Wednesday, November 17, 2010

Security in Scotland

A topic very dear to me is the development of the Information Security profession, but specifically in Scotland, and I thought it would be worthwhile posting some information on initiatives in Scotland that help with this aim, as well as discuss areas where stronger involvement from the wider industry would be welcomed. We have selected a few of the key organisations and events, but if you feel we another is key, please let us know and we'll update this post.

The Institute of Information Security Professionals, of which Rory Alsop is the Scottish chair, is providing support and guidance to universities and companies across the UK through the Graduate Development Scheme, Academic Partnerships, the Accredited Training Scheme and the IISP Skills Framework. The IISP's mission is to be the authoritative body for information security professionals, with the principal objective to advance the professionalism of the industry as a whole. Whilst the existing IISP membership in Scotland is strong I would encourage individuals and companies to visit the website or speak to representatives to understand what they can get out of membership (at all levels from student through to full membership) and more importantly for the industry what they can offer in return from their own experience or skills. The IISP always welcomes speakers who have a story to tell in the information security space, so please get in touch if you would like to present at one of our quarterly events.

Similarly, ISACA aims to define the roles of information systems governance, security, audit and assurance professionals. Through close links with local industry, ISACA Scotland provides guidance, benchmarks and effective tools for organisations in Scotland. The majority of members in Scotland have the CISA certification so here there is a very strong focus on audit and control, but we are seeing increasing numbers in security management, governance of enterprise IT and risk and information systems control. Like the IISP, ISACA Scotland would welcome guest presenters or new members - the global knowledge base and information flow are extensive and the opportunities for networking are invaluable.

The Scottish Universities, under the guidance of Professor Buchanan have created the framework for a Centre of Excellence in Security and Cybercrime in Scotland - with strong links already forming between academia, law enforcement, industry and professional bodies such as the IISP. One goal is to provide academia with a greater awareness of real world security issues and activities through a number of avenues including volunteer work, summer placements, guest lecturers etc. From the perspective of your organisation, if you find that when hiring software developers, for example, you need to give them additional training in secure development or spend resource remediating vulnerable code, the argument for providing a small amount of resource to help develop coursework in these subjects, or to provide the odd guest lecture is a very strong one. As an industry we can make great improvements by simply providing the new entrants with the benefits of at least some of our years learning the hard way.

The e-Crime Scotland website was officially launched at the Scottish Financial Crime Group Conference on the 28th of October. Currently this has been set up with support from, and using the framework developed by the Welsh Assembly, demonstrating an excellent level of sharing of expertise and resource. This website provides a portal of information on e-crime, a reporting mechanism and is planned to develop as Scotland takes greater ownership of content.

The Scottish Financial Crime Group, under the ownership of the Scottish Business Crime Centre, has been working with law enforcement and clearing banks for the last 35 years, but more recently through the annual conferences and an active presence in many forums has been in a good position to draw on expertise from a wide range of specialist individuals and organisations to develop opportunities to disrupt the criminal element in our society. Membership of the SFCG or at the very least, attendance at the annual conference is invaluable both from a learning perspective and an opportunity to influence discussion relating to financial crime.

The National Information Security Conference is held in St. Andrews each summer and provides speakers renowned within their field, education and an excellent networking opportunity to meet like minded individuals from industry and security experts. This three day residential event attracts many security professionals who are trying to drive the industry forwards and should not be missed!

On the more technical front, the Scottish OWASP chapter, headed up by Rory McCune is a growing group of individuals from across various industries focused on improving web application security. Join the mailing list to find out about meetings, initiatives etc. The scope of interest includes everything from SCADA to online banking and from smart meters to social networking.

Monday, November 08, 2010

Key Security Risks and Practical Remediation - ISACA Event notes - October 26 2010

In my role as Vice-President of ISACA Scotland and chairman of the Scottish branch of the IISP I chaired a joint session titled "Key Security Risks and Practical Remediation." Audit Scotland hosted the session, and we had a good turnout representing the financial and government sectors as well as law firms and retail.

A quick introduction from round the table did confirm that the problems faced were common - low resource or budget, escalating security and risk requirements, ever increasing threats, targets spreading - not just large financial organisations any more, so the opportunity to outline some simple, effective activities which any organisation could carry out was highly appropriate.

For our regular readers, some or all of the following should be old news, however we still see so few organisations carrying out basic remediation activities that we would recommend reading and looking to see where you can improve the security in your environment through these simple steps. The risk areas were taken from OWASP, Verizon and WHID work to identify the most common issues.

We would stress that nothing here is a magic bullet to cure all ills, but if you can take some of the actions listed you will be improving your security baseline without incurring too high a cost:

Input Validation

Very old news, but:

The top two web application security risks (OWASP top 10 list) are Injection and Cross Site Scripting, both of which can be successfully mitigated by strong input validation
The 2010 Data Breach Report by Verizon lists the top two causes of breaches as use of Stolen Credentials and SQL Injection
Examples include Worldpay from 2008 (over $9.4Million stolen) and the Royal Navy this week - this is still an issue

This is a relatively easy area to improve on:

Popular frameworks have input validation modules – why not use them
With modern applications, a call to an input validation module is often straightforward
Never trust the client – validate all input at server side
White listing or black listing - both are acceptable and have their own pros and cons

Also think about output encoding – providing strongly validated output will also help prevent SQL Injection and Cross Site Scripting attacks, although it typically requires more effort to accomplish.

