a few months at a time. Combined with regular password strength audits this can have lasting effect
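The two technical remediations above, as an added Python example that is not part of the presentation: a per-account delay that follows the 5/10/30 second schedule (doubling beyond the third failure is an assumption made here, since the text says "etc."), and a count of failed logins per source address run over constructed sample log lines.

```python
import re
from collections import Counter, defaultdict

# Delay schedule from the post: 5 s after the first failure, 10 after the
# second, 30 after the third. Beyond that the post says "etc."; doubling the
# last value for each further failure is an assumption made here.
DELAY_SCHEDULE = (0, 5, 10, 30)


def delay_for_failures(failures):
    """Seconds the next attempt on an account must wait, given the number of
    consecutive failures already recorded against it."""
    if failures < len(DELAY_SCHEDULE):
        return DELAY_SCHEDULE[failures]
    return DELAY_SCHEDULE[-1] * 2 ** (failures - len(DELAY_SCHEDULE) + 1)


class LoginThrottle:
    """Per-account consecutive-failure counter: no lockout, only delay, so a
    legitimate user is slowed down rather than shut out."""

    def __init__(self):
        self.failures = defaultdict(int)

    def required_delay(self, account):
        return delay_for_failures(self.failures[account])

    def record(self, account, success):
        if success:
            self.failures.pop(account, None)   # a good login resets the counter
        else:
            self.failures[account] += 1


# Constructed sample log lines (syslog-like; not from any real system).
SAMPLE_LOG = """\
Oct 27 21:02:11 web1 app: login failed user=alice src=203.0.113.5
Oct 27 21:02:12 web1 app: login failed user=alice src=203.0.113.5
Oct 27 21:02:12 web1 app: login failed user=bob src=203.0.113.5
Oct 27 21:02:13 web1 app: login failed user=alice src=203.0.113.5
Oct 27 21:02:13 web1 app: login failed user=carol src=203.0.113.5
Oct 27 21:02:14 web1 app: login failed user=bob src=203.0.113.5
Oct 27 21:05:40 web1 app: login failed user=dave src=198.51.100.7
Oct 27 21:05:52 web1 app: login ok user=dave src=198.51.100.7
"""

LOG_RE = re.compile(r"login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)")


def failures_by_source(log_text):
    """Count failed logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("result") == "failed":
            counts[m.group("src")] += 1
    return counts


def suspicious_sources(log_text, threshold=5):
    """Sources at or above the failure threshold: the simple statistical check
    the post says will surface brute forcing in the logs."""
    counts = failures_by_source(log_text)
    return sorted(src for src, n in counts.items() if n >= threshold)
```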
Prevalence of 0-day exploits
For organisations with significant assets that are targeted by organised crime (FS, Government, Pharmaceuticals etc.) there's an increasing likelihood that 0-days will be part of the attack. This throws an interesting light on defensive controls other than patching and configuration, as you can only patch for weaknesses you know about.
Use of IDS/Log monitoring becomes more important - you won’t necessarily catch the initial attack (no signature available) but you may be able to catch the attacker doing things afterwards. At the very least detective controls can help the incident response and clean up.
Defence in depth – another old mantra, but it helps. While a 0-day can get an attacker through a security device, or an application control, multiple layers require more work, or a longer time frame – during which time the issues may be patched.
Client-side Attacks
Krebs reported on the increasing wave of attacks targeting Java (not JavaScript) on client PCs. It's a common mistake for client patching not to touch Java (especially as some applications require specific older versions).
Microsoft and Qualys have both confirmed the scale of the issue, with over 40% of all PCs being vulnerable, and over 90% of all successful exploits in the Blackhole toolkit and over 50% of those in the SEO Sploit Pack being through Java. The Crimepack and Eleonore exploit packs also show Java flaws to be the leading exploit vectors.
The simple answer is to remove Java from machines. Most do not need it!
For those that do need it, keep it up to date. Very few developers update their code with the latest revisions, which can hinder user uptake of the latest Java update, so ensure your developers are kept up to date.
As part of an audit, look at the budget assigned for product maintenance or ongoing development
The Cloud
Moving to ‘The Cloud’ is popular – it can save money on hardware costs, it is flexible, it can save power and is generally considered a good thing™ for business.
Unfortunately it tends to break security structures, as layers which used to be in different environments, such as DMZs, may now be on the same physical platform, and may no longer have firewalls or other access control devices present.
The volatile and dynamic nature of virtual environments can mean asset registers and licensing are difficult to manage
The tasks which used to be separated out to network, system, database and platform administrators may now be carried out by one team
Good practice includes the following steps:
Model the new architecture on existing good practice
Be aware of the requirements of a highly volatile asset register, and licensing requirements for dynamic assets
Understand segregation of duties needs between administrators
Widespread DDoS
WHID and Verizon indicate a dramatic increase in Distributed Denial of Service attacks:
Blackmail, especially of internet gambling sites is on the increase
Punishment DDoS (for example ACS Law) removing web sites from the internet in response to an action
Bot net slots available for hire at cheap rates
(update - the DDoS against Burma last week shows the traffic levels which can be generated: at 10-15 Gbps this was significantly larger than the 2007 Georgia attack at 814 Mbps)
It is very difficult to resist a Distributed Denial of Service attack – even a small bot net can overwhelm a company’s Internet connection
Concentrate instead on resilience – do you have a fully tested business continuity plan or IT disaster recovery plan which can cope?
Does your ISP have mechanisms to mitigate such an attack?
IPv4 Address Space Exhaustion
A little more off the wall:
Whilst some of the stories around at the moment are probably more scaremongering than anything else, it seems likely that 2011 is going to see a greater restriction in IPv4 addresses and consequently a big push to IPv6.
The interesting part is that a lot of security controls are dependent on IPv4 ways of thinking and there's also a big risk that new IPv6 implementations will require different ways of implementing network security and will be buggy early on.
Review your networks to understand the security structures in the infrastructure and protocol stacks
Work with your telecommunications and network service providers to ensure you are prepared
More Generally
I would remind auditors that they need not only to ensure that each security management process is in place but that it works.
A modicum of technical assurance work (vulnerability analysis by an experienced person) will go a long way.
Work in partnership with IS specialists to:
Add value to audits and gain a more holistic picture of the current state of security
Understand new threats and risks
Always take a holistic look – what are the threats to the business, not just to IT
Improve your security testing process – we have demonstrated over 30% savings through managing security testing and assessment efficiently
Threats will continue to develop – aim for resilience!
References
OWASP Top Ten
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Verizon Data Breach Report
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
Krebs Java Security Report
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
WHID Security Report
https://files.pbworks.com/download/loBVUfSYDp/webappsec/29750234/WHIDWhitePaper_WASC.pdf
Potaroo IPv4 Address Report
http://www.potaroo.net/tools/ipv4/index.html
Sunday, October 31, 2010
Discussion re the Penetration Testing Industry
Chris over at Catch22 just posted up this excellent blog article.
A huge amount of commonality in thinking - Some extra thoughts on this:
Communication - over the last 12 or so years I have tried various training for testers along business lines etc., and there are very few who I would say are at the top of their game in both testing and reporting in business language. The few around are worth their weight in gold, but very rare, so my fallback solution was always to have a member of the team responsible for business QA and reporting. They'd still need to be at a high level of technical expertise, but the focus is different. (I do like Chris's idea of a tech reporting course though!)
Relevance - understanding the customer's needs is definitely key. As we've discussed, working with the customer so they understand what their options are, the value in different services etc., should be a part of every engagement.
Accountability - two thoughts on this. One is the name and shame as Chris mentions, but there are bound to be legal challenges, so the alternative is to use certifications (e.g. CREST, SANS, etc.) to be able to demonstrate to board level that you chose the right testers for the job, as the certification is effectively the entry qualification to the industry. In addition, you could go down the route of extensive logging (also would help for the repeatability section below) so you can prove every step.
Standards - absolutely! See our earlier posts on taxonomy and nomenclature to understand an element of where we see standards going, and we are planning to continue to work with a good range of experienced security individuals to define a set of industry standards.
Repeatability - I think where possible a number of organisations already do this. On a recent project, my customer wanted at least a minimum (including the parameters used and screenshots) to allow them to replicate the issue. That is only applicable for certain types of tests, but it goes a long way to help, and it is relatively light on resource so shouldn't price you out of the market.
The great thing is that more and more people are aiming the same direction. This has been a long time coming, but with passionate individuals, organisations and bodies, I think moving from the end of 2010 into 2011 will see a step change in the professionalisation of the industry.
Networking in Scotland
I mentioned the networking I have been doing, as any new start-up must, and I have realised the extraordinary variety in how these things work. Last week David and I went to the Banter in Edinburgh and were very impressed at the way Martin has it organised. Free to take part, hosted in a local coffee shop, very fluid, come and go as you please, grab a coffee before moving into the group, but he watches for new entrants, and for us, after a quick chat to ascertain what 7 Elements Ltd does, pointed us at the most likely useful contacts and carried out introductions.
Similarly the New Media Breakfasts hosted by FatBuzz in Glasgow and Edinburgh are a well laid out affair. Small cover charge, but the one I went to was at the Tower Restaurant, so the bacon butties were superb! The hosts (from FatBuzz and Winning Entrepreneurs) facilitated well, and carried out relevant introductions.
That facilitation role is the key - without it, you can wander aimlessly, fail to make the right contacts, and could leave the event very disheartened.
Saturday, October 30, 2010
IISP event on 4th November 2010
The next Scottish branch of the Institute of Information Security Professionals (IISP) event on the 4th will be kindly hosted by Napier University in Edinburgh (room F.29 at the Merchiston campus) and will have 2 speakers:
IISP Member - Matthew Pemble: "Preparing for the End - Data Destruction". Matthew is a popular speaker at many conferences and events and from two aspects of his day job has a pretty unique take on this topic. Find out more at Idrach's website.
IISP Programmes Manager and Chief Operations Officer - Triona Tierney: "The IISP Graduate Development and University Outreach Programmes" - if seriously considering information security as a career this talk could be invaluable.
Kickoff is from 6 for 6.30. Please do come along and support your local branch, join in the lively discussion, and meet fellow IISP members in your area. For more information and to register for this meeting, please email events@instisp.com
The best source for joining instructions/maps etc is the Napier Merchiston page - it includes a link to Google Maps.
Friday, October 29, 2010
Scottish Financial Crime Group Conference Highlights 2010
This year's SFCG Conference was held at the Corn Exchange in Edinburgh yesterday and was a great success, with a wide range of delegates from Financial Services, Consultants, Vendors, Academia, Public Sector and Law Enforcement (Scottish and Welsh police, and the FBI)
For me the key highlights included:
A presentation by Robert Hartman of KPMG on Bribery and Corruption in the Financial Sector. Some very worrying statistics, but also a down to earth approach to the problem. Robert also highlighted two useful sources of information: Transparency International and Trace Compendium.
A presentation on the risks around Social Media by DI Keith McDevitt of the SCDEA, a topic which is close to my heart and one which I still hope to present on to one of the winter New Media Breakfast Briefings. Lots of interest in this area, and I had a good discussion with a number of delegates afterwards.
The launch of the e-crime Scotland website - with a huge amount of support from the Welsh Assembly Government, who launched theirs some time ago, Scotland now has its own portal for information on e-crime, a reporting mechanism, and a gateway into the topic.
There was also a surprise talk by Professor Martin Gill, of the University of Leicester, who stepped in when one speaker was held up in transit. He spends a lot of his time interviewing criminals in prison and taking them to the crime scene to demonstrate how and why they commit their crimes. Some of his findings seem very non-intuitive, for example when confronted with the automatic lights homeowners may have fitted to the outside of the house, most burglars use them to scope out the property, identifying tools, escape routes, entry points etc. Not one stated it would put them off, as no-one ever checks when an automatic light comes on! Similarly CCTV was not seen as an issue.
Another useful point which came up was that when asked what they thought the likelihood of getting caught was (when given the options high, medium, low, none) they laughed at the question and said "zero likelihood" otherwise they wouldn't commit the crime, so the corollary to this is if we can persuade offenders that they will get caught at the time they are about to commit the crime then they are very unlikely to do it.
Although his talk was mostly about burglars, shoplifters and murderers, the same concepts hold true for white collar crime, so can we find ways to make criminals less certain they will get away with it at the time?
A member of the local fraud squad did tell me his solution was to push for removal of property under the Proceeds of Crime act, as going in to prison without the reward of a couple of million pounds at the end of the term can suddenly be a less enjoyable prospect, and letting criminals know that 'getting away' with a small stretch is no longer profitable can be a valuable deterrent.
Caught up with Lindsay Hamilton of Cervello - his company carries out database auditing (in fact he has joined forces with The Pete Finnegan to offer an awesome tool for Oracle auditing)
Some interesting exhibitors this year - M86 Security (the guys who incorporated Finjan into their product line) had some good chat around secure web gateways.
It was as ever a great networking opportunity - I always meet a lot of old friends and colleagues, as well as clients old and new, and these events give a good chance to catch up. One individual surprised me, as out of context I did not recognise her - a detective constable with the Specialist Fraud Unit. Turns out she sings with the Lothian and Borders Police Choir (who I play session guitar for on an occasional basis)
Wednesday, October 27, 2010
Been having an interesting time over the last couple of weeks meeting people at networking events. It is very reassuring to me that the basic business model underpinning 7 Elements Ltd appears to fit the needs of so many organisations.
We are providing services that are practical and effective for small or large organisations - and that work even in the current economic environment.
I presented for 45 minutes last night on behalf of ISACA Scotland to an audience, mostly from IT audit, from a range of organisations with a strong Scottish presence, and I have never seen so many people take notes throughout an entire talk! Usually a particular segment may interest one person, and another will want something else, but I think we got the right balance. The topic was "key security risks, and practical remediation steps" and drew on examples from the OWASP Top Ten, the Verizon data breach survey and the WHID white paper as well as my own experiences to indicate the highest risk areas which can be easily remediated.
The presentation will be up shortly on ISACA Scotland's web site as well as on 7 Elements.
Wednesday, September 22, 2010
Life changing moments:
After 9 1/2 years as Scottish Security Lead with Ernst & Young I've just started a new role as a Director at 7 Elements. Along with two other notable names in Information Security in Scotland we will provide technical security consultancy and penetration testing services.
As part of that we've started up a blog here to talk through some of the ideas we've got for approaching security and testing in a pragmatic way.
There may be the odd post here, but all industry focused stuff will be on the 7 Elements blog or cross posted to twitter.
Tuesday, May 25, 2010
Number theory never ceases to amaze me
Alex Bellos writes in New Scientist :
"I have two children. One is a boy born on a Tuesday. What is the probability I have two boys?"
The first thing to remember about probability questions is that everyone finds them mind-bending, even mathematicians. The next step is to try to answer a similar but simpler question so that we can isolate what the question is really asking.
So, consider this preliminary question: "I have two children. One of them is a boy. What is the probability I have two boys?"
This is a much easier question: you need to first look at all the equally likely combinations of two children it is possible to have: BG, GB, BB or GG. The question states that one child is a boy. So we can eliminate the GG, leaving us with just three options: BG, GB and BB. One out of these three scenarios is BB, so the probability of the two boys is 1/3.
Now we can repeat this technique for the original question. Let's list the equally likely possibilities of children, together with the days of the week they are born in. Let's call a boy born on a Tuesday a BTu. Our possible situations are:
When the first child is a BTu and the second is a girl born on any day of the week: there are seven different possibilities.
When the first child is a girl born on any day of the week and the second is a BTu: again, there are seven different possibilities.
When the first child is a BTu and the second is a boy born on any day of the week: again there are seven different possibilities.
Finally, there is the situation in which the first child is a boy born on any day of the week and the second child is a BTu – and this is where it gets interesting. There are seven different possibilities here too, but one of them – when both boys are born on a Tuesday – has already been counted when we considered the first to be a BTu and the second on any day of the week. So, since we are counting equally likely possibilities, we can only find an extra six possibilities here.
Summing up the totals, there are 7 + 7 + 7 + 6 = 27 different equally likely combinations of children with specified gender and birth day, and 13 of these combinations are two boys. So the answer is 13/27, which is very different from 1/3.
It seems remarkable that the probability of having two boys changes from 1/3 to 13/27 when the birth day of one boy is stated – yet it does, and it's quite a generous difference at that. In fact, if you repeat the question but specify a trait rarer than 1/7 (the chance of being born on a Tuesday), the closer the probability will approach 1/2.
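Added here as a check on the arithmetic (this is not part of the New Scientist piece): enumerating the equally likely (sex, birthday) pairs in Python reproduces the 27 and 13 above, and letting the stated trait take n equally likely values instead of 7 goes beyond the article to show the general count, (2n-1) two-boy cases out of (4n-1), which is why rarer traits push the answer towards 1/2. The assumption, as in the article, is that sex and trait are independent and uniform for each child.

```python
from fractions import Fraction
from itertools import product


def two_boy_counts(n_trait_values):
    """Return (two_boy_cases, matching_cases) for a trait with n equally likely
    values, where the stated child is a boy with trait value 0 ("Tuesday")."""
    # Every child is a (sex, trait) pair; every ordered pair of children is
    # equally likely under the independence assumption.
    children = list(product("BG", range(n_trait_values)))
    target = ("B", 0)
    matching = [
        (a, b) for a, b in product(children, repeat=2)
        if a == target or b == target          # "one is a boy born on a Tuesday"
    ]
    two_boys = [
        (a, b) for a, b in matching
        if a[0] == "B" and b[0] == "B"
    ]
    return len(two_boys), len(matching)


def two_boys_probability(n_trait_values):
    """P(two boys | at least one boy with the stated trait) as an exact fraction.
    n_trait_values = 1 is the plain "one of them is a boy" question (1/3);
    n_trait_values = 7 is the weekday version (13/27)."""
    two_boys, matching = two_boy_counts(n_trait_values)
    return Fraction(two_boys, matching)
```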