You Can’t Patch People

December 29, 2012 at 5:06 pm | Posted in Data Protection, Endpoint Security, Human Factors in Security

In a recent blog post, Bruce Schneier highlighted how a commercially available and low-cost (around £200) forensics tool is capable of cracking passwords for common commercial whole disk encryption products.

As I mentioned in a previous post, use of PGP Desktop to encrypt all laptop disks is compulsory at IBM and is enforced through our end-user computing standards.

The default power management configuration for laptops often just suspends the laptop when the lid is closed or when the ‘sleep’ button is pressed. Unless the laptop user selects ‘hibernate’, the disk drives are not encrypted. The standards dictate that the laptop configuration should be changed to hibernate in these circumstances, but how many users actually make the necessary changes?

The comprehensive help documents provided by IBM for configuring the whole disk encryption software step the user through making a ‘rescue disk’ to allow recovery in the event of a lost encryption password. So, how many users take any precautions to protect that?

Going back to the potential attack against whole disk encryption, it relies on the attacker being able to recover the encryption key from memory dumps or hibernation files, after the disk has been decrypted. Of course, if the laptop is always left safe (i.e. powered down or at least hibernating) then that attack vector isn’t available. However, how many users leave their laptop unattended and logged in when they believe the environment is ‘safe’? And how many leave their laptop unattended before the hibernation process has completed?

The common thread through all of this is that if users are careless, they can inadvertently cancel out any benefits from technical countermeasures. It’s simple enough to describe the exact behaviour that will prevent this. In public sector security, we call this Security Operating Procedures, or SyOPs for short.

It’s usual to define the IT security risk management process as starting with risk assessment to select the right security controls, followed by incident management to deal with residual risk, invoking crisis management and BCP when required, to recover from the most severe incidents. I strongly believe that SyOP production and security awareness training for end users must form part of the risk management process and must be in place before a service is activated to ensure that the security controls operate as designed and to defend against the sort of attack described here.

As I said in the title, users are the one part of the system that can’t be patched to remove vulnerabilities. It’s vitally important to explain the importance of what we ask them to do and then to reinforce that through adherence to mandatory written instructions, in order to establish the ‘habit’.


15 Minutes

August 15, 2011 at 11:25 pm | Posted in Cloud Security, Cyber Security, Data Protection, Security Governance

According to Andy Warhol, everyone gets 15 minutes of fame.  If you’re a security consultant, maybe that 15 minutes is the chance you get, face to face with the CEO of your customer, to convince them to focus on security.

The other day I found myself in conversation with a couple of senior execs from a large and well-known security vendor.  During the discussion, they made the point that oftentimes a security health check or investigation means presenting bad news.  The CISO is not always going to be overjoyed by what you have to report, so you need to present your conclusions direct to the decision maker.

So, this was the challenge – how are you going to get the CEO’s attention and a commitment to action, all in just 15 minutes?  Clearly, there’s no use talking about operational security – that’s the CISO’s patch.  So, I mused, frame the discussion in terms of Governance, Risk and Compliance (GRC).  Most organisations of any size are now quite adept at security compliance.  Faced with a plethora of legislation, regulation and contract schedules and armed with a bewildering array of control frameworks and certification schemes, IT security teams spend most of their time looking backwards at what already happened.  Beyond that, the Business grants authority to the CISO and his team to implement sufficient controls to enforce the corporate IT security policy.  Governance is about monitoring how that decision-making process is working.  Finally, the real objective looking forward should be to deploy adequate security to meet the business risk.  That ought to be something the CEO cares about.

OK, so now we have a context, but what are the big issues in security for the business?  I came up with a Top 3 (you may well disagree):

  1. Consumerisation:  Like it or not, staff are going to use their own devices (smart phones, tablets, home computers) in the course of their work.  Of course, these devices are outside the control of the IT department, so how do you enforce security policies?  What happens if the device is lost?  Can you do a remote wipe (which will include the owner’s data as well as the company data)?  This loss of control of physical assets and their configuration provides a toehold in the network for an attacker.
  2. Advanced Persistent Threats:  The business may find itself under attack from an APT, armed with a wide range of skills and resources and focused on a long-term (months or even years) objective.  Even if the IT Security team detects APT activity, this may only be a fleeting glimpse of what’s actually happening.  The business may well have no idea why it is being targeted.  All the while, the APT will be siphoning off vast amounts of data, maybe sensitive business information, maybe intellectual property, but also maybe personal information belonging to the business’s clients or employees.
  3. Cloud Services:  I wrote in a previous post about the threats to security governance posed by cloud services.  In many organisations, business units are adopting cloud services without the advice and support of their IT security specialists.  The resulting agreements often provide little or no oversight as to how the provider will assure the security of critical or sensitive data and can place the business’s legal and/or regulatory compliance status in jeopardy.

All of these conspire to present a real and growing threat to the personal and sensitive information stored by virtually every organisation these days. But, how to persuade the CEO that these threats are real?  The challenge is to come up with a set of “world-class” questions – they don’t require an answer at the time, rather they should make our CEO reflect on what matters to the long-term health of the business.  By coincidence, fellow IBMer Marc van Zadelhoff recently described his set of questions for the CISO in a blog post for the IBM Institute of Advanced Security.  His candidate questions are rather more technical than what I had in mind, but that really reflects the dilemma of how to engage with the Business at a senior level.  So, I thought about it for a while and this is what I came up with:

  1. Where is your data stored right now?  Can you account for every copy?  If you’ve entrusted data to a 3rd party, are you sure you can get it back if you end the service?  Are you sure they’ll delete it when you tell them?
  2. Can you be sure that your sensitive data isn’t being exfiltrated by an attacker?  If it was happening, would you know?
  3. If the worst were to happen and you become the target for a large-scale, highly public data breach, do you have a credible, tested crisis plan for dealing with it?  Can you withstand the reputational damage while you execute your plan?

So, that’s my list, all related to the need to protect critical and sensitive data.  How would your CEO answer?

Protecting Data Outside the Office

September 4, 2010 at 11:58 pm | Posted in Data Protection, Human Factors in Security

A recent article in the Times caught my eye.  It was discussing the notion of “extreme jobs”.  I think most of us can agree with the idea that there’s been an inexorable increase in the pressure on us to always be available, working longer and longer hours and still prepared to answer the mobile phone to a customer or the boss late into the night, at weekends and even on holiday.

Coupled with the ready availability of increasingly sophisticated mobile technology, it’s inevitable that many of us will take work home with us, or at least, outside the safety of the office environment.  For many of us, that means we’re taking with us sensitive information and the consequences of the loss of that data could be catastrophic.

One of my current tasks is preparing security awareness training for colleagues working on a large Public Sector bid.  We’ll be delivering this training to highly skilled and very experienced IT professionals, but looking around, I’m reminded that what is obvious and necessary to a security specialist is often at best an annoying distraction to others.  We all have to remember that mishandling sensitive information can have grave contractual and even legal consequences both for an individual and for their employer.  So, take a look at these 5 simple precautions, to make sure it’s not you that makes the headlines.

1:  Pay attention to the physical security of your laptop while travelling

Any attempt to work outside the office almost inevitably means taking a laptop, loaded with project data (including sensitive commercial and even personal data), with you while you’re travelling.  No matter how you travel, it’s bound to present plenty of opportunities for your laptop to be lost or stolen.  It’s fair to assume that, generally, the motive for theft is to sell the laptop onwards, rather than a concerted attempt to obtain any data stored on it.  However, you should take reasonable care not to advertise that you might be a valuable target.  Don’t, for example, wear your company pass outside the building.  The risk is greatest when you have to leave the laptop unattended:

  • While driving, keep the laptop out of sight, in the boot of your car.
  • When staying in a hotel, keep the laptop in a safe, if one is provided in your room.
  • When using the laptop in a public place, secure the laptop with a Kensington lock.

2:  Use whole disk encryption to protect your data

If your laptop is lost or stolen, the cost of replacing the hardware is relatively minor – and it’s insured anyway, isn’t it?  The real cost of the incident is the loss or disclosure of sensitive information stored on the laptop.  To protect against this, you should install whole disk encryption software.  This ensures that all the data on the laptop’s disk is encrypted when the laptop is shut down.  Only when the laptop is powered up and the authorised user completes pre-boot authentication is the disk data decrypted and available for use.  Commercial software is available from a number of well-known vendors, including PGP and DESlock.  You should bear in mind that, unless care is taken, even the authorised user may be unable to decrypt the data on the disk.  You should make sure that:

  • You run the operating system’s disk maintenance utilities to defragment the disk and to check and mark any bad areas on the disk;
  • You make a full backup of the disk volume(s) before installing the encryption software;
  • The install process will give the opportunity to create Emergency Recovery Information – make sure you write this ERI to a CD or other removable medium and store it somewhere safe;
  • Most importantly, the encryption software only takes effect when the laptop is shut down or hibernated.  You should never travel with your laptop in standby.
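Both this point and the earlier post (“You Can’t Patch People”) come down to the same configuration check: closing the lid or pressing the sleep button must hibernate or power down the laptop, never merely sleep it, because sleep leaves the encryption key in memory. The script below is an added example, not part of either post and not from PGP or IBM. On Windows it reads the live “Power buttons and lid” settings via `powercfg /query SCHEME_CURRENT SUB_BUTTONS`; elsewhere it runs against a constructed sample that approximates that output. It reports every action that is neither Hibernate (2) nor Shut down (3) and prints the `powercfg` command that would correct it. The alias names and action indexes are the ones `powercfg` uses; the sample output and its values are constructed for the example.

```python
"""Audit Windows lid / power-button / sleep-button actions for hibernate compliance.

Added example, not code from the blog or from any vendor. Parses the text that
`powercfg /query SCHEME_CURRENT SUB_BUTTONS` prints and flags any action that
leaves the machine in standby (Sleep) or does nothing, i.e. leaves the disk
encryption key resident in RAM.
"""
import re
import subprocess
import sys

# Action indexes powercfg uses for these settings.
ACTION_NAMES = {0: "Do nothing", 1: "Sleep", 2: "Hibernate", 3: "Shut down"}
HIBERNATE = 2
SAFE_ACTIONS = {2, 3}  # hibernate or shut down: both remove the key from memory

# Power-setting GUIDs under the "Power buttons and lid" subgroup and their powercfg aliases.
SETTINGS = {
    "5ca83367-6e45-459f-a27b-476b1d01c936": "LIDACTION",      # Lid close action
    "7648efa3-dd9c-4e3e-b566-50f929386280": "PBUTTONACTION",  # Power button action
    "96996bc0-ad50-47ec-923b-6f41874dd9eb": "SBUTTONACTION",  # Sleep button action
}

# Constructed sample (approximates real powercfg output): lid and sleep button only sleep.
SAMPLE_QUERY_OUTPUT = """\
Subgroup GUID: 4f971e89-eebd-4455-a8de-9e59040e7347  (Power buttons and lid)
    Power Setting GUID: 5ca83367-6e45-459f-a27b-476b1d01c936  (Lid close action)
      Possible Setting Index: 000
      Possible Setting Friendly Name: Do nothing
      Possible Setting Index: 001
      Possible Setting Friendly Name: Sleep
      Possible Setting Index: 002
      Possible Setting Friendly Name: Hibernate
      Possible Setting Index: 003
      Possible Setting Friendly Name: Shut down
    Current AC Power Setting Index: 0x00000001
    Current DC Power Setting Index: 0x00000001

    Power Setting GUID: 7648efa3-dd9c-4e3e-b566-50f929386280  (Power button action)
    Current AC Power Setting Index: 0x00000003
    Current DC Power Setting Index: 0x00000003

    Power Setting GUID: 96996bc0-ad50-47ec-923b-6f41874dd9eb  (Sleep button action)
    Current AC Power Setting Index: 0x00000001
    Current DC Power Setting Index: 0x00000002
"""


def parse_button_settings(text):
    """Return {alias: {"AC": index, "DC": index}} for the three settings above."""
    result = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Power Setting GUID:\s*([0-9a-f-]{36})", line, re.I)
        if m:
            current = SETTINGS.get(m.group(1).lower())  # None for settings we ignore
            if current:
                result[current] = {}
            continue
        m = re.match(r"\s*Current (AC|DC) Power Setting Index:\s*0x([0-9a-f]+)", line, re.I)
        if m and current:
            result[current][m.group(1).upper()] = int(m.group(2), 16)
    return result


def find_noncompliant(settings):
    """List (alias, power_source, action_name, fix_command) for every unsafe action."""
    findings = []
    for alias, by_source in sorted(settings.items()):
        for source, index in sorted(by_source.items()):
            if index not in SAFE_ACTIONS:
                verb = "setacvalueindex" if source == "AC" else "setdcvalueindex"
                fix = f"powercfg /{verb} SCHEME_CURRENT SUB_BUTTONS {alias} {HIBERNATE}"
                findings.append((alias, source, ACTION_NAMES.get(index, str(index)), fix))
    return findings


def audit(text):
    """Parse powercfg output and return the non-compliant actions with their fixes."""
    return find_noncompliant(parse_button_settings(text))


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["powercfg", "/query", "SCHEME_CURRENT", "SUB_BUTTONS"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_QUERY_OUTPUT  # offline demonstration on non-Windows hosts
    for alias, source, action, fix in audit(text):
        print(f"{alias} on {source} is '{action}' -> {fix}")
```

Run it as an administrator on the laptop being audited; after applying the suggested commands, `powercfg /hibernate on` must also be in effect, or a Hibernate action silently falls back to sleep.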

3:  Protect yourself against eavesdropping when working in public places

One of my favourite tech commentators is Peter Cochrane, who writes a regular column for Silicon.com.  Earlier this year, Peter reported on how easy it was to collect sensitive information from fellow travellers on the train.  Anyone who travels regularly on commuter train services will be familiar with indiscreet conversations and (even worse) one-sided mobile phone conversations, that give away far more sensitive information than they should.  Do resist the temptation to discuss sensitive matters in public places and try to curtail calls to your mobile until you can find somewhere more private.

Back to Peter Cochrane again.  During his frequent air travel, he noticed people using mobile phones to photograph – or even video – the screens of other people’s laptops.  His blog shows how it’s possible (given enough patience and a bit of experimenting) to get a reasonable picture of someone’s laptop screen.  This situation is easily fixed for a modest outlay, through the use of a privacy screen.  These clip over the laptop screen and make it impossible to read the screen unless you’re directly in front of it.  These screens work along the same lines as polarising sun glasses – do make sure they’re fitted the right way round.

4:  If you must use removable media, take extra care

It’s almost an immutable law of nature that, if you copy sensitive data to removable media, eventually, that media is going to get lost.  The simplest remedy of course is not to use removable media.  My current employer bans the use of these devices on Public Sector projects and, at one time, at least one UK government department filled the USB ports of laptops with superglue, to be absolutely sure.  Of course, a blanket ban isn’t always practicable, so, if you do need to use a memory stick, removable drive or similar, here are a few suggestions:

  • Don’t ever allow the use of personal removable devices – you have no idea how or where they’ve been used before or will be next
  • Have a pool of memory sticks for your project, clearly marked and with some sort of unique identifier.  Make team members check them in and out (with a signature) when they need them and make sure that missing or overdue devices are always followed up immediately.
  • Always encrypt the device.  As we discussed earlier in this article, the use of whole disk encryption when dealing with sensitive information is absolutely vital.  So, if all your team members have the capability, it’s crazy not to use it for removable devices as well.
  • It’s well worth the effort to select only the minimum amount of data for copying onto the removable media.  It might be quicker to export the whole contents of a database, but you must do everything in your power to limit the potential loss.

5:  Always use a secure connection over public networks

Finally, when you’re out of the office and you need to work, be careful to secure your communications.  Assume that all networks (in hotels or other public spaces, in customer sites and even at home) are hostile.  Always use a Virtual Private Network (VPN) connection to encrypt all your traffic when connecting to your organisation’s intranet from outside and never use a public computer or your home computer to connect to the intranet.

So, to summarise, a mixture of sensible procedural precautions, together with a few simple and inexpensive technical additions can do much to control the risks of taking sensitive information outside the normal office environment.  These measures might be a little inconvenient, but they will go a long way to ensuring that you’re not the one found responsible for a data loss, resulting in massive reputational damage, the loss of contracts and potentially huge fines for your employer.

Protecting your Identity

August 1, 2010 at 12:23 am | Posted in Data Protection, Identity Theft

A post on Twitter from @backupify the other day amused me …

“Google Apps has the same vulnerability as Microsoft products: Users”

They were making the point (explained further in their blog) that, according to a poll,  a significant number of administrators, if they were fired, would take with them business sensitive information.  Now, I’m not looking at those that take business sensitive information (customer databases, price lists, R&D files) as serious as that might be.  What interests me is that a significant number said they’d take a key set of credentials with them.  Yet another reminder of how vulnerable our online identity can be.

It also occurs to me that you can’t always expect to mitigate users’ behaviour with software based controls, particularly when those users are members of the general public, with, at best, a sketchy idea of what online security is all about.  Back in 2003, I was working as lead architect on an Identity Management solution for ABSA, South Africa’s biggest retail bank (and now part of the Barclays group).  3 customers had funds removed from their accounts through ABSA’s internet banking facilities, in what appeared to be the country’s first documented case of this type of crime.  It transpired that the 3 customers had picked up a keystroke logger, not having the necessary security software installed on their home PCs.  Nevertheless, it was their Bank that reaped the bad publicity.

Since then, banks around the world have done much to try to protect their customers, offering free or highly subsidised anti-virus software, offering various alternatives to the wholly inadequate use of passwords for authentication and even, in some cases, confirming transactions through SMS message to your mobile phone.  My business bank account is protected by a token, which generates a one time password (OTP), as well as a conventional password.  My Bank also supplies me with free anti-fraud software from Trusteer.  The Rapport browser plug-in protects session information stored in the browser and defends against man-in-the-middle attacks, trojans and phishing scams.  Most significantly for this discussion, it also monitors the user’s activity on the web and warns if the user attempts to use their Internet banking password in conjunction with another site.
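The password-reuse warning just described can be built without the guard ever holding the banking password in the clear. The example below is added here and is not Trusteer’s code: it keeps only a salted PBKDF2 hash of each protected password, and checks every outgoing form submission against it, warning when the password is headed for any site other than the one it belongs to. The site names and passwords are constructed for the example; a real plugin would hook the browser’s form submission rather than be called directly.

```python
"""Warn when a protected (e.g. banking) password is submitted to a different site.

Added example, not code from the blog or from Trusteer. The guard stores only a
salted PBKDF2-HMAC-SHA256 digest per protected origin, so the password itself is
never at rest in the guard's own store.
"""
import hashlib
import hmac
import os


class PasswordReuseGuard:
    ITERATIONS = 100_000  # PBKDF2 work factor; raise for production use

    def __init__(self):
        self._protected = {}  # origin -> (salt, digest)

    @classmethod
    def _digest(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def protect(self, origin, password):
        """Remember that `password` belongs to `origin`, storing a salted hash only."""
        salt = os.urandom(16)
        self._protected[origin] = (salt, self._digest(password, salt))

    def check_submission(self, origin, password):
        """Return the origin whose password is being reused, or None if the submission is fine."""
        for protected_origin, (salt, digest) in self._protected.items():
            if protected_origin == origin:
                continue  # the password is going to the site it belongs to
            # constant-time comparison so timing does not leak a partial match
            if hmac.compare_digest(self._digest(password, salt), digest):
                return protected_origin
        return None


def simulate():
    """Constructed scenario: bank password protected, then three form submissions."""
    guard = PasswordReuseGuard()
    guard.protect("bank.example", "correct horse battery staple")  # constructed credential
    submissions = [
        ("bank.example", "correct horse battery staple"),   # legitimate login
        ("forum.example", "correct horse battery staple"),  # reuse: should warn
        ("forum.example", "unrelated-forum-password"),      # different password: fine
    ]
    return [(origin, guard.check_submission(origin, pw)) for origin, pw in submissions]


if __name__ == "__main__":
    for origin, reused_from in simulate():
        status = f"WARNING: this is your {reused_from} password" if reused_from else "ok"
        print(f"submit to {origin}: {status}")
```

Hashing on every submission costs one PBKDF2 computation per protected site, which is why the iteration count is a tunable trade-off between the cost of the check and the cost to anyone who obtains the stored digests.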

Still though, users will continue to fall victim to identity theft because of unwise behaviour online.  So, I was pleased to see McAfee launch a decent eGuide to Identity Theft on their website recently.  As well as the guide, McAfee provide an online self-assessment tool.  By answering a series of questions, you can build a picture of the risks you run of identity theft, based on your online behaviour.  The risk assessment tool generates a detailed report in PDF.

Working through the tool, I found that my risk is assessed as moderate.  I could guess as I carried out the assessment which answers were affecting the score, but I feel comfortable that I’m making informed decisions to accept some risks.  After all, you can’t remove all risks, only mitigate some and accept the rest.  In fact, for many years, Marcus Ranum, who is widely credited with designing the first ever commercial firewall, published a picture of a set of wire cutters, under the title “The Ultimate Firewall”.  This illustrates the basic dichotomy in computer security – that for total security you can’t have any connectivity.  All security is a compromise with usability.

The McAfee eGuide and risk assessment tool are welcome resources, provided that they’re brought to the attention of users.  Of course, their publication coincides with the launch of Identity Protection features into their flagship consumer packages.  These features prompt the user for permission before Personally Identifiable Information (PII) is sent to a web site.  This is the consumer equivalent of the Data Loss Prevention (DLP) solutions, which are beginning to be deployed by large organisations.  These packages aim to identify information assets (files to you and me) on computer systems that contain PII and apply policies to control what can be done with those files.  This in turn limits the dangers of accidental or malicious leakage of the PII through USB sticks, email attachments, printed copy and so on.  All these technologies will of course help, but ultimately, each of us is responsible for protecting our identity through responsible online behaviour.  At least for now, too many users are completely unaware of the risks in what they do online.  To find out more about the risks, try starting at the UK Information Commissioner’s website.
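To make the DLP idea concrete, here is an added example (not McAfee’s or any vendor’s code) of the two halves such a product performs: identifying files that contain PII, then applying a policy to an action on those files. It scans for UK National Insurance numbers (simplified pattern), e-mail addresses and payment card numbers that pass the Luhn check, and decides whether copying each file to removable media is allowed, warned about, or blocked. The documents, the policy and the identifiers in them are constructed for the example.

```python
"""Minimal DLP: find PII in documents and apply a copy-to-removable-media policy.

Added example, not a vendor's implementation. The detectors are deliberately
simple; a product would add many more data types and context checks.
"""
import re

# Simplified UK National Insurance number: two letters, six digits, suffix A-D.
# (Real rules also exclude certain prefix letters; omitted here for brevity.)
NI_NUMBER = re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# 14-19 digits optionally separated by spaces or hyphens; validated with Luhn below.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")

# Policy: what each PII kind means for the action being attempted.
POLICY = {"ni_number": "block", "card_number": "block", "email": "warn"}


def luhn_ok(digits):
    """Luhn checksum, used to reject digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return {kind: [matches]} for each kind of PII present in text."""
    found = {}
    ni = NI_NUMBER.findall(text)
    if ni:
        found["ni_number"] = ni
    emails = EMAIL.findall(text)
    if emails:
        found["email"] = emails
    cards = []
    for candidate in CARD_CANDIDATE.findall(text):
        digits = re.sub(r"\D", "", candidate)
        if luhn_ok(digits):
            cards.append(digits)
    if cards:
        found["card_number"] = cards
    return found


def decide(findings):
    """Apply POLICY to the findings: block beats warn, warn beats allow."""
    verdict = "allow"
    for kind in findings:
        rule = POLICY.get(kind, "allow")
        if rule == "block":
            return "block"
        if rule == "warn":
            verdict = "warn"
    return verdict


def scan_documents(documents):
    """Return {name: (findings, verdict)} for each document."""
    report = {}
    for name, text in documents.items():
        findings = find_pii(text)
        report[name] = (findings, decide(findings))
    return report


# Constructed sample documents (all identifiers are made up / standard test values).
DOCUMENTS = {
    "minutes.txt": "Project board meeting, 3 September. Action: J. Smith to circulate the risk register.",
    "contacts.txt": "Contact the bid manager at bid.manager@example.com for the schedule.",
    "payroll_extract.csv": "name,ni_number,card\nA Person,QQ 12 34 56 C,4111 1111 1111 1111\n",
}

if __name__ == "__main__":
    for name, (findings, verdict) in scan_documents(DOCUMENTS).items():
        kinds = ", ".join(findings) or "none"
        print(f"{name}: PII found = {kinds}; copy to removable media -> {verdict}")
```

The point of the Luhn step is precision: sixteen-digit strings occur in invoices, serial numbers and timestamps, and a DLP rule that blocks on every one of them is quickly switched off by the people it inconveniences.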
