15 Minutes

August 15, 2011 at 11:25 pm | Posted in Cloud Security, Cyber Security, Data Protection, Security Governance | 2 Comments

According to Andy Warhol, everyone gets 15 minutes of fame.  If you’re a security consultant, maybe that 15 minutes is the chance you get, face to face with  the CEO of your customer, to convince them to focus on security.

The other day I found myself in conversation with a couple of senior execs from a large and well-known security vendor.  During the discussion, they made the point that oftentimes a security health check or investigation means presenting bad news.  The CISO is not always going to be overjoyed by what you have to report, so you need to present your conclusions direct to the decision maker.

So, this was the challenge – how are you going to get the CEO’s attention and a commitment to action, all in just 15 minutes?  Clearly, there’s no use talking about operational security – that’s the CISO’s patch.  So, I mused, frame the discussion in terms of Governance, Risk and Compliance (GRC).  Most organisations of any size are now quite adept at security compliance.  Faced with a plethora of legislation, regulation and contract schedules and armed with a bewildering array of control frameworks and certification schemes, IT security teams spend most of their time looking backwards at what already happened.  Beyond that, the Business grants authority to the CISO and his team to implement sufficient controls to enforce the corporate IT security policy.  Governance is about monitoring how that decision-making process is working.  Finally, the real objective looking forward should be to deploy adequate security to meet the business risk.  That ought to be something the CEO cares about.

OK, so now we have a context, but what are the big issues in security for the business?  I came up with a Top 3 (you may well disagree):

  1. Consumerisation:  Like it or not, staff are going to use their own devices (smart phones, tablets, home computers) in the course of their work.  Of course, these devices are outside the control of the IT department, so how do you enforce security policies?  What happens if the device is lost?  Can you do a remote wipe (which will include the owner’s data as well as the company data)?  This loss of control of physical assets and their configuration provides a toehold in the network for an attacker.
  2. Advanced Persistent Threats:  The business may find itself under attack from an APT, armed with a wide range of skills and resources and focused on a long-term (months or even years) objective.  Even if the IT Security team detects APT activity, this may only be a fleeting glimpse of what’s actually happening.  The business may well have no idea why it is being targeted.  All the while, the APT will be siphoning off vast amounts of data, maybe sensitive business information, maybe intellectual property, but also maybe personal information belonging to the business’s clients or employees.
  3. Cloud Services:  I wrote in a previous post about the threats to security governance posed by cloud services.  In many organisations, business units are adopting cloud services without the advice and support of their IT security specialists.  The resulting agreements often provide little or no oversight as to how the provider will assure the security of critical or sensitive data and can place the business’s legal and/or regulatory compliance status in jeopardy.

All of these conspire to present a real and growing threat to the personal and sensitive information stored by virtually every organisation these days. But, how to persuade the CEO that these threats are real?   The challenge is to come up with a set of “world-class” questions – they don’t require an answer at the time, rather they should make our CEO reflect on what matters to the long-term health of the business.  By coincidence, fellow IBMer Marc van Zadelhoff recently described his set of questions for the CISO in a blog post for the IBM Institute of Advanced Security.  His candidate questions are rather more technical than what I had in mind, but that really reflects the dilemma of how to engage with the Business at a senior level.  So, I thought about it for a while and this is what I came up with:

  1. Where is your data stored right now?  Can you account for every copy?  If you’ve entrusted data to a third party, are you sure you can get it back if you end the service?  Are you sure they’ll delete it when you tell them?
  2. Can you be sure that your sensitive data isn’t being exfiltrated  by an attacker?  If it was happening, would you know?
  3. If the worst were to happen and you become the target for a large-scale, highly public data breach, do you have a credible, tested crisis plan for dealing with it?  Can you withstand the reputational damage while you execute your plan?

So, that’s my list, all related to the need to protect critical and sensitive data.  How would your CEO answer?

Managing Credentials on the Web

January 19, 2011 at 11:19 pm | Posted in Cyber Security, Identity Management | 1 Comment

I enjoyed reading a good natured rant about the vagaries of managing your identity online on the Des Res blog the other week.  If, like me, you work for a large organisation, you’ll probably be obliged to follow strict rules on selecting a password for access to corporate systems.  If, again like me, you use a lot of websites that require you to select credentials for logging in, you may struggle to manage a large (and constantly growing) set of strong passwords without writing them down.  In these circumstances, it’s very tempting to re-use the strong password for your work systems for other purposes.

Identity 2.0

Identity 2.0 or digital identity has long promised to solve these problems in a world where a user can potentially have one online identity, with a pre-certified proof which is submitted when required for authentication.  This model is represented by Microsoft’s Cardspace and the open source Higgins project, but has been slow to gain momentum.  However, in recent years, a number of the larger IAM vendors, starting with CA Technologies, have added support for these technologies to their Web Access Management products.

Multiple Identities Online

Of course, being able to use a single identity and set of credentials for all your online activities is a real “good news/bad news” story.  The convenience of managing a single set of credentials comes at a price:  it’s quite conceivable that your visits to different websites could be aggregated and correlated, to build a far more comprehensive (and revealing) picture of your online activity than you might feel comfortable with.  It’s also true to say that not all web sites we visit (and register for) justify the same level of strength in authenticating our identity.  For example:

  • Online Banking: There’s so much at stake if your banking credentials become compromised that it’s obvious to all but the hard of thinking that those credentials should never be used elsewhere.  In a previous post, I described how my bank allows me to be warned if I try to re-use internet banking credentials on another site, by providing me with a free copy of Trusteer Rapport.  This protection can be easily extended to other high risk sites.
  • Social Media: As I’ve described on these pages before, I use a wide range of social media applications (in the widest sense of the term) to maintain my contact list, collect and collate information and publicise this blog.  Each site requires a separate set of credentials, but increasingly I’m offered the chance to sign in to one application using the credentials from another (very often, either Twitter or Facebook).  This makes use of OAuth (Open Authorization).  OAuth is a delegation protocol: the user authenticates to the service they already have an account with, and that service issues a token to the third-party application.  The application then presents the token, never the user’s password, to access the user’s resources, within the scope and lifetime the service allows, until the user revokes it.  So, for example, when configuring Tweetdeck, I authenticate in turn to Twitter, Facebook, LinkedIn and Google Buzz and authorise Tweetdeck to use the OAuth tokens to retrieve data from those applications until I revoke that access.
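To make that delegation concrete, here is an added example in Python (my own illustration, not code from the original post and not any real provider’s API) that models the token lifecycle described above: the user authenticates at the provider and consents, the client application receives only an opaque bearer token scoped to one resource, the token stops working when its lifetime elapses, and a revocation by the user cuts the client off.  `Provider`, `FakeClock`, the client name `tweetdeck` and the sample account are all constructed for the example.  A real deployment adds the browser redirect to the provider’s consent screen (and, in OAuth 1.0a, per-request signing), which this model omits.

```python
import hashlib
import hmac
import os
import time


class FakeClock:
    """Settable clock so token expiry can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class Provider:
    """The service the user already has an account with (Twitter, Facebook...).
    Constructed for this example; it is not any real provider's API."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}    # username -> (salt, PBKDF2 digest)
        self._data = {}     # username -> {resource name: value}
        self._tokens = {}   # opaque bearer token -> grant record

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register_user(self, username, password, data):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))
        self._data[username] = dict(data)

    def authorize(self, username, password, client_id, scope, ttl):
        """The user signs in *at the provider* and consents to `client_id`
        reading `scope`; the client never sees the password, only the token."""
        salt, digest = self._users.get(username, (b"", b""))
        if not hmac.compare_digest(self._hash(password, salt), digest):
            raise PermissionError("bad credentials")
        token = os.urandom(24).hex()
        self._tokens[token] = {"user": username, "client": client_id,
                               "scope": frozenset(scope),
                               "expires": self._clock() + ttl, "revoked": False}
        return token

    def access(self, token, resource):
        """Resource endpoint: the checks every presented bearer token must pass."""
        grant = self._tokens.get(token)
        if grant is None:
            raise PermissionError("unknown token")
        if grant["revoked"]:
            raise PermissionError("token revoked")
        if self._clock() >= grant["expires"]:
            raise PermissionError("token expired")
        if resource not in grant["scope"]:
            raise PermissionError("scope does not cover " + resource)
        return self._data[grant["user"]][resource]

    def grants(self, username):
        """What the user sees on the provider's 'connected applications' page."""
        return sorted((g["client"], sorted(g["scope"])) for g in self._tokens.values()
                      if g["user"] == username and not g["revoked"])

    def revoke(self, username, client_id):
        """User-initiated revocation; returns how many tokens were invalidated."""
        hits = [g for g in self._tokens.values() if g["user"] == username
                and g["client"] == client_id and not g["revoked"]]
        for g in hits:
            g["revoked"] = True
        return len(hits)


def run_lifecycle():
    """Walk one grant through use, out-of-scope access, forgery, expiry and
    revocation; returns each step's outcome so it can be checked."""
    clock = FakeClock()
    twitter = Provider(clock)
    twitter.register_user("alice", "correct horse battery staple",   # constructed account
                          {"timeline": ["hello world"], "dms": ["private"]})
    # The aggregating client (TweetDeck in the post) stores tokens, never passwords.
    app_tokens = {"twitter": twitter.authorize("alice", "correct horse battery staple",
                                               "tweetdeck", scope={"timeline"}, ttl=3600)}
    out = {"timeline": twitter.access(app_tokens["twitter"], "timeline"),
           "grants": twitter.grants("alice")}
    attempts = [("out_of_scope", lambda: twitter.access(app_tokens["twitter"], "dms")),
                ("forged", lambda: twitter.access("deadbeef", "timeline"))]
    for step, call in attempts:
        try:
            call()
        except PermissionError as e:
            out[step] = str(e)
    clock.t += 3601                                  # the token's lifetime elapses
    try:
        twitter.access(app_tokens["twitter"], "timeline")
    except PermissionError as e:
        out["expired"] = str(e)
    out["revoked_count"] = twitter.revoke("alice", "tweetdeck")
    try:
        twitter.access(app_tokens["twitter"], "timeline")
    except PermissionError as e:
        out["after_revoke"] = str(e)
    return out


if __name__ == "__main__":
    for step, result in run_lifecycle().items():
        print(f"{step:14} {result}")
```

The point worth noticing is the order of checks in `access`: a token is rejected for being unknown, revoked, expired or out of scope before any data is touched, and revocation takes effect immediately because the provider, not the client, holds the grant record.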

Single Sign On
This still leaves a wide range of different sites that require a login.  I use a wide range of Cloud Services, including Dropbox (of which, more in a moment), Windows Live Mesh, Mind Meister (for collaborating on mind maps), MobileNoter (for sharing and synchronising Microsoft OneNote) and of course, Google Docs.  These (or at least the data I entrust to them) are important enough to me to warrant good quality credentials and together they make a good case for Single Sign On.  With more than 10 years’ experience in Identity Management projects, I’ve always viewed SSO as primarily a user productivity tool, with some incidental security benefits.  However, I came across a story on Mashable, describing tools for managing web passwords and quickly realised that I could:

  • Store all my credentials in a single location;
  • Secure them with a single strong password, which never leaves my machine;
  • Synchronise that credential store across multiple computers by locating the credential store on Dropbox;
  • Use the same, synchronised solution on my iPhone.
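What those four requirements amount to is shown in the following added example in Python (my own illustration, not 1Password’s format or code): the master password is stretched with PBKDF2 into keys that exist only in memory; the file placed on Dropbox holds a salt, a nonce, an authentication tag and ciphertext, so the sync provider or anyone who copies the file learns nothing; a wrong master password or a modified file is rejected before any decryption result is used; and a helper flags passwords reused across sites, the habit the post opens with.  The stream cipher is HMAC-SHA256 in counter mode so the block runs on the standard library alone; a real vault uses a vetted AEAD such as AES-GCM.  The function names and the sample entries are constructed for the example.

```python
import hashlib
import hmac
import json
import os
from collections import defaultdict

PBKDF2_ROUNDS = 100_000   # slows down offline guessing of the master password


def derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a MAC key.
    Only `salt` is ever written to disk; the keys are recomputed on unlock."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream. Illustrative only:
    a production vault uses a vetted AEAD (AES-GCM, XChaCha20-Poly1305)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(master_password, entries):
    """entries: {site: {"user": ..., "password": ...}} -> bytes safe to sync.
    Layout: salt(16) | nonce(16) | tag(32) | ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext          # encrypt-then-MAC


def open_vault(master_password, blob):
    """Verify the tag first; only then decrypt. A wrong master password or a
    single flipped byte in the synced file fails here, not as corrupt JSON."""
    if len(blob) < 64:
        raise ValueError("vault file truncated")
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault file tampered with")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)))


def reused_passwords(entries):
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for site, cred in entries.items():
        by_password[cred["password"]].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault contents (not real credentials).
SAMPLE_ENTRIES = {
    "bank.example":    {"user": "alice", "password": "Tr0ub4dor&3-bank"},
    "forum.example":   {"user": "alice", "password": "Summer2011!"},
    "webmail.example": {"user": "alice@example.net", "password": "Summer2011!"},
}


def sync_roundtrip(master_password="long random master phrase", entries=None):
    """Seal, pretend to sync, open on the 'other machine', and report."""
    entries = entries if entries is not None else SAMPLE_ENTRIES
    blob = seal(master_password, entries)
    recovered = open_vault(master_password, blob)
    return {
        "plaintext_in_synced_file": any(c["password"].encode() in blob
                                        for c in entries.values()),
        "roundtrip_ok": recovered == entries,
        "reused": reused_passwords(recovered),
    }


if __name__ == "__main__":
    print(sync_roundtrip())
```

Two design points carry over to any real vault: the tag is checked with a constant-time comparison before a single byte is decrypted, and the iteration count is what stands between a stolen Dropbox file and an offline brute force of the master password, so it should be set as high as the slowest device you unlock on will tolerate.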

So, armed with these requirements and the Mashable product reviews, I eventually settled on 1Password.  As well as a management app, which sits in the system tray, 1Password installs a plug-in for all the modern browsers (I’m using it with IE and Firefox) which detects when you’re completing a registration or login form and prompts you to save the credentials.  Next time you visit the site, just press the 1Password button to login.  Incidentally, the Mashable article mentions that 1Password is primarily a Mac product, with a Windows version in beta.  The Windows version is now in fact available as a paid-for GA product.

Summing Up

So, in conclusion, it’s possible to figure out a strategy to at least simplify sign on and credential management to a wide range of web sites and applications, each with differing needs for strength and protection.  By and large, the tools to do this are available for free and even the commercial components I chose are available for a very modest fee.  The trade-off to keep in mind is that the vault and its master password become a single point of failure: the encrypted store sitting on Dropbox is only as safe as its key derivation and cipher, and a compromised machine sees every credential once the vault is unlocked.  All in all, the benefits far outweigh the modest outlay of time and cash.

Wrong Number

September 11, 2010 at 11:58 pm | Posted in Cyber Security, Privacy | Leave a comment

At a recent briefing on Cyber Security, one of the speakers remarked that there’s no correlation between the size (numbers, budget, resources) of the attacker and their capability to mount an attack on your networks.  My friend and former colleague Nik Barron drew my attention recently to a presentation at Defcon 18 on the subject of “Practical Cellphone Spying“.

It’s common knowledge that the crypto scheme in GSM is so weak that it’s easily broken, but in fact, if you’re within radio range of a target cellphone it’s possible to intercept calls and SMS (text messages) by bypassing the crypto scheme entirely.  In his talk, Paget explains how to build and operate an IMSI catcher, a fake GSM base station which can trick a target handset into sending you its voice traffic.  GSM phones are designed to accept instructions from the BTS (GSM base station), and GSM authentication is one-way: the network authenticates the handset, but the handset has no way to verify that a base station is genuine.  So even if instructed to turn off encryption, the handset will comply and will not warn the user.  Paget’s solution is based on an overlap between the ISM (Industrial, Scientific, Medical) Band and the GSM Band in the US.  This band is also a ham band (ISM is a secondary use), so it’s possible to operate with an amateur radio licence and the necessary equipment can be built by a reasonably skilled amateur for around £1,000.

So, what Paget proposes – the ability to seduce mobile phones into connecting to a fake base station and to use those connections to intercept voice or SMS communications – has been possible for a long time, but crucially it was always sufficiently difficult and expensive (hundreds of thousands of dollars) that it remained the province of intelligence services, organised crime or other well-funded adversaries.  While the price (and the expertise needed) is still probably just beyond the point where the public might attempt to “listen in” on their neighbours, it’s possible to envisage “drive by” interception, using systems built primarily around a laptop (or even a handheld device).

Why does this concern me?  Well, my main area of expertise is around the design and implementation of Identity and Access Management (IAM) systems.  In my field, it’s common practice to use SMS messages for out-of-band transmission of credentials, either for distributing new credentials or for one time passwords, used as part of a multi-factor authentication scheme.  We must now seriously question our trust in SMS as a secure transport for these applications.


Do as I Say …

February 11, 2010 at 6:33 pm | Posted in Cyber Security, Endpoint Security | Leave a comment

…not as I do, as Mrs V1951 the Elder (my Mum) used to say to me regularly.

I’ve discussed before how I went about organising news feeds when I started my new life as an independent consultant.  One of the first blogs I subscribed to was the BBC’s dot.Life blog (now renamed “dot.Rory” to distinguish it from posts by US correspondent Maggie Shiels), written by technology correspondent Rory Cellan Jones.  That in turn prompted me to join Twitter to follow Rory’s updates.   His position gives him great access to what’s happening particularly amongst the vendors and his articles are thorough, well written and humorous.

However (you knew this was coming, didn’t you?) I have to take issue with a recent post on his blog.  The debate over Google’s troubles in China and the vulnerability in Internet Explorer v6 rumbles on and Mr Cellan Jones decided to investigate what advice the UK government is offering to its citizens and how that advice squares with what government departments are doing with their own computer systems.  So far, so good. 

Both the German and French governments advised their citizens to switch to an alternative browser (Firefox, Opera or Safari for example), implying that the flaw exposed in the attack on Google is common to all versions of the Microsoft browser.  However, when questioned, the UK’s Cabinet Office, which takes the lead on matters related to digital technology, confirmed that it is directing people to the web site for the Get Safe Online campaign.  The advice here is “All web browsers are at ongoing risk to vulnerabilities and as such Get Safe Online’s recommended advice to consumers and small business is always to use the most up-to-date version.”   It also suggests that “… there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.” 

By comparison, when asked by Mr Cellan Jones, the Ministry of Defence confirmed that, based on advice from the Communications-Electronics Security Group (CESG), it is considered that IE6 is suitable for use in central government.  Later, the Cabinet Office explained further that  “A government user working on government systems will benefit from additional security systems unlikely to be available to the average home computer user. These include tools that actively monitor for any malicious attack.”

So, on the face of it, the UK Government is ignoring the advice it gives to its citizens.  But is this really as unreasonable as the blog suggests?  Let’s look at the issues:

  • Context:  The Ministry of Defence IT systems form the Defence Information Infrastructure (DII), serving 300,000 users on 150,000 end point systems, spread across more than 2,000 locations (fixed and mobile) world-wide.  This massive infrastructure is managed by the Atlas Consortium, under a 10 year contract worth £4.8Bn.  While the programme has been criticised for slow progress, a National Audit Office report in 2009 concluded that important benefits are being delivered and (unusual for a government IT project) costs are predicted to be within 3% of the original budget approved in 2005.
  • Guidance:  The Ministry of Defence and other front line government departments are guided by CESG, which is the UK’s National Technical Authority for information assurance.   This same support is also available to other public bodies and private concerns which form the Critical National Infrastructure, through the Centre for the Protection of National Infrastructure (CPNI) and some is available to the general public through the CPNI web site.
  • Assurance:  Systems and networks designed for use in front line departments (MoD, FCO, Home Office ..) are:
    • Built where possible using certified components  that have been rigorously tested for correct operation of their security functions, based on the internationally accepted Common Criteria  (ISO/IEC 15408);
    • Subjected to accreditation, to prove that their security functions are adequate to protect the classified information they will process;
    • Organised into distinct security “zones” separated by specialised devices, which are not available to most organisations.  Some of these devices are designed and tested using formal methods like Z or the Vienna Development Method (VDM) to mathematically prove the correctness of their security functions.
  • Restricted Access:  Access to these systems is strictly controlled, based on security clearance (granted based on rigorous and repeated vetting checks), “need to know” and finally subject to the formal approval of the system owner.  Social engineering played a significant role in the Google attack and this is at least mitigated by these formal processes.

As well as being a front line government department, with special security requirements and the processes and procedures to enforce them, the MoD is also a very large organisation (300,000 users) and faces the same problems as its private sector counterparts:

  • Compatibility:  These days, the browser is used to access a wide range of applications, many of them mission critical.  As Gartner’s Neil MacDonald said in his blog, the application vendors are a big part of the problem in getting organisations to move off Internet Explorer v6.  Often the applications use proprietary mechanisms in IE6, making it difficult or impossible to upgrade to a later browser version, unless you at least upgrade the application as well.
  • Inertia:  Large organisations are notoriously slow to migrate to later versions.  Desktop upgrade programmes are costly, time consuming and riddled with unforeseen complications.  That in part is why large organisations didn’t migrate to Vista on the desktop, and why they’ll take their time before moving to Windows 7.

These considerations have to be fed into the change management process.  The resulting change (assuming it gets approval) will inevitably delay the already planned packages within the DII programme and will with equal inevitability result in additional costs to the customers (that’s the taxpayer – you and me!).

So, is the Cabinet Office right to claim that the MoD is safe to carry on using IE6?  At least they’re right to draw a distinction between the level of protection achieved through “defence in depth” and what’s available to the average home user.  David Lacey, in his recent book “Managing the Human Factor in Information Security”, points out that baseline security measures, a collection of standard, proven security controls, are the fastest, most reliable (and often cheapest) means of improving security.  He compares this with the “trajectory of accident opportunity” described by James Reason in his book “Human Error”.  His premise is that multiple, simultaneous failures or compromises would be needed to allow an attack to be pressed home.  Gartner’s Neil MacDonald says that there are 3 lessons to be drawn from the attack on Google:

  1. Run users as standard not administrator
  2. Get off IE6 – using Win7 migration to justify budget if necessary
  3. Use defence in depth at the end point.

In conclusion, for the risk of compromise to materialise, there has to be both a vulnerability and the means to exploit it.  In the case of the Google attack, neither of these was publicly known until the incident happened – a zero day attack.  There also has to be a threat, someone with the means, skills and motive to mount an attack.  Again, in the case of Google, this appeared to be a targeted attack.  But risk efficiency demands that the cost of the countermeasure be proportionate to the cost of the damage resulting from a successful exploit.  For a large organisation (like MoD) replacing the browser isn’t going to pass that test.  But careful design and baseline security measures can prevent the attacker from reaching the vulnerable component. 

And the last word goes to Neil MacDonald of Gartner again, who points out that application white listing has to become a fundamental part of endpoint security.  If a zero day attack is mounted and the attacker succeeds in dropping malicious code onto the endpoint via the browser, white listing would prevent it from running.  It is worth being clear about the limit of that protection: a whitelist stops new, unapproved executables from launching, but it does not stop code that runs inside an already-approved process (the browser itself, or a whitelisted script interpreter), so it complements rather than replaces patching and running users without administrator rights.
