Thursday, November 01, 2012

The Day Job

Was invited to talk to the Chartered Institute of Internal Auditors today, at their annual event. This was hosted at the Hilton in Dunblane (lovely setting, by the way - I recommend it!).

The theme of the event was around the auditor being a 'critical friend' which supports a large proportion of the work I do with audit, IT, security, risk, compliance and governance teams, namely:

Leveraging the skill sets of these teams and communicating will help you understand risks in your organisation!

With the rate of change of technological advances, and the associated new risks, your audit team are not in an ideal position to know about the new security risks a particular technology brings. But your security team may well know all about them already. So they should talk to each other.

In the echo chamber that is the security industry we harp on about this a lot - we understand security and often seem puzzled why others don't 'get it' but it is because we have our own peculiar jargon, terms, ratings etc.

The focus of my talk was on communication - being able to translate this jargon into business language. This goes for all specialist teams, to be honest - you all need to be able to get your information across to the FD, the COO, the business unit lead or whoever, in their terms, otherwise you will be ignored!

It was perhaps a challenge, being placed right after lunch, and right before Karl Snowden's political awareness talk, but I enjoyed myself, and I had enough people come to talk to me about the subject that it must have resonated with a few of the attendees.

Many thanks for inviting me, hosting an excellent event, and I must congratulate the venue on the awesome chocolate chip cookies!

(My only problem now is that with KPMG sponsoring this event, I now have an EY umbrella and a KPMG umbrella - and with my OCD I'm going to have to complete the Big-4 set!)

Friday, June 15, 2012

e-Crime Scotland Summit


On the 21st of May I presented a short talk at the inaugural e-Crime Scotland Summit, hosted by RBS at their excellent conference centre in Gogarburn. This event was introduced by Kenny MacAskill, Minister for Justice, and boasted a wide range of high profile security professionals from the Police, consultancy, financial services, retail, penetration testers, audit and CISOs. Some talks were quite technical, and some at very high level - such as Richard Hollis' "Zen and the art of Threat and Risk assessment".

280 attendees registered for the event, which was reported in local and national news, and the feedback is incredibly positive - the aims of e-Crime Scotland are to equip Scottish businesses with the knowledge and tools to be "aware, vigilant, informed and ultimately safe from the destructive effects of e-crime in all its forms."

There were core themes running through the event - the key threats from organised crime, the technological capabilities of attackers and defenders, and the value of awareness training for all staff.

I spoke on Scams, Phishing and Malware - and the majority of my talk was aimed at describing just how reliant the majority of attacks are on people. While there are technical controls which can mitigate risks - which are used by many organisations - getting the people side right is critical!

I also used some of the results from PwC's biannual Information Security Breach survey to demonstrate why this should be of interest to all the attendees, who included heads of security, CISOs, CIOs, auditors, FDs, police officers and others.

The report includes some interesting numbers in the executive summary:
  • 93% of large companies had at least one breach last year
  • The median number of attacks last year was 54 for large companies
  • The cost of the biggest breach averaged between £110,000 and £250,000
  • 45% of large companies had breached data protection laws in the last year (one in ten of these said it happened at least once a day)
  • 73% of large companies outsource business processes, but carrying out checks of providers has not kept pace
Have a read - some very interesting summaries in there, and along with the Verizon DBIR gives a good overall picture.

Friday, November 18, 2011

Alter Ego - Boosted

My band, Metaltech, supported the mighty KMFDM this week at the Classic Grand in Glasgow. Now this was by no means the biggest gig we have played, having had successful gigs at the Wickerman, Belladrum and Rock Ness festivals etc., but in terms of pure awesomeness it wins hands down.

Trauma Inc. - a local Glasgow band kicked off, despite one of their number being hospitalised earlier in the week with an extreme allergy. Their sound is becoming more polished every gig.

Our gig was the best we have ever had - the house sound and light guys did us proud, we had an amazing mix, and KMFDM's fans really got into our set. Having them crammed down the front jumping (and singing) along really took us to a new level of excitement and fun. Our dancers, the Kamikaze Girls, from Edinburgh attracted a lot of attention too - big thanks to them for spicing up the dance floor! Barry, who runs the Classic Grand, made the entire evening run well, including an excellent after party. As ever Barry - apologies for the general mess we tend to leave...

And huge thanks have to go to Sascha, Lucia, Steve, Jules and Andy and their road crew for not only being an utterly lovely bunch of people and superb musicians, but for making us feel like part of the family for an evening. They delivered the promised Ultra Heavy beats, and made time to party with their fans, the support acts and generally hang out. Despite the obvious KMFDM influences in Metaltech's beats, I had never seen them live and I was soooo impressed at the skill each individual had (including Sascha and Lucia's wee daughter who joined in with soundcheck, despite being only 4 - there's a girl who is destined to be on stage!)

Hanging out with Lucia.

Already acquired the KMFDM WTF? t-shirt, so am a happy bunny.

Steve, Lucia and Sascha rocking out!

The energy KMFDM have is amazing. This gig is 5 from the end of a long tour and they still give it everything...even through technical difficulties (a mic failed halfway through)

Aside from a gig tonight at the Cabaret Voltaire, I think Metaltech's 2011 live shows are at an end (next one isn't until January) but it has been an awesome year, with our album launch, festivals, loads of headline gigs, our Acoustech sideline and now this.

Let's see what 2012 brings for Metaltech.

Monday, September 12, 2011

So Alsop Consulting is on hiatus for a bit

I have happily taken on a new role - back in Big-4 consultancy - despite really enjoying owning and running my own company, and despite proving to myself that it is more relaxing and more profitable to run my own company!

After the experience of the best part of ten years working in, and then leading Ernst & Young's security team in Scotland, I was pleasantly surprised to be offered a very similar role in PricewaterhouseCoopers - to build and lead an information security team in Scotland.

The remit is nice and wide, the market is good, and I can draw on the experience and skills of a wide UK and global team in the short term while I grow local capability and resource.

Really looking forward to the next couple of years!

Friday, July 08, 2011

Exciting Happenings in Security Stack Exchange

You are probably aware I am one of the pro-tem Moderators for the global Security expert knowledge exchange Security.StackExchange.com, which was created as a public beta in November.

Well, we are almost at the stage of graduating to full Stack Exchange membership, with over 3000 users, and around 1000 visits a day, and the growth is increasing. Like the parent Stack Exchange group (currently with 57 sites live and over 19 million unique visitors) this question and answer site provides valuable information and guidance from experts and experienced professionals to a wide range of users.

A very cool visual identity has been crafted, and is almost finalised - check it out in this post by Jin.

To support this growth and transition to a full site, we have also created the Security Stack Exchange Blog - we went live this week. Check out the About page for a list of topics we are likely to cover, or request topics, either relating to questions, through our Question of the Week posts or by asking in the DMZ, our chat room.

On twitter, follow the hashtag #stacksecurity

Tuesday, July 05, 2011

The White Hat Rally 2011

The 2011 Carry-On themed White Hat Rally was fiercely fought last weekend, with teams from all over the UK taking part and raising money for the NSPCC's Childline, with a total raised by Sunday topping £25,000.

Across the sunniest 3 days this summer we travelled from Brighton to Blackpool, following clues, competing in challenges, suffering japes, sabotage and mechanical issues, and enjoying the hospitality of towns along the way, as well as getting to know a like-minded bunch of security professionals all trying to make a difference.

I joined the NUKSG team in Leeds on Thursday, and we drove the Yellow Peril (an ancient Dodge Caravan bought for £350, bright yellow with an interior entirely covered in red velour) down to Brighton, where we met the other teams for a pleasant social...quite late on, due to starter motor issues, traffic, and the Yellow Peril's lack of a top speed (among other issues).

Day one - we met up at Brighton beach, a motley collection of classic cars, sports cars, agricultural and emergency vehicles and bangers. The day involved a lovely journey across the South Downs, following clues and ending up in Cheltenham. Each team had GPS tracking apps to allow the organisers and families to see how we were doing. At our first checkpoint stop the Pirates O' Pentest opened up the back of their ambulance to display a fully featured and functional cocktail bar - which went down very well at each stop for the next 3 days - raising extra money for charity. Lunch was hosted at Brooklands Museum, the birthplace of British motorsport and aviation, and included a speech by the Green Goddess, who also led us in some mild aerobics, despite being in her 70's. I was delighted to sit on the banking, poke around the classic cars and aircraft and play on the F1 simulator.

Due to a minor organisational hiccup, The StoryTeller restaurant in Cheltenham were not made aware of the party of 67 until a couple of hours before we arrived, but they coped amazingly well - getting us all seated and providing a lovely dinner.

The Scavenger Hunt in Cheltenham attracted a few entrants, but we didn't find out the results until Sunday night.

Saturday saw us winding through the countryside up to the oldest brewery in the UK, the Three Tuns in Shropshire, for lunch, a tour of the brewery and tasting of some new brews. I also met the lovely Clare Marie - the hostess of Dr Sketchy's London art events. The afternoon drive then led us up to Buxton and the Palace Hotel for our evening stop. Once again we were provided with an excellent dinner, this time at the Railway, and a Carry On quiz.

Sunday was a relatively short run, with some straightforward clues that got us to Blackpool, and the Big Blue hotel - which is where we were finally joined by 2 of our number we hadn't seen for the entire event...because they cycled the entire way!! Fancy dresses were out in force, and everyone had a great time on the rollercoasters and rides before dinner (can't believe I stayed on the Big One for 3 laps - I'm terrified of heights!) and prizegiving at the White Tower.

Team NUKSG did not win best dressed car, best fancy dress, or prize for quiz or scavenger hunt; however we did raise the most money, so we were the overall winners and took home the star prize - a bottle of the Three Tuns' Cleric's Cure each!

We are obviously keen to keep raising money so please visit our sponsorship page.

I will edit pictures in here, but the official picture page is here at Picasa.

Many thanks again to my sponsors:
  • Virgin Money - Virgin's banking department, and the providers of Virgin Money Giving - the only not-for-profit charity payments site.
  • Security Stackexchange - Global security Q&A and education site
  • Metaltech - my Rock band, preparing for new album launch party in August (@metltek and #burnyourplanet on Twitter)

Tuesday, June 28, 2011

Security & Cybercrime Symposium

Slides from my presentation at the Security & Cybercrime Symposium are up.

I had a bit of a hectic day, having hosted the ISACA Scotland AGM in the morning, but I made it to Napier University in time to catch the majority of the speakers, as well as to present my piece on where we need to fix the problems with IT and Information Security.

Bill Buchanan and team did a grand job of organising the day - it was an excellent networking opportunity and had some thought provoking presentations.

  • Not with educating security professionals - we know this stuff - and not with developers - in general developers want to get this right...
  • It's persuading the business owners to give a **** about it, to sponsor it, to require secure code, to budget for it etc.
  • And to do this we need to get much better at talking their language. No-one in business is going to learn to speak IT Security, so we need to talk business risk, operational risk, real impact to the organisation.

Especially with the more technical approach the other speakers took (and the expectation that I too would go into technical detail) this talk went down very well :-)

The list of speakers was:

Tony Mole - Head of the Scottish Drug Enforcement Agency (SCDEA)
Ian Bryant - Principal Information Security specialist at HM Government
Fred Piper - Royal Holloway
Don Smith - Dell SecureWorks
Tabassum Sharif - Flexiant
Rory Alsop - Alsop Consulting
Mike Dickson - SCDEA
Alan Moffat - Scottish Information Assurance Forum.
Russell Scott - Scottish Police
Nigel Jones - 2Centre
Martin Borrett - Director of the IBM Institute of Advanced Security in Europe
John Howie - Head of Cloud Services within Microsoft plc

Sunday, May 29, 2011

White Hat Rally for Childline - 32 days to go

Many of you will know of the White Hat Ball and the White Hat Rally - professionals from the information security world raising money for Childline. I have attended the ball a couple of times, but always in the past I have missed out on the rally so I'm delighted that this year I'm taking part.

This year the theme is Carry On Driving, running from Brighton to Blackpool from the 1st to 3rd of July and I have joined team "8485 80085" the Northern UK Security Group (NUKSG) team.

I will obviously be looking for as much sponsorship as possible, and there are a couple of options open - donations through the Virgin giving site, or sponsorship to get your logo on the car, on our t-shirts etc:

- the donations page
- corporate sponsorship

All donations welcome!

Monday, May 23, 2011

Moving on from 7 Elements

So - we have come to the end of the wee project we set up last year, and I thought I should pop down some of my lessons learned and my thoughts on my next moves:

For me, the contrast between the global world of Ernst & Young, and our local 7 Elements world has shown that some things are the same at any scale. Interestingly the same people engaged me working as a small company as I would have expected from my previous role leading a team across multiple countries. The key is the people relationship - if someone likes and trusts you they will want to work with you.

I have definitely discovered what I enjoy least and most in day to day infosec work, and confirmed what is most valuable to me - my family first, then my profession. Being able to take my kids to school most days is a wonderful return to sanity.

I really enjoy meeting people who are either committed to security or those who aren't really security literate but want to understand and implement secure code or controls. It's also very rewarding to come into a 'greenfield' environment and make a distinct improvement in their security posture (I know, I used the 'P' word...)

OnStartups - part of the StackExchange family has been an incredibly good source of information. Kind of wish I'd hung out there before we founded 7 Elements!

So, not exactly sure what is happening now. Am looking at two sets of options - couple of really interesting permanent roles are being created at the moment, and a few companies have asked if I can do some consulting work over the next few months. So I guess we'll see. If it's consulting I have my Alsop Consulting company - check out www.alsop.net and if it's full time then I'll let you know:-)

Penetration Testing? A Taxonomy

Initially while I was at Ernst & Young, then through my 7 Elements time, and with the help of many others from vendors and industry, I have been putting some thought into how penetration testing is currently sold and delivered and how we can improve the process for customers and suppliers. This is a consolidation of posts from other areas, and ideally should be built into the process along with the Penetration Testing Execution Standard.

One of the key issues that we see is that there are different reasons to go broad, or deep. A wide review could aim to identify a range of areas which should be improved, whereas a targeted attack simulation could give good information on what an attacker could do with an opening in the perimeter, combined with weak access controls for example, but may not find many vulnerabilities.

The second issue is with vendors that sell you a "penetration test" but only deliver a lower level of assessment and this can lead to a false sense of security.

So the problem with the "penetration test" term is that most people associate it with this idea that you'll also get coverage of security issues, rather than a focus on specific weaknesses and how they're exploitable.

At the end of the day, an attacker only needs to find one exploitable vulnerability, so while there are certain situations where allowing security testers free rein to go for the crown jewels may be the best option, due to the prevalence of the perimeterised "hard on the outside, soft on the inside" security model, organisations may find a broader approach provides greater assurance for the same budget.

So there is almost a forked model of testing. Typically you would begin with discovery, scanning for common vulnerabilities, and then assessment of those vulnerabilities. After this, the split could be towards Security Assessment (the broad review to find as many vulnerabilities as possible and assess the risk to the business) or towards Penetration Testing (the attempt to exploit and penetrate the organisation to gain access to a particular target).

There will be occasions where these two forks could join up again, where you want a broad review with added information on the extent to which a real world attacker could penetrate.

In order to make it easier to discuss the various stages, our taxonomy is as follows. Please leave comments if you feel improvements are required, and we will develop the taxonomy accordingly:

Discovery

The purpose of this stage is to identify systems within scope and the services in use. It is not intended to discover vulnerabilities, but version detection may highlight deprecated versions of software / firmware and thus indicate potential vulnerabilities.

Vulnerability Scan

Following the discovery stage, this looks for known security issues by using automated tools to match conditions with known vulnerabilities. The reported risk level is set automatically by the tool with no manual verification or interpretation by the test vendor. This can be supplemented with credential based scanning, which looks to remove some common false positives by using supplied credentials to authenticate with a service (such as local Windows accounts).

Vulnerability Assessment

This uses discovery and vulnerability scanning to identify security vulnerabilities and places the findings into the context of the environment under test. An example would be removing common false positives from the report and deciding risk levels that should be applied to each report finding to improve business understanding and context.

Security Assessment

Builds upon Vulnerability Assessment by adding manual verification to confirm exposure, but does not include the exploitation of vulnerabilities to gain further access. Verification could be in the form of authorised access to a system to confirm system settings and involve examining logs, system responses, error messages, codes, etc. A Security Assessment is looking to gain a broad coverage of the systems under test but not the depth of exposure that a specific vulnerability could lead to.

Penetration Test

Penetration testing simulates an attack by a malicious party. It builds on the previous stages and involves exploitation of found vulnerabilities to gain further access. Using this approach will result in an understanding of the ability of an attacker to gain access to confidential information, affect data integrity or availability of a service, and the respective impact. Each test is approached using a consistent and complete methodology in a way that allows the tester to use their problem solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would or could not be identified by automated tools. This approach looks at the depth of attack, as compared to the Security Assessment approach that looks at the broader coverage.

Security Audit

Driven by an Audit / Risk function to look at a specific control or compliance issue. Characterised by a narrow scope, this type of engagement could make use of any of the earlier approaches discussed (vulnerability assessment, security assessment, penetration test).

Security Review

Verification that industry or internal security standards have been applied to system components or a product. This is typically completed through gap analysis and utilises build / code reviews or reviews of design documents and architecture diagrams. This activity does not utilise any of the earlier approaches (Vulnerability Assessment, Security Assessment, Penetration Test, Security Audit).

Sunday, March 06, 2011

Report: Joint IISP and ISACA event in Scotland - 17 Feb

(Copied over from my old blog post)

The Scottish branch of the IISP and ISACA Scotland hosted a joint talk on the 17th of February at the English Speaking Union with our guest speaker, Louise Behan, of the Lothian And Borders Police Specialist Fraud Unit.

Louise described the remit of the fraud unit, which includes investigation of contraventions of the Company, Insolvency and Bankruptcy laws, all public sector corruption enquiries, major or complex enquiries involving offences against the financial industry, major embezzlements, particularly those perpetrated by professional persons such as solicitors, accountants and bank officials, enquiries from government departments, the Procurator Fiscal and the Crown Office Fraud Unit, multiple account enquiries, e.g. cross-firing of cheques, collusive merchant enquiries, counterfeit credit cards, major credit/debit card enquiries as well as complex enquiries from other Forces and Agencies.

A significant amount of casework the fraud squad deals with originates in people misusing systems in place or getting round technical controls. In terms of honesty, Louise pointed out that a recent survey showed that most people (80%) are not 100% honest. When times are hard, as now, crime tends to increase, as people struggle with difficult economic circumstances. Very often, the cases dealt with by the Unit have as their main suspect someone with no criminal record. This also means that profiling fraudsters is hard – and of course the best ones are very good at hiding it.

Louise estimated around a third of the fraud she personally sees is internal – with an employee or manager of a company discovering a weak control that can be subverted, and using their position to hide the evidence of fraud. She provided a quick look at some niche frauds, where a criminal has found an area where they could make money in the short term – such as forging one pound coins. It’s unexpected, and when the fakes were good enough, it remained undiscovered for many years. Even ‘small’ frauds can evidently mount up to significant losses, and so the point is that a long term ‘small’ scheme can have just as much impact as a short term ‘big hit’.

In subverting IT controls for financial gain, the risk can be perceived by individuals as very low, whereas the reward can be very high. For example, mortgage fraud can net large sums of money. For the fraud unit investigating these crimes, the issue is that if the controls are too poor, gaining enough evidence to present a reasonable case can be a challenge – so if you don’t keep solid audit logs and implement strong access controls, this may lead to insufficiency of evidence when your systems are breached, without which the Procurator Fiscal cannot take the case forward to prosecution.

The nature of fraud means that investigations often take some time, and there are evidential requirements which can take some time to fulfil, such as obtaining and executing warrants to obtain information, which requires to be appropriately authenticated, and continuity of evidence ensured during seizure. Recovery of money or loss depends entirely on the criminal - if there are recoverable assets, the police always look at the potential for compensation; however, if the fraud is remote (for example, perpetrated from outwith the UK) the likelihood of recovery tends to be less. And if the criminal has no assets then recovery isn't possible.

The aim of the unit is to make the life of the fraudster as unattractive and uncomfortable as possible. It's not likely to be an aim with an end in sight - fraud is only limited by human ingenuity, but we continue nonetheless to try to keep up, or sometimes get ahead a little.

So what can you do to help?

- Keep an eye out for known individuals – the Fraud Squad and SCDEA do provide information to intelligence departments in banks

- Audit rigorously and log everything

- Use mystery shoppers to test in store security procedures

- Make examples of the ones who get caught – especially for internal fraud

- Understand the mind of the fraudster – how would YOU subvert your controls.

Friday, February 18, 2011

B Sides San Francisco

Day 1 of B-Sides San Francisco

The awesome guys at Security Stack Exchange got me 8000 miles across the world to blog B-Sides San Francisco, and it was an amazing opportunity to mix with Infosec professionals from various industries.

All my photos from this trip are on my Picasa page.

My highlights from Day 1:

Gone in 60 keystrokes: Dr Mike Lloyd, Red Seal
Sure, this was a vendor presentation, designed to point out a problem which his product solves well, but Mike didn't ram that point home. His presentation was solidly grounded in real world experience. Mike listed common errors which creep in on even the simplest firewall rulesets - incorrect netmasks, a user readable label for an IP address not matching the actual address etc.

In a small ruleset, a visual inspection - going over the printout with a highlighter - may be enough, but for an enterprise firewall, not only do you come across much larger rulesets, but the risk or impact may also be higher.
Mike's guidance - instead of trawling the ruleset manually, focus on outcomes to understand what is happening - what does the network do? Where does information flow? Where is authentication used? Where do 3rd parties connect?
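The two ruleset errors Mike named (a netmask that does not fit the address written beside it, and a human-readable label that disagrees with the address it describes) are both mechanically checkable. The following is an added example of such a check, not Red Seal's tooling; the inventory and ruleset are constructed.

```python
"""Ruleset sanity checker for two common firewall-rule errors: an address
whose netmask does not fit the address written beside it, and a label that
disagrees with the address it is meant to describe.
Added example; INVENTORY and RULESET below are constructed sample data."""
import ipaddress

# Constructed asset inventory: the address each label is supposed to mean.
INVENTORY = {
    "web-dmz": "192.0.2.10",
    "db-internal": "10.20.30.40",
    "corp-lan": "10.10.0.0/16",
}

# Constructed ruleset: (rule id, label, address as written, action).
RULESET = [
    (1, "web-dmz", "192.0.2.10/32", "allow"),
    (2, "db-internal", "10.20.30.41/32", "allow"),  # label says .40, rule says .41
    (3, "corp-lan", "10.10.5.0/16", "allow"),       # host bits set under a /16
    (4, "corp-lan", "10.10.0.0/16", "deny"),
]


def check_netmask(addr_text):
    """Flag an address with host bits set under its prefix (a mistyped mask).

    ip_network(strict=True) rejects exactly this case; the loose form shows
    what the firewall will actually match, which is often wider than intended.
    """
    try:
        ipaddress.ip_network(addr_text, strict=True)
        return None
    except ValueError:
        loose = ipaddress.ip_network(addr_text, strict=False)
        return f"host bits set in {addr_text}; matches {loose} as written"


def check_label(label, addr_text, inventory=INVENTORY):
    """Flag a rule whose literal address differs from what its label means."""
    if label not in inventory:
        return f"label {label!r} is not in the inventory"
    expected = ipaddress.ip_network(inventory[label], strict=False)
    written = ipaddress.ip_network(addr_text, strict=False)
    if expected != written:
        return f"label {label!r} means {expected} but rule says {written}"
    return None


def audit(ruleset=RULESET, inventory=INVENTORY):
    """Run both checks over every rule; returns [(rule id, finding), ...]."""
    findings = []
    for rule_id, label, addr_text, _action in ruleset:
        for finding in (check_netmask(addr_text),
                        check_label(label, addr_text, inventory)):
            if finding:
                findings.append((rule_id, finding))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit():
        print(f"rule {rule_id}: {finding}")
```

On the constructed ruleset this reports rule 2 (label/address mismatch) and rule 3 (host bits set under the /16); rules 1 and 4 are clean.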

Security, Supply Chains and You: Hart Rossman, SAIC
Another good real world talk. Hart provided excellent detail on a variety of areas where supply chain errors will impact a business - nothing new, but solid examples of what goes wrong.

Screw The TSA - I'll Be Where I Want And Get Credit For It: Ray Kelly, Barracuda Networks
Location based social networking - how does it work, how can we exploit it?
Examples include 4square, MeetMoi (a seriously creepy stalking location based dating tool) and Ratio Finder (an app which uses 4square - checks where most women and men are...)

The problem with these apps is the same old one: they trust the browser to send correct data. As an example, 4square sends a variable called VID, along with location coordinates. The only check on 4square seems to be a quick validation on speed (e.g. if I check in in the UK, and then check in in the US 5 minutes later, it won't believe I am there. It will let me check in, but not credit me with really being there).
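As an added illustration of the server-side speed validation described above (not 4square's code; the 300 m/s ceiling and the sample check-ins are constructed assumptions), the check stores every check-in but only credits one the user could physically have reached since their last credited position:

```python
"""Server-side plausibility check for location check-ins: every check-in is
recorded, but only credited if the implied speed since the user's last credited
check-in is physically possible. Added example; the speed ceiling and sample
data are constructed assumptions. Note the limit of this control: it can only
reject implausible jumps, so a client that lies plausibly still passes, which is
the trust-the-browser problem the talk is about."""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
MAX_PLAUSIBLE_SPEED_MPS = 300.0  # assumption: roughly airliner cruise speed


@dataclass(frozen=True)
class CheckIn:
    user_id: str
    lat: float   # client-supplied, so never trusted on its own
    lon: float
    ts: int      # server receipt time, unix seconds


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def implied_speed_mps(previous, current):
    """Speed the user would have needed between two check-ins (inf if out of order)."""
    dt = current.ts - previous.ts
    if dt <= 0:
        return float("inf")
    return haversine_m(previous.lat, previous.lon, current.lat, current.lon) / dt


class CheckInLedger:
    """Keeps every check-in; a user's reference position advances only on credit,
    so an uncredited jump cannot be used as the starting point for the next one."""

    def __init__(self, max_speed=MAX_PLAUSIBLE_SPEED_MPS):
        self.max_speed = max_speed
        self.last_credited = {}
        self.log = []

    def record(self, checkin):
        """Store the check-in and return True if it is credited as a real visit."""
        previous = self.last_credited.get(checkin.user_id)
        speed = 0.0 if previous is None else implied_speed_mps(previous, checkin)
        credited = speed <= self.max_speed
        self.log.append((checkin, credited, speed))
        if credited:
            self.last_credited[checkin.user_id] = checkin
        return credited


if __name__ == "__main__":
    ledger = CheckInLedger()
    # Constructed sample: London, then New York five minutes later, then London again.
    for c in (CheckIn("u1", 51.5074, -0.1278, 1_000_000),
              CheckIn("u1", 40.7128, -74.0060, 1_000_300),
              CheckIn("u1", 51.5200, -0.1000, 1_001_800)):
        print(c.lat, c.lon, "credited" if ledger.record(c) else "recorded only")
```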

So why is this interesting?

To provide an alibi? Maybe.
To create a perception of your lifestyle? Possible.
To get free stuff? Definitely: More and more retail outlets provide freebies and giveaways to people who check in - simple win: google for a 4square giveaway, check in and collect.


Letting Someone Else's Phone Ring At 3am: Building Robust Incident Management Frameworks: Andy Ellis, Akamai

As Akamai has an extremely large network, and a vast number of clients depending on uptime and performance, managing outages or loads quickly and efficiently is important. The key, according to Andy, is to minimise those things which can impact the response - human error, tiredness, lack of knowledge, lack of understanding, lack of key contacts etc.
Initial thoughts:

  • Automate tools in advance
  • Be prepared for things to break
  • Get to the best person as quickly as possible
  • Segregate response functions to avoid neural congestion
  • Design to scale up and down
  • Learn from your mistakes

3 'standing' conference bridges are used for incidents so the main one does not get clogged.
To get the best people on the incident, Akamai encourage self-reliance and delegated responsibilities by training throughout. All development managers are given responsibility for fixing their own area, and are provided training to support this.
During an incident, crisis managers are allowed to bypass controls in order to solve the problem quickly.
Common context has been defined, so all can understand severity (4 severity levels).
4 phases are also used:

  • it's broken (minutes count)
  • it's bandaged (hours count)
  • it's fixed (days count)
  • learn from it

Each incident has a NOC technician. They get a platform exec or SME. Each team has to provide a list of folks to call, and the order to call them in.
Multiple roles are avoided. Roles are handed off after 4-9 hours to allow team members to rest. Unnecessary team members are dismissed from the team.
Vulnerabilities and projects are tracked and measured.
Learning at all levels - system owner (what do I fix), directors (how do I stop this sort of thing happening again), C-level (what trends need to be dealt with).

The Afterparty was also a great success, with DualCore keeping the crowd entertained until the early hours.

After that, the hardcore crowd ended up at Denny's, talking security, politics, gun control and the early hacking scene, as well as the Security Stack Exchange concept and my band's nomination for an award (we ended up coming 2nd in the Metal category of the Scottish Alternative Music Awards)

Day 2 of B-Sides SF (pictures all up now on my Picasa page)

After very little sleep, headed over to Zeum early and as one of the volunteers was missing presumed sick I volunteered to be a Roamer for the day. Red T-shirt (would this mean I wasn't going to return to the Enterprise?), earpiece and simple duties (keep an eye out for people going where they shouldn't.)

There were so many good speakers on Day 2 I found myself dotting between them to try and pick up content, but I did enjoy Anton Chuvakin's talk on SIEM. The key point he made was that you need to plan resource for it. I quote: "If you only have an hour a month to do SIEM, stick to log management. Dedicate at least 50% of someone's time."

Andrew Hay, Richard Bejtlich and Travis Reese's talk on Cyber Security Marketecture was well received as well. Some arguments about particular points, but in a generally productive spirit. I think they focused a little too hard on APT to the exclusion of all else, but they did cover APT in a rational way, unlike the usual FUD. I like the comment about Stuxnet - not very advanced or persistent but definitely a cyber warfare threat.

I also managed to get brief interviews with Jack Daniel of Astaro and Jon Speer of Tripwire to find out what sponsors get out of BSides. They both had remarkably similar viewpoints. They see value from:

  • Connecting with security professionals
  • Learning from and teaching the security community
  • Meeting potential employees
  • Having fun
For those companies not sure, just get involved. Sponsor as little or as much as you can, and be part of the community.

After lunch I managed to win The Manga Guide to Databases in the raffle (Excellent Prize) before the BSidesSF Carousel ride!

Dave Shackleford and Andrew Hay's "A Brief History of Hacking" was also very entertaining, including along the way the good and bad hacker films.

Robert Zigweid of IOActive then spoke about a topic quite close to our hearts here at 7 Elements - Threat modelling taxonomy. He splits threats into the following types:

  • spoofing
  • tampering
  • repudiation
  • information disclosure
  • denial of service
  • privilege escalation

And these impact categories:

  • damage potential
  • reproducibility
  • exploitability
  • affected users
  • discoverability

Damon Cortesi's talk on Developers also included Threat Modelling - it is becoming pervasive.

The EFF panel were very well received but I only caught a small piece of it: key usage of end to end encryption to avoid compromise from threat sources as well as to avoid misuse by governments and their view that subject lines and text messages are definitely content, and email addresses and IP addresses may be in certain circumstances.

Raffael Marty's log analysis and visualisation in the cloud. This is an area which is likely to become all too important as more and more services are pushed to the cloud. Loggly have the concept of logging as a service, and Raffael's talk included an important piece on the need for visibility of dynamically scaling virtualised environments and the hypervisor, as well as availability.

I then said my goodbyes to the wonderful BSidesSF folks and volunteers - Banasidhe, MikD, djbphaedrus, Duckie, CindyV etc and headed east for the OWASP meet, where we had very worrying discussion around the security of critical national infrastructure...

Day 3 - RSA, ISACA and IISP

After all the B-Sides fun and games, I managed to get an Expo pass for RSA (thanks to the Damballa folks) so thought I should pop in, chat to a few key folks and grab some swag to take home.

Highlights:

  • I got to take apart a real Enigma machine at the NSA booth!
  • Almost won a Kindle at the M86 quizshow
  • Had a good chat with the Australians at the Cryptsoft booth
  • Learned all about Splunk
  • Had to sit through a very content free Kaspersky talk
  • Gal Shpantzer gave me a good Becrypt run through
  • Had far too many burgers at the Qualys bar
Made it back to the hotel in time to try and repack my bags with all the swag before heading off to the airport. Fairly uneventful trip the 8000 miles back home and arrived in Edinburgh just in time to host a talk by Louise Behan of the Specialist Fraud Squad on behalf of ISACA Scotland and the Scottish branch of the Institute of Information Security Professionals. It's been a long week :-)

San Francisco trip

So - was over in San Francisco for the B-Sides SF security conference (and also managed to pop into RSA) which I have blogged about in a separate post, but as I managed to have some time to see the city and friends I thought I'd blog the non-work stuff as well.

After leaving Edinburgh in freezing temperatures, with ice on the cars, I had an excellent flight over with Virgin Atlantic, despite being in cattle class the whole way. It was a fairly empty plane, so by the time we arrived in SF I had been able to stretch out, watch 4 films and was raring to go. Was picked up from the airport by Danny - and the plan was to celebrate his birthday, so straight back to San Rafael in Marin County where the weekend commenced in 27 degree temperatures!

Marin County is beautiful, and all the restaurants visited were excellent. Definitely recommend Taqueria Bahia! Most of the evening's festivities were courtesy of Country Club Bowl, and then the Mayflower, finishing up with Soul Food on the way home.
Good to meet so many fun and interesting people.

Saturday morning, and off to Theresa and Johnny's Comfort Food in San Rafael - big breakfast saved the day.
We then took in a tour out to Point Reyes, near Inverness, and had a chilled out day, before heading off to watch the B-Side 70's kick off their tour at the Broadway Studios.

Sunday, got a lift into the city to check into the Hilton Union Square. Got a brilliant room upgrade to the 42nd floor, and then met up with Stew, a long term poster on the Empeg BBS who took me for a car tour of SF in his supercharged Honda Del Sol, starting with the corner of Haight and Ashbury :-)
Really enjoyed seeing Lombard Street, Fisherman's Wharf, the drive to Treasure Island to see the city from there, Coit Tower and then over through the Presidio to the Cliff House for dinner with more empeg guys - Hugo and Neil, as well as Neil's wife Lucia. Cheers for an excellent evening guys, and a huge thanks to Stew for driving me round everywhere.

Monday and Tuesday were all about the B-Sides conference, covered over on the 7Elements blog, and then on Wednesday before heading home I managed to take a trip on the trolley cars - in hail and snow (very briefly)

Many thanks again to Danny for the airport runs, as well as putting me up for the weekend and taking me out to some excellent places.

Definitely want to go back!

Monday, January 31, 2011

February is getting busy: The Scottish Alternative Music Awards 2011, and Acoustech


The Scottish Alternative Music Awards are here for their second year, and this year Metaltech have been nominated for best Metal act. Voting and judging will happen from the 7th of February, leading up to the awards show at the Classic Grand in Glasgow on the 25th of February.

To help us in our quest to win this prestigious award, we need YOU to visit the SAMA page from Monday the 7th of February to vote! Use Metaltech's Facebook Page to tell all your friends. Tweet about us - hashtags #metaltech and #sama11, or retweet my tweets @roryalsop - and buy tickets for the awards event so you can come and enjoy the fun with us. We will have T-shirts and merchandise on sale there. Spread the word, people!

Metaltech, the crazed brainchild of Erik Tricity, Lord Thrapston Flagellator and the Insidious Dr Mayhem has found a common resting place in Scotland. The band have built up a loyal following in Edinburgh through regular gigs since their conception in 2009, and in 2010 stepped up their visibility through touring, a sell out gig at Club Antichrist in London, an evening on Edinburgh radio, the release of their first two EPs (Alkomatik and Sex On The Dancefloor), being asked to remix tracks for Japanese band Psydoll and the Edinburgh based Gin Goblins. They have also provided tracks for local venues' compilation albums to much acclaim.

Metaltech delivered staggeringly popular sets at GoNorth, Rockness, Wickerman and Belladrum Festivals and have carried on increasing their fan base playing venues such as the prestigious King Tut's Wah Wah Hut supporting Swedish band Marionette on their tour.

Metaltech
were the support act on all dates of Psydoll's Scottish tour and converted many a punter during an epic gig supporting Alec Empire from Atari Teenage Riot. Return gigs on request in Inverness and Aberdeen have not only helped cement this band's place in the local psyche but have led to further requests for upcoming tours.

As a full alchemical mix of pounding techno/dance beats, grinding guitars, lyrics smeared with innuendo/tongue in cheek humour, audience participation, ridiculously infectious imagery and gifts for all who attend their live gigs, Metaltech are not only a force to be reckoned with but a force you want to be a part of!

What we need YOU to do to help us win this year's SAMA for best metal act is VOTE FOR US!

---

This year, Metaltech has spun off a weird and wonderful creation, which is playing live in Edinburgh on the 9th of February at the Royal Oak.

Acoustech - does almost the opposite of what it says on Metaltech's tin. There is no metal, there is no techno, no industrial. Instead we have slide guitar, 12-strings and a fretless acoustic bass, and Erik's dulcet tones sans Marshall stacks.

-------------Reviews:

‘the Alkomatic EP IS one of those rare records which is as much at home on the dance floors of the UK’s club fraternity as it is when you’ve just got a few friends around and the alcohol is flowing freely.’
(isthismusic.com)

‘FINALLY a band that put fun into Scotland's music scene. Erik Tricity veers from the languid vocals of The Jesus and Mary Chain to Slipknot's throaty growl.’
(Daily Record)

‘...mix of electronic beats blended with distorted guitars and a voice which sometimes reminded me of Rob Zombie...Guaranteed to make you dance, drink and chant along to the choruses! … and to want to destroy this planet ! Think Orange ! Think MetalTech !’
(Dose Productions)

‘the powerful and loud sounds emanating from this charismatic threesome are theirs and theirs alone! These songs are guaranteed to get your feet moving while your head and ears pulsate uncontrollably with the electronic beats and sequences. But MetalTech have a serious side as well...This versatility in material combined with their mesmerizing stage presence and truly entertaining show makes me certain that it’s just a matter of time before MetalTech (signed to Alex Tronic Records) become mammoth.’
(Tone and Groove)

Remember - Go to Metaltech's Facebook Page and click on [Like] - and then share the link with all your friends. And their friends. And vote on SAMA11.co.uk!

Oh, and if you haven't yet bought either of the first 2 EPs, or T-shirts or badges, get on over to www.metaltech.me for merch links.


Tuesday, January 18, 2011

Improvement and Education in the Security Community

Those of you who know me will know how keen I am on helping the continued professionalisation of information security, and in providing training, guidance and steer back to the community. I get a lot of queries from individuals in IT or Information Security roles asking for more ways to get information, improve their skillset or even just to learn from others.

Many of you may be familiar with the Stack Exchange family of websites - a question and answer site using reputation weightings to help individuals find answers that they can trust.

We have been working with a new one - Security Stack Exchange - near the end of its public beta - that aims to provide security professionals with a forum to ask or answer questions around security, risk, governance etc.

Some examples to show the range of questions already on the site:

Securing the security guy's home office: what should we do?
Although Incident Response is often handled well in larger organisations, it is very relevant for smaller companies

Establishing routines on what to do if a PC gets stolen?

Security around database password hashing:

If I hash passwords before storing them in my database, is that sufficient to prevent them being retrieved by anyone?

If you deal with information or IT security, governance or risk your input could be very valuable, or if you have questions in these areas someone on the forum could help you out. Either way, have a look and see what you think.

Monday, December 20, 2010

Working from home - securing your environment

More and more people are working from home, and since an article I wrote for the Financial Times a few years back I have had more and more people ask about what can be done to make their home environment a little more secure without breaking the bank.

After some of the discussion on IT Security Stack Exchange, and especially this question, I thought it would be worthwhile popping the link up here, as it is likely to generate a fair amount of traffic, whether it be opinion, fact or discussion.

Go have a look.

Friday, December 17, 2010

Being Prepared

With this winter in Scotland already a repeat of the freezing conditions of last year we are still astonished at how many people leave themselves at risk by being entirely unprepared. Not only does this cause them problems, but it also causes some impact to those who are prepared. So here are a few notes on how to minimise the impact from adverse weather and foolhardy unprepared individuals on the roads.

Obviously the simplest solution is don't go outdoors - get stocks of food and drink in and batten down the hatches. Cosy, but not always a workable solution, so lets have a look at what you can do if you do need to go somewhere.

Practice:
Okay, so I'm a petrolhead, and so I take any opportunity to go out on a racetrack, but knowing how to handle ice is within anyone's grasp. While the Andros Trophy could be a little excessive, having at least one skid pan session under your belt will get you through a lot of ice. You'll learn how to use the right amount of torque - unlike the many people we have seen over the last couple of weeks trying to drive under full power, wheels spinning and sliding - resulting in some interestingly stuck vehicles! The driving test in Finland requires a test on a slippery course - is it any wonder they do so well in the World Rally Championship?

Planning the route:
Look at an OS map to understand the hills. Last winter I had a very tense hour driving the last couple of miles to Drumoak in Aberdeenshire as I didn't prepare my route (but trusted a Tom Tom... mistake!) - I ended up descending a very steep slope using the ditch on the right hand side of the road as a runner to stop the car sliding off the left hand side of the road, which had no barrier other than some trees further down the slope. Learnt that lesson now, but wouldn't ever want to go through it again.

Avoid motorways - you would think they would be fine as the inclines are minimal, and they are wide, but unfortunately they are not sheltered, and when conditions deteriorate it is all too easy to be caught out, or get stuck behind someone else who does. When the inevitable crashes happen, you can't get off a motorway easily, and being stationary in heavy snow can lead to being stuck there for many hours.

Mechanical:
Defrost/de-ice your car every day. Not only will this help you avoid having to call out the AA/RAC/equivalent for your country, but you will avoid the doors freezing solid, ice buildup inside (which can easily damage wiring.) In addition you'll find it much easier to keep all your windows and lights clear of snow and ice - this doesn't seem to be understood by many road users. Personally we like to be able to see everything around us, and ensure they can see us - don't want to be anywhere near another car with the windows all frosted up and just a small patch on the windscreen for them to peer out! Minimising risk here is a good thing (tm)

At the start of winter you really want to ensure the car is properly serviced. Fresh tyres, new wiper blades, engine oil, antifreeze levels correct. Then take every opportunity to fill up the petrol tank - just in case you need to run the engine for warmth while stuck for days! In the more remote areas you should consider snow tyres, snow socks or even chains - they can make all the difference.

Supplies:
Everyone should have a blanket, sleeping bag or slanket in their car anyway. They are so cheap or even free at garages that you might as well. Not just an essential to keep you warm if you do have to overnight in the car, but they are really useful to give you grip if you are really stuck - tucking a blanket or rug under the tyres can give a lot of traction.
Gloves and Hat - yep, simple, but if you are trying to dig yourself out and the temperature is down below minus 15 you want to conserve heat! Possibly a Cthulhu Balaclava is the best solution.
YakTrax Ice Grips - get yourself a set of these essential accessories.
Snow shovel - if you can find one! The telescopic ones can easily be stored in the boot.
Drinks - would be really nice to have a flask of hot coffee or soup, but realistically you can keep juice or cans in the car really easily. You can dehydrate very quickly when stationary and running the engine to keep the car warm. Keep some bottled water as well, and ideally some coffee powder (see below)
Food - cereal bars or chocolate are easy to store in a car for long periods of time.

The important bit - Geek essentials:
An inverter - ideally reasonably high wattage, so you can charge your laptop.
Torch - ultrabright LED torch, or for extra bling, one of these 10 Million Candlepower torches.
High gain antenna (at least 9dB) and 802.11 card if necessary. How are you going to update your blog, check out your Stack Exchange posts and twitter feed, follow the Met Office updates detailing the cold and ice coming your way, or keep yourself entertained with iPlayer if you can't connect?
Immersion heater - either a 12v car version, or a 240v one to run off the inverter - so you can make coffee.
USB Handwarmers - keep your typing speed up. Or your strafe speed in Brink!
eBook Reader - whichever flavour floats your boat.
In car mp3 player - you don't want to run out of tunes before help arrives! Ideally at least a half a terabyte of music will avoid any risk of boredom.


Best wishes for the festive season - see you in 2011

Wednesday, December 08, 2010

Business Continuity - Personal

I don't know if you noticed, but Scotland is suffering a bit of a cold snap - to such an extent that many normal activities are halted. Normally we would expect a temperature of around 6 degrees Centigrade at this time of year. It has been below freezing for 9 days now, with a low of minus 12 today, and so far we have had around 3 1/2 feet of snow fall, so transport has been very difficult, shops have had no stock, power supplies have suffered and in general it has been tough on people.
Luckily I didn't take the M8 on Monday, otherwise I could have been one of those stuck there for nearly 48 hours.

I'm rambling - what I'm getting at is being prepared makes the difference between what was for me a time to catch up on playing with the kids, enjoying some snow activities, keeping cosy indoors and working from home on pieces of work which I could bring forwards (such as documentation, marketing planning etc) as I had sensible stocks of food in, warm clothing and a network set up to allow me to connect remotely to the servers I need.

Some people I know had no tinned food, and no transport so had to walk to the shops, which were already sold out of essentials, through thigh high snow!

I mean, I am definitely not a pessimist in this (I know individuals with enough stocks to cope with the Fimbulwinter if need be) but there are some planning concepts which shouldn't just be in the realm of business continuity, but should be accepted as essential in everyday life.

For example - looking at the slight outliers from business as usual we can plan for extreme weather putting a hold on transport, power supply failures, food supply failures etc., and it doesn't take much resource.

Similarly, for a business to plan for continuity, an initial analysis to identify those slight outliers which could occur with reasonable likelihood can be very quick and simple for a small business. Large scale organisations almost always do this, but there is no reason why small businesses shouldn't do something in a similar vein.

Oh, and of course owning Subarus is planning of a different nature - getting the basics right makes life much simpler!

Wednesday, November 17, 2010

Security in Scotland

A topic very dear to me is the development of the Information Security profession, but specifically in Scotland, and I thought it would be worthwhile posting some information on initiatives in Scotland that help with this aim, as well as discuss areas where stronger involvement from the wider industry would be welcomed. We have selected a few of the key organisations and events, but if you feel another is key, please let us know and we'll update this post.

The Institute of Information Security Professionals, of which Rory Alsop is the Scottish chair, is providing support and guidance to universities and companies across the UK through the Graduate Development Scheme, Academic Partnerships, the Accredited Training Scheme and the IISP Skills Framework. The IISP's mission is to be the authoritative body for information security professionals, with the principal objective to advance the professionalism of the industry as a whole. Whilst the existing IISP membership in Scotland is strong I would encourage individuals and companies to visit the website or speak to representatives to understand what they can get out of membership (at all levels from student through to full membership) and more importantly for the industry what they can offer in return from their own experience or skills. The IISP always welcomes speakers who have a story to tell in the information security space, so please get in touch if you would like to present at one of our quarterly events.

Similarly, ISACA aims to define the roles of information systems governance, security, audit and assurance professionals. Through close links with local industry, ISACA Scotland provides guidance, benchmarks and effective tools for organisations in Scotland. The majority of members in Scotland have the CISA certification so here there is a very strong focus on audit and control, but we are seeing increasing numbers in security management, governance of enterprise IT and risk and information systems control. Like the IISP, ISACA Scotland would welcome guest presenters or new members - the global knowledge base and information flow are extensive and the opportunities for networking are invaluable.

The Scottish Universities, under the guidance of Professor Buchanan have created the framework for a Centre of Excellence in Security and Cybercrime in Scotland - with strong links already forming between academia, law enforcement, industry and professional bodies such as the IISP. One goal is to provide academia with a greater awareness of real world security issues and activities through a number of avenues including volunteer work, summer placements, guest lecturers etc. From the perspective of your organisation, if you find that when hiring software developers, for example, you need to give them additional training in secure development or spend resource remediating vulnerable code, the argument for providing a small amount of resource to help develop coursework in these subjects, or to provide the odd guest lecture is a very strong one. As an industry we can make great improvements by simply providing the new entrants with the benefits of at least some of our years learning the hard way.

The e-Crime Scotland website was officially launched at the Scottish Financial Crime Group Conference on the 28th of October. Currently this has been set up with support from, and using the framework developed by the Welsh Assembly, demonstrating an excellent level of sharing of expertise and resource. This website provides a portal of information on e-crime, a reporting mechanism and is planned to develop as Scotland takes greater ownership of content.

The Scottish Financial Crime Group, under the ownership of the Scottish Business Crime Centre, has been working with law enforcement and clearing banks for the last 35 years, but more recently through the annual conferences and an active presence in many forums has been in a good position to draw on expertise from a wide range of specialist individuals and organisations to develop opportunities to disrupt the criminal element in our society. Membership of the SFCG or at the very least, attendance at the annual conference is invaluable both from a learning perspective and an opportunity to influence discussion relating to financial crime.

The National Information Security Conference is held in St. Andrews each summer and provides speakers renowned within their field, education and an excellent networking opportunity to meet like minded individuals from industry and security experts. This three day residential event attracts many security professionals who are trying to drive the industry forwards and should not be missed!

On the more technical front, the Scottish OWASP chapter, headed up by Rory McCune is a growing group of individuals from across various industries focused on improving web application security. Join the mailing list to find out about meetings, initiatives etc. The scope of interest includes everything from SCADA to online banking and from smart meters to social networking.

Monday, November 08, 2010

Key Security Risks and Practical Remediation - ISACA Event notes - October 26 2010

In my role as Vice-President of ISACA Scotland and chairman of the Scottish branch of the IISP I chaired a joint session titled "Key Security Risks and Practical Remediation." Audit Scotland hosted the session, and we had a good turnout representing the financial and government sectors as well as law firms and retail.

A quick introduction from round the table did confirm that the problems faced were common - low resource or budget, escalating security and risk requirements, ever increasing threats, targets spreading - not just large financial organisations any more, so the opportunity to outline some simple, effective activities which any organisation could carry out was highly appropriate.

For our regular readers, some or all of the following should be old news, however we still see so few organisations carrying out basic remediation activities that we would recommend reading and looking to see where you can improve the security in your environment through these simple steps. The risk areas were taken from OWASP, Verizon and WHID work to identify the most common issues.

We would stress that nothing here is a magic bullet to cure all ills, but if you can take some of the actions listed you will be improving your security baseline without incurring too high a cost:

Input Validation

Very old news, but:

  • The top two web application security risks (OWASP Top 10 list) are Injection and Cross Site Scripting, both of which can be successfully mitigated by strong input validation
  • The 2010 Data Breach Report by Verizon lists the top two causes of breaches as use of Stolen Credentials and SQL Injection
  • Examples include Worldpay from 2008 (over $9.4 million stolen) and the Royal Navy this week - this is still an issue

This is a relatively easy area to improve on:

  • Popular frameworks have input validation modules – why not use them
  • With modern applications, a call to an input validation module is often straightforward
  • Never trust the client – validate all input at server side, as anything done in the browser can be bypassed
  • White listing or black listing - both are acceptable and have their own pros and cons; a white list (only accept what the field is allowed to look like) is stronger wherever the expected format is known, while a black list needs constant maintenance as new bypasses appear

Also think about output encoding – encoding data for the context it is written into (HTML encoding for the browser, parameterised queries for the database) is what actually stops Cross Site Scripting and SQL Injection even when validation has let something through, although it typically requires more effort to accomplish.
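The following Python is an added example to illustrate the points above; it is not code from the original post. It uses the standard library only, with a constructed in-memory SQLite table and made-up user names: a login query built by string concatenation sits beside the parameterised version, with an allow-list username check and HTML output encoding alongside.

```python
"""Injection, parameterised queries, allow-list validation and output encoding.

Added example, not from the original post. The users table, its two rows and
the username format rule are constructed for illustration.
"""
import html
import re
import sqlite3


def make_db():
    """Constructed sample table: two users with (deliberately plain) passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Client input concatenated straight into SQL: the classic injection flaw."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Parameterised query: values travel separately and are never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


# Allow-list rule (an assumption for this example): lower-case letter first,
# then letters, digits or underscore, 3 to 32 characters in total.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(name):
    """Server-side allow-list check, applied before the value is used anywhere."""
    return USERNAME_RE.fullmatch(name) is not None


def render_greeting(name):
    """Output encoding for the HTML context: tag and quote characters become entities."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", attack))  # both rows
    print("parameterised:", login_safe(db, "alice", attack))       # nothing
    print("validated:", validate_username(attack))                 # False
    print(render_greeting("<script>alert(1)</script>"))
```

The vulnerable query returns every user for the password `' OR '1'='1` because the injected OR clause makes the WHERE condition true for all rows; the parameterised version compares the password column against that literal string and returns nothing. Validation rejects the input before it reaches the database at all, and the HTML escaping shows the same idea applied on the way out.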

Brute Force and Dictionary attacks

More old news, but:

  • The 2010 WHID Report by the Web Application Security Consortium lists Brute Force attacks in the top 5
  • Tools to carry out brute force or dictionary attacks are simple to use, prevalent and free
  • Humans are still pretty bad at choosing strong passwords


Remediation should be in a number of areas:

  • Brute forcing shows up in logs – typically it generates a high volume of failed logins from a small number of sources and can usually be spotted by simple statistical analysis tools
  • Utilise exponential delays - eg 5 seconds after 1 failed attempt, 10 after the second, 30 after the third etc. This rapidly makes brute forcing unusable, without requiring account lockouts (which often require helpdesk resource). Key the delay on source address as well as account, otherwise an attacker can use the delay itself to slow a legitimate user's logins
  • Awareness training works – for a few months at a time. Combined with regular password strength audits this can have lasting effect
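As an added example (not code from the original post), the Python below implements both of the first two points: an escalating delay after consecutive failures, keyed on whatever combination of account and source the caller chooses, and a failure count per source address over a batch of log lines. The delay schedule, the log line format and the sample log entries are all constructed for the example.

```python
"""Escalating login delays and a failed-login count per source.

Added example, not from the original post. DELAY_SCHEDULE, the log format
matched by LOG_RE and the entries in SAMPLE_LOG are constructed assumptions.
"""
import re
from collections import Counter, defaultdict

# Seconds of delay after the 1st, 2nd, 3rd ... consecutive failure; the final
# value is repeated for every failure beyond the end of the schedule.
DELAY_SCHEDULE = (5, 10, 30, 60, 300)


class LoginThrottle:
    """Per-key delay after failed logins, without locking the account."""

    def __init__(self, schedule=DELAY_SCHEDULE):
        self.schedule = schedule
        self.failures = defaultdict(int)      # key -> consecutive failures
        self.not_before = defaultdict(float)  # key -> earliest next attempt

    def can_attempt(self, key, now):
        """True if an attempt for this key may be processed at time `now`."""
        return now >= self.not_before[key]

    def record_failure(self, key, now):
        """Count the failure and return the delay imposed before the next try."""
        self.failures[key] += 1
        idx = min(self.failures[key], len(self.schedule)) - 1
        delay = self.schedule[idx]
        self.not_before[key] = now + delay
        return delay

    def record_success(self, key):
        """A correct password resets the counter for that key."""
        self.failures.pop(key, None)
        self.not_before.pop(key, None)


def delays_for(n_failures, schedule=DELAY_SCHEDULE):
    """Delay imposed after each of n consecutive failures for one key."""
    throttle = LoginThrottle(schedule)
    return [throttle.record_failure("acct", float(i)) for i in range(n_failures)]


# Constructed log format: "<timestamp> auth OK|FAIL user=<name> src=<address>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def failures_per_source(lines):
    """Count failed logins by source address; lines that don't parse are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("result") == "FAIL":
            counts[m.group("src")] += 1
    return counts


def suspicious_sources(lines, threshold=10):
    """Sources whose failed-login count reaches the threshold, sorted."""
    return sorted(src for src, n in failures_per_source(lines).items()
                  if n >= threshold)


# Constructed sample: one source hammering 'admin', one user mistyping once.
SAMPLE_LOG = [
    f"2010-10-26T09:00:{i:02d} auth FAIL user=admin src=203.0.113.5"
    for i in range(12)
] + [
    "2010-10-26T09:01:00 auth FAIL user=alice src=198.51.100.7",
    "2010-10-26T09:01:05 auth OK user=alice src=198.51.100.7",
]


if __name__ == "__main__":
    print("delays:", delays_for(7))
    print("failures by source:", dict(failures_per_source(SAMPLE_LOG)))
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

In a real deployment the throttle state lives in something shared across application instances and the key is typically `(account, source address)`, so that a distributed attacker still pays the delay per source while a single attacker cannot use the delay to deny a legitimate user from another address. The log check is deliberately simple: a count per source over a batch of lines is the kind of statistical test the text refers to, and a threshold of ten failures is a constructed value that would be tuned to the environment.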

Prevalence of 0-day exploits

For organisations with significant assets that are targeted by organised crime (FS, Government, Pharmaceuticals etc.) there's an increasing likelihood that 0-days will be part of the attack. This throws an interesting light on defensive controls other than patching and configuration, as you can only patch for weaknesses you know about.

Use of IDS/Log monitoring becomes more important - you won’t necessarily catch the initial attack (no signature available) but you may be able to catch the attacker doing things afterwards. At the very least detective controls can help the incident response and clean up.

Defence in depth – another old mantra, but it helps. While a 0-day can get an attacker through a security device, or an application control, multiple layers require more work, or a longer time frame – during which time the issues may be patched.
Client-side Attacks

Krebs reported on the increasing wave of attacks targeting Java (not javascript) on client PCs. It's a common mistake for client patching not to touch Java (especially as some applications require specific older versions).

Microsoft and Qualys have both confirmed the scale of the issue with over 40% of all PCs being vulnerable, and over 90% of all successful exploits in the Blackhole toolkit and over 50% of those in the SEO Sploit Pack being through Java. The Crimepack and Eleonore exploit packs also show Java flaws to be the leading exploit vectors.

The simple answer is to remove Java from machines. Most do not need it!

For those that do need it, keep it up to date. Very few developers update their code with the latest revisions, which can hinder user uptake of the latest Java update, so ensure your developers are kept up to date.

As part of audit look at the budget assigned for product maintenance or ongoing development

The Cloud

Moving to ‘The Cloud’ is popular – it can save money on hardware costs, it is flexible, it can save power and is generally considered a good thing™ for business.

Unfortunately it tends to break security structures:

  • Layers which used to be in different environments, such as DMZs, may now be on the same physical platform, and may no longer have firewalls or other access control devices present
  • The volatile and dynamic nature of virtual environments can mean asset registers and licensing are difficult to manage
  • The tasks which used to be separated out to network, system, database and platform administrators may now be carried out by one team

Good practice includes the following steps:

  • Model the new architecture on existing good practice
  • Be aware of the requirements of a highly volatile asset register, and licensing requirements for dynamic assets
  • Understand segregation of duties needs between administrators


Widespread DDoS

WHID and Verizon indicate a dramatic increase in Distributed Denial of Service attacks:

  • Blackmail, especially of internet gambling sites, is on the increase
  • Punishment DDoS (for example ACS Law) removing web sites from the internet in response to an action
  • Bot net slots available for hire at cheap rates

(update - the DDoS against Burma last week shows the traffic levels which can be generated: at 10-15 Gbps this was significantly larger than the 2007 Georgia attack at 814 Mbps)

It is very difficult to resist a Distributed Denial of Service attack – even a small bot net can overwhelm a company’s Internet connection
Concentrate instead on resilience – do you have a fully tested business continuity plan or IT disaster recovery plan which can cope?
Does your ISP have mechanisms to mitigate such an attack?
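The resilience questions above come down to one triage decision: is the inbound traffic beyond what your own connection can absorb, and is it coming from few enough sources that border filtering or an ISP null-route of those sources would help? The following is an added example (mine, not from the original post) that makes that decision over constructed flow records. The 100 Mbit/s link size, the 80% saturation mark, the 20-source cut-off and every address in the sample (all from RFC 5737 documentation ranges) are assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    """One flow record: the one-second bucket it fell in, source, destination and bytes carried."""
    second: int
    src: str
    dst: str
    byte_count: int


# Assumed figures for the illustration: a 100 Mbit/s internet connection, 80% of which we
# treat as saturated, and a source count above which per-IP blocking at the border is hopeless.
LINK_BPS = 100_000_000
SATURATION = 0.8
MAX_BLOCKABLE_SOURCES = 20


def classify(flows: Iterable[Flow], link_bps: int = LINK_BPS,
             max_blockable: int = MAX_BLOCKABLE_SOURCES) -> Dict[str, dict]:
    """Per destination: peak inbound bit rate, number of distinct sources and a triage verdict."""
    bytes_per_sec: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    sources: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        bytes_per_sec[f.dst][f.second] += f.byte_count
        sources[f.dst].add(f.src)

    verdicts: Dict[str, dict] = {}
    for dst, buckets in bytes_per_sec.items():
        peak_bps = max(buckets.values()) * 8          # busiest one-second bucket, in bits
        n_src = len(sources[dst])
        if peak_bps < link_bps * SATURATION:
            verdict = "normal"
        elif n_src <= max_blockable:
            verdict = "flood, few sources: filter at the border or ask the ISP to null-route them"
        else:
            verdict = "distributed flood: border filtering will not help, invoke ISP mitigation / BCP"
        verdicts[dst] = {"peak_bps": peak_bps, "sources": n_src, "verdict": verdict}
    return verdicts


def sample_flows() -> List[Flow]:
    """Constructed traffic, not captured data: 500 bots at 30 kB/s each for three seconds
    against one server (120 Mbit/s aggregate), one host alone pushing 120 Mbit/s at a second
    server, and ordinary browsing to a third."""
    flows: List[Flow] = []
    for t in range(3):
        for i in range(500):
            # spread the bots over two documentation prefixes
            src = f"192.0.2.{i}" if i < 250 else f"198.51.100.{i - 250}"
            flows.append(Flow(t, src, "203.0.113.10", 30_000))
        flows.append(Flow(t, "192.0.2.254", "203.0.113.20", 15_000_000))
        for i in range(5):
            flows.append(Flow(t, f"203.0.113.{100 + i}", "203.0.113.30", 50_000))
    return flows


if __name__ == "__main__":
    for dst, info in classify(sample_flows()).items():
        print(f"{dst:15s} peak {info['peak_bps'] / 1e6:6.1f} Mbit/s "
              f"from {info['sources']:4d} sources -> {info['verdict']}")
```

Note what the numbers say: 500 hosts each sending a modest 30 kB/s is already 120 Mbit/s, more than the assumed link, which is the point made above that even a small bot net can fill a company connection. The single-source case produces the same peak rate but a different answer, because one address can be dropped upstream; the distributed one cannot be handled at your own border at all.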

IPv4 Address Space Exhaustion

A little bit more off the wall –

Whilst some of the stories around at the moment are probably more scare mongering than anything else, it seems likely that 2011 is going to see a greater restriction on IPv4 addresses and, as a result, a big push to IPv6.

The interesting part is that a lot of security controls are dependent on IPv4 ways of thinking, and there is a real risk that new IPv6 implementations will require different ways of implementing network security and will be buggy early on.

Review your networks to understand the security structures in the infrastructure and protocol stacks
Work with your telecommunications and network service providers to ensure you are prepared
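One concrete form of the "IPv4 ways of thinking" problem is an address-based control that only recognises dotted quads. The example below is added here (mine, not from the original post) and sets such a control beside a dual-stack version. The blocklist prefixes and client addresses are constructed from documentation ranges; the `is_blocked_v4_only` and `is_blocked` names are mine. It also goes slightly beyond the text by unwrapping the IPv4 address embedded in IPv4-mapped (`::ffff:a.b.c.d`) and 6to4 (`2002:...`) forms, since both let an IPv4 host reach a dual-stack service without ever matching an IPv4 rule.

```python
import ipaddress
import re
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed blocklist for the illustration: one IPv4 and one IPv6 documentation prefix.
BLOCKED: List[Network] = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:bad::/48"),
]

_DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_blocked_v4_only(client: str, blocked: Iterable[Network] = BLOCKED) -> bool:
    """The IPv4-era control: only a dotted quad counts as an address, anything else is
    waved through. A client arriving over IPv6, or presenting the IPv4-mapped form
    ::ffff:198.51.100.7 of a blocked address, never matches, so the control fails open."""
    if not _DOTTED_QUAD.match(client):
        return False
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in blocked)


def is_blocked(client: str, blocked: Iterable[Network] = BLOCKED) -> bool:
    """Dual-stack version: parse either family, also test the IPv4 address embedded in
    IPv4-mapped and 6to4 forms so the v4 rules still bite, and refuse anything that does
    not parse rather than letting it through."""
    try:
        # strip a link-local zone id such as fe80::1%eth0 before parsing
        addr = ipaddress.ip_address(client.strip().split("%", 1)[0])
    except ValueError:
        return True                                   # fail closed on garbage
    candidates = [addr]
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:              # ::ffff:a.b.c.d
            candidates.append(addr.ipv4_mapped)
        if addr.sixtofour is not None:                # 2002:aabb:ccdd::/48 encodes a.b.c.d
            candidates.append(addr.sixtofour)
    # `addr in net` is simply False when the families differ, so mixed lists are safe
    return any(c in net for c in candidates for net in blocked)


if __name__ == "__main__":
    for client in ("198.51.100.7", "::ffff:198.51.100.7", "2002:c633:6407::1",
                   "2001:db8:bad::1", "203.0.113.9", "fe80::1%eth0", "not-an-address"):
        print(f"{client:22s} v4-only: {is_blocked_v4_only(client)!s:5s} dual-stack: {is_blocked(client)}")
```

The review question this suggests for an audit is simple to ask of any filter, log parser or allowlist: what does it do with an address that is not a dotted quad, and does it fail open or closed when it gets one?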

More Generally

I would remind auditors that they need to ensure not only that each security management process is in place but that it actually works.
A modicum of technical assurance work (vulnerability analysis by an experienced person) will go a long way.

Work in partnership with IS specialists to:

Add value to audits and gain a more holistic picture of the current state of security
Understand new threats and risks
Always take a holistic look – what are the threats to the business, not just to IT
Improve your security testing process – we have demonstrated over 30% savings through managing security testing and assessment efficiently

Threats will continue to develop – aim for resilience!

References

OWASP Top Ten
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Verizon Data Breach Report
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Krebs Java Security Report
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

WHID Security Report
https://files.pbworks.com/download/loBVUfSYDp/webappsec/29750234/WHIDWhitePaper_WASC.pdf

Potaroo IPv4 Address Report
http://www.potaroo.net/tools/ipv4/index.html