Brute Force and Dictionary attacks

More old news, but:

The 2010 WHID Report by the Web Application Security Consortium lists Brute Force attacks in the top 5
Tools to carry out brute force or dictionary attacks are simple to use, prevalent and free
Humans are still pretty bad at choosing strong passwords


Remediation should be in a number of areas:

Brute forcing shows up in logs – typically it generates a high network load and can usually be spotted by simple statistical analysis tools
Utilise exponential delays - eg 5 seconds after 1 failed attempt, 10 after the second, 30 after the third etc. This rapidly makes brute forcing unusable, without requiring account lockouts (which often require helpdesk resource)
Awareness training works – for a few months at a time. Combined with regular password strength audits this can have lasting effect

Prevalence of 0-day exploits

For organisations with significant assets that are targeted by organised crime (FS, Government, Pharmaceuticals etc.) there's an increasing likelihood that 0-days will be part of the attack. This throws an interesting light on defensive controls other than patching and configuration, as you can only patch for weaknesses you know about.

Use of IDS/Log monitoring becomes more important - you won’t necessarily catch the initial attack (no signature available) but you may be able to catch the attacker doing things afterwards. At the very least detective controls can help the incident response and clean up.

Defence in depth – another old mantra, but it helps. While a 0-day can get an attacker through a security device, or an application control, multiple layers require more work, or a longer time frame – during which time the issues may be patched.
Client-side Attacks

Krebs reported on the increasing wave of attacks targeting Java (not javascript) on client PCs. It's a common mistake for client patching not to touch Java (especially as some applications require specific older versions).

Microsoft and Qualys have both confirmed the scale of the issue with over 40% of all PC’s being vulnerable, and over 90% of all successful exploits in the Blackhole toolkit and over 50% of those in the SEO Sploit Pack being through Java. The Crimepack and Eleonore exploit packs also show Java flaws to be the leading exploit vectors.

The simple answer is to remove Java from machines. Most do not need it!

For those that do need it, keep it up to date. Very few developers update their code with the latest revisions, which can hinder user uptake of the latest Java update, so ensure your developers are kept up to date.

As part of audit look at the budget assigned for product maintenance or ongoing development

The Cloud

Moving to ‘The Cloud’ is popular – it can save money on hardware costs, it is flexible, it can save power and is generally considered a good thing™ for business.

Unfortunately it tends to break security structures, as layers which used to be in different environments, such as DMZs, may now be on the same physical platform, and may no longer have firewalls or other access control devices present
The volatile and dynamic nature of virtual environments can mean asset registers and licensing are difficult to manage
The tasks which used to be separated out to network, system, database and platform administrators may now be carried out by one team

Good practice includes the following steps:

Model the new architecture on existing good practice
Be aware of the requirements of a highly volatile asset register, and licensing requirements for dynamic assets
Understand segregation of duties needs between administrators


Widespread DDoS

WHID and Verizon indicate a dramatic increase in Distributed Denial of Service attacks:

Blackmail, especially of internet gambling sites is on the increase
Punishment DDoS (for example ACS Law) removing web sites from the internet in response to an action
Bot net slots available for hire at cheap rates

(update - the DDoS against Burma last week shows the traffic levels which can be generated: at 10-15 Gbps this was significantly larger than the 2007 Georgia attack at 814 Mbps)

It is very difficult to resist a Distributed Denial of Service attack – even a small bot net can overwhelm a company’s Internet connection
Concentrate instead on resilience – do you have a fully tested business continuity plan or IT disaster recovery plan which can cope?
Does your ISP have mechanisms to mitigate such an attack?

IPv4 Address Space Exhaustion

Little bit more off the wall –

Whilst some of the stories around at the moment are probably more scare mongering than anything else, it seems likely that 2011 is going to see a greater restriction in IPv4 address and subsequently a big push to IPv6.

The interesting part is that a lot of security controls are dependent on IPv4 ways of thinking and there's also a big risk that new IPv6 implementations will require different ways of implementing network security and will be buggy early on.

Review your networks to understand the security structures in the infrastructure and protocol stacks
Work with your telecommunications and network service providers to ensure you are prepared

More Generally

I would remind auditors that they need to not only ensure that each security management process is in place but that it works works.
A modicum of technical assurance work (vulnerability analysis by an experienced person) will go a long way.

Work in partnership with IS specialists to:

Add value to audits and gain a more holistic picture of the current state of security
Understand new threats and risks
Always take a holistic look – what are the threats to the business, not just to IT
Improve your security testing process – we have demonstrated over 30% savings through managing security testing and assessment efficiently

Threats will continue to develop – aim for resilience!

References

OWASP Top Ten
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Verizon Data Breach Report
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Krebs Java Security Report
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

WHID Security Report
https://files.pbworks.com/download/loBVUfSYDp/webappsec/29750234/WHIDWhitePaper_WASC.pdf

Potaroo IPv4 Address Report
http://www.potaroo.net/tools/ipv4/index.html