Tags: Advanced Persistent Threat, cloud, consumer devices, consumerisation, crisis management, GRC, smartphones, tablets
According to Andy Warhol, everyone gets 15 minutes of fame. If you’re a security consultant, maybe that 15 minutes is the chance you get, face to face with the CEO of your customer, to convince them to focus on security.
The other day I found myself in conversation with a couple of senior execs from a large and well-known security vendor. During the discussion, they made the point that oftentimes a security health check or investigation means presenting bad news. The CISO is not always going to be overjoyed by what you have to report, so you need to present your conclusions direct to the decision maker.
So, this was the challenge – how are you going to get the CEO’s attention and a commitment to action, all in just 15 minutes? Clearly, there’s no use talking about operational security – that’s the CISO’s patch. So, I mused, frame the discussion in terms of Governance, Risk and Compliance (GRC). Most organisations of any size are now quite adept at security compliance. Faced with a plethora of legislation, regulation and contract schedules and armed with a bewildering array of control frameworks and certification schemes, IT security teams spend most of their time looking backwards at what already happened. Beyond that, the Business grants authority to the CISO and his team to implement sufficient controls to enforce the corporate IT security policy. Governance is about monitoring how that decision-making process is working. Finally, the real objective looking forward should be to deploy adequate security to meet the business risk. That ought to be something the CEO cares about.
OK, so now we have a context, but what are the big issues in security for the business? I came up with a Top 3 (you may well disagree):
- Consumerisation: Like it or not, staff are going to use their own devices (smart phones, tablets, home computers) in the course of their work. Of course, these devices are outside the control of the IT department, so how do you enforce security policies? What happens if the device is lost? Can you do a remote wipe (which will include the owner’s data as well as the company data)? This loss of control of physical assets and their configuration provides a toehold in the network for an attacker.
- Advanced Persistent Threats: The business may find itself under attack from an APT, armed with a wide range of skills and resources and focused on a long-term (months or even years) objective. Even if the IT Security team detects APT activity, this may only be a fleeting glimpse of what’s actually happening. The business may well have no idea why it is being targeted. All the while, the APT will be syphoning off vast amounts of data, maybe sensitive business information, maybe intellectual property, but also maybe personal information belonging to the business’s clients or employees.
- Cloud Services: I wrote in a previous post about the threats to security governance posed by cloud services. In many organisations, business units are adopting cloud services without the advice and support of their IT security specialists. The resulting agreements often provide little or no oversight as to how the provider will assure the security of critical or sensitive data and can place the business’s legal and/or regulatory compliance status in jeopardy.
All of these conspire to present a real and growing threat to the personal and sensitive information, stored by virtually every organisation these days. But, how to persuade the CEO that these threats are real? The challenge is to come up with a set of “world-class” questions – they don’t require an answer at the time, rather they should make our CEO reflect on what matters to the long-term health of the business. By coincidence, fellow IBMer Marc van Zadelhoff recently described his set of questions for the CISO in a blog post for the IBM Institute of Advanced Security. His candidate questions are rather more technical than what I had in mind, but that really reflects the dilemma of how to engage with the Business at a senior level. So, I thought about it for a while and this is what I came up with:
- Where is your data stored right now? Can you account for every copy? If you’ve entrusted data to a 3rd party, are you sure you can get it back if you end the service? Are you sure they’ll delete it when you tell them?
- Can you be sure that your sensitive data isn’t being exfiltrated by an attacker? If it was happening, would you know?
- If the worst were to happen and you become the target for a large-scale, highly public data breach, do you have a credible, tested crisis plan for dealing with it? Can you withstand the reputational damage while you execute your plan?
So, that’s my list, all related to the need to protect critical and sensitive data. How would your CEO answer?
Tags: encryption, GSM, hacking, IAM, IMSI Catcher, mobile phone, one time password, SMS
At a recent briefing on Cyber Security, one of the speakers remarked that there’s no correlation between the size (numbers, budget, resources) of the attacker and their capability to mount an attack on your networks. My friend and former colleague Nik Barron drew my attention recently to a presentation at Defcon 18 on the subject of “Practical Cellphone Spying”.
It’s common knowledge that the crypto scheme in GSM is so weak that it’s easily broken, but in fact, if you’re within radio range of a target cellphone it’s possible to intercept calls and SMS (text messages) by bypassing the crypto scheme entirely. In his talk, Paget explains how to build and operate an IMSI catcher, a fake GSM base station which can trick a target handset into sending you its voice traffic. In fact, GSM phones are designed to accept instructions from the BTS (GSM base station). Even if instructed to turn off crypto, the handset will not warn the user. Paget’s solution is based on an overlap between the ISM (Industrial, Scientific, Medical) Band and the GSM Band in the US. This band is also a ham band (ISM is a secondary use), so it’s possible to operate with an amateur radio licence, and the necessary equipment can be built by a reasonably skilled amateur for around £1,000.
What Paget proposes – the ability to seduce mobile phones into connecting to a fake base station and to use those connections to intercept voice or SMS communications – has been possible for a long time. Crucially, though, it was always sufficiently difficult and expensive (hundreds of thousands of dollars) that it remained in the province of intelligence services, organised crime or other well-funded adversaries. While the price (and the expertise needed) is still probably just beyond the point where the public might attempt to “listen in” on their neighbours, it’s possible to envisage “drive by” interception, using systems built primarily around a laptop (or even a handheld device).
Why does this concern me? Well, my main area of expertise is around the design and implementation of Identity and Access Management (IAM) systems. In my field, it’s common practice to use SMS messages for out-of-band transmission of credentials, either for distributing new credentials or for one time passwords, used as part of a multi-factor authentication scheme. We must now seriously question our trust in SMS as a secure transport for these applications.
Tags: application white list, Atlas Consortium, Baseline Security, Common Criteria, Defence in Depth, DII, Internet Explorer, UK government, Zero Day Exploit
…not as I do, as Mrs V1951 the Elder (my Mum) used to say to me regularly.
I’ve discussed before how I went about organising news feeds when I started my new life as an independent consultant. One of the first blogs I subscribed to was the BBC’s dot.Life blog (now renamed “dot.Rory” to distinguish it from posts by US correspondent Maggie Shiels), written by technology correspondent Rory Cellan Jones. That in turn prompted me to join Twitter to follow Rory’s updates. His position gives him great access to what’s happening, particularly amongst the vendors, and his articles are thorough, well written and humorous.
However (you knew this was coming, didn’t you?) I have to take issue with a recent post on his blog. The debate over Google’s troubles in China and the vulnerability in Internet Explorer v6 rumbles on and Mr Cellan Jones decided to investigate what advice the UK government is offering to its citizens and how that advice squares with what government departments are doing with their own computer systems. So far, so good.
Both the German and French governments advised their citizens to switch to an alternative browser (Firefox, Opera or Safari for example), implying that the flaw exposed in the attack on Google is common to all versions of the Microsoft browser. However, when questioned the UK’s Cabinet Office, which takes the lead on matters related to digital technology, confirmed that it is directing people to the web site for the Get Safe Online campaign. The advice here is “All web browsers are at ongoing risk to vulnerabilities and as such Get Safe Online’s recommended advice to consumers and small business is always to use the most up-to-date version.” It also suggests that “… there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.”
By comparison, when asked by Mr Cellan Jones, the Ministry of Defence confirmed that, based on advice from the Communications Electronic Security Group, it is considered that IE6 is suitable for use in central government. Later, the Cabinet Office explained further that “A government user working on government systems will benefit from additional security systems unlikely to be available to the average home computer user. These include tools that actively monitor for any malicious attack.”
So, on the face of it, the UK Government is ignoring the advice it gives to its citizens. But is this really as unreasonable as the blog suggests? Let’s look at the issues:
- Context: The Ministry of Defence IT systems form the Defence Information Infrastructure (DII), serving 300,000 users on 150,000 end point systems, spread across more than 2,000 locations (fixed and mobile) world-wide. This massive infrastructure is managed by the Atlas Consortium, under a 10 year contract worth £4.8Bn. While the programme has been criticised for slow progress, a National Audit Office report in 2009 concluded that important benefits are being delivered and (unusual for a government IT project) costs are predicted to be within 3% of the original budget approved in 2005.
- Guidance: The Ministry of Defence and other front line government departments are guided by CESG, which is the UK’s National Technical Authority on information assurance. This same support is also available to other public bodies and private concerns which form the Critical National Infrastructure, through the Centre for the Protection of National Infrastructure (CPNI), and some is available to the general public through the CPNI web site.
- Assurance: Systems and networks designed for use in front line departments (MoD, FCO, Home Office ..) are:
  - Built where possible using certified components that have been rigorously tested for correct operation of their security functions, based on the internationally accepted Common Criteria (ISO/IEC 15408);
  - Subjected to accreditation, to prove that their security functions are adequate to protect the classified information they will process;
- Restricted Access: Access to these systems is strictly controlled, based on security clearance (granted based on rigorous and repeated vetting checks), “need to know” and finally subject to the formal approval of the system owner. Social engineering played a significant role in the Google attack and this is at least mitigated by these formal processes.
As well as being a front line government department, with special security requirements and the processes and procedures to enforce them, the MoD is also a very large organisation (300,000 users) and faces the same problems as its private sector counterparts:
- Compatibility: These days, the browser is used to access a wide range of applications, many of them mission critical. As Gartner’s Neil MacDonald said in his blog, the application vendors are a big part of the problem in getting organisations to move off Internet Explorer v6. Often the applications use proprietary mechanisms in IE6, making it difficult or impossible to upgrade to a later browser version, unless you at least upgrade the application as well.
- Inertia: Large organisations are notoriously slow to migrate to later versions. Desktop upgrade programmes are costly, time consuming and riddled with unforeseen complications. That in part is why large organisations didn’t migrate to Vista on the desktop, and why they’ll take their time before moving to Windows 7.
These considerations have to be fed into the change management process. The resulting change (assuming it gets approval) will inevitably delay the already planned packages within the DII programme and will with equal inevitability result in additional costs to the customers (that’s the taxpayer – you and me!).
So, is the Cabinet Office right to claim that the MoD is safe to carry on using IE6? At least they’re right to draw a distinction between the level of protection achieved through “defence in depth” and what’s available to the average home user. David Lacey, in his recent book “Managing the Human Factor in Information Security”, points out that baseline security measures, a collection of standard proven security controls, are the fastest, most reliable (and often cheapest) means of improving security. He compares it with the “trajectory of accident opportunity” described by James Reason in his book “Human Error”. His premise is that multiple, simultaneous failures or compromises would be needed to allow an attack to be pressed home. Gartner’s Neil MacDonald says that there are 3 lessons to be drawn from the attack on Google:
- Run users as standard not administrator
- Get off IE6 – using Win7 migration to justify budget if necessary
- Use defence in depth at the end point.
In conclusion, for the risk of compromise to materialise, there has to be both vulnerability and the means to exploit it. In the case of the Google attack, neither of these was known until the incident happened – a zero day attack. There also has to be a threat, someone with the means, skills and motive to mount an attack. Again, in the case of Google, this appeared to be a targeted attack. But risk efficiency demands that the cost of the countermeasure be proportionate to the cost of the damage resulting from a successful exploit. For a large organisation (like MoD) replacing the browser isn’t going to pass that test. But careful design and baseline security measures will prevent the hacker from reaching the vulnerable component.
And the last word goes to Neil MacDonald of Gartner again, who points out that application white listing has to become a fundamental part of endpoint security. If a zero day attack is mounted and if the attacker succeeds in dropping malicious code onto the browser, white listing would prevent it from running.
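As an added illustration of the whitelisting control MacDonald recommends (this is my example, not anything from Gartner or the DII programme): on a Windows 7 / Server 2008 R2 endpoint, AppLocker can be seeded from a clean reference build so that only known publishers and file hashes may execute, and a file dropped into a user’s profile by a compromised browser is then refused. The policy path and the dropped-file path below are assumptions.

```powershell
# Added example: build a default-deny AppLocker allow-list from a clean reference
# image, check it against a file a browser exploit might drop, then enforce it.
# Assumes Windows 7 Enterprise/Ultimate or Server 2008 R2 with the Application
# Identity service running; paths below are placeholders, not real deployment values.
Import-Module AppLocker

$policyPath = 'C:\Policies\baseline-allowlist.xml'   # assumed location

# Enumerate executables and libraries on the reference build and generate rules.
# Signed files get Publisher rules (survive patching); unsigned files fall back to Hash.
Get-ChildItem -Path 'C:\Windows', 'C:\Program Files' -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Baseline -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# Before enforcing, run the generated XML in audit mode: the enforcement setting lives
# in the policy file itself, so switch each rule collection to AuditOnly for the trial.
(Get-Content $policyPath) -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Set-Content $policyPath

# Dry-run the policy against a file that a browser compromise would typically write
# into the user's profile (constructed path). Anything not matching a Publisher or
# Hash rule reports as Denied, which is the outcome MacDonald's point relies on.
$dropped = 'C:\Users\alice\AppData\Local\Temp\dropped.exe'   # constructed example path
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $dropped -User Everyone

# Apply the policy (audit events appear under Applications and Services Logs >
# Microsoft > Windows > AppLocker); flip AuditOnly to Enabled once the log is clean.
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Note that the rule set only covers the reference image; every sanctioned application added later needs its own Publisher or Hash rule, which is the ongoing cost of a whitelist and the reason it belongs in the change management process described above.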