Top 3 - Past, Present, Future

Learn, Deliver & Prepare

Threats in the cyber world have multiplied, with many organisations having seen several attacks in the past 12 months. In some cases the attackers have succeeded in causing some form of embarrassment to the enterprise. Some organisations have managed to keep breaches under wraps for some time, given that it takes an average of 246 days for a breach to be detected.

With privacy gaining importance within the EU, organisations are also working to ensure that the data they hold is well secured and subject to controls. It is also becoming harder to do business with corporations and nations that have a permeable infrastructure allowing Personally Identifiable Information to flow between ‘co-operating organisations’. At the same time, information sharing between corporates and security professionals helps avert serious casualties in both the digital and physical ecosystems.

The IS professional of today manages Governance, Risk and Compliance while also dealing with increasing threats and challenges, and with resources that seem to be getting scarcer. With a rapidly mushrooming technology landscape, more tools are being made available to combat security threats; some recent security management products bring military-proven technologies to the enterprise front.

IS professionals need to Introspect on what they could have done better, Rethink how they could shore up their defences for 2014, and take Action on critical processes, technology and infrastructure to claw back lost ground.

2014 will prove to be a year in which the IS professional will need skills, tools and sharp judgement while juggling his/her responsibilities.


ATM fraud - The road is tricky

Many developed countries now rely to a great extent on card transactions and chip-and-PIN. However, there is quite a way to go before the whole country becomes a cashless society, with many small merchants and traders unable to accept cards. So hard currency is still required; besides, it feels nice to have some ‘money’ in your wallet or purse instead of a plastic card.

Read the road

Watch the signpost!

Fraudsters are finding new ways of separating us from our hard-earned money. One incident that I came across recently was a good old trick: the team operates as a pair. A girl stands on one side of the ‘victim’ and the guy stands on the other and tries to ‘see’ the PIN as it’s typed; the girl keeps distracting the victim all the time so as to slow the victim down, something called the nuisance value. As the victim withdraws the money, the card is snatched by the accomplice, who now has the PIN as well. By the time the crime gets reported the crooks are far away and your card is in use.

However, there have been more reported incidents involving skimming devices, which have grown sophisticated, and pin-hole cameras that ‘see’ the PIN as it’s typed. Others are now resorting to more technical attacks by gaining an understanding of how processors and banks route and review ATM transactions. One ATM I used had its camera actually pointing at the keypad.

In the first case, make sure that you use an ATM that has a cover to shield the numbers being entered, or cover the keypad with your hand. Shield the keypad from anyone who may be observing you. If you feel that you are likely to have a visitor or two while withdrawing money, either walk away or abort the transaction. Keep your bank’s hotline number handy so that you can report a loss. Report insecure ATMs to your branch quickly.

Ask what your bank is doing to detect fraud, and whether it has a fraud detection team dedicated to card fraud. One hopes that it has software monitoring the transactions that alerts the fraud team to suspicious ones. Does the ATM camera actually work? In the case I described above no camera was working, nor were the street cameras pointed in that direction.

If you are entrusted with security at a bank or are responsible for overseeing ATMs and cards, check what measures you can adopt to keep information processing secure and secret. Following good practice, and adopting an even more secure approach to ATM security, will go a long way towards ensuring that your customers are well protected. Keep your customers educated and informed about what you are doing to prevent and detect fraud. Customers will adopt cashless transactions if they are sure that their transactions are managed securely.

The road to secure e-banking has twists and turns; make sure you read the signs carefully and watch the road.

Is Privacy an Illusion?

PRISM/Rainbow tables

What do you see?

In the last few weeks, we have seen how governments are interested in watching, some call it spying on, their netizens. A number of privacy advocates have also sounded the klaxon at the perceived level of spying by governments, governments that were supposed to have safeguarded the liberty of their citizens and allies. However, several leaks showed that citizens are being relentlessly spied upon in several ways.

Ask politely, and citizens worldwide will share their personal data with everyone through social media, describing all aspects of their lives, and will even play online games that highlight their psychological profile. Smart data analytics can reveal a lot more about potential political dissidents than a standard survey. Yes, many of us have no concern about what can be done with the data, but I seriously think that we have to consider the risk element of what we write on social media and how we write it.

Free email systems are not ‘free’: the words and text that you write are analysed, mined and further dissected, only to be sold to the highest bidder. How else could large datacentres afford to give you ‘free’ email? The same goes for file-sharing services. If you wanted to be anonymous you could use an anonymous client, but how do you know which clients are run by governments and which are not? Large companies have had to include back-doors to be allowed to conduct business in a country.

Certain supermarkets now perform heat-map analysis of which aisles you use based on your Wi-Fi signal pattern, and yet others are rumoured to ‘follow’ your RFID tags as you wander around the store, providing information for analysts to predict your next move and decide how to position your next big buy. Remember the story of the teenage girl who was pregnant, and the local supermarket knew about it well before her own father did? So in short: we are all tracked, by mobile phone signals, Wi-Fi, login times, uploads, geo-tagging and so on. Will we have any privacy? I seriously doubt it. Can unscrupulous data admins or government officials blackmail you with your own personal data, with calls that you made to your girlfriend that your wife doesn’t know about, or with places that you were not meant to be at or that others did not know about?
Person of Interest anyone?

Too many questions, too few answers?

Graphic: The Spread of "Red October"

The threat landscape is changing, and if you have seen the latest James Bond movie (SKYFALL) you will recall the clip where M launches into her speech (1:39). Scenarios of this kind are exactly what information security professionals worldwide are dealing with; some know and understand the actual threat vectors, others are left with limited or no budgets.

Is your security team busy with routine tasks, compliance and mundane stuff, but not the top 5 risk items? Did the risk items change when the clock switched to February, while your security staff were still working on risk items from the previous year’s calendar?

Several vulnerabilities could exist; earlier this year it was found that Java has vulnerabilities that would take some time to fix. We were also told about Red October this year, in which several GB of data were siphoned off systems.

Whichever industry you are in, have you locked down at the end of the day, akin to locking up at night at home to keep out burglars? There are new state-sponsored organised cybercrime rings that now use their industry vertical experience to carry out targeted attacks: this month it could be banking, next month telephony, and so on. Cyber-intelligence gathering can work both ways, with the bad guys collecting data on your organisation and then finding a way in.

What about your security dashboard? As a CEO you look at the top-line financials, sales and how well your stock is doing. Have you considered an infosec dashboard? No? That’s because you have left it to the CISO, who isn’t monitoring it either. If you haven’t had a public security breach, it is because the bad guys are already in, or because they have listed you somewhere down the list, or maybe it is happening and you don’t know it. Will this security breach damage the reputation of your organisation, and send your stock sliding?

Is your security infrastructure actually working? Is your helpdesk your worst enemy, opening ports to the internet at night? Do your employees access restricted applications in collaboration with the IT team? Have you actually sifted through audit trails (a Big Data challenge) to understand whether compliance is being bypassed? Is your security contractor giving you really good advice, or ticking a few boxes? Has your IT team actually seen the threats first hand?

Are your advisors really providing sound security advice to the client, or are they just fulfilling the role and box-selling? Do they ignore or bypass the security protocols at client sites? Are you relying on age-old security search mechanisms? Which version of Angry Birds do you play? Has it been vetted by the security team?

We are actually staring into the face of an information security meltdown; probing has already started from all cyber agencies and your network is not safe. What are you going to do about it? Or will it be a case of TOO LITTLE!! TOO LATE??

Next week: Quick wins!!

Further Reading
The hunt for Red October
Java Zero Day vulnerabilities
Java Exploits


Use a privacy screen

Sitting in the train from London to Manchester yesterday, my fellow passenger, an HR Manager in a leading UK bank, pulled out her laptop and started reviewing the numbers for her department: a spreadsheet that contained details of a month-on-month comparison for the business, which made for very interesting reading. Next she started on a report that gave me a detailed understanding of the business model and the financials, which in my opinion was very confidential and should not have been out in the open.

This report mentioned a few names based at the practice in Mumbai and indicated the next moves, involving promotions and team details. Not content with this, I accessed the internet and figured out her role in the organisation, her colleagues (named in the emails) and their roles within the department, and the nature of the business. As the journey progressed, I was also able to review a tribunal case, then in progress, involving an individual within the organisation.

I am sure that this bank has a great information security programme and regularly holds security awareness sessions within departments, but one does not have to enter the building to get data; this data is provided to the external world by the employees themselves. Employees want access to data and want to be part of the mobile workforce, but this exposes an organisation to serious security breaches. I’m sure that a privacy screen would have helped in this case and would have been a very effective solution.

Just for a moment imagine that I was a news reporter, or had malicious intent; further digging could have yielded more useful information. I have informed the bank that their security awareness should improve.

Employees must understand that with great freedom comes great responsibility.

Security, Metrics and Big Data

BBC (UK) and Thoughtworks seem to be ahead on the technology horizon, with excellent, thought-provoking sessions on Big Data held at BBC Media City (Salford) and London.

Big Data is here to stay, and so are new ways of looking at it. This means that the RDBMS could be on its way out, or so it seems. Welcome NoSQL: MongoDB, Cassandra, Riak, Vertica and a host of other open source databases with the ability to handle hundreds of millions of rows.

Consider a large website that has built in-house connectors to Apache to analyse website data in real time and uses that data to block suspicious activity on the site. Known as HTTPShark and using Vertica, this home-grown open source engine gives low-latency response times while ingesting large volumes of data.

Would a CISO allow such low-investment innovation, which provides real-time data and helps prevent malicious attacks and save the reputation of the company, or would the CISO prefer standard off-the-shelf tools that may measure up?

Can a CISO take advantage of all the information, such as CPU, disk I/O and other log data, that can be correlated, aggregated and reported as a uniform event stream, thereby providing a picture of the current availability of systems? This requires the CISO to have a hacker (not cracker) mindset, to be able to put different streams together and join the dots.
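As an added example (not HTTPShark’s code, which the post does not show, and not the author’s), the following Python sketches the kind of real-time log analysis described in the two paragraphs above: it parses Apache combined-format lines, keeps a sliding window of requests and error responses per client, and emits block decisions. The thresholds, the IP addresses and the sample traffic are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format (what the stock CustomLog "combined" directive writes).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec

class RateDetector:
    """Sliding-window detector: flag a client that makes more than `max_hits` requests
    ("rate") or draws more than `max_errors` 4xx/5xx responses ("errors", the signature
    of a scanner guessing paths) within `window` seconds."""

    def __init__(self, window=10, max_hits=20, max_errors=5):
        self.window = timedelta(seconds=window)
        self.max_hits, self.max_errors = max_hits, max_errors
        self.hits = defaultdict(deque)    # ip -> timestamps of recent requests
        self.errors = defaultdict(deque)  # ip -> timestamps of recent error responses
        self.blocked = set()

    def observe(self, rec):
        """Feed one parsed record; return the reason to block this client, or None."""
        ip, now = rec["ip"], rec["ts"]
        self.hits[ip].append(now)
        if rec["status"] >= 400:
            self.errors[ip].append(now)
        for dq in (self.hits[ip], self.errors[ip]):  # drop events outside the window
            while dq and now - dq[0] > self.window:
                dq.popleft()
        if ip in self.blocked:
            return None                    # decision already taken for this client
        reason = "rate" if len(self.hits[ip]) > self.max_hits else (
            "errors" if len(self.errors[ip]) > self.max_errors else None)
        if reason:
            self.blocked.add(ip)
        return reason

def analyse(lines, **thresholds):
    """Run the detector over raw log lines; return [(ip, reason, timestamp)] decisions."""
    det = RateDetector(**thresholds)
    decisions = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            reason = det.observe(rec)
            if reason:
                decisions.append((rec["ip"], reason, rec["ts"]))
    return decisions

def fmt(ip, t, path, status, size=512):
    # Render a constructed combined-format line (only used to build the sample below).
    return (f'{ip} - - [{t.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" {status} {size} '
            f'"-" "Mozilla/5.0 (constructed sample)"')

def make_sample_log():
    """Constructed sample traffic: a normal visitor, a path-guessing scanner and a flood."""
    base = datetime(2013, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(seconds=2 * i), "203.0.113.5", f"/page{i}", 200) for i in range(5)]
    guesses = ["/admin", "/login", "/backup", "/old", "/test", "/private", "/hidden", "/secret"]
    events += [(base + timedelta(seconds=i), "198.51.100.7", p, 404) for i, p in enumerate(guesses)]
    events += [(base + timedelta(milliseconds=200 * i), "192.0.2.9", "/", 200) for i in range(30)]
    events.sort(key=lambda e: e[0])        # interleave into one chronological stream
    return [fmt(ip, t, p, s) for t, ip, p, s in events]
```

Calling `analyse(make_sample_log())` blocks the flood on its 21st request and the scanner on its sixth 404, while the ordinary visitor is never flagged; in production the same decisions would feed a firewall or reverse-proxy rule rather than a list.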

Another emerging paradigm is continuous delivery: as business demands a faster turnaround for deployment, can auditing for such scenarios keep up, or will auditors still demand staging servers and standard review mechanisms? Controls for minute-by-minute code upgrades across continents and polyglot persistence are here to stay, and security and controls will have to be built around them to ensure compliance, confidentiality, availability and integrity.

A quick word of caution: it would be good to see the hype curve for these technologies.

Further reading
Develop: north

There’s many a slip…

Security issues in Near Field Communications

Near Field Communication (NFC) is a form of contactless communication between devices such as smartphones and tablets. NFC payment cards have already been issued by banks and other organisations that wanted to make payments quicker than the current chip-and-PIN. The working distance is approximately 10 cm.

Rogue card readers can read all the cards inside your wallet or handbag if you present it to the reader. This means that in the moment your wallet is presented, card data is read from every card, including your personal credit and debit cards. Such compromised readers could also re-transmit the information to another nearby receiver.

Imagine a rogue reader at the office door which reads all the cards presented each day, including those of high-profile visitors, and logs them on your local servers for future reference. A server administrator could access this not-so-secure database, retrieve the numbers and release them into the wild. What if the data leak were traced to your door? Would your organisation be responsible for abetting the crime?

What if a person could read your data by using a reader that scanned all the cards in the room? Maybe one transmitter and several non-interfering receivers could work?

This is another form of eavesdropping: the attacker could read the transaction as you present your card to the reader, compromising the security of the transaction. As with any RF technology, a number of factors determine how close an attacker needs to be to retrieve the data from the RF signal.

Denial-of-service attacks are the easiest to carry out: an attacker need only transmit the correct frequencies in the spectrum at a higher power than the reader. A slightly more advanced attack would be to understand the modulation scheme and coding. Stretching this further, data manipulation and data insertion are also possible from a distance.

Proven attacks have also taken place using a cell phone to read cards from people’s wallets and handbags. With people storing data such as bank and credit card information on cell phones for NFC use, viruses and other forms of malware targeted at smartphones will increase.

I leave further concerns and risks of the use of such technology without the use of appropriate safeguards and countermeasures to your imagination.

Further Reading

Debit Cards Details Can Be Nicked With an NFC Mobile Bump
Security in NFC
Eavesdropping Near Field Communication

We are responsible for our online security

Act Now!

I am tired of receiving spam messages from friends whose computers/smartphones have been compromised. This is due to our plain and simple negligence in a constantly online world. We use computers/smartphones and other devices without understanding the risks and consequences. We expect our data to be kept safe by the organisations we deal with, but are seemingly lax and frivolous with the way we treat our own data and electronic devices. We wonder why our online account got hacked, or why someone is targeting our family with sinister messages, or why we see an influx of junk mail in our inbox.

The answer: WE are responsible! This will be a weekly series, and what I expect you to do is this: each week, carry out a self-assessment and try to fix the issues quickly. Not doing so over a prolonged period is like leaving your front door open while going away on vacation, not to mention putting up a huge sign “We are away on vacation!!” (see graphic).

  1. I shall endeavour to use a legal copy of my current OS or switch to an open source operating system!
    Because a pirated operating system compromises not only the security of my online transactions but also those of the family members who use my computer. I will also be able to get upgrades and security fixes for my operating system, which will prevent attacks from viruses, Trojans and other malware that intend to compromise my system.
    Analogy: I put a proper lock on my front door and ensure all my cupboards are safely locked at all times.
  2. I shall get a trained person to update the firmware on all my electronic devices, such as computers and smartphones!
    Because the firmware updates will patch all currently known vulnerabilities and prevent their exploitation by hackers and nation states that want to carry out subversive activities against my country.
    Analogy: I get a trained person to carry out repairs to my home; I don’t want a carpenter fixing the plumbing in my house, right? I also ensure that a front door that does not close is fixed the very next day by a competent person.
  3. I shall install an antivirus and firewall, ensure that they are set to update automatically, and carry out a manual scan at least once a month!
    Why? I do not know which viruses or Trojans will target my operating system and applications and pass my confidential information to hackers. They want my information and I will not give it to them.
    Analogy: Do I not check my doors and windows at night to see if they are locked, to ensure the safety and comfort of my family?
  4. I shall at least inform, or carry out an upgrade for, any neighbour, friend or relative who is unable to carry out the upgrades themselves, due to funds, limitations of technology or age!
    Why? If their security is compromised, the information I share with them will also be compromised and leaked.
    Analogy: Do I not alert my neighbour or a family member if I see their door damaged or lock broken? If I see the lock of my building damaged, I alert the maintenance manager to have it fixed in the shortest possible time.
  5. I shall teach children and young persons the dangers of posting private material and photographs of themselves and their friends online on social media sites!
    Why? Hackers can build a picture of my family and friends and target them, causing my family and me serious harm and damaging my reputation. Believe me, if my information is out there, hackers are using it; don’t be naive!!
    Analogy: Do I put up photographs of myself and give out information about myself on notice boards in my building or college, or do I make photocopies of my profile and hand them out to any stranger I meet on the street?

To be continued…

Playing mindgames

Countdown to System Infection (Infographic)

Social engineering involves tactics that make individuals let their guard down.

When was the last time you received a phone call from a person claiming to be from a bank who needed you to give your PIN to validate your account details? Social engineering attacks can take many forms and trick you into divulging information about yourself or compromising the security of your organisation. Attackers take advantage of emergency situations to get access to controlled resources, for example by pretending to be first responders (police officers, medics, etc.).

A senior-looking person asks to be let into your office premises, claiming that s/he is late for a meeting with the CEO. A person who speaks authoritatively asks for details such as the key code for the door. Would you divulge the code? Or would you challenge the lady who is about to tailgate you?

Your social media sites are a great place for a hacker to start looking for information such as your email-id, phone number, likes, family, friends among other titbits of information.

Did you get an email from someone in a position of authority? Spear phishing relies on the ‘colonel effect’ to get you to reveal data. This will be more prevalent for employees who work with defence contractors, government and the military.

Do you trash confidential papers without first shredding or pulverising them? Dumpster divers get your credit card details, addresses and other private information from the trash. Using the information gleaned from these methods, hackers can then work their way towards collecting more information about you. Just because you do not do it does not mean hackers will not do it. There are sites that teach you how to dumpster dive.

A hacker could also leave pen drives or USB sticks in public places bearing the logo or label of a Fortune 500 company and a title such as ‘Salary Review – Senior Management’. Plug in the USB stick and your machine is compromised.

Cultures in some countries such as India may also allow a hacker to gain access to secure locations. For example, a speaker at a security conference claimed to have tested a social engineering tactic at a secure data centre by ‘threatening’ a lowly security guard that he would call the CEO if he was not let in. He also managed to gain access to the secure data processing area by talking to employees. Would that mean that all foreigners are allowed access to secure areas without a second thought? I think not!!

Beware of shoulder-surfers, the ones who try to get your password or PIN by looking over your shoulder and spotting the keys you type. They may casually approach you at the ‘right moment’. A good training and awareness programme for all employees is necessary to reduce the number of incidents in the office, and this awareness also needs to spread to your friends and family. Unsolicited phone calls, visits or emails asking for information should always be treated as suspect. Verify the person using your own resources, not the number or device given by that person. Do not click on links in an email or on a social media site. Check the URL of the website: it may look identical, but keep an eye out for a mispilleng. Ensure that your antivirus and firewall are installed correctly and up to date.
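The URL check above can be partly automated. This added Python example (not from the post or its author) assumes a constructed shortlist of trusted domains, confusable characters and public suffixes; it normalises the registrable domain, folds lookalike characters, and flags domains that embed a trusted name or sit one typo away from it.

```python
from urllib.parse import urlsplit

# Trusted domains to compare against (a constructed list for this example).
TRUSTED = ["mybank.co.uk", "paypal.com", "facebook.com"]
# Character sequences that read like another letter at a glance (constructed shortlist).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
# Multi-label public suffixes, so "x.co.uk" keeps "x" as its brand label
# (constructed shortlist; a real tool would use the full Public Suffix List).
SUFFIXES = ["co.uk", "org.uk", "ac.uk", "com.au"]

def registrable(host):
    """Registrable domain of a hostname, e.g. secure.mybank.co.uk -> mybank.co.uk."""
    host = host.lower().rstrip(".")
    for suf in SUFFIXES:
        if host.endswith("." + suf):
            return host[: -len(suf) - 1].split(".")[-1] + "." + suf
    return ".".join(host.split(".")[-2:])

def skeleton(s):
    """Fold confusable sequences so 'rnybank' and 'paypa1' compare as 'mybank' and 'paypal'."""
    for seq, letter in CONFUSABLES:
        s = s.replace(seq, letter)
    return s

def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED):
    """Classify a URL as ('trusted', domain), ('lookalike', imitated domain) or ('unknown', domain)."""
    parts = urlsplit(url if "//" in url else "//" + url)   # urlsplit needs a scheme or '//'
    host = (parts.hostname or "").lower()
    dom = registrable(host)
    if dom in trusted:
        return ("trusted", dom)
    brand = skeleton(dom.split(".")[0])   # the label that carries the brand name
    for t in trusted:
        t_brand = t.split(".")[0]
        if t in host or t_brand in host:          # trusted name buried inside another domain
            return ("lookalike", t)
        if edit_distance(brand, t_brand) <= 1:    # one typo or one confusable away
            return ("lookalike", t)
    return ("unknown", dom)
```

A verdict of "unknown" is not a clean bill of health; it only means the domain does not resemble anything on the trusted list.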

New methods of social engineering are always being tried and tested, be aware, stay secure, keep your family safe.

Further Reading
Track a fake Facebook account
Barracuda Labs Social Networking Analysis

EU Data Protection Act – Ready, Get Set, Go


A balancing act - EU Data Protection regulations

70% of EU citizens are worried about the misuse of their personal data. Several changes to the regulatory landscape have been proposed. The old rules were framed circa 1995, when the internet was still new and in its infancy.

The new data protection act will give EU citizens the right to access, change or delete their data. Just over a quarter of social network users (26%) and even fewer online shoppers (18%) feel in complete control of their personal data. Most interestingly, it will include ‘the right to be forgotten’. If the controller has made the data public, it must take all reasonable steps, including technical measures to inform third parties that the individual requests that the data be deleted. Imagine the effort required by social media sites that have shared your information to other ‘apps’ and businesses for a fee. The right to be forgotten has several caveats which may prove to be an Achilles heel for those invoking this right.

  • 74% of Europeans see disclosing personal information as an increasing part of modern life.
  • 43% of Internet users say they have been asked for more personal information than necessary.
  • Only one-third of Europeans are aware of the existence of a national public authority responsible for data protection (33%).
  • 90% of Europeans want the same data protection rights across the EU.

Interestingly, EU rules will apply to companies not established in the EU if they offer goods or services in the EU (or monitor the online behaviour of citizens). This means that foreign banks (from outside the EU) will be subject to these laws; data for these institutions currently resides in data centres outside the EU.

Privacy is to be built in by design and by default, and data may move outside the EU only to countries with adequate protection. What defines ‘adequate protection’? Again, this will impact the BPO industries and web-hosting providers whose data centres reside outside the EU.

An EU citizen will have to consent explicitly to data processing; consent can no longer be assumed. What mechanisms are to be provided for this? And how will a citizen be sure that the request has been complied with to the letter?

Companies will have to notify individuals of serious breaches within 24 hours; this was not forthcoming in the recent breach of security at the world’s largest professional network.

Data Protection Officers will be mandatory; they will need to be experts, should be involved in a timely manner, and must receive proper support to perform their tasks.

On a more serious note, firms face being fined up to 2% of their global annual turnover if they breach the proposed EU data laws. This is severe, steep and dissuasive. Companies should recognise that compliance is necessary and take steps to address the changes.

Proposed timeline

  • 2 years to complete the legislative process,
  • a further 2 years, as with any proposed regulation,
  • not before 2015 (est.)

Further reading
European Commission (Protection of Personal Data – Justice)
EU data protection law proposals include large fines
How to prepare for proposed EU data protection regulation